On September 15, 2020, the Department of the Treasury published a final rule that modifies the regulations that govern mandatory filings with the Committee on Foreign Investment in the United States (CFIUS). CFIUS is an interagency committee chaired by the Department of the Treasury and is responsible for reviewing foreign investments in, or acquisitions of, US businesses and real estate to determine if the transaction threatens to impair US national security. Although CFIUS is largely a voluntary process, CFIUS introduced mandatory filing requirements with the launch of a critical technology pilot program in November 2018 and formalized and expanded the mandatory filing requirements in February 2020. The new rule modifies the criteria that trigger a mandatory filing with CFIUS, potentially subjecting more transactions to mandatory CFIUS review. These changes will apply to transactions that have not yet entered into a definitive agreement as of October 15, 2020.
The new rule addresses a CFIUS concern that transaction parties were previously able to avoid a mandatory filing based on a relatively subjective and often imprecise limitation on the filing requirement involving certain North American Industry Classification System (NAICS) codes, despite engaging with technologies that may be considered sensitive to national security. These circumstances also yielded inconsistent regulatory restrictions whereby a foreign investor could be restricted from access to the technology of a target US business under the US export control regime, but could invest in or own the US business and potentially influence decisions about the development, production and sales of critical technology without CFIUS review.
Shifting away from the relatively subjective NAICS code assessment, the rule will now be based on the national security foundations of established export control regimes. Investors from excepted foreign states, FOCI-mitigated entities as well as investment funds managed exclusively and ultimately controlled by US nationals will continue to be excluded from the filing requirement.
Foreign investors and US companies that are contemplating a transaction or joint venture arrangement that involves a foreign party should evaluate the applicability of CFIUS review and assess whether a filing is mandatory. Transaction parties would be best served by accounting for these regulatory developments in the course performing due diligence and determining realistic deal closing dates.
Export control licensing replaces NAICS codes for mandatory filing analysis
Under the existing CFIUS regulations, parties to a covered transaction are required to file a declaration (or may opt to file a notice) if the transaction involves a US business that produces, designs, tests, manufactures, fabricates or develops one or more "critical technologies" that are either used by the US business in, or designed specifically for use in, one of 27 industries identified by their NAICS code.
Under the final rule, the filing requirement will continue to apply to both controlling transactions and "covered investments" (ie, non-controlling investments that afford the foreign person access to material non-public technical information, board director or observer rights, or substantive decision-making power). The definition of "critical technologies" has been and will continue to be defined by reference to US export control regimes, including the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), and a few other more specialized export control regulations.
The new CFIUS regulation alters the criteria that trigger a mandatory filing with CFIUS by eliminating the requirement that a critical technology be used in or specifically designed for use in one of the 27 NAICS code industries, instead tying the critical technologies mandatory filing requirement to export authorization requirements under US export controls. Specifically, a filing with CFIUS will be mandatory where:
- the US business involved in the transaction produces, designs, tests, manufactures, fabricates, or develops certain types of "critical technologies" and
- a "U.S. regulatory authorization" would be required to provide such critical technology to any of the following persons, based on principal place of business, nationality (for individuals), or other reasons (eg, if the person is designated on the Entity List under the EAR):
- any person that could "directly control" the US business as a result of the covered transaction
- any person that is "directly acquiring an interest" or already has a "direct investment" in the US business and is acquiring certain relevant non-controlling rights or
- any person that individually holds or is part of a group of foreign persons that holds a 25 percent or more voting interest in a foreign person described in (ii)(a) and (b) above.
Assessing US regulatory approval requirements
For purposes of the new mandatory filing rule, the term "US regulatory authorization" is a license or other approval issued by the relevant US export control authority. Determination of whether a license or other approval is required is largely based on (1) the export classification of the critical technology and limited applicable license exceptions and (2) the nationality of the recipient.
