Treasury Issues Long-Awaited Proposed CFIUS Regulations

On September 17, 2019, the Department of the Treasury issued two sets of proposed regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). As described in our prior alerts— CFIUS Update: Congress Enacts the Foreign Investment Risk Review Modernization Act and CFIUS Update: Interim Regulations, FIRRMA Pilot Program, and Proposed Rulemaking on Emerging Technologies—FIRRMA, enacted in August 2018, expanded and clarified CFIUS's authority in various ways, including jurisdiction to review certain non-controlling investments in US businesses. CFIUS issued interim regulations in October 2018, implementing parts of FIRRMA and a new FIRRMA Pilot Program that requires parties to declare some types of such transactions to CFIUS.

Treasury's release of the proposed regulations heralds the first wholesale revamping of CFIUS regulations since 2008. During the past decade, the sources, levels, and nature of foreign direct investments in the US have changed dramatically. One consequence is a profound shift in US government thinking about the threats and vulnerabilities arising from foreign capital that has traditionally been welcomed. Congress enacted FIRRMA to better align CFIUS's authority and rules with the emerging threat landscape.

The Pilot Program rules aim to provide CFIUS with visibility into foreign investments in certain critical technology businesses, particularly where a foreign investor acquires a small, non-controlling stake. The newly proposed regulations would largely implement the remaining provisions of FIRRMA; a notable exception is authority for CFIUS to charge filing fees, which CFIUS will address at a later time. The proposed regulations do not further address the FIRRMA Pilot Program, which is authorized until March 5, 2020.

The first set of proposed rules would amend the current CFIUS regulations (Part 800 Regulations). They primarily focus on the expansion of CFIUS jurisdiction to non-controlling investments (covered investments) in certain US businesses in the critical technology, critical infrastructure, and sensitive personal data industries (TID [Technology, Infrastructure, Data] US businesses). The second set of proposed rules solely addresses FIRRMA's new jurisdiction over certain real estate transactions.

The documents comprising the proposed rules number over 300 pages. We address the key concepts below.

Covered, Non-controlling Investments

Consistent with the FIRRMA Pilot Program, "covered investments" are transactions that afford a foreign person (1) access to material non-public technical information about the TID US business; (2) membership or observer rights on the TID US business's board of directors; or (3) involvement in substantive decision making of the TID US business relating to critical technology, critical infrastructure, or sensitive personal data. The Part 800 Regulations do not alter CFIUS's jurisdiction over transactions in which a foreign person acquires "control" of any US business.

1. TID US Businesses

   The Part 800 Regulations define the scope of each of the TID US businesses.

   Critical Technology: FIRRMA expanded CFIUS jurisdiction to "covered investments" in US businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies. Consistent with the definition of "critical technologies" in the FIRRMA Pilot Program regulations,1 "critical technologies" means items controlled pursuant to: (1) the International Traffic in Arms Regulations; (2) certain controls of the Export Administration Regulations; (3) nuclear-related equipment and materials; (4) select agents and toxins; and (5) "emerging and foundational technologies" specified in a parallel rulemaking by the Commerce Department pursuant to the Export Control Reform Act of 2018.2

   Critical Infrastructure: FIRRMA expanded CFIUS jurisdiction to "covered investments" in a US business that "owns, operates, manufactures, supplies, or services critical infrastructure." The Part 800 Regulations refer to these activities as "functions." CFIUS jurisdiction is limited to functions related to specific types of critical infrastructure (e.g., internet exchanges, submarine cables, airports, oil and gas infrastructure, maritime ports, defense industrial resources, public water systems). Both the specific types of critical infrastructure and the relevant functions are identified in Appendix A to the Part 800 Regulations (see below). A US business only falls within the scope of a "covered investment," if it performs a function listed in column 2 of Appendix A with respect to the corresponding critical infrastructure listed in column 1 of Appendix A.

