CFIUS Final Rule Leverages Export Control Principles to Redefine Mandatory Filing Requirements
On September 15, 2020, the US Department of the Treasury issued a Final Rule comprising the latest regulation in an ongoing effort to reform the way the United States reviews and confronts the national security implications of foreign investments in US businesses. The Final Rule preserves many fundamental aspects of the preceding reforms but makes sweeping changes to the requirements for making mandatory disclosures to the US government prior to consummating certain types of foreign investments in and acquisitions of particular types of US businesses. These changes will require parties to foreign investment and acquisition transactions to undertake complex and multidisciplinary analyses to navigate a strict liability legal regime overseen by a government regulator with broad discretion to impose steep civil fines and punishing mitigation measures for noncompliance.
This alert describes the underlying reform legislation enacted in 2018 and discusses the substance and practical implications of the Final Rule, which becomes effective on October 15, 2020.
Overview: FIRRMA and the Committee on Foreign Investment in the United States
In 2018, Congress enacted the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) to address long-perceived gaps in the government’s ability to monitor and mitigate national security risks arising from foreign investments in and acquisitions of US businesses. FIRRMA attempts to close those gaps by expanding the jurisdictional reach of – and giving new tools to – the Committee on Foreign Investment in the United States (CFIUS or the Committee), an interagency body of US government agencies, departments and offices charged with the task of reviewing foreign investments in US businesses for national security issues.
Where CFIUS identifies a national security concern relating to a transaction within its jurisdiction (i.e., a “Covered Transaction”), the Committee has broad authority to suspend, modify or prohibit the transaction from closing in order to address that concern. Where a Covered Transaction has already closed, CFIUS has authority to unwind the transaction through a forced divestiture.
CFIUS assesses the potential national security implications of a Covered Transaction using a framework that considers the following principal elements:
- The threat, which is a function of the intent and capability of the foreign person to take action to impair the national security of the United States
- The vulnerabilities, which are the extent to which the nature of the US business presents susceptibility to impairment of national security
- The consequences to national security, which are the potential effects on national security that could reasonably result from the exploitation of the vulnerabilities by the foreign threat actor
FIRRMA’s key innovation is the expansion of CFIUS jurisdiction to reach noncontrolling, nonpassive foreign investments in US businesses that deal in certain ways with (i) critical technology, (ii) critical infrastructure or (iii) sensitive personal data about United States citizens. The CFIUS regulations call such companies “TID US businesses” (“T” for technology, “I” for infrastructure, “D” for data). This jurisdictional expansion marks a dramatic departure from the Committee’s historical jurisdictional reach, which was limited to transactions that could result in a foreign investor gaining “control” of a US business.
Another of FIRRMA’s innovations is the requirement for transacting parties to submit mandatory disclosures to CFIUS with respect to certain foreign investments in TID US businesses that deal in critical technology. (Prior to FIRRMA’s enactment, parties to Covered Transactions generally made CFIUS filings on a voluntary basis.) Where a mandatory filing is required but not submitted, FIRRMA authorizes CFIUS to impose civil fines on the parties in amounts up to the total value of the transaction at issue.
The Final Rule preserves the fundamental jurisdictional expansion introduced by FIRRMA but significantly modifies the requirements for making mandatory CFIUS filings through the adoption of a regulatory authorization test. These changes to the mandatory filing regime will materially alter the way US companies and their foreign investors and acquirers approach due diligence, transaction structures, risk allocation and transaction timelines.
The Final Rule: substance and detail
The Final Rule requires mandatory CFIUS filings with respect to foreign investment or acquisition transactions where the US business involved would require a US government authorization in order to export, reexport or transfer (to include release of software or technology to a foreign person anywhere) its products or technology to certain categories of foreign investors or buyers. Specifically, Section 800.401(c)(1) of the Final Rule provides that a mandatory CFIUS filing is required with respect to any covered transaction:
- involving a TID US business that “produces, designs, tests, manufactures, fabricates or develops” one or more “critical technologies”
- for which a “US regulatory authorization” would be required for the export, reexport, transfer (in-country) or retransfer of such critical technology
- to any foreign investor within the five categories of investors identified in Section 800.401(c)(1) (i.e., to any “Section 800.401(c)(1) Investor”)
As noted above and discussed below, the introduction of this regulatory authorization test represents a sweeping change to the prior mandatory filing regime. This change will require parties to foreign investment and acquisition transactions to undertake complex and multidisciplinary analyses in order to assess CFIUS jurisdiction issues and make consequential decisions regarding their transactions.
