United States: CFIUS Review

National security review

The national security review process in the United States, conducted by the Committee on Foreign Investment in the United States (CFIUS), has existed for decades. It originally focused, at least in practice, on the acquisition by foreign companies of US businesses directly or indirectly supplying the US Department of Defense, but, especially after the 9/11 terrorist attacks, the concept of national security – and therefore the types of transactions subject to review under the regime – was broadened by statute and in practice. National security is an ever-evolving concept, and its expansion in recent years has been fuelled by rapid advancements in technology, increasing digitalisation, increasingly globalised supply chains, and the appearance of China as a significant investor and technological competitor.

These developments prompted CFIUS to become much more active in recent years, and led Congress to pass the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which is the most sweeping reform of CFIUS in the past 30 years. FIRRMA significantly expanded CFIUS’ jurisdiction, implemented a number of process changes and strengthened CFIUS’ authorities, such as the authority to share information with foreign governments, mandate filings, enforce voluntary divestments, enforce mitigation and fund operations. While some portions of FIRRMA are immediately effective, other portions will not become effective until implementing regulations are finalised, which must occur by February 2020.

Especially in light of FIRRMA, CFIUS has become an important determinant of the success or failure of many transactions. It is important for parties to transactions to consider whether to file with CFIUS because, in some instances as a result of FIRRMA, the submission of a filing is mandatory, and even where there is no mandatory filing, CFIUS has broad authority to act on transactions even after they have closed.

Although submitting a transaction to CFIUS for national security review has historically been voluntary, FIRRMA established for the first time a mandatory filing requirement for investments made by foreign government-controlled entities and empowered CFIUS to subject other types of transactions to a mandatory filing requirement. ¹ Pursuant to this new authority, CFIUS launched a pilot programme, effective 10 November 2018, mandating that parties notify CFIUS of certain foreign investments in ‘pilot programme US businesses’. Under this pilot programme, parties must submit a filing to CFIUS if their transaction involves a controlling or otherwise non-passive investment (ie, an investment that provides the investor with certain rights, such as board representation or certain governance or access rights) by a foreign person in a US business when the US business is involved with critical technology (defined with reference to export control laws) and is active in, or designs products for, specified industries. Parties can be fined up to the transaction value for failure to file when required. The current pilot programme regulations are in place until no later than 5 March 2020. ²

Even when the mandatory filing requirement is inapplicable, parties may still choose voluntarily to submit a notice for review with respect to any transaction subject to CFIUS’ jurisdiction. The risk of not submitting a notice voluntarily can be substantial, because CFIUS can take action even after the parties close the transaction, up to and including recommending that the President order the foreign owner to divest the acquired business. The President has formally ordered the divestment or prohibition of only five transactions since the relevant statute was adopted in 1988. ³ However, foreign owners have agreed to voluntarily divest their interest in a US business in many instances in light of CFIUS opposition, before CFIUS referred the transaction to the President for a formal order of divestment. For instance, earlier this year, China-based Beijing Kunlun Tech Co Ltd entered into an agreement with CFIUS to divest the online dating site, Grindr LLC, due to data security concerns after Kunlun acquired control of Grindr without advance CFIUS review. ⁴ In such a circumstance, the foreign person may not be able to recoup the original value of his or her investment.

Notification and CFIUS clearance also may insulate parties to a transaction from public and political criticism that the transaction threatens US national security. Consequently, companies should consider the national security implications of cross-border transactions and draft appropriate provisions in transaction documents to address, among other things, conditions to closing, cooperation and risk-sharing.

What is the regulation and who administers it?

The US national security review process is conducted pursuant to section 721 of the Defense Production Act of 1950 (Section 721), as amended (most recently by FIRRMA). ⁵ Section 721 grants the President the authority to suspend or prohibit in whole or in part certain enumerated trans­actions if they threaten to impair the national security of the United States.

