On January 13, 2020, the U.S. Department of Treasury issued final regulations (the "Final Rules") that implement most of the Foreign Investment Risk Review Modernization Act of 2018 ("FIRRMA"). While the Final Rules provide some important clarifications to the proposed rules (the "Proposed Rules") issued on September 17, 2019 (see our alert here), the Final Rules are largely consistent with the Proposed Rules. The Final Rules go into effect on February 13, 2020.
Prior to the enactment of FIRRMA, the authority of the Committee on Foreign Investment in the United States ("CFIUS") to conduct national security reviews of foreign investment in the U.S. was generally limited to control investments by "foreign persons" in U.S. businesses. FIRRMA represents a significant expansion of CFIUS's jurisdiction. CFIUS can now review certain non-controlling investments in U.S. businesses by foreign persons that (i) are involved with "critical technologies", (ii) own, operate, manufacture or supply or provide services to "critical infrastructures" or (iii) collect or maintain "sensitive personal data", in each case, if such investments afford foreign persons certain rights (as described below). CFIUS will also have jurisdiction to review certain "covered real estate" transactions by foreign persons if the relevant real estate is in close proximity to U.S. military installations or sensitive U.S. government facilities, or within or part of an airport or a maritime port.
The Final Rules were issued in two parts: 31 CFR Part 800 - Provisions Pertaining to Certain Investments in the United States by Foreign Persons and 31 CFR Part 802 - Provisions Pertaining to Certain Transactions in the United States by Foreign Persons Involving Real Estate. Ten key takeaways for where FIRRMA has landed are discussed at length below, but first, for those who have been following CFIUS developments over the last two years, immediately below are some of the noteworthy updates to the Proposed Rules.
Key Updates to the Proposed Rules
(i) Commentary and examples clarifying that certain updates to the definition of "U.S. business" in the Proposed Rules was not meant to expand the extra-territorial scope of what has traditionally been thought to be a U.S. business;
(ii) Adoption of an interim rule with a nerve center test for the definition of "principal place of business" (this definition is important in determining whether an entity is a "foreign person" under FIRRMA);
(iii) An exception from the mandatory CFIUS filing requirements in respect of businesses developing encryption technology for the mass markets and other non-sensitive uses (this exception is meant to address potentially unnecessary CFIUS filings related to businesses that generally present a low national security risk profile);
(iv) A narrowed definition of "substantial interest" in respect of entities with a general partner or similar managing fiduciary to focus on the relevant foreign government's ownership of the general partner and not the investing entity itself (this narrowing should help to limit the applicability of the "substantial interest" mandatory filing requirements); and
(v) Identification of Australia, Canada and the United Kingdom (including Northern Ireland) as "excepted foreign states" (investors from these jurisdictions are potentially exempt from certain FIRRMA requirements).
Where FIRRMA Landed: Ten Key Takeaways
1. Jurisdiction (potential CFIUS review) vs. mandatory filings
While CFIUS's jurisdiction has been greatly expanded under FIRRMA, the instances in which a mandatory CFIUS filing is required are generally limited to (i) foreign person investment in TID U.S. Businesses (defined below in Takeaway #5) involved in critical technologies (see discussion in Key Takeaway #7 below) and (ii) foreign government "substantial interest" transactions in a TID U.S. Business (see discussion Key Takeaway #8 below). However, CFIUS's jurisdiction to review foreign non-control investments in TID U.S. Businesses and certain real estate transactions is now quite broad (but importantly, the filing regime for these foreign non-control investments is voluntary). These topics are covered in detail below.
2. What Qualifies as a U.S. Business?
A key part in determining the applicability of CFIUS to a transaction is whether the target company is a U.S. business. Prior to the Proposed Rules, a "U.S. business" was defined under FIRRMA "as any entity engaged in interstate commerce in the U.S., but only to the extent of its activities in interstate commerce." Under the Proposed Rules this proviso was omitted, causing concern that CFIUS was attempting to expand its extra-territorial reach to non-U.S. entities with little nexus to the U.S. Through commentary and examples in the Final Rules, CFIUS clarified that this was not its intent and the traditional scope of what constitutes a U.S. business continues to apply.