To frame the significance of the new US regulatory authorization test, it is important to note that between November 2018 (when the first regulations implementing FIRRMA came into effect) and October 15, 2020 (when the Final Rule becomes effective), mandatory CFIUS filings were assessed with reference to an industry test, which asked whether the US business receiving an investment or being acquired utilizes its technology in, or designs its critical technology for use in, certain industries listed in the CFIUS regulations (e.g., biotechnology, battery manufacturing and computer or semiconductor manufacturing).
The Final Rule disposes of that industry criterion and replaces it with a new test that asks whether a US regulatory authorization (e.g., an export license) would be required to release the TID US business’s products or technology to its foreign investor or acquirer pursuant to any of the four main US export control regimes administered by the Departments of State, Commerce, Energy or the Nuclear Regulatory Commission. More specifically, the Final Rule requires transacting parties to determine whether a regulatory authorization would be required for the “export, reexport, transfer (in-country) or retransfer” of the critical technology of the US company to the specific foreign investor or acquirer and certain other foreign persons or entities in that foreign investor’s or acquirer’s upstream ownership chain.
Unlike the comparatively simple (though somewhat ambiguous) industry test, which focuses on the business activities of the US company, the far more complex regulatory authorization test focuses on the export control classification of a US business’s products and technologies, as well as the principal place of business (for entities) or nationality (for individuals) of each of the foreign parties involved, including certain entities in the foreign parties’ ownership chains.
Practical implications for US businesses and foreign investors
Practically speaking, the Final Rule will add complexity to assessments of mandatory CFIUS filing requirements – particularly with respect to the requisite export control/regulatory authorization analysis, and determinations of whether an investor is a “foreign investor,” and if so, such investor’s specific nationality.
Increased complexity of mandatory filing assessments
Under the CFIUS regulations in effect prior to October 15, 2020, the absence of a mandatory filing requirement often could be ascertained relatively easily (e.g., by determining that the US business in question does not operate in one of 27 sensitive industries listed in the CFIUS regulations). Under the Final Rule, mandatory filing determinations require more comprehensive diligence of both the US business and the foreign investor(s) or acquirer. As discussed below, the US business may need to assess not only the products that it sells, but also (i) the technologies related to the development, production or use of those products and (ii) any technologies that are developed and tested for the US business’s internal use only. Foreign investors and acquirers may need to determine their own nationality and the nationalities of all foreign persons and entities in their upstream ownership chains.
Note that if a mandatory filing is not required with respect to a particular investment or acquisition, the parties should nonetheless consider whether a voluntary filing is warranted. (A voluntary filing may be warranted where a transaction presents colorable national security issues and the parties wish to secure CFIUS approval of a transaction to ensure against future CFIUS interference with and mitigation of the transaction.) The Final Rule does not change the analysis with respect to voluntary CFIUS filings.
The introduction of the regulatory authorization test in the Final Rule reflects an effort by CFIUS to leverage existing export licensing regimes to identify US businesses that are likely to represent potential national security vulnerabilities and to mandate CFIUS filings in certain contexts. At a conceptual level this makes sense: the export control and CFIUS regulatory regimes are focused on protecting US national security by limiting the capabilities of potential adversaries. As discussed below, however, applying existing export control regimes in a context and for a purpose for which they were not designed will certainly in many cases create practical difficulties for transacting parties.
Challenges presented by the regulatory authorization test
Existing export control regimes were designed and drafted to address issues arising from actual exports of US products and technology in the context of a specific transaction. Whether an export transaction is authorized under existing export control laws depends on the specific circumstances of the contemplated transaction, including (i) the specific commodities, software, technology or services being exported, (ii) the destinations of those exports, (iii) the identity of the recipients, and (iv) the nature of the intended end-use by the recipients.
The regulatory authorization analysis under the Final Rule, however, differs in key respects from the analysis that US companies have typically undertaken for export licensing purposes. Companies that are not mindful of these key differences may incorrectly assume that their products and technologies are not critical technology or are authorized for CFIUS purposes, and thereby subject themselves and their investors to potential fines and post-closing inquiries and mitigation from CFIUS. Some of these practical difficulties are discussed below.
