16 January 202016 minute read

New regulations reinforce CFIUS's expanded role with respect to foreign investments in the United States

On January 13, 2020, the US Department of the Treasury released two sets of new regulations that comprehensively implement the Foreign Investment Risk Review Modernization Act (FIRRMA) – a law that strengthens the authority of the Committee on Foreign Investment in the United States (CFIUS). CFIUS is an interagency committee chaired by the Secretary of the Treasury and is responsible for screening foreign investments into the United States to determine if they could impair US national security. The new CFIUS regulations will become effective on February 13, 2020 and are titled (i) Provisions Pertaining to Certain Investments in the United States by Foreign Persons (31 CFR Parts 800 and 801) and (ii) Provisions Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States (31 CFR Part 802).  These CFIUS regulations reflect the Treasury Department’s response to comments provided after its issuance of certain proposed rules in September 2019, as described in our previous alert. Among various developments, the new regulations:

  • strengthen CFIUS’s jurisdiction over certain types of non-controlling investments involving critical technology, critical infrastructure, and sensitive data
  • expand the requirement for parties to file a mandatory declaration with CFIUS in certain instances involving foreign governments
  • create limited exemptions to CFIUS jurisdiction, including for certain non-controlling transactions involving investors from Australia, Canada, and the United Kingdom in defined circumstances
  • introduce a new option for transaction parties to submit a short-form voluntary declaration to CFIUS instead of the more substantial notice and
  • enable CFIUS to review foreign investments in or acquisitions of US real estate that previously fell outside CFIUS’s purview because they did not involve US businesses.

The recent regulations do not implement CFIUS’s authority under FIRRMA to assess and collect fees in connection with filings. This is expected to be addressed separately in the future.

Non-controlling investments involving critical technology, critical infrastructure, or sensitive data (TID)

CFIUS maintains jurisdiction over what previous regulations referred to as “covered transactions.” Traditionally, covered transactions were investments that could result in the control of a US business by a foreign person. Control was, and continues to be, defined as the power, whether or not exercised, to directly or indirectly determine, direct, decide, take, reach, or cause decisions regarding important matters affecting a US business. Both majority as well as dominant minority investments can satisfy the control test.

FIRRMA envisioned expanding the scope of covered transactions (and in turn CFIUS’s jurisdiction) to include certain non-controlling investments by foreign persons, irrespective of the voting percentage that they may receive in a US business. The new CFIUS regulations now fully implement FIRRMA in this respect. Specifically, the updated regime preserves CFIUS’s jurisdiction over control transactions discussed above, now referred to as “covered control transactions,” while also extending its authority to review investments that afford a foreign person certain non-public information access, board/observer rights, or substantive decision-making power in relation to a “TID US business” (explained below). The new regulations refer to these types of non-controlling investments that are within CFIUS’s jurisdiction as “covered investments.”

The acronym “TID” stands for (and highlights CFIUS’s core concerns with respect to foreign influence over) technology, infrastructure, and data. Specifically, the new regulations define a TID US business as a US business that:

  • produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies1
  • owns, operates, manufactures, supplies, or services critical infrastructure2 specifically identified by the new regulations or
  • maintains or collects directly or indirectly sensitive personal data of US citizens.3

Mandatory declarations

Interim CFIUS regulations that predate the new regulations imposed a pilot program that requires parties to file a mandatory declaration with CFIUS with respect to foreign investments in or acquisitions of US businesses that are involved with critical technologies in connection with certain listed industries. This pilot program is slated to expire on February 12, 2020. However, the new regulations preserve several of the elements of the pilot program, including the above mandatory declaration requirement.4 The new regulations specify certain exceptions to the critical technologies mandatory filing requirement. Specifically, these exemptions apply to:

  • investors from “excepted foreign states” (discussed below) that satisfy certain detailed criteria contained in the new regulations (these types of investors are referred to as “excepted investors”)
  • FOCI-mitigated entities5
  • certain encryption technology and
  • investment funds managed exclusively and ultimately controlled by US nationals.

In addition, the new regulations expand the scope of the mandatory declaration to encompass a covered transaction that will result in a foreign government acquiring a “substantial interest” in certain US businesses. The CFIUS pilot program did not cover this scenario. Specifically, the new regulations impose a mandatory declaration requirement if a covered transaction involves a foreign government-controlled entity’s acquisition of a 25 percent or more voting interest in any TID US business, unless the foreign government is from an “excepted foreign state.” This exception is limited in scope and is discussed below.

Excepted foreign states

The new regulations have introduced the concept of “excepted foreign states.” Excepted investors from those states are exempt from CFIUS jurisdiction with respect to non-controlling covered investments. At this stage, the new regulations have preliminarily designated Australia, Canada, and the United Kingdom as “excepted foreign states” through February 2022. According to the Treasury Department, the new regulations cite these countries because of their alignment with the United States on robust intelligence sharing and defense industrial base integration.

