The CFIUS Non-Notified Docket

Ted Posner of Baker Botts LLP outlines key considerations for parties regarding the Committee on Foreign Investment in the United States' increasing scrutiny of historical transactions that were not voluntarily filed with the committee.

It's a common scenario: After careful consideration, parties to a transaction involving foreign investment in a U.S. business decide against a voluntary filing with the Committee on Foreign Investment in the United States (CFIUS).

They reason that in their case the filing isn't mandatory, the national security implications seem remote, and the time and expense just don't appear to be worth it. The parties close the deal, satisfied that they've made a reasonable judgment and can put CFIUS in the rearview mirror.

What the parties may not appreciate is that even though they have decided not to go to CFIUS, CFIUS may still come to them. Indeed, it may do so even years after the transaction has closed and the interests of the foreign investor and the U.S. business have become intertwined in such a way that disentanglement is difficult and perhaps cost prohibitive.

And while CFIUS for decades has had the authority to reach back and review historical transactions that managed to fly below the radar, it is only in recent years that CFIUS has made a concerted effort to put certain historical transactions under the microscope. Accordingly, it is prudent for parties to understand CFIUS's authorities with respect to "non-notified" transactions.

The CFIUS program is voluntary, but supported by mandatory tools

From its inception, the legal framework for reviewing foreign investment in the United States to identify its potential impact on national security (as set forth in section 721 of the Defense Production Act of 1950 (DPA) (Section 721)) has relied on transaction parties' voluntary submissions to CFIUS.

Parties to transactions within CFIUS's jurisdiction ("covered transactions") that could implicate national security are incentivized to notify them by the "safe harbor" that comes from clearing CFIUS. That is, having cleared CFIUS, parties had some comfort that (absent extraordinary circumstances) their deal could not later be unwound due to newly discovered concerns that the transaction might put U.S. national security at risk.

The essentially voluntary nature of the CFIUS program has been supported, from its inception, by other features that allow CFIUS to reach out to parties even if the parties have not first approached CFIUS. CFIUS could invite parties to notify their transaction to CFIUS. If parties declined to notify a transaction notwithstanding an express request, they risked CFIUS initiating a review based on a so-called agency notice.¹

When Congress overhauled the CFIUS program by enacting the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA),² it added to the tools available to CFIUS. As a result of FIRRMA, parties to certain transactions are required to notify those transactions to CFIUS.

This requirement applies in particular to transactions involving businesses engaged with critical technology, critical infrastructure, or sensitive personal data (so-called "TID U.S. businesses").

CFIUS is scrutinizing non-notified transactions

But even with the designation of a subset of transactions that must be notified to CFIUS and the prospect of CFIUS initiating a review on the basis of an agency notice, the program has remained mostly voluntary. As a result, it is possible — indeed, likely — that each year a certain number of transactions will close without review by CFIUS even though they may well implicate national security.

Recognizing that possibility, Congress in FIRRMA directed CFIUS to undertake a closer look at historical, non-notified transactions.³ As Treasury states on its CFIUS web page, "Since 2020, Treasury has dedicated staffing, training, resources, and outreach to support this critical effort — strengthening and sharpening the Committee's ability to identify and assess whether non-notified transactions merit further review."⁴

The number of cases in which CFIUS has asked for a filing from parties to a non-notified transaction is relatively low compared to the overall volume of cross-border transactions: 12 in 2024,⁵ 13 in 2023,⁶ 11 in 2022,⁷ and eight in 2021.⁸

But the consequences for parties in this situation can be significant. If CFIUS identifies a national security risk in a post-closing review, it may insist on the parties undertaking costly, unanticipated risk mitigation measures.

At the extreme, a company may be compelled to divest the interests of the foreign owner. That is precisely what happened in 2024 when CFIUS determined that a Chinese investor's 2022 acquisition of land in Wyoming to be used for a crypto mining facility posed a risk to the national security that could not be mitigated.⁹

Bearing the foregoing in mind, parties that are weighing the relative risks of filing or not filing their covered, non-mandatorily-fileable transactions with CFIUS should do so with eyes open. That means taking account of key consideration, of which we highlight four.