- Export analyses can be complex and do not always yield definitive or consistent results: The regulatory authorization test under the Final Rule requires US businesses to classify their products and related technology for export control purposes and implicitly assumes that such analyses yield clear and correct classifications of the products and technologies at issue. The reality, however, is that export control analyses do not always result in uniform classification determinations – even between companies that develop similar products and technology. This is so because export classifications involve the application of a large body of complex, and sometimes ambiguous, regulations to often equally complex products and related technologies. To conduct this assessment with the precision demanded by the Final Rule requires deep familiarity with the specific products and technologies at issue and long experience navigating the regulations. Many companies have not undertaken such analyses, or if they have, have not done so with the requisite experience and expertise. Moreover, because proprietary products and technologies developed by companies are continually evolving, export classifications can quickly become outdated and no longer applicable to subsequent iterations of a product. Parties to Covered Transactions therefore must be careful not to simply accept prior export classifications at their face value and should instead revisit those classifications with the CFIUS regime in mind.
- Foreign investors must be prepared to assess and disclose their upstream ownership before a transaction: The regulatory authorization analysis requires an assessment of not only foreign investors that are directly investing in a TID US business, but also of any foreign individual or entity who individually holds, or is part of a group of foreign persons that in the aggregate holds, a voting interest (direct or indirect) of 25% or more in such direct foreign investor (collectively, the Owners). In order to have a complete understanding of any mandatory CFIUS requirements under the Final Rule, each direct foreign investor will need to identify and perhaps disclose its Owners during the diligence process – even if there is no intent to share the US business’s commodities, software or technology with or among the Owners.
- Investment transaction timelines often do not accommodate the time and effort required to conduct an export control classification: Export control analyses can be lengthy exercises requiring cycles of dialogue between a company’s technical personnel and export control counsel. Recognizing the complexities and ambiguities often inherent in export control classifications, existing export control regulations include mechanisms for companies to receive definitive export classifications from the US government. Such formal classifications, however, may take weeks or months to complete, making a formal classification impractical or impossible in many investment transactions. Accordingly, the Final Rule’s use of a regulatory authorization test can be expected to complicate investment transactions where an export control classification does not yield a definitive result within the tight time constraints of a transaction. To the extent possible, parties should therefore plan to build into their transaction timelines sufficient time for a regulatory authorization analysis.
- The CFIUS regulatory authorization analysis is not limited to products being exported: A regulatory authorization analysis will require companies to look beyond their product lines and to assess all commodities, software or technology that they develop, test or utilize in the course of their operations – including items that are developed solely for the US business’s internal use that bear little or no relationship to a commercial end product. Many companies naturally will not appreciate the need for such a broad analysis. Indeed, for export control compliance purposes (as opposed to CFIUS purposes), companies often focus on classifying only the products that they anticipate actually exporting. The broader analysis required in the CFIUS context may have significant implications for transaction costs and timelines, and investors should be careful not to accept at face value a US company’s representations about the results of an export control analysis.
- The CFIUS regulatory authorization analysis does not recognize many export license exceptions relied upon by exporters for compliance purposes: In the context of actual export transactions, the export control regulations recognize many exceptions to the requirements to obtain an export license. The CFIUS regulatory authorization regime, however, recognizes only three license exceptions under the Export Administration Regulations for purposes of determining whether an export license would be required to export commodities, software or technologies to a specific foreign investor, person or entity in an investor’s ownership chain. As a result, under the Final Rule, a mandatory CFIUS filing may be required with respect to an investment in a US business that has traditionally not been required to affirmatively apply for and secure export licenses for its exports. Again, investors should be careful not to accept at face value a US company’s representations about the results of an export control analysis.
Challenges presented by the foreign investor analysis
Transacting parties often will encounter similar difficulties under the Final Rule with respect to determining whether an investor or acquirer is a foreign person for CFIUS purposes. Specifically, the requirement to apply the regulatory authorization test to each foreign investor described in Section 800.401(c)(1) introduces complexities and nuances that can result in complicated outcomes. The following examples highlight some of these complexities:
- Different investors in the same US business can create different CFIUS outcomes: Prior to the effective date of the Final Rule, virtually all foreign investors receiving the same rights in a US business had the same filing requirements with CFIUS. For example, if two foreign investors – one German, one Chinese – participated in a financing in which each was afforded representation on the board of directors of a TID US business that tests critical technology and operates in a designated CFIUS industry, both investors would be required to submit a mandatory CFIUS filing. That parity of outcomes no longer applies under the Final Rule. With the shift to the regulatory authorization test, CFIUS analyses and outcomes will turn on determinations of investors’ principal place of business (for entities) or nationality (for individuals). As a result, in situations where multiple foreign investors are simultaneously investing in a US business on the same terms, parties must assess CFIUS filing requirements with respect to each investor.
