Update on CFIUS Developments

Update on CFIUS Developments

May 7, 2019, Covington Alert

We are writing to provide an update on the current trends and operations of the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”). Approximately nine months after the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) and six months into the Critical Technology Pilot Program (“the Pilot Program”)—and several months before the Committee is expected to release its proposed rulemaking to fully implement the new authorities under FIRRMA—we think it is an opportune time to reflect on the current environment in CFIUS by posing and answering six key questions that we see arising frequently:

1. How has CFIUS evolved since the enactment of FIRRMA, and is it harder now to get deals through?

While CFIUS overall remains open to investment, there are several developments since the enactment of FIRRMA that have made the dynamic somewhat more challenging than in the period before FIRRMA. First, certain agencies that historically have had economic responsibility and have championed open investment in the CFIUS process are now squarely applying a more cautious, security-oriented view toward transactions, particularly any transaction that may have a nexus with China. This dynamic started to come into focus before the passage of FIRRMA, but it has increased in intensity and force over the last nine months. As a result, the Committee generally is risk-averse, even more than it was prior to the passage of FIRRMA.

Second, the staff at various CFIUS agencies continue to confront bandwidth challenges as they balance their caseload with additional responsibilities, including the development of the FIRRMA regulations, and as turnover among staff has persisted since FIRRMA. Even with the significant staff augmentation we are seeing at the United States Department of the Treasury (“Treasury”) and the other agencies, CFIUS is stretched thin with its competing priorities. This reality, coupled with the more general risk aversion in the Committee, is resulting in the persistence of drawn-out timelines for most matters subject to a full review by the Committee, and especially those that have any complexity at all and may require mitigation.

With that said, for the vast majority of transactions, the substance of the process is not materially more difficult than prior to the passage of FIRRMA, but parties do need to thoroughly plan and prepare to make their CFIUS reviews as productive and efficient as possible.

2. What does the overall timeline currently look like for a CFIUS process, and how, if at all, can that timeline be shortened?

Given the dynamics within the Committee, as noted above, we generally are cautioning parties to expect the timeline between signing a transaction and commencing planning for a CFIUS review, on the one hand, and the completion of the CFIUS process, on the other hand, to take approximately five to six months. This includes the time necessary to assemble the filing and supporting materials, share the draft filing with Treasury, engage in pre-filing discussions with Treasury, get the filing accepted by the Committee, and then proceed with the formal review and investigation periods, which each last 45 days. This is not a hard-and-fast rule, however. Complicated matters may still require one or more refilings that reset the 90-day statutory clock and lengthen the Committee’s review. At the same time, Treasury, as CFIUS chair, has been pressing agencies to clear less complicated matters at the conclusion of the review phase, and we have seen progress towards that end on easier cases.

3. How is the Critical Technology Pilot Program (“the Pilot Program”) working? What transactions are being declared, and what are the results from the declaration process?

As a general matter, the Critical Technology Pilot Program—which mandates short-form declarations for certain investments by any foreign person in certain businesses involved with critical technologies in any one of 27 sectors—has not resulted in a flood of declarations or filings, and also has not been an avenue to significantly expedite the CFIUS process for most transactions. While the Pilot Program is quite broad, many transaction parties, especially those involving China, are not taking the rights that would trigger the Pilot Program, and many others have elected to file formally rather than go through the declaration process. For those transactions that have been “declared,” rather than formally filed, the predominant outcomes from CFIUS are either a request for a formal filing or advising the parties that CFIUS was unable to complete action, which neither provides the parties with the legal certainty of a CFIUS approval nor requires them to file formally. For the small minority of transactions that are approved through the declaration process (approximately ten percent), the Pilot Program provides the shortest route—45 days between signing and closing—to receiving approvals.