The new regulations do not mention any other countries, including US allies like Germany, Japan, or Korea. However, the new regulations allow CFIUS two years to develop processes and procedures for updating the list of excepted foreign states. This means that countries that are on that list now may lose their special status if they fail to satisfy certain national security expectations of the United States, while other countries not already on that list may be allowed to join the league of excepted foreign states if they meet those expectations.

It is important to note that the foreign state exception is limited in scope and only applies in the context of CFIUS’s jurisdiction over covered investments, i.e., non-controlling investments in TID US Businesses.  CFIUS continues to assert jurisdiction over foreign investments from all foreign persons (including those that may otherwise qualify as excepted investors) if a transaction could result in the foreign control of a US business.

New short-form voluntary declarations

The Treasury Department has asserted that the CFIUS process largely remains “voluntary” in nature notwithstanding the mandatory declaration requirements discussed above. Parties to any transaction covered by CFIUS jurisdiction may file a voluntary notice in an effort to receive a safe harbor letter that would protect their investments (subject to limited exceptions) from CFIUS challenges in the future. The notice is a lengthy document that can take significant time and effort to prepare. In addition, CFIUS can spend two or three months, or in some cases six months to a year or more, to complete the voluntary notice review process. The new regulations have now introduced an option for parties to submit an abbreviated voluntary declaration form (which generally should not exceed five pages) as an alternative to the lengthier written notice. Previously, parties could only file a declaration if certain triggers were satisfied that would make such a filing mandatory; voluntary declarations were not allowed.

According to the new regulations, CFIUS will have 30 days in which to assess the voluntary declaration. However, notwithstanding the potential benefits associated with the voluntary declaration, the new regulations also allow CFIUS to request the parties to submit a full notice if CFIUS is unable to conclude its review within the 30-day declaration review period allotted to the voluntary declaration process. It is expected that repeat CFIUS filers from US allied countries would be most likely to benefit from the submission of a voluntary declaration, especially if they have already submitted a notice for a prior transaction which received no objection from CFIUS.

New jurisdiction over real estate transactions 

CFIUS has long expressed an interest in reviewing foreign persons who use investment opportunities to gain access to real estate proximate to sensitive US military and government facilities. However, prior to the new regulations, CFIUS’s ability to review real estate matters was generally limited to instances where a foreign person invested in a US business  and that US business happened to occupy or otherwise hold real estate that raised national security concerns.

In 2018, FIRRMA envisioned expanding CFIUS’s reach over certain real estate transactions that previously fell outside of CFIUS’s authority. In that regard, the Treasury Department has now issued additional regulations that specifically target foreign investments in certain types of US real estate alone, irrespective of whether the transaction involves an investment in a US business. These real-estate-specific regulations appear in 31 CFR Part 802 and are separate from the new regulations in 31 CFR Parts 800 and 801 that apply to foreign investments in US businesses discussed above.6  

The new regime in Part 802 authorizes CFIUS to review a purchase, lease, or concession pertaining to certain types of real estate (discussed below) that provides a foreign person with three or more of the following rights:

  • physical access to the property
  • exclusion of others from physically accessing the property
  • improvement or development of the property and/or
  • affix structures or objects to the property.

CFIUS’s newly acquired jurisdiction as described above does not apply with respect to investments in all types of real estate. Instead, the new regulations are concerned only with investments in certain types of real estate consisting of those

  • that are, located within, or will function as part of, an air or maritime port identified by the Department of Transportation (known as a “covered port”)
  • located in “close proximity” (ie, within one mile) of certain designated US military installations or potentially other sensitive US government facilities or properties to be identified by CFIUS in the future
  • within the “extended range” (one mile to 100 miles) of certain designated military installations
  • within any county or other geographic area identified in connection with a designated military installation or
  • within any part of a designated military installation to the extent located within the limits of the territorial sea of the United States.

The new regulations do not provide CFIUS with unrestricted jurisdiction over real estate transactions. The regulations exempt from CFIUS’s authority certain types of transactions involving (i) single “housing units” or (ii) “urbanized areas” or “urban clusters” (defined by the US Census Bureau) that are not in close proximity to certain designated military installations or located within, or function as part of, covered ports.

According to the new regulations, certain foreign investors that satisfy certain criteria and have ties to “excepted real estate foreign states” (a term similar to the excepted foreign state concept discussed above) can also claim immunity from CFIUS jurisdiction under Part 802. At this stage, the list of those exempt states is limited to Australia, Canada, and the United Kingdom. Investors seeking to take advantage of these exemptions must be able to demonstrate, among other matters, that they have a history of complying certain laws, orders, and regulations relevant to national security matters.

