CFIUS Issues Draft FIRRMA Regulations and Invites Public Comment

On September 17, 2019, the U.S. Department of the Treasury, as chair of the Committee on Foreign Investment in the United States (CFIUS), issued long-awaited draft regulations implementing elements of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), landmark CFIUS reform legislation enacted in August 2018. The two sets of draft regulations address the expansion of CFIUS jurisdiction to include certain noncontrolling investments and a broader range of real estate transactions, as well as mandatory CFIUS filings for transactions involving businesses engaged in critical Technology, critical Infrastructure, or sensitive personal Data of U.S. citizens (collectively referred to by CFIUS as “TID”). CFIUS will accept public comments on the draft regulations until October 17, 2019; after evaluating those comments, CFIUS is expected to issue final rules no later than January 2020, with the new regulations taking effect no later than February 13, 2020.


The draft regulations were issued in two separate proposed rulemakings: one covering controlling and noncontrolling investments in U.S. businesses, and another covering real estate transactions undertaken outside the scope of investments in U.S. businesses.

How the Draft Regulations Address Key Issues in FIRRMA

In our client alert on September 4, 2019, we identified 10 key issues expected to be addressed in the FIRRMA regulations. Most, but not all of these issues were addressed in the draft regulations:

Definition of “U.S. business.”

Consistent with FIRRMA, the draft regulations define “U.S. business” as any entity—regardless of who controls it—that is engaged in interstate commerce in the United States. This definition no longer includes the proviso “only to the extent of its activities in interstate commerce” that was part of the 2008 CFIUS regulations. This exclusion theoretically expands the extraterritorial reach of CFIUS, but the examples provided with the new definition suggest that this is not CFIUS’s intent.

Definition of “control.”

Although FIRRMA expands CFIUS’s jurisdiction over certain noncontrolling investments, potentially allowing CFIUS to adopt a more precise definition of “control” applicable to other transactions already subject to CFIUS jurisdiction, the draft regulations do not do so. Instead, they largely track the 2008 CFIUS regulations, but provide additional examples of important business decisions in which a foreign investor’s potential involvement could constitute control of the business.

“Safe harbor” for foreign investments via U.S. managed funds.

FIRRMA attempts to establish U.S. fund managers as a buffer between passive foreign investors and sensitive U.S. businesses. CFIUS’s interim “pilot program” regulations mandating CFIUS filings for critical technology investments implemented the safe harbor to some extent, but left a number of key issues unresolved; these have not been addressed in the new sets of draft regulations.  The draft regulations do reiterate a previously issued clarification from CFIUS that a foreign investor’s membership on an advisory board will not, absent other factors relating to the rights of the investor or the advisory board, give rise to CFIUS jurisdiction over a “covered investment” (i.e., an investment that does not result in foreign control of a U.S. business). The safe harbor differs, however, for CFIUS jurisdiction over covered investments and mandatory filings for certain investments in TID businesses.  For purposes of CFIUS jurisdiction, it is sufficient if the foreign investor in the U.S. fund is not the general partner or managing member of the fund; presumably, the safe harbor would be available if some other foreign person were to serve as a general partner.  For purposes of mandatory filings, however, no foreign person can serve as general partner or managing member of the fund.  In either case, CFIUS has not established a definition of “foreign person” that addresses the situation in which the general partner of a fund offered by a U.S. fund management company is managed by an offshore entity managed by U.S. citizens or by a combination of U.S. and foreign nationals.


Definition of “substantial interest.”

FIRRMA mandates CFIUS filings for foreign investments in TID businesses if a foreign government holds a “substantial interest” in the non-U.S. investor; for this purpose, a substantial interest is defined as 49 percent of the direct or indirect voting interest in the foreign investor or the investor’s general partner, or 49 percent of the limited partners’ voting interests. In addition, the draft regulations use the term “substantial interest” to establish a materiality threshold for investments triggering mandatory filings under this provision; in this case, a substantial interest is 25 percent of the voting interest in the U.S. business.

Definition of “critical infrastructure.”

FIRRMA calls for mandatory CFIUS filings and expands CFIUS jurisdiction over noncontrolling investments for certain transactions in TID businesses. Congress also mandated that CFIUS limit the scope of its definition of “critical infrastructure” for these purposes. In an appendix to the draft regulations, CFIUS has identified a list of specific types of critical infrastructure as well as the related activities that, if performed by a U.S. business with respect to that infrastructure, would qualify the U.S. business as a TID business.

