United States: CFIUS Review

This is an Insight article, written by a selected partner as part of GCR's co-published content. Read more on Insight

United States: national security review

The national security review process in the United States – often referred to as the Exon–Florio or the Committee on Foreign Investment in the United States (CFIUS) review process, after the relevant authorising statute and the interagency committee charged with conducting the reviews, respectively – has existed for decades. It originally focused, at least in practice, on the acquisition by foreign companies of US businesses directly or indirectly supplying the US Department of Defense, but especially after the 9/11 terrorist attacks, the concept of national security – and therefore the types of transactions subject to review under the regime – was broadened by statute and in practice. National security is an ever-evolving concept, and as cybersecurity concerns increase in the wake of suspected state-sponsored and other cyberattacks, CFIUS is focusing more on such concerns. Today, the national security review process can be an important part of many transactions, even though it remains voluntary.

Although submitting a transaction to CFIUS for a national security review is voluntary, the risk of not submitting a notification can be substantial because CFIUS can impose costly mitigation measures on a transaction, or the President can forcibly order the post-close divestment of a business or assets. The President has ordered the divestment or prohibition of only five transactions since the relevant statute was adopted in 1988.1 Most recently, in March 2018, President Trump prohibited Broadcom Limited (Broadcom) from completing its attempted hostile takeover of 5G leader Qualcomm Incorporated (Qualcomm). CFIUS had cited concerns with respect to Broadcom's relationships with Chinese companies and Qualcomm's ability to innovate in light of Broadcom's proposed debt financing for the takeover.2 The prohibition order was issued even though Broadcom was in the process of re-domiciling from Singapore to the United States, the completion of which arguably would have eliminated CFIUS' jurisdiction to review the transaction. Outright prohibition, however, is not the only way a deal can run into trouble: several transactions have garnered significant publicity as a result of US government opposition on national security grounds and have been subjected to delay, restructuring or abandonment.

Furthermore, filing ensures that government security clearances or licences issued under other federal regulations that are tied to the national security review process are not jeopardised. Notification also may insulate parties to a transaction from public and political criticism of a decision not to file a particularly sensitive transaction. Consequently, companies should consider the national security implications of cross-border transactions and draft appropriate provisions in transaction documents to address, among other things, conditions to closing, cooperation and risk sharing.

What is the regulation and who administers it?

The US national security review process is conducted pursuant to the Exon–Florio Amendment to the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007 (FINSA).3 FINSA grants the President the authority to review any merger, acquisition or takeover by or with any foreign person that could result in foreign control of any person engaged in interstate commerce in the United States (ie, a 'covered transaction'), and to suspend or prohibit any such transaction that threatens to impair the national security of the United States.

CFIUS is charged with conducting the national security review on behalf of the President pursuant to FINSA and, as appropriate, making a recommendation regarding presidential action. CFIUS is an interagency committee consisting of, as chair, the Secretary of the Treasury and, as members, the Secretaries of Commerce, State, Defense, Homeland Security and Energy, as well as the Attorney General, the United States Trade Representative, and the Director of the Office of Science and Technology Policy. The Secretary of Labor and the Director of National Intelligence serve as ex officio members. Other executive branch representatives observe and, as appropriate, participate in CFIUS' activities, including the Chairman of the Council of Economic Advisors, the Director of the Office of Management and Budget, the Assistant to the President for National Security Affairs, the Assistant to the President for Economic Policy, and the Assistant to the President for Homeland Security and Counterterrorism.4

In practice, CFIUS operates through staff representatives from each of the CFIUS member agencies, although FINSA strictly limits the ability of members to delegate authority for certain decisions. CFIUS reaches decisions by consensus, but any member may seek to have a transaction subjected to an investigation.

What is national security?

The Act does not define 'national security', but requires CFIUS, at a minimum, to consider the following factors:

• domestic production needed for projected national defence requirements;

• the capability and capacity of domestic industries to meet national defence requirements, including the availability of human resources, products, technology, materials and other supplies and services;

• the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security;

• the potential effects of the proposed or pending transaction on sales of military goods, equipment or technology to any country:

• identified by the Secretary of State as a country that supports terrorism, is a country 'of concern' regarding missile proliferation or the proliferation of chemical and biological weapons, or is listed on the Nuclear Non-Proliferation Special Country List; or

• that poses a potential regional military threat to the interests of the United States;

• the potential effects of the proposed or pending transaction on US international technological leadership in areas affecting US national security; and

• the potential for national security-related effects from the acquisition of US critical technologies and infrastructure, including energy.5

Critical technologies are defined by reference to a number of export control regulations, including, among others, the International Traffic in Arms Regulation (ITAR) and the Export Administration Regulation.6

Critical infrastructure is defined as those systems and assets, whether physical or virtual, that are so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.7

What is a covered transaction?