CFIUS is charged with conducting the national security review on behalf of the President pursuant to Section 721 and, as appropriate, making a recommendation regarding presidential action. CFIUS is an interagency committee consisting of, as chair, the Secretary of the Treasury and, as members, the Secretaries of Commerce, State, Defense, Homeland Security and Energy, as well as the Attorney General, the United States Trade Representative, and the Director of the Office of Science and Technology Policy. The Secretary of Labor and the Director of National Intelligence serve as ex officio members. Certain other White House officials, such as Chair of the Council of Economic Advisors, the Director of the Office of Management and Budget, the Assistant to the President for National Security Affairs and the Assistant to the President for Economic Policy, observe and, as appropriate, participate in CFIUS’ activities. ⁶

In practice, CFIUS operates through staff representatives from each of the CFIUS member agencies, although Section 721 strictly limits the ability of members to delegate authority for certain decisions. CFIUS reaches decisions by consensus, but certain actions may be triggered by an individual member agency.

What is national security?

Section 721 does not define ‘national security’, but specifies that CFIUS, at a minimum, may consider the following factors:

• domestic production needed for projected national defence requirements;
• the capability and capacity of domestic industries to meet national defence requirements, including the availability of human resources, products, technology, materials, and other supplies and services;
• the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security;
• whether the transaction is a foreign government-controlled transaction;
• whether the transaction involves a country that does not adhere to non-proliferation regimes or cooperate on counterterrorism efforts, presents a risk for transhipment or diversion of technologies,
• the potential effects of the proposed or pending transaction on sales of military goods, equipment or technology to any country:
  • identified by the Secretary of State as a country that supports terrorism, is a country ‘of concern’ regarding missile proliferation or the proliferation of chemical and biological weapons, or is listed on the Nuclear Non-Proliferation Special Country List; or
  • that poses a potential regional military threat to the interests of the United States;
• the potential effects of the proposed or pending transaction on US international technological leadership in areas affecting US national security; and
• the potential for national security-related effects from the acquisition of US critical techno­logies and infrastructure, including energy. ⁷

Critical technologies are defined by reference to a number of export control regulations, including, among others, the International Traffic in Arms Regulation and the Export Administration Regulation. ⁸ Companion export control reform legislation enacted along with FIRRMA provides that critical technologies will be expanded to include ‘emerging and foundational technologies’ as classified by the US Department of Commerce. ⁹ Critical infrastructure is defined as those systems and assets, whether physical or virtual, that are so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security. ¹⁰

What is a covered transaction?

The definition of a ‘covered transaction’ was substantially revised by FIRRMA. Pre-FIRRMA, a covered transaction was any transaction by or with a foreign person that could result in foreign control (direct or indirect) of a US business, ¹¹ including a transfer of control of a US business from one foreign person to another. Each of these terms is further defined in the regulations.

A ‘transaction’ included mergers, acquisitions or takeovers, and leases under certain circumstances, and could include the acquisition of an ownership interest, the conversion of convertible voting instruments (whether debt or equity) or the contribution of a US business to a joint venture. ¹²

The concept of control is broader than in the US antitrust context, because it is based on function rather than structure. Control turns on the ability to determine, direct or decide important matters affecting an entity, and the regulations specifically recognise dominant minority control. ¹³ In practice, CFIUS interprets control very broadly. An investor, for example, could be determined to have control of a US business if it has consent rights or the ability to block decisions on important matters.

Foreign persons include any foreign national, foreign government or foreign entity, or any entity over which control is exercised or exercisable by a foreign national, foreign government or foreign entity. ¹⁴

A US business is one engaged in interstate commerce in the United States and thus is not limited to businesses incorporated in the United States. ¹⁵

CFIUS’ jurisdiction thus historically turned on whether a foreign person was acquiring control. FIRRMA expands the scope of transactions subject to CFIUS’ jurisdiction in a number of material ways. First, stand-alone acquisitions, leases or concessions of real estate in certain instances will be subject to CFIUS jurisdiction, even if the transaction does not involve the acquisition of an existing US business. ¹⁶ Second, CFIUS will have jurisdiction to review ‘other investments’ by foreign persons – namely non-passive investments not amounting to control – in US businesses involving critical infrastructure, critical technologies or sensitive personal data. ¹⁷ ‘Other investment’ is defined by reference to access and governance rights rather than a specific investment threshold.

Is a filing mandatory?

