CFIUS Issues Draft FIRRMA Regulations and Invites Public Comment
On September 17, 2019, the U.S. Department of the Treasury, as chair of the Committee on Foreign Investment in the United States (CFIUS), issued long-awaited draft regulations implementing elements of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), landmark CFIUS reform legislation enacted in August 2018. The two sets of draft regulations address the expansion of CFIUS jurisdiction to include certain noncontrolling investments and a broader range of real estate transactions, as well as mandatory CFIUS filings for transactions involving businesses engaged in critical Technology, critical Infrastructure, or sensitive personal Data of U.S. citizens (collectively referred to by CFIUS as “TID”). CFIUS will accept public comments on the draft regulations until October 17, 2019; after evaluating those comments, CFIUS is expected to issue final rules no later than January 2020, with the new regulations taking effect no later than February 13, 2020.
The draft regulations were issued in two separate proposed rulemakings: one covering controlling and noncontrolling investments in U.S. businesses, and another covering real estate transactions undertaken outside the scope of investments in U.S. businesses.
How the Draft Regulations Address Key Issues in FIRRMA
In our client alert on September 4, 2019, we identified 10 key issues expected to be addressed in the FIRRMA regulations. Most, but not all of these issues were addressed in the draft regulations:
Definition of “U.S. business.”
Definition of “control.”
“Safe harbor” for foreign investments via U.S. managed funds.
FIRRMA attempts to establish U.S. fund managers as a buffer between passive foreign investors and sensitive U.S. businesses. CFIUS’s interim “pilot program” regulations mandating CFIUS filings for critical technology investments implemented the safe harbor to some extent, but left a number of key issues unresolved; these have not been addressed in the new sets of draft regulations. The draft regulations do reiterate a previously issued clarification from CFIUS that a foreign investor’s membership on an advisory board will not, absent other factors relating to the rights of the investor or the advisory board, give rise to CFIUS jurisdiction over a “covered investment” (i.e., an investment that does not result in foreign control of a U.S. business). The safe harbor differs, however, for CFIUS jurisdiction over covered investments and mandatory filings for certain investments in TID businesses. For purposes of CFIUS jurisdiction, it is sufficient if the foreign investor in the U.S. fund is not the general partner or managing member of the fund; presumably, the safe harbor would be available if some other foreign person were to serve as a general partner. For purposes of mandatory filings, however, no foreign person can serve as general partner or managing member of the fund. In either case, CFIUS has not established a definition of “foreign person” that addresses the situation in which the general partner of a fund offered by a U.S. fund management company is managed by an offshore entity managed by U.S. citizens or by a combination of U.S. and foreign nationals.
Definition of “substantial interest.”
Definition of “critical infrastructure.”
Proximity to U.S. government facilities
CFIUS jurisdiction over “urbanized” real estate transactions.
Nexus between personal data and national security.
Under FIRRMA, certain transactions involving access to personal data of U.S. citizens that can be “exploited in a manner that threatens national security” are also subject to mandatory CFIUS filings and the expansion of CFIUS jurisdiction over noncontrolling investments. Recognizing the broad use and availability of personal data to U.S. businesses, the draft regulations limit the scope of FIRRMA’s provisions to the following types of personal data:
- personally identifiable data collected or maintained by U.S. businesses targeting U.S. government agencies and contractors with intelligence, national security or homeland security responsibilities;
- personally identifiable data collected or maintained by U.S. businesses on more than one million individuals or by U.S. businesses that have a demonstrated objective to do so as an integrated part of the business;
- data on individuals’ financial distress or hardship;
- credit report data not obtained for purposes permitted under the Fair Credit Reporting Act;
- information submitted as part of insurance applications;
- health data concerning individuals;
- nonpublic electronic communications collected to facilitate third party communications (e.g., messaging applications);
- geolocation data;
- biometric enrollment data;
- data used to obtain government identification cards;
- data concerning applications for or the status of personnel security clearances; and
- genetic information.
Personal data concerning the employees of the U.S. business, unless the employees hold U.S. government-issued security clearances, are not within the scope of the draft regulations.
Overall, this list is relatively narrow, and provides the market with much greater visibility into CFIUS’s thinking with respect to access to personal data.
Preferential treatment of investors from certain countries.
Definition of “contingent equity interest.”
Issues Deferred for Future Rulemaking
The draft regulations issued on September 17 note that CFIUS has deferred further rulemaking on two issues for a later date:
Mandatory filings for critical technology transactions.
CFIUS filing fees.
Other Notable Provisions of the Draft Regulations
Mandatory filings for TID transactions.
The draft regulations establish a process requiring CFIUS filings for TID transactions in which: (i) a foreign investor acquires a 25 percent voting interest in a TID business, (ii) a foreign government holds a 49 percent interest in the foreign investor and (iii) the investment does not qualify for the safe harbor afforded indirect passive investments via U.S.-managed investment funds. Unlike mandatory filings required under the pilot program for critical technology investments (which cover a broader range of foreign investments in critical technology businesses), for which filings are required at least 45 days prior to closing, mandatory filings under the draft regulations must be made only 30 days prior to closing. The filings can be in the form of a short-form (five-page) declaration describing the transaction and parties, or the parties can submit a full notice in lieu of a declaration. If the parties choose to submit a declaration, CFIUS staff must confirm whether the declaration was completed “promptly”, and if so, distribute it to the CFIUS member agencies, who then have 30 days to complete an assessment of the declaration. As with pilot program declarations, CFIUS can clear the transaction, request a full notice, advise the parties that CFIUS cannot complete action without a full notice or self-initiate a full review of the transaction.
Anecdotally, it appears that CFIUS has cleared few transactions on the basis of declarations filed under the pilot program for critical technology transactions. The value of short-form mandatory declarations may be similarly limited for other TID transactions, given the inherent sensitivity of the subject businesses.
Voluntary short-form declarations.
The two proposed rulemakings are together more than 300 pages long, and include a great many details and nuances that will require analysis of specific facts and circumstances before they can be applied to individual transactions involving U.S. businesses and real estate. In addition, as noted in the draft regulations, CFIUS expects to update the regulations periodically to reflect changes in technology, business practices, and the national security environment. We advise prospective parties to monitor the development of these regulations and to consult with experienced counsel before undertaking these transactions.