Understanding the export classification regimes under the ITAR and EAR is a critical component of the CFIUS mandatory filing analysis. Not only does the classification determine whether the products, software or technologies involved in the transaction are "critical technologies," but the classification also drives the potential licensing requirements and applicable license exceptions, and thus the mandatory CFIUS filing obligation.
Under the final rule, only three exceptions under the EAR may be considered in evaluating the applicable export licensing requirements. Specifically, products, software or technologies that are eligible for the following license exceptions will not trigger a mandatory filing:
License Exception Technology and Software Unrestricted (TSU) (15 CFR 740.13) – authorizes the provision of limited software updates, sales technology and low-level operation technology and software to certain destinations and end users.
License Exception Encryption Commodities, Software, and Technology (ENC) (15 CFR 740.17(b)) – authorizes the export to certain categories of end users of most standard and some non-standard encryption source code and certain other cryptographic commodities, software and components for use in network infrastructure. The current CFIUS regulations exempt encryption technology that is eligible for any part of License Exception ENC, but the final rule narrows that exemption to include only those items eligible for export under the authority of subsection (b) of License Exception ENC. Subsection (b) includes a self-classification provision for certain eligible items and mandatory written review by the Bureau of Industry and Security (BIS) for others. Thus, companies that have not submitted a written encryption classification request, where required for License Exception ENC export authorization for their technology, software and products may lose the opportunity to invoke this exemption unless they file with BIS at least 30 days before closing in most cases.
License Exception Strategic Trade Authorization (STA) (15 CFR 740.20(c)(1)) – authorizes the provision of items subject to certain controls to a limited set of destinations that are considered to pose a lower risk of unauthorized or impermissible end uses.
All aspects of these license exceptions must be satisfied to relieve the CFIUS filing requirement, including the foreign person’s eligibility to rely on the exception. Notably, other export license exceptions that may be available under the EAR for the technology at issue are not to be considered when assessing the export licensing requirements for purposes of the CFIUS mandatory filing.
Practical impacts of the new mandatory CFIUS filing criteria
The changes in this final rule may increase the burden on some US companies considering foreign investment, as it will require them to undergo a careful assessment of their hardware, software, technology, and services to determine their export control classifications and whether export licenses or authorizations are applicable or if exceptions would be available. In this regard, software or SaaS businesses will need to be especially careful in assessing the encryption features of their technology under US export controls. Notably, this mandatory filing provision may be triggered based on theoretical access to the critical technologies, meaning that no intent to provide any critical technologies to a foreign party is required. Thus, classifying products, technology and services under US export controls will be necessary for CFIUS purposes even if the US business involved in the transaction does not actually export in practice.
Although the short-form declaration process provides a faster alternative to a full notice filing, even the 30-day review period (plus preparation and filing time) might delay the speed at which many investments would otherwise close – particularly in the venture capital space. Thus, to avoid timing issues should a mandatory filing be required with CFIUS, companies that anticipate foreign investment would be best positioned to consider export controls at as early a stage as possible.
DLA Piper maintains a robust, cross-disciplinary CFIUS practice consisting of corporate, regulatory, and government affairs professionals. Please feel free to contact any of our CFIUS attorneys to learn more:
 Critical technologies are defined to include (i) defense articles and defense services included on the US Munitions List of the ITAR; (ii) items included on the Commerce Control List of the EAR and controlled for specified reasons; (iii) items related to assistance to foreign atomic energy activities; (iv) nuclear facilities, equipment and material covered; (v) select agents and toxins; and (vi) emerging and foundational technologies that are or will be controlled pursuant to the Export Control Reform Act of 2018.
 Certain transactions involving foreign government-controlled investors and target US businesses dealing in critical technology, critical infrastructure, or sensitive personal data continue to be subject to mandatory CFIUS review.
 In the case of investment funds, this requirement extends only to foreign persons with a voting interest of 25 percent or more in the fund’s general partner, managing member, or equivalent.