Congress Reaches Agreement on CFIUS Reform Legislation Broadening National Security Reviews and Addressing Emerging Technologies
By Christopher R. Wall, Nancy A. Fischer and Matthew R. Rabinowitz
Originally published on the Pillsbury Law Blog
House and Senate negotiators have agreed on proposed reforms to the Committee on Foreign Investment in the United States (CFIUS) foreign investment review process, which has been added as Title XVII of the FY2019 National Defense Authorization Act (NDAA). The final bill makes a number of changes intended to improve the efficiency of national security reviews and investigations, although a significant increase in staff and funding will be required in order to handle the increased caseload. Importantly, outbound technology transfers in the context of joint ventures and other collaborative arrangements will not be added to the “covered transaction” definition, but will instead be addressed by U.S. export controls.
Members of Congress have discussed efforts to modernize the CFIUS process for over a year. In November 2017, members of the U.S. House and Senate introduced companion legislation entitled the Foreign Investment Risk Review Modernization Act of 2017 (FIRRMA), which would change the scope of what is considered a “covered transaction” and add a new streamlined “declaration” process. As described in our most recent blog post on the subject, differing versions of the House and Senate FIRRMA bills have surfaced over time following engagement with the White House, CFIUS member agencies, and industry stakeholders. Conference negotiators have been working on final consensus language after FIRRMA was attached to the NDAA, which was passed by the Senate last month.
Much of the statute is subject to further regulations to be developed and implemented by CFIUS. Below is a brief summary of the most significant aspects of the bill:
- Covered Transaction Definition
- The final version of the bill continues to cover all transactions in which a foreign person acquires control of a U.S. company, as reflected in current law. The bill also treats as covered transactions acquisitions of real estate in close proximity to military installations and certain other facilities.
- Competing versions of the House and Senate bill differed in their treatment of “non-passive” but non-controlling investments in sensitive U.S. companies that deal with critical technologies or critical infrastructure. The final bill contains a new category of “other investments” that would be considered covered transactions in certain circumstances. Essentially, there is a three part test for these non-controlling investments to be considered covered transactions:
- (1) Type of US Business. The investment involves a U.S. business that:
- (I) owns, operates, manufactures, supplies, or services critical infrastructure;
- (II) produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or
- (III) maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.
- (2) Type of Investment. The investment affords a foreign person:
- Access to material nonpublic technical information;
- Membership or observer rights on the board of directors; or
- Any involvement other than through voting of shares, in substantive decision making of the United States business regarding:
- Sensitive personal data of U.S. citizens;
- Critical technologies; or
- Critical infrastructure.
- Importantly, the final bill clarifies the circumstances in which transactions made by investment funds would not be considered covered transactions when they are managed by U.S. persons and foreign limited partners have no control over the fund.
- (3) Type of Country. CFIUS is required to develop regulations limiting the definition of a “foreign person” in the above context.
- Thus, while transactions involving acquisitions of control will be covered regardless of the home country of the acquirer, transactions involving “other investments” (and real estate) will only be covered for certain categories of foreign persons. In developing regulations, CFIUS is to consider “how a foreign person is connected to a foreign country or foreign government, and whether the connection may affect the national security of the United States.”
- (1) Type of US Business. The investment involves a U.S. business that:
- A new streamlined “declaration” can be filed in lieu of a formal notice. This short form process should help reduce the regulatory burden on parties who currently are required to prepare complete notifications and go through the full review process in order to receive clearance even if the transaction does not present national security concerns.
- While largely voluntary, there are circumstances in which mandatory declarations will be required.
- First, declarations will be mandatory when a foreign person in which a foreign government has a “substantial interest” acquires a “substantial” interest in any of the three types of U.S. businesses included in the “other investment” definition discussed above (e.g., critical infrastructure, critical technology, or sensitive personal data).
- Also, CFIUS may require mandatory declarations for anycovered transaction that involves a critical technologycompany.
- Filing Fees
- The final bill allows CFIUS to assess and collect a filing fee for written notices, not to exceed the lesser of 1% of the value of transaction or $300,000. Filing fees are not required for declarations, though parties would presumably be subject to the fee if CFIUS requests the parties submit a written notice following a declaration.
- CFIUS is also to study the feasibility and merits of a “prioritization fee” to prioritize the timing of CFIUS’ response to a draft or formal written notice prior to the Committee initiating its review.
- Process Improvements
- The final text requires CFIUS to provide comments on a draft notice or accept a formal notice no later than 10 business days after submission if the parties stipulate it is a covered transaction.
- The bill extends review period from 30 to 45 days, with an allowance for only one 15-day extension for an investigation in extraordinary circumstances. It is unclear whether CFIUS might still be able to request the parties to withdraw and re-file on their own accord when the review and investigation take longer than 45 days.
- Export Control Reform/Emerging and Foundational Technologies
- Title XVII includes the Export Control Reform Act of 2018, which establishes statutory authorization for the administration of U.S. export controls. This authority is currently exercised by means of annual Executive Orders issued under the International Emergency Economic Powers Act.
- In addition to authorizing current export controls, the Act would establish an interagency process to identify “emerging and foundational technologies” that would be added to the definition of critical technologies. Such emerging technologies would also be subject to export licensing requirementswith license exceptions for certain types of ordinary commercial transactions.
- Perhaps most significantly, the licensing of technology and provision of associated support, on its own, would not be considered a covered transaction subject to CFIUS review. The Commerce Department would, however, seek additional information from parties when technology transfers subject to export licensing requirements take place in the context of joint venture transactions. Of course, joint ventures would continue to be subject to CFIUS review when the joint venture involves the the contribution of a “U.S. business” and a foreign person can control the joint venture.
The revised NDAA has passed the House and is expected to pass the Senate this week. Although certain provisions will be effective immediately upon enactment, others will have delayed effective dates. This includes the new declaration process and “other investments” that would be subject to the covered transaction definition. These provisions would become effective the earlier of either 18 months after enactment of the law or 30 days after CFIUS publishes a determination in the Federal Register that the regulations, organizational structure, personnel, and other resources necessary to administer the new provisions are in place. We anticipate it taking a year or more for CFIUS to develop regulations and put the proper personnel in place to handle the increased caseload.