3. Who is a Foreign Person?
Another key part in determining the application of CFIUS to a transaction is whether a party to a transaction (and/or its control person and/or indirect owners) are in fact foreign persons under CFIUIS. A "foreign person" is generally defined as any foreign national, foreign government or foreign entity (whereby an entity controlled by a foreign national, foreign government or foreign entity is also a foreign person). Under the proposed rules a foreign entity was defined as any entity "organized under the laws of a foreign jurisdiction" if either "its principal place of business is outside of the U.S. or its equity securities are primarily traded on a foreign exchange". However, the Proposed Rules did not define "principal place of business". As part of the Final Rules, CFIUS has proposed the following interim definition (comments are being accepted until February 15, 2020).
"the primary location where an entity's management directs, controls, or coordinates the entity's activities,
or, in the case of an investment fund, where the fund's activities and investments are primarily directed,
controlled, or coordinated by or on behalf of the general partner, managing member or equivalent."
However, the interim definition also provides that if an entity's most recent filing with or submission to a U.S. government or a non-U.S. government it has identified its principal place of business, principal office and business, address of executive offices, address of headquarters or equivalent of any of the foregoing as being outside the U.S., such location is deemed to be the entity's principal place of business unless the entity can demonstrate that such location has changed to the U.S. since such filing or submission. Thus, careful consideration should be made when making any such filing or submission to ensure the entity is not jeopardizing (without good reason) its non-foreign person status under CFIUS.
As a general matter, this clarification should provide some certainty to U.S. based investment fund managers that form offshore investment funds and other investment vehicles to accommodate tax, legal, regulatory or other reasons (but still direct and control the entity's activities from within the U.S.) that the jurisdiction alone of such vehicle is not determinative of its foreign person status. Non-U.S. investment fund managers, on the other hand, are likely to continue find it challenging for the investment funds they manage to avoid being deemed a foreign person under this test.
Separately, investment vehicles formed in any jurisdiction (including the U.S.) may be deemed foreign persons under FIRRMA to the extent they are ultimately controlled by foreign nationals. This is a fact specific analysis.
4. CFIUS can still review "control" transactions
As discussed above, the Final Rules maintain CFIUS's jurisdiction to review any investment in any U.S. business (referred to as "covered control transactions" in the rules) where a foreign person obtains "control" of the U.S. business. Control is broadly defined and could be triggered even where the foreign investor holds a small minority stake in the business (if for example, the investor retains the right to dismiss senior executives, terminate significant contracts or select new business lines).
5. CFIUS's expanded jurisdiction allows it to review non-control investments in "TID U.S. Businesses"
CFIUS's jurisdiction has been expanded to cover certain non-controlling equity investments in U.S. businesses that (i) are involved with "critical technologies", (ii) own, operate, manufacture or supply or provide services to "critical infrastructures" that are so vital to the U.S. that the incapacity or destruction of such systems or assets would have debilitating impact on national security, or (iii) collect or maintain "sensitive personal data" that may be exploited in a manner that threatens to harm national security (each, a "TID U.S. Business"). Any such direct or indirect foreign investment in a TID U.S. Business (referred to as a "covered investment" in the rules) is subject to CFIUS's jurisdiction if such investment affords a foreign person:
(i) access to "material non-public technical information";
(ii) membership or observer rights or the right to nominate an individual to the board; or
(iii) rights to involvement, other than through voting of shares, in the "substantive decision-making" of the TID U.S. Business with respect to the sensitive personal data, critical technologies or critical infrastructure at issue.
Critical Technologies. "Critical technologies" include: (i) (a) defense services and articles controlled by the International Traffic in Arms Regulations, (b) items controlled by the Export Administration Regulations for reasons related to national security, chemical and biological weapons proliferation, nuclear nonproliferation, missile technology, regional stability, surreptitious listening, (c) specially designed nuclear components, parts and technology, (d) nuclear facilities and equipment and (e) select agents and toxins, in each case, either utilized in connection with or designed for one of the twenty-seven industries identified by CFIUS (the list is included at the end of this alert) and (ii) "emerging and foundational technologies," as defined in the Export Control Reform Act. The full range of emerging and foundational technologies has not yet been defined by the Commerce Department, though the department has indicated it will release regulations on a rolling basis. A November 2018 notice from the Commerce Department indicated that emerging technologies was likely to include, among others: biotechnology (including nanobiology and genomic and genetic engineering), artificial intelligence (including neural computing, computer vision, speech and audio processing, and natural language processing), additive manufacturing (including 3-D printing), navigation and timing (including self-driving car technology), microprocessor technology, robotics and quantum computing.