Proximity to U.S. government facilities

Under FIRRMA, CFIUS’s expanded jurisdiction over real estate transactions focuses on proximity to U.S. government facilities with sensitive activities. To address the different proximity issues raised by different types of facilities, the draft regulations create several categories of facilities for which different proximity limits apply. Relevant locations generally include larger airports and maritime ports, civilian airports at which military aircraft are based, military bases and training ranges. Depending on the nature of each facility and its activities, the proximity standards cover real estate transactions within the subject properties, within 1 mile of the subject properties within 100 miles of the subject properties or within 12 miles of the U.S. coastline.

CFIUS jurisdiction over “urbanized” real estate transactions.

FIRRMA gives CFIUS jurisdiction over a broader range of real estate transactions than in the past, but generally exempts “urbanized” real estate except as provided by CFIUS in regulations. In general, the draft regulations’ proximity rules, described above, will override the urbanized real estate exception. Notably, the draft regulations also exempt foreign acquisitions, leases or concessions in a multi-unit commercial office building that do not result in the foreign party controlling more than 10 percent of the building’s square footage or providing more than 10 percent of the building’s tenants.

Nexus between personal data and national security.

Under FIRRMA, certain transactions involving access to personal data of U.S. citizens that can be “exploited in a manner that threatens national security” are also subject to mandatory CFIUS filings and the expansion of CFIUS jurisdiction over noncontrolling investments. Recognizing the broad use and availability of personal data to U.S. businesses, the draft regulations limit the scope of FIRRMA’s provisions to the following types of personal data:

  • personally identifiable data collected or maintained by U.S. businesses targeting U.S. government agencies and contractors with intelligence, national security or homeland security responsibilities;
  • personally identifiable data collected or maintained by U.S. businesses on more than one million individuals or by U.S. businesses that have a demonstrated objective to do so as an integrated part of the business;
  • data on individuals’ financial distress or hardship;
  • credit report data not obtained for purposes permitted under the Fair Credit Reporting Act;
  • information submitted as part of insurance applications;
  • health data concerning individuals;
  • nonpublic electronic communications collected to facilitate third party communications (e.g., messaging applications);
  • geolocation data;
  • biometric enrollment data;
  • data used to obtain government identification cards;
  • data concerning applications for or the status of personnel security clearances; and
  • genetic information.

Personal data concerning the employees of the U.S. business, unless the employees hold U.S. government-issued security clearances, are not within the scope of the draft regulations.

Overall, this list is relatively narrow, and provides the market with much greater visibility into CFIUS’s thinking with respect to access to personal data.

Preferential treatment of investors from certain countries.

FIRRMA allows CFIUS, through regulations, to exempt certain classes of investors from the expanded jurisdiction granted to CFIUS under the new law. The draft regulations create a general framework for identifying investors receiving such treatment, but specific exemptions are unlikely to be available in the short term. First, CFIUS intends to identify “excepted foreign states,” selected from a group of eligible countries that have also have “robust” processes to assess national security risks arising from foreign investments and to facilitate coordination with the U.S. on investment security matters. The draft regulations do not include a list of “excepted foreign states.” Preferential treatment will then be available to “excepted investors,” defined narrowly on the basis of their connections to excepted foreign states and the absence of connections to countries that are not excepted foreign states. Excepted investors do not include dual nationals (if the second nationality is not of an excepted foreign state), and will not include anyone who has violated certain U.S. laws, provided material misstatements or omissions in previous CFIUS filings or violated a material provision of a CFIUS mitigation agreement. In addition, an excepted investor can lose that status up to three years after a transaction closes, if its nationality, place of organization or the nationality of any member of its board of directors changes to include a country that is not an excepted foreign state. If an investor loses its excepted status, the draft regulations authorize CFIUS agencies to initiate a retroactive review of the subject transaction.

Definition of “contingent equity interest.”