- Parties must diligence investors’ nationality as well as the nationalities of entities in their upstream ownership chains: Not only must the transaction parties diligence the US regulatory authorization requirement for each foreign investor that is directly participating in a transaction, they also must look at the upstream ownership chain for each foreign investor to determine whether a mandatory filing is required for any of those upstream entities. Specifically, the parties must determine whether any foreign person individually holds – or is part of a specified group of foreign persons that in the aggregate holds – 25% or more of the voting interest of the foreign investor directly making the investment in a US business. In practice, this means that a foreign investor directly investing in a US business may have a principal place of business in a country that does not implicate a regulatory authorization requirement, but may have another foreign entity in its upstream ownership chain (e.g., a shareholder or managing director of a fund) whose different nationality does trigger a mandatory filing. The complexity of the required analysis will be directly proportional to the complexity of the investor’s structure and organization.
The application of export control principles to CFIUS foreign investment reviews, and the Final Rule’s focus on an investor-specific export control analysis, will in many cases complicate the due diligence process and change how parties to Covered Transactions address transaction structures, risk allocation and timeline issues.
Because of the potentially significant consequences of failing to make a mandatory CFIUS filing where one is required (i.e., the prospect of civil penalties in amounts up to the value of the transaction at issue), the Final Rule’s changes will cause many US businesses and foreign investors to view certain transactions as presenting higher regulatory risk than in months past. In many instances, we expect that the Final Rule will make nonpassive investments in US companies by investors from certain countries (e.g., most notably in the current climate, China) prohibitively costly or prohibitively risky.
US companies and foreign investors must factor these additional costs, risks and delays into their plans and understand their potential consequences with respect to diligence, transaction structure, negotiations, transaction timelines and even deal certainty. To help mitigate these transactional pressures, transacting parties should consider the following practical suggestions:
- Conduct (or refresh) export control classification analyses now, not when a term sheet is negotiated: For US companies (and non-US companies with US subsidiaries or operations), developing an early understanding of how their products and technologies are regulated is crucial for developing their business and attracting capital. Conducting or refreshing an export control classification and creating an export classification roadmap that considers the applicable technical controls at various stages of a company’s planned evolution of their products and technology can help companies avoid delays and CFIUS complications. Now more than ever before, CFIUS counsel must have significant export control experience to understand and advise parties on the complex issues created by the Final Rule.
- Conduct foreign person analyses now, not when a term sheet is negotiated: For investors and acquirers contemplating an investment in or acquisition of a US company (or a non-US company with a US subsidiary or operations), determining the nationality of the direct investor or acquirer as early as possible will help avoid delays after a term sheet is negotiated. Because of the breadth of the Final Rule’s conception of a Section 800.401(c)(1) investor, a foreign person analysis must take into account all persons and entities in the direct investor’s or acquirers’ upstream ownership chain.
- Consider embracing passive foreign investments where practicable – especially for high-risk investors: CFIUS does not have jurisdiction to review truly passive foreign investments in US businesses. Indeed, the CFIUS regulations recognize a passive investment safe harbor for investments involving the acquisition of 10% or less of a company’s voting interest that are otherwise consistent with a passive economic investment – e.g., an investment without board representation. US companies that deal in critical technology can minimize their CFIUS exposure by encouraging foreign investors to make such passive investments. While companies can make exceptions for specific strategic foreign investment opportunities on a case-by-case basis, a default practice of taking passive investments by foreign investors will minimize CFIUS complications and avoid the costs associated with pursuing transactions that are unlikely to not pass a national security review or that may invite a post-closing inquiry and investigation by CFIUS.
- If a transaction triggers a mandatory filing, ensure that the parties agree on the path forward: In the event parties elect to pursue a transaction that implicates a mandatory or voluntary CFIUS filing, the parties should reach agreement on a number of key issues, including the specific rights the foreign investor will receive (and when it will receive them), the effort that will be required to prepare the CFIUS filing, the information that will be required from each party, the inclusion of covenants to cooperate with the CFIUS filing, the allocation of costs, what types of mitigation parties are willing (and unwilling) to accept, and the definition of CFIUS clearance.
For questions about this alert or the CFIUS foreign investment regime generally, contact a member of the Cooley CFIUS team listed here.