CFIUS will provisionally continue to utilize the North American Industry Classification Codes System ("NAICS") to determine whether a business is involved with one of the twenty-seven critical technologies. However, CFIUS has indicated that in the future (pursuant to further rule making) the determination of a technology as a critical technology will instead relate to the technology's status under U.S. export control licensing requirements. CFIUS has not provided any further details on how this approach would be implemented but it appears that the intent is to help avoid capturing technologies that are not actually sensitive.
Critical Infrastructure. A "critical infrastructure" investment is generally an investment in a U.S. business that owns, manages, operates, manufactures, supplies, or provides services (referred to as "functions related to critical infrastructure" in the rules) to critical infrastructures, including, certain defense industrial base sectors, telecommunications, energy, transportation, financial services and public water and waste systems. The Final Rules provide an appendix (reproduced at the end of this Alert) that sets forth the combinations of the twenty-eight categories of "critical infrastructures" and "functions related to critical infrastructure" that potentially constitute a TID U.S. Businesses.
Sensitive Personal Data. A "sensitive personal data" investment is generally an investment in a U.S. business that maintains, collects, or has a demonstrated business objective to collect "identifiable data" (generally, data that can be used to identify a person of a type falling within one of the ten categories set forth below) of more than one million people, or tailors its product to U.S. executive branch or military personnel. The applicable "identifiable data" categories include: (i) data that could be used to determine a person's financial distress, (ii) data contained in a consumer report (unless limited data is obtained from a consumer reporting agency for purposes described in the Fair Credit Reporting Act), (iii) data contained in insurance applications, (iv) data that relates to a person's physical, mental or psychological well-being (i.e., health information), (v) non-public electronic communications, including, email messaging, or chat communications between or among users of a U.S business' products or services (if the U.S. business is providing communications platforms used by third parties), (vi) geolocation data, (vii) biometric enrollment data (e.g., facial, voice, retina and fingerprints), (viii) data stored and processed for generating state and federal identification cards, (ix) data concerning U.S. government personnel security clearance and (x) data in an application for U.S. government security clearance. However, regardless of the amount of data collected or maintained, who is targeted by the business or if the data falls within one of the ten categories set forth above, data that consists of the results of genetic testing results and genetic sequencing constitutes "sensitive personal data" (however, under the Final Rules, CFIUS clarified that data from an individual's genetic test obtained from databases maintained by the U.S. government and routinely provided to private parties for purposes of research is exempted). Information that an employer maintains with respect to its own employees (unless the information is about U.S. Government contractor security clearances) generally does not constitute sensitive personal data.
6. Investment fund safe harbor for "covered investments" in TID U.S. Businesses
The rules contain a safe harbor for indirect "covered investments" of foreign persons in a TID U.S. Business through a private investment fund. An investment fund generally does not trigger a filing as a result of such indirect investment if:
(i) the fund is exclusively managed by a general partner (or equivalent);
(ii) the general partner is not a foreign person (note that, among other reasons, the general partner could be a foreign person if it is controlled by foreign nationals);
(iii) the advisory board of committee does not have the ability to approve, disapprove, or otherwise control investment decisions of the fund or the decisions of the general partner;
(iv) the foreign person does not otherwise have the ability to control the investment fund;
(v) the foreign person does not have access to material nonpublic technical information; and
(vi) the investment does not give the foreign person any of the rights, access, or involvement described above for covered investments.
Importantly, a waiver of a potential conflict of interest, waiver of an allocation limitation, or a similar activity, applicable to a transaction pursuant to the terms of an agreement governing an investment fund shall not constitute control of investment decisions of the investment fund or decisions relating to entities in which the investment fund is invested, subject to exceptions in extraordinary circumstances.
Separately, notwithstanding the benefits provided by the safe harbor for investment funds to avoid CFIUS jurisdiction as a result of the foreign person status of its limited partners, CFIUS jurisdiction could be triggered for other reasons, for example, if the investment fund itself is a foreign person and is afforded the rights described in clauses (i)-(iii) under Key Take Away #5.
7. Mandatory filing scenario #1 – critical technologies (Pilot Program carried forward)
The Pilot Program mandatory filing regime expires on February 12, 2020. However, the substance of the Pilot Program is largely carried forward in the Final Rules. Under the Final Rules, CFIUS mandatory filings will continue to be required for a "covered investment" by a foreign person in a TID U.S. Business or transactions resulting in foreign control of a TID U.S. Business, in each case, if such business produces, designs, tests, manufactures, fabricates, or develops critical technologies that are either utilized in connection with or designed for such businesses' use in one of the Pilot Program's twenty-seven industries.
However, under the Final Rules, mandatory critical technology filings are not required under the following scenarios:
(i) a "covered control transaction" or a "covered investment" by an "excepted investor" (see the "white list" discussion in Key Takeaway #10 below);
(ii) a "covered control transaction" or a "covered investment" in which the foreign person's direct or indirect investment in the critical technology TID US Business is subject to an agreement with a cognizant security agency to offset foreign ownership control or influence (a FOCI) and operating pursuant to a security clearance;
(iii) a "covered control transaction" or a "covered investment" by an investment fund (a) that is exclusively managed by a general partner or equivalent, (b) the general partner is exclusively controlled by U.S nationals or is not a foreign person and (c) the investment fund otherwise satisfies the investment fund safe harbor (described above); and
(iv) a transaction that is a "covered investment" in a critical technology TID US Business solely because the technology is eligible for export or transfer pursuant to EAR Part 740.17 (i.e., the relevant encryption technology is a critical technology but is available to the general public and used for non-sensitive purposes).
8. Mandatory filing scenario #2 - a foreign government acquires a substantial interest
Under the Final Rules, a mandatory CFIUS filing is only required under this test if a foreign person acquires 25% or more of the voting interests in a TID U.S. Business and, in turn, a national or subnational government of a single foreign state (other than an "excepted foreign state" - see the "white list" discussion in Key Takeaway #10 below) holds 49% or more of the voting interests in that foreign person (referred to as a "substantial interest" in such TID U.S. Business). The Final Rules clarify that if the entity is a partnership, the substantial interest test is only applicable if the foreign government holds owns 49% or more of the voting interests of the entity's general partner.
However, under the Final Rules, mandatory substantial interest filings are not required under the following scenarios:
(i) a "covered control transaction" or a "covered investment" by an investment fund (a) that is exclusively managed by a general partner or equivalent, (b) such general partner is not a foreign person and (c) the investment fund otherwise satisfies the investment fund safe harbor (described above); and
(ii) a "covered control transaction" in an air carrier (as defined in 49 U.S.C. 40102(a)(2)) that holds a certificate issued under 49 U.S.C. 41102.
9. Application to real estate transactions
Under part 802 of the Final Rules, CFIUS will have jurisdiction over the purchase or lease by, or concession to, a foreign person of "covered real estate" if the foreign person obtains three or more of the following property rights: (i) the right to physical access, (ii) the right to exclude others, (iii) the right to improve or develop the property or (iv) the right to attach fixed or immovable objects. Covered real estate generally includes real estate that is physically within or functionally a part of an airport or a maritime port (a "covered port"), or close to U.S. military installations and other sensitive government facilities. CFIUS appears to be concerned with, among other things, the ability of foreign persons to collect intelligence and the risk of exposing sensitive activities. The rules provide for certain exceptions related to single housing units, retail trade and food services, commercial office space, the extension of a mortgage or similar financing for a foreign person to acquire covered real estate and real estate within urban areas or urbanized clusters.
10. Excepted foreign states and excepted investors – the "white list"
The Final Rules include the adoption of a "white list" whereby governments, nationals and entities ("excepted investors") from "excepted foreign states" are excluded from CFIUS's expanded jurisdiction over (a) non-control TID U.S. Business transactions (i.e., "covered investments") and (b) certain real estate transactions (i.e., "covered real estate" transactions) and excepted from "critical technology" and "substantial interest" mandatory filing requirements described above; however, excepted investors remain subject to traditional CFIUS jurisdiction to review "covered control transactions".
