CFIUS Enters a New Landscape

January 16, 2019

In August 2018, the U.S. Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”)1 updated the statute authorizing reviews of foreign investment by CFIUS to reflect changes in CFIUS’s practice over the 10 years since the last significant reform, expand CFIUS’s jurisdiction, and make significant procedural alterations to the CFIUS process.

Introduced to “modernize and strengthen” review of foreign investment in the United States, FIRRMA cements a relatively aggressive approach to foreign investment review. However, ultimately, the changes to current CFIUS practice are modest, and many of the changes merely codify practices in place since the later years of the Obama administration.

The most significant change brought about by FIRRMA is the introduction of mandatory notifications covering certain transactions involving critical technology, critical infrastructure, or sensitive personal data (so-called “other investments”), as well as an expansion of jurisdiction over minority investments in those areas. CFIUS has also been granted broader jurisdiction over real estate transactions, successive transactions involving the same parties, and transactions designed to evade or circumvent CFIUS jurisdiction. CFIUS has for a number of years been closely examining transactions in these areas, as well as in the semiconductor space and “big data” generally, telecommunications and cybersecurity, and integrity of the defense industry/government supply chain.

The rules for “critical technology” transactions have already been implemented as a pilot program. Under those rules, CFIUS notification is mandatory if a foreign person is acquiring “control” (closer to “substantial influence” under existing CFIUS practice; as a rule of thumb, CFIUS has historically tended to assert jurisdiction when an ownership stake exceeds 15% and includes any significant formal governance right such as a board seat) or a direct or indirect non-controlling investments that afford a foreign person any of the following:

  • access to any material nonpublic technical information (financial information is excluded, but many operating joint ventures would be caught);
  • membership, observer, or nomination rights to the board of directors or equivalent; or
  • any other involvement in substantive decision-making related to “critical technologies,” other than mere voting of a minority block of shares.

“Critical technologies” are in turn defined as certain export-controlled technologies (essentially, all but the least-controlled categories) that the company manufactures or develops for use in one of several specified industries. In practice, industry participants are struggling with ambiguities in all facets of these definitions – exactly where the limits are for non-notifiable investments, identifying export-controlled technologies (which is especially challenging if those technologies are developed for a company’s own internal use), and identifying the correct industry code (for which there is no official government source; different government agencies take inconsistent positions). The consequences of these difficulties can be severe – failure to make a required filing carries a fine of up to the value of the transaction.

Pilot programs have not yet been created for the critical infrastructure and personal data categories, but they are expected to be structurally similar.

Boards should consider the expansion of CFIUS jurisdiction and the scope of mandatory filings to evaluate the effects of CFIUS requirements on potential transactions. Boards should also identify the potential need to file with CFIUS early in a transaction, assess the benefits and risks of voluntarily filing with CFIUS, and consider structuring investments and acquisitions so as to mitigate CFIUS scrutiny. Finally, boards should bear in mind CFIUS risk as a potential constraint on strategic exits for both existing and new investments.

[1] For more on FIRRMA, see our memorandum: