News Detail Banner
All News & Events

Article: January 2020: What CFIUS Final Regulations Mean for Businesses

February 04, 2020
Business Litigation Reports


On January 13, 2020, the U.S. Department of Treasury, on behalf of the Committee on Foreign Investment in the United States (CFIUS), issued final rules expanding CFIUS’s authority to review foreign investments in U.S. businesses for national security concerns as mandated by the Foreign Investment Risk Review Modernization Act (FIRRMA).  These regulations, which go into effect February 13, 2020, have immediate and acute implications for U.S. and foreign businesses seeking their investment capital.  Whereas CFIUS jurisdiction was previously limited to foreign acquisitions of controlling interests in U.S. companies, FIRRMA now arms CFIUS with the ability to review acquisitions of even non-controlling interests.  Moreover, these regulations now require parties to obtain clearance from CFIUS before consummating certain deals or face the risk of civil penalties.  The elaborate regulations make it essential for businesses to have a comprehensive understanding of potential buyers’ ownership structures and to structure funds to mitigate potential CFIUS risk down the line.

What Is CFIUS?

            CFIUS is an interagency committee that conducts national security reviews of certain transactions involving foreign investments in the United States, so-called “covered transactions.”   CFIUS has the power to retroactively terminate deals, implement fines, and recommend corporate changes for covered transactions generally.  CFIUS’s authority has grown since it was created by executive order in 1975 to monitor foreign investment trends.  Most notably, in 1988, Congress authorized the President to review and block transactions resulting in foreign “control” of a U.S. business that posed a threat to national security, and the President delegated the review of these transactions to CFIUS.  In 2007, Congress codified CFIUS processes and established formal congressional oversight of CFIUS. 

            FIRRMA, which was signed into law in 2018 with bipartisan support, dramatically expanded the powers of CFIUS due to concerns over foreign countries obtaining highly sensitive or national security-related U.S. technology or data.  Prior to FIRRMA, CFIUS’s jurisdiction was limited to transactions that could result in “control” of a U.S. business by a foreign person.  For purposes of CFIUS review, “control,” continues to mean the “power . . . to determine, direct, or decide important matters affecting an entity.”  The 2018 law was motivated “to address growing national security concerns over foreign exploitation of certain investment structures which traditionally have fallen outside of CFIUS jurisdiction,” and specifically by limitations in CFIUS’s jurisdiction that allowed foreign non-controlling investments that presented national security concerns to evade review.  (U.S. Treasury Dep’t, Summary of the Foreign Investment Risk Review Modernization Act of 2018, available at  To close this loophole, FIRRMA expands the definition of a CFIUS “covered transaction” to include review of certain non-controlling investments by foreign persons, including U.S. funds with foreign investors, as well as a change that results in foreign control of a U.S. business and “any other transaction, transfer, agreement, or arrangement designed to circumvent CFIUS jurisdiction.”  (Id.  This article does not include a discussion of FIRRMA’s addition of certain real estate transactions as a “covered transaction.”).  In addition, FIRRMA’s “mandatory declaration” provision requires pre-transaction filing for certain transactions. 


Non-Controlling Investments Subject to CFIUS Review

            Under FIRRMA, CFIUS gained jurisdiction over certain transactions that give a foreign person a non-controlling interest in an unaffiliated U.S. business.  There are two key limitations: (1) the U.S. business must involve critical technology, critical infrastructure, or sensitive personal data of U.S. citizens; and (2) the investment must afford the foreign person board membership, access to nonpublic material information, or involvement in decision-making over activities that may implicate national security interests.  FIRRMA also requires CFIUS to implement regulations that define “foreign person” in the context of non-controlling investments.

  1. TID Businesses

            To qualify as a “covered transaction,” the foreign person must invest in a U.S. business that involves critical technology, critical infrastructure, or sensitive personal data of U.S. citizens.  These are referred to as “TID” businesses for short. 

            Critical Technology.  FIRRMA applies if the U.S. business produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies. The final rule, like the proposed rule, uses FIRRMA’s definition of critical technologies.  Examples of critical technologies include defense articles and defense services in the U.S. Munitions List, and items controlled pursuant to international regimes on chemical and biological weapons proliferation, nuclear technology, and “emerging and foundational technologies” controlled pursuant to section 1758 of the Export Control Reform Act of 2018. 

            Critical Infrastructure.  FIRRMA also applies if the U.S. business owns, operates, manufactures, supplies, or services critical infrastructure.  Under the rule, a U.S. business qualifies as a TID business if it performs functions for one of the 28 types of “covered investments” for critical infrastructure that are listed in Appendix A to the final rule.  (These functions relating to critical infrastructure are listed in Appendix A to the final rule, available at The final rule provides the following examples of U.S. businesses that would qualify as performing functions related to critical infrastructure:  a corporation that operates a crude oil storage facility with the capacity to hold 50 million barrels of crude oil; a corporation that provides third-party physical security for stated crude oil storage facility; and a corporation that runs third-party cyber security for stated crude oil storage facility.

            Sensitive Personal Data.  FIRRMA applies if the U.S. business maintains or collects the sensitive personal data of U.S. citizens.  Under the final rule, sensitive personal data includes defined “identifiable data” and genetic data. 

            Data constitutes “identifiable data” if it (1) is maintained or collected by a U.S. business that targets or tailors products or services to sensitive U.S. government personnel or contractors, or maintains or collects such data, or has the objective to do so, for more than one million individuals, (2) the data comprises one or more of ten categories listed in the rule (e.g., financial data that could reveal an individual’s financial distress or hardship; data relating to an individual’s health condition; non-public electronic communications; data concerning U.S. Government personnel security clearance status);  and (3) the data does not fall within a limited exception, such as data on a company’s own employees or public records. 

            In response to comments that the proposed rule’s treatment of genetic data was too broad, the final rule limits sensitive personal data to the results of an individual’s genetic tests  as defined by the Genetic Information Non-Discrimination Act of 2008.  The final rule also adds an exception for genetic testing data derived from databases maintained by the U.S. Government and routinely provided to private parties for the purposes of research.

  1. Rights the Investment Affords to the Foreign Person

            The non-controlling investment by a foreign person in a TID business is covered under CFIUS if it affords the foreign person:  access to material nonpublic technical information possessed by the U.S. business; membership or observer rights on the board of directors or the right to nominate an individual to the board; or involvement in substantive decision making of the U.S. business regarding any of the TID activities (i.e., critical technologies, critical infrastructure, or sensitive personal data).

  1. What Constitutes a “Foreign Person” and Key Exceptions

            The fundamental issue for CFIUS review comes down to whether an investment vehicle is considered a foreign person.  The rule maintains the pre-FIRRMA definition of “foreign person,” which includes any foreign government, foreign person, or foreign entity, while adding that any U.S. entity controlled by a foreign person is considered a foreign person.  The final rule limits CFIUS review of non-controlling foreign investments in U.S. entities in three important ways.  First, the rule introduces an interim rule defining “principal place of business,” for purposes of determining what constitutes a “foreign entity,” which shields entities organized offshore for tax purposes, but that are managed and operated from the United States.  Second, the rule provides an explicit carve-out for certain investment funds.  Third, the rule exempts “foreign excepted investors,” based on the entity’s connection to an excepted foreign state.  

            Principal Place of Business.  The CFIUS regulation defines a “foreign entity” any entity organized under the laws of a foreign state if either its principal place of business is outside the United States or its equity securities are primarily traded on a foreign exchange; however, the proposed rule left “principal place of business” undefined.  In direct response to comments about CFIUS’s jurisdiction over transactions by investment funds, the final rule adopts a definition of “principal place of business” as an interim rule, which will go into effect on February 13, 2020, but may be revised in response to public comments.  The rule defines principal place of business as:  “the primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.”

            But, if the entity represented in its most recent filing to the U.S. government (or a state government or any foreign government) that its principal place of business (as opposed to its place of incorporation) was outside the United States, then this location will be deemed to be the entity’s principal place of business (unless the entity can demonstrate that its principal place of business has changed since the time of the submission or filing).

            This interim definition clarifies that in many cases, U.S.-based investment fund managers that form offshore investment funds for tax, legal, or any other reason, will not be considered foreign for purposes of CFIUS as long as it is managed and controlled by U.S. persons in the United States. 

            Investment Fund Carve-Out.  Separate and apart from the exception for off-shore funds with a principal place of business in the U.S., the rule implements an exception for indirect investments by foreign persons made through an investment fund.  Such a transaction will not be subject to CFIUS review if certain conditions are met, including where:  (1) the fund is managed exclusively by a U.S. general partner, managing member, or equivalent; (2) the advisory board does not control the fund’s investment decisions or the investment decisions of the general partner, managing member, or equivalent; and (3) the foreign person does not otherwise have the ability to control the fund or access to material nonpublic technical information as a result of its participation on the advisory board or committee.

            Excepted Investor Status.  Finally, the final rule makes Australia, Canada, and the United Kingdom exempt from CFIUS’s expanded jurisdiction by affording them status as “excepted foreign states.”  The proposed rules introduced the concept of excepted foreign states, but had not yet decided which states would make the list.  An investor connected to one of these three countries may qualify as an “excepted investor.”  An excepted investor can be a (1) foreign national of an excepted state (but not also a national of a non-excepted state), (2) a foreign government of an excepted foreign state, or (3) a foreign entity that is organized under the laws of, and has its principal place of business in an excepted foreign state or the United States. 

