CFIUS Publishes Final Rule Governing Mandatory Filing Requirements for Critical Technology Businesses

CFIUS Publishes Final Rule Governing Mandatory Filing Requirements for Critical Technology Businesses

September 22, 2020, Covington Alert

On September 15, 2020, the Department of the Treasury, as chair of the Committee on Foreign Investment in the United States (“CFIUS”), published in the Federal Register a final rule (the “Final Rule”) amending the requirement to file with CFIUS certain transactions involving U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more “critical technologies.” As expected, the Final Rule shifts the test for whether certain transactions must be filed with CFIUS from an industry-based assessment to an assessment based on whether a license would be required to export the critical technology produced, designed, tested, manufactured, fabricated, or developed by the U.S. business to the foreign person that is a party to the transaction and certain owners of the foreign person. This change likely will result in more transactions being subject to mandatory filing requirements, and it will be more important than ever for parties to analyze carefully whether a transaction is subject to a mandatory filing, especially for transactions involving a U.S. business that produces, designs, tests, or develops any software.

The Final Rule also makes certain important clarifications regarding the exception from the mandatory filing requirement for transactions involving U.S. businesses whose only involvement with critical technology relates to software incorporating encryption functionality. The Final Rule provides that in order to rely on this exception, U.S. businesses must first comply with certain procedural requirements, including, in some cases, prior submission of a Commodity Classification (“CCATS”) request to the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”). Parties to some transactions will therefore be forced to choose between filing with CFIUS or filing a CCATS request. In our experience, the software affected by this clarification is common in technology sector companies, especially in companies that provide software-as-a-service or other Internet-based offerings. Companies in a wide range of other industry sectors, however, may also develop such software. Therefore, it will be essential for transaction parties to determine the precise classification of any software produced, designed, tested, or developed by any U.S. business party to a transaction subject to CFIUS jurisdiction.

Background

The Final Rule generally mirrors the rule initially proposed by CFIUS and published in the Federal Register on May 21, 2020 (the “Proposed Rule”). Our analysis of the Proposed Rule is available here. As expected, the Final Rule abandons the two-part test for mandatory filings first imposed in October 2018 through temporary regulations known as the critical technology pilot program (the “Pilot Program”), and which were incorporated this past February into the final regulations implementing the Foreign Investment Risk Review Modernization Act (“FIRRMA”). That two-part test required a filing where the U.S. business involved in the transaction (1) produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; and (2) utilizes such critical technology or designs it for use in one or more of 27 industries designated by North American Industry Classification System (“NAICS”) code. This industry analysis has been widely viewed as ambiguous and difficult to administer.

Starting October 15, 2020, as a result of the Final Rule, parties will be required to file a short-form declaration (or a full notice in lieu of a declaration) for any transaction subject to CFIUS jurisdiction involving a U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies for which a “U.S. regulatory authorization” would be required for the export, re-export, transfer (in-country), or retransfer of such critical technology to a foreign person that is a party to the transaction or certain parties in the ownership chain of the foreign person.

Implications of the Final Rule for Transactions Involving U.S. Businesses Developing Software

Under the Final Rule, as well as under the current CFIUS regulations, a mandatory filing is not triggered for a transaction in which the U.S. business’s only involvement with a critical technology is that it produces, designs, tests, manufactures, fabricates, or develops one or more encryption items (including hardware, software, and technology) that are eligible for export under License Exception ENC. In principle, the vast majority of encryption items are eligible for export under License Exception ENC. However, License Exception ENC requires that certain procedural steps be taken before a party can export an encryption item. For most encryption items, this procedural step is simply filing a self-classification report with BIS and the “ENC Encryption Request Coordinator” located at the National Security Agency. Such encryption items fall under paragraph (b)(1) of License Exception ENC. However, in other cases, parties may be required to file a CCATS request with BIS before exporting an encryption item pursuant to License Exception ENC. Such encryption items fall under paragraphs (b)(2) and (b)(3) of License Exception ENC.

The current CFIUS regulations do not specify whether any of these procedural steps must be completed for an encryption item produced, designed, tested, manufactured, fabricated, or developed by a U.S. business to be considered “eligible” for License Exception ENC (when it would otherwise be eligible in principle), and thus whether such procedural steps must be completed for transaction parties to be relieved of a mandatory filing. However, the Final Rule adds a “note” stating that to be “eligible” for that purpose requires completing any Export Administration Regulations requirements that must be satisfied prior to export. The Federal Register Notice clarifies that the U.S. business need not file a self-classification report required for export under License Exception ENC paragraph (b)(1), but it must file the CCATS request for an encryption item described by paragraph (b)(2) or (b)(3) to qualify as “eligible” for License Exception ENC, and thus not trigger a mandatory CFIUS filing. This clarification likely will vastly increase the number of transactions subject to mandatory filings because paragraph (b)(2) of License Exception ENC includes encryption source code that is not publicly available. Thus, any transaction subject to CFIUS jurisdiction involving a U.S. business that produces, designs, tests, or develops source code for encryption for data confidentiality that is not publicly available must file a CCATS request with BIS to be considered eligible for License Exception ENC, and thus for the transaction parties to avoid a mandatory filing.

Other Changes Made by the Final Rule

FIRRMA requires filings with CFIUS for certain transactions involving foreign government ownership and so called “TID U.S. businesses,” a category that encompasses U.S. businesses involved with critical technology, critical infrastructure, and sensitive personal data. Specifically, a CFIUS filing is required for any transaction through which a “foreign person in which a foreign government holds a substantial interest” acquires a “substantial interest” in a TID U.S. business. In the final regulations implementing FIRRMA, CFIUS defined “substantial interest” as a 49 percent or greater interest, directly or indirectly, between the foreign government and the foreign person, and a 25 percent or greater interest, directly or indirectly, between the foreign person and the TID U.S. business.

The Final Rule makes two clarifying edits to the substantial interest definition:

• First, the current definition provides that in the case of an entity “with a general partner, managing member, or equivalent, the national or subnational governments of a single foreign state will be considered to have a substantial interest in such an entity only if they hold 49 percent or more of the interest in the general partner, managing member, or equivalent of the entity.” The Final Rule revises the definition to require that the general partner, managing member, or equivalent “primarily directs, controls, or coordinates” the activities of the entity—it is not sufficient for the entity merely to have a general partner or equivalent. Accordingly, for any fund where the general partner or equivalent does not “primarily direct, control, or coordinate” the activities of the fund, then other interests, such as limited partner interests, could be deemed to be a “substantial interest.”
• Second, the Final Rule also provides certain revisions to clarify that for purposes of the substantial interest calculation, regardless of the type of entity at issue, a parent will be deemed to have 100 percent of the applicable interest in any entity of which it is a parent.

If you have any questions concerning the material discussed in this client alert, please contact the following members of our CFIUS and International Trade Controls practice groups.