Because of the length of the CFIUS process, parties sometimes execute transactions in two steps: acquisition of economic interests prior to CFIUS clearance, and acquisition of voting or other governance rights only after receipt of CFIUS clearance. Opportunities for two-step transactions have been limited by FIRRMA’s treatment of the issuance of “contingent equity interests” as transactions immediately subject to CFIUS jurisdiction. The draft FIRRMA regulations underscore this by defining contingent equity interests more broadly than in the interim regulations issued in October 2018, though they do not include most lending transactions secured by equity securities of the borrower unless the risk of default is imminent. The draft FIRRMA regulations do allow CFIUS to disregard the rights to be acquired upon exercise, conversion or the satisfaction of other conditions if CFIUS determines that: (i) the exchange of contingent equity interests for equity interests is not imminent, (ii) the timing of the exchange is not within the control of the acquiring party and (iii) the number of equity rights to be acquired as a result of the exchange cannot be reasonably determined when the contingent equity interests are issued. This provision gives CFIUS more latitude in determining whether a transaction transfers sufficient rights to be subject to CFIUS jurisdiction, but is not likely to enable the broad use of two-step transactions.
Issues Deferred for Future Rulemaking

The draft regulations issued on September 17 note that CFIUS has deferred further rulemaking on two issues for a later date:

Mandatory filings for critical technology transactions.

CFIUS acknowledged that it has received comments on the “pilot program” regulations issued in October 2018 that established mandatory CFIUS filings for investments in U.S. businesses involved with critical technologies, but decided not to address those comments until its final rulemaking, when it will also address any additional comments relating to the new draft rules. In the meantime, the pilot program rules remain in effect. As discussed above, however, the draft regulations do cover mandatory filings for a subset of transactions already covered by the pilot program: acquisitions of substantial interests in critical technology businesses by investors in which a foreign government holds a substantial interest.

CFIUS filing fees.

FIRRMA authorizes CFIUS to begin collecting filing fees in connection with CFIUS notices, based on a transaction-specific formula to be defined in regulations. Maximum fees will be up to the lesser of one percent of the value of the transaction or $300,000 (subject to annual adjustment for inflation). The formula for determining these filing fees will be defined in future rulemaking.
Other Notable Provisions of the Draft Regulations

Mandatory filings for TID transactions.

The draft regulations establish a process requiring CFIUS filings for TID transactions in which: (i) a foreign investor acquires a 25 percent voting interest in a TID business, (ii) a foreign government holds a 49 percent interest in the foreign investor and (iii) the investment does not qualify for the safe harbor afforded indirect passive investments via U.S.-managed investment funds. Unlike mandatory filings required under the pilot program for critical technology investments (which cover a broader range of foreign investments in critical technology businesses), for which filings are required at least 45 days prior to closing, mandatory filings under the draft regulations must be made only 30 days prior to closing. The filings can be in the form of a short-form (five-page) declaration describing the transaction and parties, or the parties can submit a full notice in lieu of a declaration. If the parties choose to submit a declaration, CFIUS staff must confirm whether the declaration was completed “promptly”, and if so, distribute it to the CFIUS member agencies, who then have 30 days to complete an assessment of the declaration. As with pilot program declarations, CFIUS can clear the transaction, request a full notice, advise the parties that CFIUS cannot complete action without a full notice or self-initiate a full review of the transaction.

Anecdotally, it appears that CFIUS has cleared few transactions on the basis of declarations filed under the pilot program for critical technology transactions. The value of short-form mandatory declarations may be similarly limited for other TID transactions, given the inherent sensitivity of the subject businesses.

Voluntary short-form declarations.

The draft rules permit parties to submit voluntary, five-page declarations in lieu of a full notice for any transactions for which filings are not mandatory. As with mandatory declarations, CFIUS would provide an assessment and response within 30 days after acceptance. For transactions unlikely to attract CFIUS scrutiny (i.e., investments by non‑threatening investors—especially those with a positive CFIUS history—in businesses without a clear nexus to U.S. national security), voluntary declarations may be useful tools for obtaining CFIUS clearance is a shorter period of time. Unlike full notices, however, short-form declarations will not provide a safe harbor against subsequent CFIUS review.

The two proposed rulemakings are together more than 300 pages long, and include a great many details and nuances that will require analysis of specific facts and circumstances before they can be applied to individual transactions involving U.S. businesses and real estate.  In addition, as noted in the draft regulations, CFIUS expects to update the regulations periodically to reflect changes in technology, business practices, and the national security environment.  We advise prospective parties to monitor the development of these regulations and to consult with experienced counsel before undertaking these transactions.

1: The draft regulations also do not address whether, as suggested by the statutory language of FIRRMA, the safe harbor would be available for a passive indirect investment via a U.S.-managed fund only if the fund actually has an advisory board.  Presumably, Congress and CFIUS should be even more comfortable offering a safe harbor for indirect investments through funds that do not have advisory boards.