Only certain transactions falling within CFIUS’ jurisdiction must be notified to CFIUS. FIRRMA provides that investments made by foreign government-controlled persons in a US business involved in critical infrastructure, critical technology or sensitive personal data must be notified to CFIUS, and permits CFIUS to implement certain other mandatory notice requirements.

As discussed above, CFIUS implemented its first mandatory filing obligation in November 2018 pursuant to the pilot programme. Parties to a transaction subject to the pilot programme must submit a filing to CFIUS – whether a declaration or notice as discussed below – when the relevant US business manufactures, produces, fabricates, develops, tests or designs critical technology where it is using that technology for its activities in, or designing it for, one of 27 specified ‘pilot programme industries’. These industries include, among others, the manufacturing of petrochemicals, semiconductors, computers, chemicals, transformers and primary and storage batteries, and tele­communications equipment; the manufacturing of certain defence systems; nuclear power generation; and biotechnology research and development. ¹⁸

When a mandatory filing obligation is not triggered, counsel for the parties to a transaction typically assess the national security profile of a particular transaction to determine whether the submission of a voluntary filing is warranted. As discussed in the initial section of this overview, any filing analysis must also consider that CFIUS may proactively contact parties involved in a transaction that CFIUS thinks implicates national security to encourage the parties to notify a transaction, before or after closing. Although this occurs infrequently, it does happen. FIRRMA directs CFIUS to increase its monitoring of non-notified transactions. ¹⁹

In practice, assessing the CFIUS risk in a transaction can involve two-way due diligence: the buyer considers the target’s US business activity, technology, contractual relationships, licences and security clearances to determine whether to file; the target considers the buyer’s track record of compliance with certain laws and the strategic relationship of the United States with the buyer’s country, as well as the buyer’s track record, if any, with CFIUS reviews, to determine the risk the buyer poses to clearance (especially in an auction).

Factors that tend to suggest that a filing should be made include, for example, the following:

• Does the target have classified contracts or access to classified information requiring facility or personnel security clearances?
• Does the target have any non-classified (prime or sub) contracts related to defence, homeland security or law enforcement?
• Does the target have any potentially sensitive advanced, emerging or export-controlled technology?
• Does the target have access to any large or particularly sensitive data set containing personally identifiable information on US citizens?
• Is the target business in critical infrastructure?

What information is required in a filing?

The information needed to complete a filing depends on whether a ‘declaration’ or a ‘notice’ is being filed. The declaration is a new form that is more streamlined and limited than the traditional full notice. ²⁰ Currently, only transactions that fall within the pilot programme may be the subject of a declaration. Once the final rules implementing FIRRMA are issued, all transactions can be submitted as declarations. The declaration requires information regarding the nature of the transaction, the business activities of the parties to the transaction, the rights that the foreign person will receive as a result of the transaction and the critical technologies that are designed, produced or tested by the US business.

A notice must include substantial information regarding the nature of the transaction, the nature of the business to be acquired, identification of its government contracts and information about the identity of the foreign acquiring person, including (unlike for declarations) extensive personal identifier data for all officers and directors in the ownership chain between the direct acquirer and the ultimate foreign parent to permit background checks to be conducted by the US government. The specific information that must be included is outlined in the regulations. ²¹

What is the review period?

The applicable review period and process depends on whether a declaration or notice is submitted.

If a transaction is subject to the pilot programme’s mandatory filing requirement, the parties must file a declaration not later than 45 days before closing. Following submission of the declaration, CFIUS has 30 days to review the transaction. There are no pre-filing discussions, but CFIUS can request additional information during its review and the parties must provide the information within two business days. At the end of the 30 days, CFIUS can (i) request a full notice from the parties, (ii) state that it had insufficient information to complete its review, leaving the parties without a definitive outcome, (iii) unilaterally initiate a review as if based on a full notice or (iv) inform the parties that it will take no further action, providing the parties safe harbour for that transaction. ²² Because it is possible that the parties may need to submit a full notice after submitting a declaration, parties need to consider on a case-by-case basis the likelihood of a non-definitive outcome and whether it makes sense to skip the declaration and file a full notice in the first instance. The rules allow submission of a full notice in lieu of a declaration to satisfy the mandatory filing requirement.

Submission of a notice under the voluntary regime is generally preceded by a pre-filing period. The regulations recommend that the parties informally file a draft notice at least five business days in advance of formally filing a notice; in practice, parties informally file in draft at least several weeks before filing a final notice. Though not required, most parties submit a draft as a matter of course because CFIUS has the discretion to reject a notice as incomplete (thereby delaying the start of the review period). It typically takes from several weeks to a couple of months from submission of the draft before a notice is accepted as complete and the initial review clock starts. In practice, CFIUS requires the notice to be submitted jointly (when the transaction is not hostile) and no filing fee is currently required, although FIRRMA provides CFIUS the option of imposing one. ²³

Formal CFIUS acceptance of a properly prepared notification triggers an initial 45-calendar day ‘review’ of the notified transaction. By the end of the initial 45-day period, CFIUS must decide whether to clear the transaction if it perceives no potential risk to national security or initiate an additional 45-calendar day ‘investigation’, which can be extended by an additional 15 days in extraordinary circumstances. During either the review or investigation, CFIUS can request additional information and the parties are required to respond within three business days. Furthermore, CFIUS may decide during either the review or investigation to issue a clearance letter or require the parties to enter into a mitigation agreement to resolve any potential national security concerns. Alternatively, at the end of a 45-day investigation, CFIUS may refer the matter to the President. The President then has 15 calendar days to take any action, which must be publicly announced. If a transaction involves either a foreign government-controlled entity or US critical infrastructure, Section 721 requires CFIUS to proceed with a 45-day investigation unless expressly waived by the relevant CFIUS member agencies.

The CFIUS review process has recently become more time-consuming and intensive. Historically, CFIUS has reviewed fewer than 200 transactions per year, ²⁴ but it reviewed almost 240 cases of increased complexity in both 2017 and 2018, resulting in long lead times as CFIUS tried to juggle its caseload. For the past three years for which data has been reported (between 2013 and 2015), CFIUS reviewed 129 filings per year on average, of which approximately 43 per cent involved an extended investigation. We estimate that CFIUS is now sending at least 60 per cent of cases into an investigation.

What powers does CFIUS have?

CFIUS has the authority to review a covered transaction and impose mitigation measures to address any national security concerns, although in practice these measures typically are negotiated. Mitigation measures may be imposed only after CFIUS has identified a specific US national security concern and determined that other government authorities (such as export controls) are not sufficient to resolve that concern. Nonetheless, CFIUS has broad authority to develop mitigation measures, although it uses that authority in only a handful of cases each year. Between 2013 and 2015, only 40 cases (10 per cent) resulted in the use of legally binding mitigation measures. In 2015, mitigation measures were applied to 11 different acquisitions. ²⁵

Mitigation measures vary on a case-by-case basis and have included, for example, commitments with respect to domestic production, cybersecurity measures or government access to assets, such as computer servers or telecommunications networks for law enforcement purposes. More invasive mitigation measures may include a requirement to establish certain corporate firewall procedures between the US business and its foreign parent, or terminate certain activities of the US business.

While CFIUS is charged with reviewing a transaction and imposing mitigation measures where warranted, Section 721 grants the President, and only the President, the authority to suspend or prohibit a covered transaction. Therefore, if CFIUS seeks to prohibit a transaction and the parties are unwilling to voluntarily abandon the transaction, CFIUS must refer the transaction to the President for action. Though unlikely to occur in practice, if CFIUS fails to reach a consensus for a particular case, CFIUS must also send a report outlining the divergent opinions and recommendations to the President. To exercise the authority to suspend or prohibit a transaction, the President must find both that there is credible evidence that a ‘foreign interest exercising control might take action that threatens to impair the national security’ and that other laws do not, in the President’s judgement, ‘provide adequate and appropriate authority’ to protect national security. Presidential action is rare, partly because mitigation measures often address national security concerns, and partly because parties typically abandon a transaction before CFIUS actually refers the case to the President with a prohibition recommendation.

