In the digital economy, the world is flat. As a result, many businesses are at risk of being an inadvertent participant in international and cross-border transactions. Based on significant changes in cyber, privacy and investment laws in the U.S. and abroad, failure to consider international involvement can expose a business and its counsel to significant risk. Such is the case with the final CFIUS/FIRRMA regulations that become effective February 13.
If you are a U.S. business or real estate holder considering investment, ownership or financing by non-U.S. parties, you should exercise early diligence to determine if your transaction will fall within the final CFIUS/FIRRMA regulations — and you will be well advised to do so prior to entering into a letter of intent.
As background, the initial source of U.S. regulation of foreign investment was the creation of the Committee on Foreign Investment in the U.S. (CFIUS) in 1975. The 2007 Foreign Investment and National Security Act further refined the CFIUS process, provided congressional oversight and increased transparency of decisions by the Committee. The act also broadened the definition of national security and required greater scrutiny of certain types of foreign direct investment. Historically, CFIUS was limited to technology, industries and infrastructure directly involving national security. It was also a voluntary filing.
Foreign investors were quick to adapt and began structuring investments to avoid national security reviews. Despite otherwise heavy polarization, a bipartisan CFIUS reform bill moved rapidly through Congress, and on August 13, 2018, President Donald Trump signed the CFIUS reform act titled the “Foreign Investment Risk Review Modernization Act” (FIRRMA). With the corresponding speed of its passage, the U.S. Treasury Department implemented a FIRRMA pilot program less than three months later, in October 2018, creating the first mandatory CFIUS filing. On January 13, 2020, the Treasury Department released final FIRRMA regulations, which take effect February 13, 2020.
The final CFIUS/FIRRMA regulations represent an expansion of an area of law commonly referred to as “foreign direct investment” and/or “FDI.” FDI is not exclusive to the U.S., rather it has been adopted in most industrialized countries to describe and regulate non-domestic investment in domestic businesses. Anyone engaged in international and cross-border transactions should add FDI to their diligence discussions when assessing a prospective deal.
The final FIRRMA regulations apply to U.S. businesses that are involved with critical technologies, critical infrastructure or sensitive personal data — referenced in the final regulations as “TID U.S. businesses” and “TID.” Anyone engaged in international and cross-border transactions should also add TID to their diligence discussions when assessing a prospective deal.
In issuing the final FIRRMA regulations, the U.S. Treasury Department actually issued two sets of regulations to separately address TID and real estate, presumably to permit CFIUS to better address different national security concerns unique to TID and real estate.
Regulations Regarding TID Investments
The final FIRRMA regulations expand CFIUS jurisdiction to include non-controlling investments, direct or indirect, by a foreign person in certain U.S. businesses.
A covered transaction includes investments that afford the non-U.S. person with:
- Access to material non-public technical information
- Membership, observer rights or nomination rights to the board of directors or equivalent governing body of a U.S. business
- Other than voting of shares, influence or control over the (i) use, development, acquisition or release of critical technologies, (ii) management, operation, manufacture or supply of critical infrastructure, or (iii) use, development, acquisition, safekeeping or release of sensitive personal data of U.S. citizens
More broadly, the final regulations apply to non-U.S. investments in U.S. businesses that:
- Produce, design, test, manufacture, fabricate or develop one or more critical technologies
- Own, operate, manufacture, supply or service critical infrastructure
- Maintain or collect sensitive personal data of U.S. citizens in a manner that may threaten national security
The final FIRRMA regulations specify that TID includes:
- Critical technologies subject to export controls and other existing regulatory schemes, as well as emerging and foundational technologies controlled pursuant to the Export Control Reform Act of 2018.
- Critical infrastructure such as telecommunications, utilities, energy and transportation, and including businesses that own, operate, manufacture, supply or service critical infrastructure identified in an appendix to the final regulations.