The new regulations also contain exemptions to CFIUS’s jurisdiction in relation to (i) the lease or concession of real estate in air or maritime ports (a) only for the purpose of retail sales or (b) involving a foreign air carrier that has satisfied security program standards accepted by the Transportation Security Administration; (ii) the purchase, lease or concession of certain commercial space in multi-unit commercial buildings; or (iii) real estate owned by Alaska Natives or held in trust by the United States for certain native populations. Regulators have carefully crafted the language concerning all of the above exemptions. Parties are well advised to review the specific provisions of the new regulations before relying on an exemption.

While many real estate transactions were already subject to CFIUS jurisdiction, the final regulations make clear that real estate transactions subject to Part 802 will be considered covered transactions subject to the CFIUS voluntary filing process, either in the form of a notice or a short-form declaration.  The new regulations on real estate transactions do not impose any mandatory filing requirement in this context. However, if a particular transaction involving real estate is also connected to a US business, then CFIUS regulations under Parts 800 and 801 will apply instead of Part 802. This could mean that a mandatory declaration must be filed if certain triggers are satisfied.

What’s next for CFIUS

The Treasury Department has made it clear that it views CFIUS’s role as evolving and anticipates issuing further regulatory amendments to account for changes in technology, data use, and the national security landscape. For instance, the Treasury Department intends to revise the mandatory declaration requirement for certain covered transactions involving critical technologies. At this stage, the mandatory declaration is triggered depending on whether the US business that is the subject of a covered transaction develops, produces, or tests a critical technology in relation to one or more pilot program industries identified by their North American Industry Classification System (NAICS) code. The private sector has criticized this reliance on the subjective and oftentimes challenging NAICS code system. The Treasury Department anticipates revising its criteria so that it shifts the emphasis on NAICS codes to one based upon export control licensing requirements. The timing for such a revision remains unclear. 

The Treasury Department also intends to review on a periodic basis the list of countries that qualify as excepted foreign states and excepted real estate foreign states. Certain countries may be added to that list, while others may be removed if they fail to meet certain national security standards.

Additionally, the new regulations impose an interim rule regarding the definition of “principal place of business.” This term is relevant to determining whether an investor is a foreign person subject to CFIUS jurisdiction as well as whether it can qualify for the excepted foreign state or excepted real estate foreign state exemptions discussed above. Under the interim rule, a principal place of business is defined as “the primary location where an entity’s management directs, controls, or coordinates the entity’s activities.” In the case of an investment fund, the principal place of business means the primary location “where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing partner, or equivalent.” CFIUS has invited the public to provide comments with respect to this definition within a 30 day timeframe.

Finally, as mentioned above, the new regulations do not impose any CFIUS filing fees, even though FIRRMA allows CFIUS to do so. The Treasury Department has stated that it will issue separate proposed regulations at a later date that address CFIUS’s fee authority. Presumably, the Treasury Department will allow for public comment on those proposed fee schedules.

Further assistance

DLA Piper maintains a robust, cross-disciplinary CFIUS practice consisting of corporate, regulatory, and government affairs professionals. Please feel free to contact any of our CFIUS attorneys below should you have any questions.

Christine Daya

Thomas M DeButts

Danish Hamid

Sarah E. Kahn

Richard Newcomb

Ignacio E. Sanchez

Lawrence E. Levinson



1Critical technologies are items subject to US export controls and other existing regulatory regimes, as well as emerging and foundational technologies that will soon be controlled pursuant to the Export Control Reform Act of 2018.

2Critical infrastructure covers systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on US national security. In certain cases, critical infrastructure could include (but is not limited to) internet/telecommunications networks, satellite systems, industrial resources, specialty metal facilities, energy sources and storage, oil pipelines, financial systems, rail lines, airports, maritime ports, and public water and treatment systems.

3Sensitive personal data includes, but is not limited to, financial, geolocation, electronic communication, and health data maintained or collected by US businesses that (i) target or tailor products or services to sensitive populations (including US military members or US federal government employees with national security responsibilities), (ii) cover over one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on more than one million individuals and such data is integrated into the US business’s primary products or services. Genetic test information is considered sensitive personal data as well irrespective of whether the US business satisfies items (i), (ii), or (iii) above.

4The Treasury Department anticipates revising the program from one based upon industry codes to one based upon export control licensing requirements, but the timing for such a revision remains unclear.  CFIUS will also consider the potential for an investor-specific waiver mechanism in the future.

5FOCI-mitigated entities include investors (i) subject to a security control agreement, special security agreement, voting trust agreement, or proxy agreement approved by a cognizant security agency to offset foreign ownership, control, or influence (FOCI), or (ii) operating under a valid facility clearance, pursuant to the National Industrial Security Program regulations.

6Part 800 maintains an exemption for “greenfield” investments made by foreign persons seeking to start a new business in the United States from scratch, subject to the applicability of Part 802.

Print