CFIUS Has New Teeth: Foreign Investment into the US under New Level of Scrutiny

In light of recent changes to the CFIUS regulatory regime, it is imperative

that legal counsel to parties involved in transactions where foreign persons may be acquiring equity interests in US businesses pay careful attention to whether a CFIUS notification filing may be required...

In late September of 2019, the Committee on Foreign Investment in the United States ("CFIUS") published proposed rules (the "Proposed Rules") seeking to implement the provisions of the Foreign Investment Risk Review Modernization Act of 2018 ("Act"), a new piece of US legislation which expands the scope of CFIUS' coverage to include certain non-controlling investments in US businesses that implicate certain "critical technologies". The Proposed Rules significantly expand the definition of what constitutes a covered investment under the Act and clarify certain limitations imposed with respect to investments in real estate. The Proposed Rules are subject to public comment but are slated to be finalized by February of 2020.

Pre-Act

Prior to the enactment of the Act, the US Defense Production Act of 1950 empowered the President of the United States, acting through CFIUS, to retain the authority to review mergers, acquisitions and takeovers by or with any foreign person which could result in foreign control of any person or entity engaged in matters relating to national security or certain critical industries or infrastructure of the US.

The status quo prior to the Act was such that parties to a M&A deal with a relevant nexus to the US could voluntarily file with CFIUS if there was a reason to believe that the transaction could convey control of the US business to a foreign investor and could implicate US national security concerns. This voluntary filing structure remained in place

notwithstanding CFIUS' baseline right to initiate its own review, at any time, of transactions which it independently deemed to be questionable from a US national security perspective.

The Act

The Act broadens the authority of the President, acting through CFIUS, to scrutinize and possibly block US inbound deals in which foreign persons acquire minority equity stakes in any US business that "produces, designs, tests, manufactures, fabricates, or develops a critical technology that is either utilized in connection with the US business's activity in one or more pilot program industries, or designed by the US business specifically for use in one or more pilot program industries."

Post-Act

In the post-Act world, the framework for CFIUS notification and review has fundamentally changed. The Proposed

Rules now state that a covered transaction will include investments into the US from foreign persons who: (1) have

access to any material non public technical information of the US business in question; (2) enjoy membership or observer rights on the board of directors (or its legal equivalent) of the US business or the right to nominate an

individual to a position on the board; or (3) are engaged in any substantive decision-making of the US business

regarding what is now referred to as a "TID US Business."

Under the Proposed Rules, a TID US Business is any US business that (1) produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; (2) exhibits specific functionalities with respect to covered investments in certain types of critical infrastructure; or (3) maintains or collects, directly or indirectly, sensitive personal data of US citizens.

The Proposed Rules stipulate that a mandatory CFIUS filing does not have to be made by parties to a covered transaction involving a TID US Business unless a foreign government has a "substantial interest" in the acquiring party. If this condition is not met, then filings with CFIUS may remain voluntary.

Critical Technology

"Critical technology" is any technology that includes:

Defense articles or defense services included on the United States Munitions List set forth in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120-130);

Items included on the Commerce Control List set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 CFR parts 730-774) and controlled (1) pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear non proliferation, or missile technology; or (2) for reasons relating to regional stability or surreptitious listening;

Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);

Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear

equipment and material);

Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and Emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018.

Critical Infrastructure

In the context of the Act, Critical Infrastructure is defined as "a system or asset, whether physical or virtual, so vital to the United States that the incapacity or destruction of the particular system or asset of the entity over which control is acquired pursuant to that covered transaction would have a debilitating impact on national security."

Sensitive Personal Data

Sensitive Personal Data, as contemplated by the Act and the Proposed Rules refers to data that can be used to distinguish or trace an individual's identity, including through the use of a "personal identifier," such as a name, physical address, email address, social security number, phone number, or "other information that identifies a specific individual". The Proposed Rules further state that "if any party to the transaction has, or as a result of the transaction will have, the ability to disaggregate or deanonymize the data, or if the data is otherwise capable of being used to distinguish or trace an individual's identity," then such data is covered by the Proposed Rules as being personally identifiable and a trigger under the Proposed Rules.

Penalties for Non-Compliance

Parties that fail to comply with any mandatory filing requirements pursuant to the Proposed Rules can be assessed a civil monetary penalty up to the complete value of the transaction itself and can incur other harsher

sanctions and penalties in the discretion of CFIUS, including having the entire covered transaction being ordered to be unwound.

Conclusion

In light of these recent changes to the CFIUS regulatory regime, it is imperative that legal counsel to parties involved in transactions where foreign persons may be acquiring equity interests in US businesses pay careful attention to whether a CFIUS notification filing may be required.

This is important to (i) evaluate the need for a filing before significant resources are committed towards consummating a transaction, and (ii) if appropriate, include appropriate provisions addressing potential CFIUS review in the definitive deal documentation. The consequences of ignoring CFIUS, and in particular the Proposed Rules described herein, could result in significant financial penalties and, in some cases, in an entire acquisition deal being unwound.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.