- Sensitive personal data, including 10 categories of data — such as financial, geolocation and health data that can be used in a manner that threatens national security — maintained or collected by U.S. businesses that (i) target products or services to certain populations, including U.S. military members and employees of federal agencies with national security responsibilities, (ii) collect or maintain data on at least one million individuals, or (iii) have a demonstrated objective to maintain or collect data on greater than one million individuals, with integration of such in products or services.
Regulations Regarding Real Estate Investments
The final FIRRMA regulations also cover real estate proximate to government installations, pose a risk of foreign surveillance or critical U.S. infrastructure (e.g., airports and ports). Significantly the regulations broadly apply to “the purchase or lease by, or a concession to, a foreign person of private or public real estate” that is:
- Located within, or will function as part of, an air or maritime port
- In close proximity to a United States military installation, other facility or property that is sensitive based on national security
- Reasonably capable of providing the ability to collect intelligence on a sensitive U.S. government installation
- Capable of exposing national security activities, or creating a risk of foreign surveillance
The final regulations more specifically address transactions on/or around specific airports, maritime ports and military installations. Relevant military installations are listed by name and location in an appendix to the regulations. The relevant airports and maritime ports are on referenced lists published by the Department of Transportation. The regulations include real estate that is:
- Within, or will function as part of, an air or maritime port
- Within “close proximity” (defined as one mile) of certain specified U.S. military installations
- Within the “extended range” (defined as between one mile and 100 miles) of certain military installations
- Within certain geographic areas associated with missile fields and off-shore ranges
The regulations create an exception for “excepted real estate investors” based on their ties to certain countries identified as “excepted real estate foreign states” — which are currently limited to the United Kingdom, Canada and Australia — but that sunsets if those countries do not reciprocate by 2022. Other exceptions include transactions involving:
- A company holding an active U.S. facility security clearance pursuant to a Security Control Agreement, Special Security Agreement, Proxy Agreement or Voting Trust Agreement to mitigate its foreign ownership, control or influence (FOCI)
- An investment fund that is managed exclusively by a U.S. person or is ultimately controlled by U.S. nationals, or does not permit foreign control of the fund, its investment decisions or decisions regarding its U.S. investments
- An air carrier that holds a general, temporary or charter air transportation certificate
- A U.S. business that only produces, designs, tests, manufactures, fabricates or develops encryption items, software or technology eligible for License Exception under the Export Administration Regulations.
Significantly, as of February 13, CFIUS is no longer voluntary for covered transactions, and will require the filing of a CFIUS notice or a new FIRRMA declaration. The final regulations include enhanced enforcement powers and penalties, which are already being enforced, including the reversal of the deal, divestiture, mitigation and/or civil penalties up to the value of the transaction.
As a result, the final FIRRMA regulations necessitate that U.S. businesses and their counsel exercise early pre-deal diligence for investments, financing, acquisitions, mergers or joint venture opportunities to determine:
- Existence of non-U.S. investors?
- Critical or export controlled technologies?
- Involvement of sensitive personal information of U.S. citizens?
- Real estate that is or is proximate to critical U.S. infrastructure or sensitive U.S. government installations?
In closing, I would note that the U.S. is not alone. The European Union established Regulation 2017/0224 on November 20, 2018, which provided a framework for the screening of FDI in the EU. EU 2017/0224 mimics FIRRMA to protect the essential interests “of the EU and its Member States” from FDI. The U.K., Germany and France have active FDI screening mechanisms, and 14 other member states have adopted some form of foreign investment screening. Other industrialized countries, such as Australia, China and Japan, also have followed suit.
Additional information on the final CFIUS / FIRRMA regulations can be found on the Department of the Treasury’s website.
David Vance Lucas is a partner in the Huntsville office of Bradley Arant Boult Cummings LLP, where he is a member of the firm’s Intellectual Property Practice Group and leads the International and Cross Border team. Much of Lucas’ experience was accumulated as general counsel for Huntsville-based Intergraph Corp. (now Hexagon AB Group), where he garnered extensive experience in a variety of U.S. and foreign legal environments. He now advises both U.S. and foreign clients on the harmonized application of U.S., U.K. and European laws, and represents clients in various proceedings in the U.S. and abroad.