We are continuing to see strong interest in basic facts about CFIUS. One reason is increased CFIUS enforcement of its authorities. Another is news coverage of Chinese investment in U.S. critical technology and companies acquiring sensitive personal data. But CFIUS affects transactions far beyond Chinese investments. In fact, China is not even one of the top five countries with new CFIUS filings related to critical technology (Japan and Sweden are the top two). The Biden administration across the board is increasing its interest in protecting U.S. national security through CFIUS, including ramping up CFIUS investigations of closed transactions, including some transactions that concluded years before. The Office of Investment Security Monitoring and Enforcement spearheads CFIUS efforts to identify transactions in which the parties did not notify CFIUS and to request information from the parties to determine whether a transaction raises national security concerns.
What Is CFIUS?
The Committee on Foreign Investment in the United States (CFIUS) is a U.S. interagency committee that reviews “covered transactions”–foreign acquisitions of and investments in U.S. businesses–for national security concerns. Upon review, CFIUS can block a transaction or require the parties to alter the transaction to mitigate any national security concerns. Even if the transaction has closed, if the parties did not notify CFIUS of the transaction, CFIUS can unilaterally investigate the deal and direct the foreign investor or buyer to divest from the U.S. business if there is a national security concern that cannot be mitigated. Thus, foreign companies seeking to acquire or invest in U.S. businesses need to be aware of the potential for a CFIUS review of their transactions and to plan for future CFIUS-friendly structuring.
Historically, CFIUS maintained jurisdiction over transactions in which a foreign investor acquired a controlling interest in a U.S. business. Parties to such transactions could submit a “voluntary” notice for CFIUS review to obtain a “safe harbor” from future CFIUS intervention in the transaction if the Committee agreed that no national security concerns existed. While these notices have always been technically voluntary, not filing one leaves parties vulnerable to a CFIUS review at any time, even after a transaction has closed. This process still exists for investors to minimize risk and to obtain a safe harbor.
However, in February 2020, CFIUS jurisdiction expanded to require that investors file mandatory declarations (a shorter form filing than a notice) for certain covered transactions involving critical technologies or infrastructure or large amounts of sensitive personal data. In addition, CFIUS jurisdiction expanded to include certain noncontrolling investments, as well as real estate investments in close proximity to U.S. military installations, ports, and other locations considered sensitive for national security purposes.
What Happens if the Parties Do Not Make the CFIUS Filing?
The consequences of not filing with CFIUS can be severe. CFIUS generally seeks to mitigate any identified national security concerns. If it is unable to mitigate the concern, however, CFIUS could recommend that the U.S. President issue an executive order blocking the transaction. If the transaction has already closed, CFIUS can also recommend that the President direct the foreign investor to divest from the U.S. business.
Are There Penalties?
CFIUS may impose financial penalties ranging between $250,000 and the value of the transaction for material misstatements or omissions, negligence, or failure to comply with CFIUS the requirements, including making mandatory declarations (discussed below).
What Is the Mandatory Declaration?
Investors generally must file a mandatory declaration when:
- A foreign government will acquire a substantial direct or indirect investment in a U.S. business that produces, designs, tests, manufactures, fabricates, or develops critical technology; performs functions with respect to certain critical infrastructure; or maintains and collects significant amounts of sensitive personal data (known as a “TID business”)
- A private foreign investor makes an investment in a TID business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies for use in certain industries, and the foreign investor also has:
- Access to any nonpublic material technical information
- Membership, observer rights, or the right to nominate individuals to the board of directors, or involvement in substantive decision-making related to critical technologies, critical infrastructure, or sensitive personal data (in a TID business)
Is There an Exception for Certain Countries?
Maybe. CFIUS regulations include exceptions to the mandatory declaration requirements related to investments in TID businesses for investors from excepted countries (currently Australia, Canada, and the United Kingdom). To qualify as an excepted investor, the investor must be one of the following:
- A foreign national of an excepted state
- A foreign government of an excepted state
- An entity organized under the laws of an excepted foreign state or the United States, with a principal place of business in either, when:
- Any foreign person with 10 percent or more voting interest is a national of an excepted state or organized under its laws with a principal place of business in an excepted state or the U.S.
- 75 percent or more of both the board members and observers are either U.S. nationals or nationals of one or more excepted foreign states
What if We Are Going to Be Limited Partners?
Foreign limited partners investing in a TID business through an investment fund may be exempt from a mandatory declaration if:
- The general partner will not be a foreign person
- The firm’s advisory board will have no control of investment decisions
- The foreign person(s) will have no ability to control the fund
- The foreign person(s) will have no access to material, nonpublic technical information
Note that this is a narrow definition, and control is a very broad definition. If the foreign limited partners have negative rights, these rights may also be deemed control.
What Should I Learn About the Target Company That Might Signal if an Investment Could Trigger a CFIUS Review?
As early as possible, a foreign investor should learn the following information about the U.S. target company:
- Is the U.S. business involved in critical technology, critical infrastructure, or the collection or maintenance of sensitive personal data (as defined in the CFIUS regulations)?
- What are the export classifications for its products and technology?
- Do any of its physical locations have geographic proximity to a U.S. government facility, military base, airport, restricted airspace, or seaport?
- Does it have any direct or indirect business with U.S. government agencies, including the military? Has there been any government funding or investment, or does it provide any products or services under or connected to a government contract? Are any of its research and development activities of special interest to any government or military?
What Do I Need to Know About My Company to See if It Has a CFIUS Issue?
To address a CFIUS concern, you will need to know not only the details of your ownership structure and the nationalities of your investors but also the details of your individual beneficial owners. In completing this analysis, you must pierce all corporate veils and identify any government ownership or investment.
Can CFIUS Send Me Questions if We Are Part of a Transaction and We Don't Make a Filing or File a Notice?
Yes. The U.S. Treasury Department’s Office of Investment Security Monitoring and Enforcement leads CFIUS’ efforts to identify foreign investments in U.S. businesses in which the parties did not notify CFIUS (“non-notified” transactions); to enforce the mandatory declaration requirements discussed above; to oversee compliance with mitigation agreements; and to enforce and administer penalties for any violations. For parties choosing not to file a notice, the best guidance is to have a CFIUS analysis conducted and documented prior to completion of the transaction. If and when CFIUS does contact the U.S. business about the transaction, the parties will be ready to respond and address any potential concerns.
What Is the Difference Between the Short Form (Declaration) and the Long Form (Notice)?
The long form is voluntary, requires more information on the parties, and takes at least 45 days for the review, but can result in a safe harbor for the transaction. The short form declaration requires fewer details and could be reviewed in 30 days but could result in a requirement that you make a full filing, or in a determination that CFIUS is not able to conclude actions. In such cases, the parties will not receive a safe harbor unless they then submit a voluntary notice and CFIUS completes that longer evaluation of the transaction.
Please let us know if we can answer any specific questions.