There are several reasons why the Pilot Program is not resulting in many transactions being “approved” during the declaration phase. A principal reason, though, is that the declaration process does not include all of the information that CFIUS receives and gathers during a full review—in particular, it does not include the full “threat” report that otherwise is produced by the U.S. intelligence community in connection with a full review. If a buyer has been through CFIUS before, we understand that information from the prior threat report(s) is shared with the Committee, but a new threat report generally is not produced. Thus, under the Pilot Program, the Committee really is only taking a quick look at high-level information—a dynamic that, in the context of a process that is fundamentally about risk identification and mitigation, and that is driven by national security professionals, naturally lends itself to more conservative and risk-averse outcomes: namely, requests for full filings or a reluctance to “approve” even if there are no indication of concern.

With that said, we do expect that the Committee will learn from the Pilot Program, and will apply the lessons in a fashion that will make the voluntary declaration process under the full regulations implementing FIRRMA more meaningful.

4. How are concerns about China factoring into the process? Is there an outright ban or at least a presumptive “no” for any investment from China?

There is no question that concerns about China are driving many aspects of the CFIUS process, even for transactions that do not involve any Chinese party. For many transactions, and especially those in key industries, such as semiconductors and telecommunications, CFIUS will analyze the transaction through the lens of how it will advance or impair U.S. competitiveness vis-à-vis China in that industry. Parties from countries that are allies of the United States that seek to invest in these sectors should be prepared for CFIUS scrutiny related to the parties’ own operations and relationships in China, and plan their transactions accordingly. It is also becoming more common for CFIUS to seek mitigation to address perceived risks that do not arise from the transaction or relate to the foreign acquirer, but rather address risks related to third parties (often with a focus on China).

Nevertheless, there is no outright ban on Chinese investment, and well-planned transactions can still receive approval. Indeed, we have had multiple Chinese transactions approved in recent months, including where national security concerns were presented but mitigated through agreement with CFIUS.

In our experience, transactions involving Chinese parties will be particularly challenging where they involve U.S. businesses involved with “critical technologies” as defined in the Pilot Program, or where the business aligns with the priority sectors identified in the Made in China 2025 plan and Pilot Program regulations. For these transactions, CFIUS is likely to start from a position of significant skepticism, and the parties will need to be prepared to overcome that skepticism.

We also expect this trend to continue regardless of whether the U.S. and China reach a trade deal. Even with a trade deal, we expect that CFIUS will continue to aggressively scrutinize Chinese investment, particularly in connection with critical technologies and sensitive personal data.

5. Are more deals being rejected now, particularly transactions with personal information, and is any personal information now a national security issue? Why?

No. To the extent that there is a perception that more deals are being rejected post FIRRMA, that is incorrect. Despite some reports of rejected deals, we are mindful that deals that have already closed present more challenging issues for CFIUS to resolve where national security concerns are present, and often leave CFIUS with fewer options for resolving those concerns. There also is now a greater focus on CFIUS enforcement under FIRRMA, with CFIUS mandated to maintain a process to identify transactions for which information is “readily available” but for which the parties have not filed a notice or declaration. Congress also has allocated greater personnel and financial resources for this process. Nevertheless, while we expect that CFIUS’s attention to enforcement will  increase as it augments its staff and develops and implements new processes for the identification and review of non-notified transactions, the reality is that there have not been more transactions rejected by CFIUS recently than at other times in the past.

With respect to transactions involving sensitive personal information, this is an area which CFIUS has been scrutinizing for several years and where we expect CFIUS’s approach to continue to evolve. The focus reflects a concern that within certain data sets there may be information on U.S. government personnel or other individuals who hold positions of national security sensitivity and who could be targeted by threat actors. This concern has grown over the last several years for three reasons: first, the clear threat indicators of adversaries using various avenues to acquire data on U.S. citizens, build profiles, and target individuals; second, the proliferation of personal data through various electronic data sets; and third, importantly, the increased computing and software capabilities that enable automated identification of patterns and connections among large data sets.