   Sensitive Personal Data: FIRRMA expanded CFIUS jurisdiction to "covered investments" in a US business that maintains or collects sensitive personal data of US citizens "that may be exploited in a manner that threatens to harm national security." The Part 800 Regulations define sensitive personal data as:

   (1) either genetic information or

   (2) "identifiable data" (i.e., data used to distinguish an individual's identity) that are maintained or collected by a (a) US business that either (i) targets or tailors its products or services to sensitive US Government personnel or contractors, (ii) maintains or collects data on greater than one million individuals, or (iii) has a business objective to maintain or collect data on greater than one million individuals and such data are an integrated part of the US businesses products and services; and (b) the data fall within one of a number of categories, including: (i) data used to analyze an individual's financial hardship, (ii) consumer reports, (iii) insurance applications, (iv) health; and (v) geolocation.

2. Excepted Investments

   The Part 800 Regulations also introduce the concept of "excepted investors," to whom CFIUS's expanded jurisdiction over "covered investments" will not apply. The scope of the exception is limited to foreign persons with a substantial connection to one or more foreign states that will be separately identified by the Treasury Department. The Part 800 Regulations indicate that the initial list of "excepted foreign states" will be limited and will take into account the foreign state's own foreign investment review process and cooperation with the United States regarding investment security matters.

   Mandatory Declarations

   The Part 800 Regulations implement FIRRMA's authorization of a short-form declaration process for both mandatory and voluntary filings. As with the current FIRRMA Pilot Program declarations,3 CFIUS can respond to a voluntary declaration in one of four ways: (1) request the parties file a formal notice; (2) unilaterally initiate a review of the transaction; (3) clear the transaction; or (4) determine that it is unable to make a determination on the basis of the declaration.

   Per FIRRMA, declarations will be mandatory for "covered transactions" (e.g., both covered control transactions and covered investments) in which a foreign person obtains a "significant interest" in a TID US business and a foreign government has a "significant interest" in that foreign person.4 The Part 800 Regulations establish the threshold for the foreign person's "significant interest" as a 25% voting interest, direct or indirect, and the foreign government's "significant interest" as a 49% or more voting interest, direct or indirect.

   Real Estate Transactions

   In parallel with the Part 800 Regulations, the Treasury Department issued proposed regulations implementing FIRRMA's expansion of CFIUS jurisdiction to review certain real estate transactions in the US, referred to as "covered real estate transactions" (Part 802 Regulations). Prior to FIRRMA, CFIUS jurisdiction encompassed acquisitions of real estate only where the transaction involved foreign acquisition of control of a US business. That remains the case: transactions involving real estate may still be treated as "covered transactions" under the Part 800 Regulations—for example, transactions involving long-term leases and other assets, or where the US business is in proximity to sensitive US government facilities. The Part 802 Regulations implement FIRRMA's extension of jurisdiction to stand-alone real estate investments. In CFIUS's view, the level of specificity required to review such "covered real estate transactions" warrants a separate rulemaking process.

   The scope of CFIUS jurisdiction is framed by the proposed definitions identifying the types of real estate and real estate transactions that are covered by the Part 802 Regulations, and those that are not. In sum:

   1) "Covered real estate" is only real estate in close proximity to airport and maritime ports, and certain military installations. The list of military installations are specifically identified in Appendix A to the Part 802 Regulations, which categorize the sites into four categories: (1) real estate within close proximity (i.e. one mile); (2) real estate in an extended range (between one and 100 miles); (3) real estate within specific counties in Colorado, Montana, Nebraska, North Dakota, and Wyoming, which are near air force base missile fields; and (4) real estate within an off-shore military range.

   2) "Covered real estate transactions" are purchases or leases by, or concessions to, a foreign person (other than "excepted real estate transactions") that afford a foreign person at least three "property rights" in "covered real estate." "Property rights" include the right to physically access, exclude, improve, or develop, or attach structures or objects to the real estate.

   3) Excepted real estate transactions include (i) investments by investors from specified foreign states, which will be identified by the Treasury Department, (ii) certain transactions in urbanized areas, (iii) single housing units, and (iv) retail and commercial office space.

   Public Comment Period

   The Treasury Department is providing only 30 days for...