            To qualify as excepted investor, a foreign entity must also meet several other conditions.  Several commenters lobbied for a less restrictive definition of excepted investor than what had been put forward in the proposed rule.  In response, the final rule made three modifications to the excepted investor definition.  First, the final rule permits up to 25% of an entity’s board of directors to be foreign nationals from states other than the three excepted foreign states, whereas the proposed rule did not allow any entities with even one board member from a non-excepted foreign state to be a excepted investor.  Second, the final rule relaxed the percentage ownership interest an individual foreign investor may have to be considered a excepted investor.  The percentage ownership limit was increased from 5 percent to 10 percent.  Third, the final rule decreased the “minimum excepted ownership” from 90 percent to 80 percent, meaning that 80 percent of the entity must be must owned by a person or entity falling under the definition of an “excepted investor.”

Mandatory and Voluntary Filings

            Since CFIUS has authority to review transactions even long after they are finalized, parties may make a voluntary filing for CFIUS clearance prior to consummating a transaction, which gives the deal a “safe harbor” against later review that could result in forced divestment.    FIRRMA creates a streamlined submission process that allows parties to covered transactions to submit short-form filings called declarations in lieu of a full notice.  After receiving the declaration, CFIUS will have 30 days to either approve the transaction or launch a full CFIUS review.  FIRRMA, however, also makes the filing of such declarations mandatory in certain circumstances.  Parties that fail to submit a mandatory declaration may be liable for civil penalties up to $250,000 per violation or the value of the transaction, whichever is greater. 

            The mandatory declaration requirement and the prospect of civil monetary penalties for failure to comply with mandatory filing requirement has, according to one commenter, already had “ripple effects” throughout the investment and M&A markets.  Although FIRRMA instructs CFIUS to implement regulations requiring mandatory declarations for investments by non-U.S. governments and investments targeting certain U.S. businesses, there are substantial carve-outs for investment funds that do fall under CFIUS’ jurisdiction (i.e., do not fall within one of the exceptions to CFIUS’ expanded jurisdiction as described above).

  1. Mandatory Declaration Requirement for Substantial Government Investment in TID Business

            Investments in TID businesses by non-U.S. persons in which a foreign government has a “substantial interest,” including sovereign wealth funds, must file a declaration with CFIUS prior to closing the deal.  FIRRMA instructs CFIUS to determine what constitutes a “substantial interest” by a foreign government.  The rule’s implementation of this provision requires a declaration for a covered transaction that results in a foreign entity in which a foreign government holds 49% or more voting interest obtaining a 25% or more voting interest in a TID U.S. business. 

            Importantly, in the investment fund context, the final rule clarifies that “substantial interest” applies to a foreign government’s interest in the general partner only and not limited partner interests.  This means that U.S. based businesses need not worry about CFIUS review simply because they hold sovereign wealth money as one of their limited partners.

            The requirement for mandatory declarations for transactions resulting in a substantial government interest in a TID business also provides an explicit exception for investment fund transactions that meet the following criteria:  (1) the fund is managed exclusively by a general partner or equivalent who is not a foreign person; and (2) if any foreign person has membership as a limited partner on an advisory board or committee of the fund: (i) the advisory board or committee does not have the ability to approve, disapprove, or otherwise control (a) investment decisions of the investment fund or (b) decisions made by the general partner, managing member, or equivalent related to entities in which the investment fund is invested; and (ii) the foreign person does not otherwise have the ability to control the investment fund.

  1. Implementation of Pilot Program’s Mandatory Declaration Requirement for Critical Technology

            FIRRMA authorizes, but does not require, CFIUS to mandate filings for transactions involving critical technology.  In November 2018, CFIUS implemented certain FIRRMA provisions via a “pilot program” that imposed mandatory reporting for certain foreign non-controlling investments in U.S. businesses that develop a “critical technology” that the business designs for, or uses in one of 27 targeted industries.  (These target industries are listed in Appendix B to the final rule, available at  The final rule integrates the pilot program’s mandatory declaration for critical technology. 

            In the final rule, Treasury rejected public comments asking to remove certain industries from the list of sectors for which a mandatory declaration is required.  For example, a proposal by a U.S. subsidiary of a Japanese-based biopharmaceutical firm to remove “biotechnology research and development” from the list of industries that must submit a mandatory declaration was rejected.  According to the comment, the company conducted a survey that shows CFIUS’s effect of deterring investment in U.S. firms.  More than 50% of survey respondents indicated that CFIUS would likely impact their decision to do business with the company and 32% responded that they would forego future business transactions with the company due to the CFIUS requirement.


            In light of the final rules, it is essential that businesses formulate investment strategies that build in CFIUS risk, implement processes to enable the rapid identification of which potential deals implicate CFIUS review, and to consider whether current and future investment funds can be structured to minimize the rights accorded to foreign investors.