Notwithstanding the expanding scope of the types of personal data that may raise national security concerns and the increased scrutiny on personal data in the CFIUS context, the Committee has continued to approve transactions with businesses that possess or use sensitive personal data, in some cases with conditions requiring the implementation of mitigation measures designed to protect such data.

This also is sure to be a key area of focus for the rulemaking implementing FIRRMA. FIRRMA broadened CFIUS’s focus on sensitive personal data by requiring mandatory filings for certain non-controlling foreign investments in companies that maintain or collect sensitive personal data of U.S. citizens. CFIUS has not yet issued proposed regulations implementing this portion of FIRRMA, and it is our sense that CFIUS itself is not fully settled on how to approach mandatory or voluntary filings involving sensitive personnel data. We expect that the implementation of this element of FIRRMA will be one of the more challenging elements of the new regulations, and it will be a key area to monitor.

6. What is the expected timeline for the FIRRMA regulations, and what are some key issues that warrant the attention of investors and potential transaction parties in those regulations?

The deadline for CFIUS to implement final regulations implementing FIRRMA is February 2020. We understand that Treasury is planning to publish a proposed final rule for comment later this year, likely in the late summer or early fall. Parties that wish to provide comments on the proposed rule should be prepared to do so because the window for providing comments may be narrow.

Among the most significant issues that CFIUS may address in the regulations are:

Core Jurisdictional Definitions

• The definition of “U.S. business,” including whether the definition will encompass foreign companies who sell into U.S. interstate commerce but have no assets in the United States.
• The definition of “foreign person” for purposes of jurisdictional expansion and mandatory filings, including whether CFIUS will use this term to exclude certain categories of investors (such as those from allied countries) from the scope of CFIUS’s new authorities.
• The definition of “foreign entity,” which may have an impact especially on the scope CFIUS jurisdiction as applied to investment funds.
• The definition of “control,” which is currently a fact-specific inquiry that CFIUS has applied flexibly.

Scope of the Jurisdictional Expansion

• The scope of U.S. businesses that will be subject to expanded jurisdiction covering non-controlling investments, especially through the definitions of “critical infrastructure” and “sensitive personal data.”
• The definition of “substantial interest,” which will determine which foreign parties with foreign government ownership will be subject to mandatory filings for investments in certain U.S. businesses.
• The scope of mandatory filings for investments in “critical technology” companies, which are currently governed by temporary regulations under the Pilot Program. While we understand that CFIUS has viewed the number of filings received under the Pilot Program as manageable, we also believe that the scope of the program likely reached a range of U.S. businesses that CFIUS may not have intended, especially as a result of the inclusion of certain encryption technology within the definition of “critical technology,” and that CFIUS in turn may ultimately dial back the scope of mandatory filings for the “critical technology” prong of its expanded jurisdiction.
• The scope of the real estate provision, including how CFIUS will define “proximity” to sensitive locations.

Process and Other Points

• Timelines for starting cases. FIRRMA requires CFIUS to accept filings within ten days after submission in certain circumstances, addressing a significant concern among transaction parties about the uncertainty and delays that have plagued the beginning of cases in recent years. From a process standpoint, transaction parties will wish to monitor whether the proposed regulations apply some certainty to this timeline.
• The details of the short form filing, or “declaration” process, for voluntary declarations. FIRRMA created a voluntary declaration process precisely so that more benign transactions and investors from trusted allies could have the prospect for a shorter and less cumbersome review and receive the certainty of CFIUS action while still enabling the government to gain visibility into a broader set of transactions. Thus, for transaction parties who may be looking ahead hopefully to the prospect of a streamlined CFIUS process, the details of the voluntary declaration process will be especially important.
• Enforcement. FIRRMA authorizes a range of enforcement mechanisms, including potential civil penalties for non-filing or for breaching mitigation agreements; we will be watching to see whether CFIUS identifies through rulemaking what factors it will consider in assessing civil penalties.

We hope that you find this report useful. Please do not hesitate to contact the following members of our CFIUS practice if you would like to discuss any aspect of the foregoing in further detail.