Key considerations about CFIUS review of non-notified transactions

1. CFIUS is devoting more resources to the non-notified docket

First, as already noted, CFIUS is devoting more resources to the review of non-notified transactions. In its most recent annual report (covering calendar year 2024), CFIUS stated that it had "continued to advance its targeted approach for identifying and actioning non-notified and non-declared transactions, including through hiring additional staff, evaluating new tools and datasets, and regularly coordinating across CFIUS member agencies."¹⁰

2. CFIUS's definition of national security is expanding

Second, the closer scrutiny being given to non-notified transactions occurs against a backdrop in which the executive branch is broadening its conception of national security. It would be a serious mistake to consider national security today as limited to conventional concepts such as national defense.

That may have been the case when Section 721 was first enacted in 1988. Then, the statute expressly called out only three factors bearing on national security, two of which concerned national defense and the third of which referred vaguely to "the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security."¹¹ But since then, the list has only grown.

A 1992 amendment added two new factors, one concerning export controls, and another concerning effects on U.S. international technological leadership.¹²

In the aftermath of CFIUS's clearance of the much publicized Dubai Ports World/P&O transaction in 2006, Congress enacted the Foreign Investment and National Security Act of 2007 (FINSA) which, among other things, added five more national security factors — bringing the total to ten — plus a catch-all eleventh provision encompassing "such other factors as the President or the Committee may determine to be appropriate, generally or in connection with a specific review or investigation."¹³

By a 2022 executive order, President Biden elaborated on the ten statutory factors and added several additional factors to address issues including "aggregate industry investment trends," "cybersecurity risks," and "sensitive data."¹⁴

While President Trump has not yet issued an executive order addressing the national security risk factors that CFIUS takes into consideration, he did issue a memorandum early in his second administration entitled "America First Investment Policy." Among other pronouncements, that memorandum declares that "[e]conomic security is national security,"¹⁵ a statement that may have the effect of further broadening the way in which CFIUS conceptualizes national security.

The trend for CFIUS's understanding of national security to expand means that a transaction that one might reasonably have considered as not implicating national security even a few years ago could be seen very differently today.

3. CFIUS's subpoena power is expanding

This leads to the third consideration that parties should take into account: CFIUS's power to compel parties to produce information.

This power stems from section 705 of the DPA, which authorizes the President "by regulation, subpoena, or otherwise, to obtain such information from ... any person as may be necessary or appropriate, in his discretion, to the enforcement or the administration of [the DPA] and the regulations or orders issued thereunder."¹⁶

For CFIUS, the scope and purpose for which a subpoena may be issued are set forth at 31 C.F.R. § 800.801.¹⁷ Under that provision, parties that have notified a transaction to CFIUS are required to provide information "that will enable the Committee to conduct a full assessment, review, and/or investigation of the transaction."

Additionally, the provision requires parties to a transaction that has not been notified to the Committee to provide information as requested by the Staff Chairperson to enable the Committee "to assess whether the transaction is a covered transaction."

In November 2024, the regulations were updated (with effect from December 26, 2024) to require parties to non-notified transactions to provide information as requested by CFIUS for two additional reasons:

• To enable CFIUS to determine "[w]hether the transaction may raise national security considerations," and
• To enable CFIUS to determine "[a]s appropriate, whether the transaction is a transaction for which a submission is or was required under" the mandatory notification rules.¹⁸

As a result of these updates, CFIUS may compel transaction parties to produce information not only to ascertain whether the transaction is covered, but also to gather information about the national security "merits" of the transaction. While this does not empower CFIUS to do a full-blown review of a transaction in the absence of a notice, it does bolster the tools available to CFIUS to drill down on the substance of non-notified transactions.

4. CFIUS's authority continues even if the "covered" relationship does not

A fourth consideration concerns the scope of what CFIUS reviews when it reviews a non-notified transaction. One reason parties may neglect the possibility of CFIUS reviewing a transaction that flew below the radar when it was concluded is that the relationship between the foreign investor and the U.S. business may well have evolved since the transaction closed.

For example, the transaction may have entailed a foreign investor's acquisition of control at the time the transaction was concluded, but subsequent developments may have resulted in the foreign investor's losing control. That development may cause the parties to conclude that CFIUS no longer has a basis for (or interest in) reviewing the transaction. That conclusion would be incorrect.

Nothing in the statute or regulations that define its authority divest CFIUS of jurisdiction just because the attributes that caused a transaction to be a covered transaction are no longer present at a later time.

All that is required for CFIUS to undertake a review is that a transaction have been proposed or concluded and that it met the definition of "covered transaction" at the relevant time. In the case of a historical transaction, subsequent events will not change the fact that a covered transaction triggering CFIUS's jurisdiction was concluded.

