Originally posted on 03/26/2020, content updated on 10/06/2023

Foreign companies and investors who are acquiring or investing in a U.S. company should consider whether their U.S. inbound transaction will be subject to review by the Committee on Foreign Investment in the United States (CFIUS). On February 13, 2020, regulations (31 CFR §§800, 802) (the “Final Regulations”) issued by the U.S. Department of the Treasury went into effect, which expanded and clarified CFIUS’ jurisdiction over certain foreign investments in U.S. companies or real estate.

CFIUS is an interagency committee chaired by the Secretary of the Treasury that is authorized to review certain transactions involving foreign investment into the U.S. to determine the effect of such transactions on national security. If a transaction could pose a risk to U.S. national security, the U.S. President may suspend or prohibit the transaction, or impose conditions on it.

Before August 2018, CFIUS’s jurisdiction was limited to transactions in which a foreign investor acquired control of a U.S. business (which involves certain blocking rights). CFIUS’s jurisdiction was expanded in August 2018, when President Trump signed the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) into law. The Final Regulations implement FIRRMA. FIRRMA covers not only certain controlling/majority investments but also certain non-controlling/minority investments and certain investments in real estate located near sensitive government sites (including airports, harbors, and military sites). This article will focus on non-controlling investments in U.S. companies.

A non-controlling investment is subject to CFIUS’ jurisdiction if it (i) is an investment in a U.S. business involved in certain critical technologies, critical infrastructure, or sensitive personal data of U.S. nationals (referred to as “TID” businesses), and (ii) grants the foreign investor any of the following: (a) access to any material non-public technical information of the U.S. company, (b) membership or observer rights on the board of directors or equivalent governing body of the U.S. company or the right to nominate an individual to a position on the board of directors or equivalent governing body, (c) any involvement, other than through voting of shares, in substantive decision-making of the US company.

Critical technologies are defined as items on certain U.S. export regulations (such as the U.S. Munitions List and the Commerce Control List) and other regulatory regimes and include certain emerging and foundational technologies controlled under the Export Control Reform Act of 2018 (“ECRA”). The Bureau of Industry and Security (BIS) is working on proposed rules to define “emerging and foundational technologies” that will be subject to future export controls. BIS is considering technologies such as (a) artificial intelligence and machine learning technology; (b) logistics technology; (c) robotics; and (d) advanced surveillance technologies, such as faceprint and voiceprint technologies.

Critical infrastructure is generally defined as systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems or assets would have a debilitating impact on national security. Critical infrastructure includes certain IP networks, telecommunications services, interstate oil pipelines, crude oil storage facilities, rail lines, public water systems, and electric power generation, storage, or transmission facilities. A list of types of critical infrastructure can be found in Appendix A to Part 800 of the Final Rules.

Sensitive personal data include the following categories: financial, consumer report data, geolocational, health data, non-public electronic communications (including emails and chats), Federal ID card data, U.S. government personnel security clearance data, and genetic testing data.  The categories are covered under FIRRMA only if the U.S. business: (a) targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) maintains or collects such data on greater than one million individuals, or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. Genetic testing data from databases maintained by the U.S. government and routinely provided to private parties for research are exempted, so as not to capture U.S. businesses using common datasets for research purposes.  Examples of transactions that were blocked by CFIUS involved a dating app for LGBT individuals (Grinder LLC) and an online patient forum (PatientsLikeMe).

Under the Final Regulations, non-controlling investments by certain investors from Canada, the UK and Australia are exempted.  Furthermore, investments in TID businesses by U.S. investment funds with foreign limited partners will not be subject to CFIUS review if (i) the fund is managed exclusively by a U.S. general partner (or equivalent), (ii) the firm’s advisory board on which the foreign limited partner sits does not have the ability to control in any way the investment decisions of the investment fund, (iii) the foreign limited partner does not have the ability to control the fund, including through investment decisions, ability to approve or disapprove decisions made by the managing partner, or unilaterally determine the compensation of the general partner, and (iv) the limited partner does not have access to material, nonpublic technical information.

Filings with CFIUS are voluntary, except for the following investments which require a prior filing with CFIUS: (i) investments in critical technology businesses operated within one of twenty-seven specific industries, as defined by the North American Industry Classification System (NAICS) codes, listed in Appendix B to Part 800 of the Final Rules, as well as (iii) investments by foreign persons in which a foreign government (other than Canada, the UK, or Australia) owns a substantial stake.  Filings related to investments in critical technology businesses were made mandatory in October 2018 when FIRMA instituted a “Pilot Program”.  CFIUS stated, however, that it expects to replace the Pilot Program system based on NAICS codes with a system based on export control licensing requirements. Even if a prior filing with CFIUS is not required, the parties should consider filing on a voluntary basis in order to avoid a possible rejection or modification of the transaction after closing.

Filings with CFIUS may require a filing fee not to exceed $300,000. Voluntary and mandatory CFIUS filings can be done by a short declaration or longer notice. Mandatory declarations must be filed 45 days before the close of a transaction. CFIUS has 30 days to render a decision on a mandatory declaration but may at that time require a full notice, which may delay the transaction substantially.  CFIUS has 130 days to decide on a notice.  Failure to submit a mandatory filing may result in a penalty of up to the greater of $250,000 or the value of the transaction.