The initial list of excepted foreign states is limited to Australia, Canada and the United Kingdom (including Northern Ireland), all of which are close U.S. allies and have robust intelligence sharing arrangements with the U.S. While CFIUS left open the possibility of expanding the list of excepted foreign states, it is unclear if or when additional countries will be added.
The criteria for an entity to be an excepted investor is complex and requires a detailed analysis. In general, the following criteria must be met:
(i) the foreign entity is organized in an excepted foreign state or the U.S.;
(ii) the foreign entity must have a principal place of business in an excepted foreign state or the U.S.;
(iii) 75% of the members (and observers) of the foreign entity's board of directors (or similar body) must be U.S. nationals or nationals from an excepted foreign state;
(iv) all foreign person investors with an equity interest of 10% or more of the outstanding voting interests of such entity (or that hold the right to 10% or more of the profits of such entity or that otherwise could exercise control over such entity) must be (a) a foreign government from an excepted foreign state, (b) a national from an excepted foreign state or (c) a foreign entity organized in an excepted foreign state that has a principal place of business in the U.S. or an excepted foreign state; and
(v) the "minimum excepted ownership" of such entity must be held by (a) non-foreign persons, (b) foreign nationals from an excepted foreign state, (c) a foreign government from an excepted foreign state and/or (d) foreign entities organized in an "excepted foreign state" with a principal place of business in an excepted foreign state or the U.S.
"minimum excepted ownership" generally means: 80% of the voting interests and a right to 80% of the profits of the entity (or in each case, a majority with respect to a publicly traded company).
The Final Rules also identify certain disqualifying events for "excepted investors" including violations of CFIUS requirements, OFAC and other anti-money laundering laws and other U.S. laws and regulations. There is no process for CFIUS to provide an ex ante determination of whether a particular investor is an excepted investor. Therefore, parties have to rely on their own assessments of whether they meet the criteria.
Part 802 includes an identical list of "excepted real estate foreign states" and similar rules for "excepted real estate investors."
As expected, consistent with the FIRRMA legislation enacted in 2018, the adoption of the Final Rules represent a substantial expansion of CFIUS's jurisdiction. While the Final Rules contain certain exceptions and clarifications that are expected to help minimize the impact of CFIUS compliance in some respects, we expect that FIRRMA will continue to be a key issue that will require a fact specific analysis of individual transactions and parties thereto, and to the extent practicable, investors will consider taking steps to avoid being deemed a foreign person under CFIUS (in particular, investors who could potentially invest in critical technologies or otherwise be subject to mandatory CFIUS filings). We will continue to monitor any developments related to FIRRMA and its implementing rules, including further interpretations and/or enforcement by CFIUS of the rules.
 The term "control" is used throughout FIRRMA and is very broadly defined (generally, as the power to determine, direct or decide important matters of the business). Control is a key concept in determining whether a transaction is potentially subject to CFIUS jurisdiction (including, at the target company level, examining whether rights afforded to a foreign person potentially constitutes control under FIRRMA and, at the investing entity level, determining among other things, the foreign person status of such entity under FIRRMA.
 What constitutes a "TID U.S. Business" is described in detail below. The acronym TID stands for Technology, Infrastructure and Data business.
 However, an entity that is a foreign entity as a result of the above test may be able to avoid being considered a foreign entity under FIRRMA if it can demonstrate that a majority of the equity interests in such entity is ultimately owned by U.S. nationals.
 "[S]ubstantive decision-making" under the rules is defined as the process through which decisions regarding significant matters affecting an entity are undertaken. The rules provide a non-exhaustive list of the types of significant matters that are covered: (1) involvement in decisions related to pricing, sales and contracts, (2) corporate strategy and business development, (3) research and development, (4) manufacturing locations, (5) access to critical technologies, material non-public technical information or sensitive personal data, (6) physical and cybersecurity protocols, (7) establishment or maintenance of architecture of information technology used in collection or maintaining sensitive personal data, (8) practices and policies regarding collection use or storage of sensitive personal data and (9) strategic partnerships. The rules clarify that strictly administrative decisions do not constitute substantive decision-making.
Click here to view Appendices which include: Appendix B to Part 800 – Industries (27 Critical Technology Industries); and Appendix A to Part 800 – Covered Investment Critical Infrastructure and Functions Related to Covered Investment Critical Infrastructure