The U.S. Department of Treasury, Office of Investment Security issued on September 24, 2019 in the Federal Register new proposed regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). Congress enacted FIRRMA in August 2018.
Many of FIRRMA's provisions will not come into effect until Treasury’s Office of Investment Security adopts definitive or final implementing regulations. FIRRMA and the new proposed regulations open the aperture of jurisdiction and the scope of review of foreign direct investments in the United States by the multi-agency Committee on Foreign Investment in the U.S. (CFIUS).
Previously, CFIUS had jurisdiction to review inbound investment transactions (mergers, acquisitions, joint ventures) that would or could result in a foreign person gaining control of a U.S. company, and that would enable such person to pose a risk to U.S. national security. If a CFIUS review did not resolve the potential national security risks (either by finding such risks did not exist, or could be addressed by mitigation agreements), CFIUS could recommend to the President of the United States to block, suspend, or unwind the transaction.
FIRRMA and the new proposed regulations expand CFIUS’ jurisdiction to include not only transactions that could result in control of a U.S. company, but also transactions that could result in the foreign person gaining substantial influence over the decisions and activities of the U.S. person. These additionally included transactions are termed “covered investments” and they need only trigger one of several criteria to qualify for CFIUS reviews. In addition, if a proposed investment might involve acquisition of real estate that is in “close proximity” to a seaport, airport, military installation, or critical infrastructure and could be utilized to conduct surveillance or other activities that might jeopardize national security, then such transactions too now come within FIRRMA’s and the proposed regulations’ expanded jurisdiction of CFIUS reviews.
Moreover, the proposed regulations continue the provisions of a pilot program that partially implemented FIRRMA in October 2018. Prior to the pilot program, there were no mandatory reporting requirements under CFIUS. The pilot program sets criteria for certain transactions in which the parties must file a declaration of their transaction to CFIUS for a national security review, and failure to make such filing could result in significant fines.
Why is this important for members of our Cyberspace Law Committee when only some of our members advise on mergers & acquisitions, and even fewer advise on inbound foreign direct investments (by M&A or joint ventures)?
First, our CLC members tend to advise high tech companies, and they have increasingly become the subjects (or targets) of foreign direct investment. When such transactions are proposed, counsel need to alert their clients to the possible need to file a mandatory declaration or to the advisability of filing a notice of the proposed transaction for a full CFIUS review. Clients need to be so alerted as early as possible in order to ensure compliance and to protect their economic interests in the proposed transaction (whether it proceeds or “craters").
Second, among the most important information that a U.S. target of a proposed foreign direct investment needs to assess is whether the transaction might give the involved foreign persons access to (i) material nonpublic technical information (which counsel may be need to help a client identify and do a risk-based analysis of the risks of such a result) or (ii) sensitive personal data (for the same reasons). Such risks may bring the transaction within the scope of a CFIUS review.
Third, other new criteria for a CFIUS review relate to whether the U.S. company is a so-called “TID US business” (i.e., one that meets any of the following criteria: (a) produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies (as defined in the new proposed regs), (b) performs functions set out in an Appendix to the new proposed regs with respect to “covered investment critical infrastructure” (as defined in the regs), or (c) maintains or collects sensitive personal data of U.S. citizens. Clients may not be aware of these criteria, or not understand them (because they are quite complex), or may be reluctant to accept the fact that their involvement in such activities necessitates a filing of a mandatory declaration or makes a notice to CFIUS highly advisable. Counsel’s input may be crucial for a client to navigate its way through the requirements and obligations created under FIRRMA and the new proposed regs.
And, fourth, some of the required information in a voluntary notice to CFIUS involves the preparation of a “cyber security plan” to protect the U.S. company’s digital assets and resources (i.e., its computer networks, systems, data, etc.) after the completion of the transaction. Counsel with expertise in cybersecurity is needed for a filing to address this increasingly important requirement and to do so in a manner that CFIUS will find accurate and complete (which the company’s CEO or similar officer must certify to at the start and at the conclusion of a CFIUS review).
Each of those reasons highlights expertise, skills, and judgment that cyberspace law counsel can bring to the transaction, and can help a client prepare for the sometime arduous effort to prepare the filing or declaration to CFIUS and to respond to CFIUS’ written inquiries as it proceeds with its review.
We recommend that committee members obtain a copy of the proposed regulations (there are two sets, one for “covered investments” and one for real estate related transactions). Each set can be downloaded at the Federal Register website:
- “Covered Investment” regs are available: https://www.govinfo.gov/content/pkg/FR-2019-09-24/pdf/2019-20099.pdf; and
- Real Estate related regs are available: https://www.govinfo.gov/content/pkg/FR-2019-09-24/pdf/2019-20100.pdf
Read CFIUS’ explanation at the start of each set of regulations. That will alert you to the issues addressed in the new proposed regs. If you think that may be relevant for any of your high tech clients (if they become the target of a foreign direct investment), then consider becoming familiar with the new proposed regs. Waiting until the final versions are issued may require less effort, but clients will need to be aware well before then of how their corporate transactions might be affected if they might be underway and not yet completed by the date of the anticipated date for final regs (FEB 2020).