Determinations by the President under Section 271 are not subject to judicial review. The exemption from judicial review was confirmed by the district court for the District of Columbia in 2013 when Ralls sought to have a presidential order requiring it to divest its interest in certain Oregon wind farms overturned by the court. The district court ruled that the merits of the President’s decision were not subject to judicial review and that a party that completes a covered transaction without clearance assumes the risk of doing so. ²⁶ On appeal, the Court of Appeals for the District of Columbia Circuit agreed that the President’s decision was not subject to judicial review but held that the ‘presidential order deprived Ralls of constitutionally protected property interests without due process of law’ and instructed that, upon remand, Ralls be given access to unclassified evidence in support of the decision. ²⁷ On remand, the District Court ordered CFIUS to provide all unclassified information on which it relied for its decision, afford Ralls an opportunity to respond to that information, and provide Ralls’ response to the information along with CFIUS’ updated recommendation to the President. ²⁸ The parties ultimately resolved the case via settlement. Although CFIUS determinations are theoretically reviewable, this has limited practical implications because CFIUS concerns are generally either resolved through mitigation that the parties voluntarily undertake or the matter is referred to the President, whose decision is not reviewable.

Involvement of third parties?

CFIUS members deliberate only among themselves, without seeking input from private third parties. The CFIUS process (unless the matter is referred to the President) is confidential, and third parties have no right to participate in the process. Nonetheless, members of Congress, trade or industry groups, and competitors regularly take a public position or write to CFIUS regarding the national security implications of specific transactions. Even to the extent that CFIUS does not formally engage with these outside parties, this pressure can pose political and commercial challenges to the transaction. As a result, it may be prudent to engage public and government relations experts to contact third-party constituencies.

What types of transactions are subject to review?

Because the national security review process is confidential, CFIUS is prohibited from disclosing information about particular cases under review. Since 2008, CFIUS has published an annual report of aggregated case statistics; however, CFIUS has not published annual reports for 2016, 2017 or 2018. The annual reports show that transactions involving acquiring parties from the United Kingdom, Canada, France and Israel historically accounted for a significant percentage of transactions reviewed by CFIUS. In fact, the United Kingdom alone typically accounts for 20 to 30 per cent of cases reviewed each year. However, from 2013 to 2015, CFIUS reviewed more transactions involving Chinese acquiring persons than from any other jurisdiction. ²⁹ The number of transactions reviewed involving Chinese acquiring persons has grown substantially, from one in 2005 to 29 in 2015. We expect that the 2016, 2017 and 2018 annual reports will confirm that this trend continued, though it likely flattened out in 2018 and 2019 as the overall volume of Chinese merger and acquisition activity in the United States dropped.

CFIUS’ purview is not restricted to any specific sector, and it has reviewed transactions dealing with information technologies, network security, cyber systems, energy (development and transport), semiconductors, aerospace, telecommunications, optics, robotics, mining and natural resources, agriculture, plastics and rubber, automotive, financial services, coatings and adhesives, chemicals, insurance and steel. The annual reports provide information at a very general level regarding the industries involved in transactions subject to CFIUS review. The annual reports show that transactions involving manufacturing typically account for the highest percentage of cases reviewed by CFIUS, with the finance, information and services sectors accounting for the second-highest percentage. ³⁰ Within the manufacturing sector, transactions involving the acquisition of a manufacturer of computer and electronic products accounted for the largest percentage of transactions reviewed between 2013 and 2015, followed by acquisitions of machinery manufacturers and transportation equipment. ³¹

Conclusion

In cross-border transactions involving the acquisition of a US business, it is important to consider not only the merger control implications but also the potential national security implications of a transaction. As outlined above, the US national security review process is not limited by industry and could potentially apply to any sector. It is important to consider whether a filing is mandatory and, even if it is not, whether the transaction might implicate US national security issues that are significant enough to warrant a filing and, if so, to ensure the relevant trans­action document accounts for the process and risk. Furthermore, it is important to engage with CFIUS to try to ensure a timely and efficient review process, and that any remedies are narrowly tailored and do not significantly impair the benefit that the parties expect from the transaction, and, in some cases, to engage with applicable third-party constituencies such as customers (eg, if a target company does significant business with the US Department of Defense or a US defence contractor). Finally, although CFIUS review is an important consideration for any multinational transaction, it is not the only one: the US process should be considered along with those of other countries that also have foreign investment review regimes, including, for example, Canada, China, France and Germany.

Notes