Staying ahead of the game: trend of aggressive CFIUS enforcement continues

"The circumstances in which CFIUS may be interested in a transaction have widened significantly. Now more than ever it is imperative for dealmakers to think ahead, from the earliest stages of strategic planning. They must consider commercial ties to red flag countries such as China and work out whether the nature of the transaction is likely to spark CFIUS’ interest." - Jonathan Gafni, Senior Counsel, Linklaters Washington D.C.

For a number of years we have witnessed the U.S. foreign investment regime, run by the Committee on Foreign Investment in the United States (CFIUS), gradually broaden in scope and become tougher in effect. Last year the adoption of the Foreign Investment Risk Review Modernization Act (FIRRMA) significantly expanded the reach of the U.S. foreign investment (See our Insights). It is no secret that this change was made with Chinese investment particularly in mind.

Since then, developments have continued apace. In particular, we have seen:

(i) enforcement of mitigation orders in an unprecedented way;

(ii) continued broadening of the definition of “national security”, particularly as it relates to personally identifiable information; and

(iii) exercise of CFIUS’ authority to unwind transactions years after completion and to scrutinise non-notified transactions.

We look at these developments in more detail below and offer some practical guidance for businesses investing in the U.S.

Enforcement of mitigation agreements

CFIUS recently announced that in 2018 it imposed a US$1 million civil monetary penalty on an unnamed entity for “repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS”. This is believed to be the first fine of its kind.

In the same announcement, CFIUS referred to its authority to initiate unilateral reviews under the Defense Production Act.  This can be read as a signal that CFIUS reserves the right to re-open cases for previously reviewed transactions based on breach of a mitigation agreement.

The recent FIRRMA CFIUS amendments addressed the need for enforcement of mitigation agreements. We expect CFIUS to continue to enforce compliance with mitigation agreements, especially for material breaches.

Also note that FIRRMA authorised additional funding for CFIUS enforcement. This would include monitoring mitigation agreements, for which CFIUS is developing a dedicated staff function. Although minor breaches may not invite a monetary penalty, transacting parties should not expect to receive CFIUS clearance through a mitigation agreement and receive a free pass on compliance. The additional funding and monetary fine may signal an increase in monitoring of unfiled transactions.

Personally identifiable information in the spotlight

Earlier this year, CFIUS reportedly ordered Beijing Kunlun Tech Co. Ltd to sell its interest in Grindr LLC, years after completion of the transaction. It is understood that CFIUS was concerned with Kunlun’s access to sensitive personally identifiable information (e.g. sexual preferences, medical information, messages, etc.) of U.S. citizens. PII has become a key area of concern in recent years.

This action by CFIUS is notable for two main reasons: (i) it is still quite rare that CFIUS requires a foreign party to divest the whole of a U.S. business; and (ii) it is extremely rare that it intervenes on a consummated transaction.

In January 2018, CFIUS reportedly blocked China’s Ant Financial’s acquisition of MoneyGram due to concerns over PII.

It’s not just Chinese buyers

CFIUS’s recent aggressive enforcement trend has affected the conduct of non-Chinese buyers as well. At the end of July, Pamplona Capital Management, a private equity firm backed by Russian investors, reportedly tried to sell its 47 percent interest in cybersecurity firm Cofense Inc. at the behest of CFIUS.

Even looking beyond U.S. adversaries China and Russia, Japan’s SoftBank Group Corp reportedly gave up board seats, access to sensitive information, and took more passive roles to pass CFIUS muster for its technology deals.

SoftBank’s technology deals have focused on sectors such as AI, self-driving technologies, data analytics, etc. These sectors potentially implicate critical technologies under CFIUS regulations. Notably, the Department of Commerce is currently finalising its list of emerging technologies to include, for instance, self-driving technology and AI, which will be explicitly relevant to the CFIUS risk analysis once final.

SoftBank reportedly hopes to alleviate CFIUS’s concerns with more passive roles. For example, SoftBank’s 16 percent stake in Uber entitled it to two board seats. CFIUS has reviewed this investment, but SoftBank reportedly has not kicked off the formal review of the two board seats. As of the recent Uber IPO, SoftBank had yet to take these seats.

Staying ahead of the game

If you are a foreign investor in the U.S. here are some top practical tips in respect of the CFIUS regime:

  • First, it is more productive to view CFIUS as a collaborative process than as an adversarial one. CFIUS ultimately holds all the cards, so it is best for clients to embrace the process, be transparent in their disclosures, and pursue reasonable solutions that meet both commercial needs and the national security objectives of the government.
  • Next, it is important to engage early. Do proper diligence as early as possible of both the investor and the target to enable counsel to anticipate possible threats, vulnerabilities, and CFIUS reactions.
  • Finally, make sure that deal documentation properly protects your interests relating to CFIUS. This includes appropriate representations, efforts covenants, and termination provisions.