Subsequent events could affect CFIUS's consideration of national security risk. Thus, if a covered transaction gave rise to a concern because of the actions a foreign person could take through its actual or potential exercise of control over a U.S. business, loss of the ability to exercise control could cause that concern to dissipate.

On the other hand, even if a foreign person loses the ability to control a U.S. business that it acquired through a covered transaction, national security impacts that arose as a result of the covered transaction could linger even after the attributes of coverage have disappeared.

For example, the foreign person may have gained access to material non-public technical information of the U.S. business during the period when it had control, resulting in a risk to U.S. national security that remains even after it loses control. Or, during its period of control, the foreign person may have caused the U.S. business to export sensitive personal data, resulting in a risk that persists even after it no longer has control.

Or, having had the ability to control the U.S. business for a period of time, the foreign person may exert an influence over the business that outlives its technical ability to exercise control. Any of these circumstances could be a basis for CFIUS to identify a national security concern arising from a covered transaction even after the attributes of coverage have disappeared.

Taken together, the considerations discussed here — that is, the increased resources devoted to examination of non-notified transactions, the broadening of the understanding of national security, the enhancement of CFIUS's authority to compel parties to produce information, and the potential for CFIUS to review a covered transaction even if the attributes that made it covered are no longer extant — should serve as a reminder to parties that when it comes to non-notified transactions, CFIUS risk does not necessarily disappear after the transaction is concluded.

In short, even if parties believe they are done with CFIUS, CFIUS may not be done with them.

Originally published by Westlaw Today.

Footnotes:

1. See 31 C.F.R. § 800.501(c).

2. Pub. L. No. 115-232, §§ 1701-1728, Aug. 13, 2018, 132 Stat. 2174 (amending section 721 of the Defense Production Act of 1950).

3. 50 U.S.C. § 4565(b)(1)(H).

4. CFIUS Non-Notified Transactions, U.S. Department of the Treasury, https://bit.ly/4mfrBu0 (consulted 8/27/2025).

5. CFIUS Annual Report to Congress for CY 2024 at 40, 2024 CFIUS Annual Report, https://bit.ly/41OUNB2 (consulted 8/27/2025).

6. CFIUS Annual Report to Congress for CY 2023 at 39, 2023 CFIUS Annual Report, https://bit.ly/4ptLX5W (consulted 8/27/2025).

7. CFIUS Annual Report to Congress for CY 2022 at 52, CFIUS — Annual Report to Congress CY 2022_0.pdf, https://bit.ly/4ml0Ggy (consulted 8/27/2025).

8. CFIUS Annual Report to Congress for CY 2021 at 45, CFIUS-Public-AnnualReporttoCongressCY2021.pdf, https://bit.ly/3K19eM9 (consulted 8/27/2025).

9. See Statement on the President's Decision Prohibiting the Acquisition by MineOne Cloud Computing Investment I L.P. of Real Estate, and the Operation of a Cryptocurrency Mining Facility, in Close Proximity to Francis E. Warren Air Force Base, U.S. Department of the Treasury, https://bit.ly/46JZzl1 (May 13, 2024) (consulted 8/27/2025).

10. CFIUS Annual Report to Congress for CY 2024 at 40, 2024 CFIUS Annual Report, https://bit.ly/4ppJyc6 (consulted 8/27/2025).

11. Defense Production Act of 1950, § 721(e), as added by Pub. L. No. 101-418, § 5021, Aug. 23, 1988,102 Stat. 1425.

12. Pub. L. No. 102-484, § 837, Oct. 23, 1992, 106 Stat. 2463 (redesignating subsection (e) of section 721 of the Defense Production Act of 1950 as subsection (f), and adding paragraphs (4) and (5) to the redesignated subsection).

13. Foreign Investment and National Security Act of 2007, Pub. L. No. 110-49, § 4, July 26, 2007, 121 Stat. 246, 253 (adding paragraphs (6) to (11) to DPA, § 721 (f)).

14. E.O. 14083, § 3, 87 Fed. Reg. 57369 (Sep. 20, 2022).

15. America First Investment Policy — The White House, https://bit.ly/465MTFW (consulted 8/27/2025).

16. 50 U.S.C. § 4555.

17. A related provision concerning CFIUS review of real estate transactions is set forth at 31 C.F.R. § 802.801.

18. 89 Fed. Reg. 93179, 93184-85 (Nov. 26, 2024) (setting forth amendments to 31 C.F.R. § 800.801(a) and 31 C.F.R. § 802.801(a)).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.