FINSA applies to any 'covered transaction', defined in the relevant regulations as a transaction by or with any foreign person that could result in direct or indirect control of a US business by a foreign person.8 Each of these terms is further defined in the regulations.

A 'transaction' includes mergers, acquisitions or takeovers, and can include the acquisition of an ownership interest, the conversion of convertible voting instruments (whether debt or equity) and the formation of a joint venture.9

The concept of control is broader than in the US antitrust context because it is based on function rather than structure. Control turns on the ability to determine, direct or decide important matters affecting an entity, and the regulations specifically recognise dominant minority control.10 In practice, CFIUS interprets control very broadly.

Foreign persons include any foreign national, foreign government or foreign entity, or any entity over which control is exercised or exercisable by a foreign national, foreign government or foreign entity.11

A US business is one engaged in interstate commerce in the United States and thus is not limited to businesses incorporated in the United States.12 Accordingly, FINSA may be implicated when a foreign entity acquires another foreign entity and indirectly acquires its US subsidiary.

What information is required in a filing?

The notification must include substantial information regarding the nature of the transaction, the nature of the business to be acquired and the identity of the foreign acquiring person. The specific information that must be included is outlined in the regulations.13 With respect to the US business to be acquired, CFIUS requires information about, among other things, its US government contracts, clearances and licences. With respect to the foreign acquiring person, information must be provided regarding its ownership structure, and certain 'personal identifier information' must be provided about its board of directors and executive management to permit background checks to be conducted by the US government.

What is the review period?

Formal acceptance of a properly prepared notice triggers an initial 30 calendar day review of the notified transaction. The regulations recommend that the parties informally file a draft notice at least five business days in advance of formally filing a notification. While not required, most parties submit a draft as a matter of practice because CFIUS has the discretion to reject a notification as incomplete (thereby delaying the start of the review period). In practice, CFIUS requires the notification to be submitted jointly (when the transaction is not hostile) and no filing fee is required. It typically takes from several weeks to several months before a notification is accepted as complete and the initial review clock starts.

By the end of the 30-day period, CFIUS must decide whether to clear the transaction if it perceives no potential risk to national security, or to initiate an additional 45-calendar-day investigation. During either the 30-day or the 45-day period, CFIUS can request additional information and the parties are required to respond within three business days. Furthermore, CFIUS may decide during either the 30-day or the 45-day period to issue a no-action letter or to require the parties to enter into a mitigation agreement to resolve any potential national security concerns. Alternatively, at the end of a 45-day investigation, CFIUS may refer the matter to the President. The President then has 15 calendar days to take any action, which must be publicly announced. If a transaction involves either a foreign government-controlled entity or US critical infrastructure, FINSA requires CFIUS to proceed with a 45-day investigation unless expressly waived by the relevant CFIUS member agencies.

The CFIUS review process recently has become more time-consuming and intensive. Historically, CFIUS has reviewed fewer than 200 transactions per year,14 although CFIUS reviewed almost 240 cases in 2017, and likely will surpass that number in 2018. For the last three years for which data has been reported (between 2013 and 2015), CFIUS reviewed 129 filings per year on average, of which approximately 43 per cent involved an extended investigation. We estimate that CFIUS is now sending at least 75 per cent of cases into an investigation.

What powers does CFIUS have?

CFIUS has the authority to review a covered transaction and to impose mitigation measures to address any national security concerns, although in practice such measures typically are negotiated. Mitigation measures may be imposed only after CFIUS has identified a specific US national security concern and determined that a mitigation measure is reasonably necessary to resolve that concern. Nonetheless, CFIUS has broad authority to develop mitigation measures, although it uses that authority in only a handful of cases each year. Between 2013 and 2015, only 40 cases (10 per cent) resulted in the use of legally binding mitigation measures. In 2015, mitigation measures were applied to 11 different acquisitions.15

Mitigation measures vary on a case-by-case basis and have included, for example, commitments with respect to domestic production, cybersecurity measures, or government access to assets, such as computer servers or telecommunications networks for law enforcement purposes. More invasive mitigation measures may include a requirement to establish certain corporate firewall procedures between the US business and its foreign parent or to terminate certain activities of the US business.

While CFIUS is charged with reviewing a transaction and imposing mitigation measures where warranted, FINSA grants the President, and only the President, the authority to suspend or prohibit a covered transaction. CFIUS therefore must refer a transaction to the President if CFIUS recommends that it be suspended or prohibited and the parties are unwilling to abandon the transaction. If CFIUS fails to reach a consensus for a particular case, CFIUS must also send a report outlining the divergent opinions and recommendations to the President. To exercise the authority to suspend or prohibit a transaction, the President must find both that there is credible evidence that a 'foreign interest exercising control might take action that threatens to impair the national security', and that other laws do not, in the President's judgment, 'provide adequate and appropriate authority' to protect the national security. Presidential action is rare, partly because mitigation measures often address national security concerns, and partly because parties typically abandon a transaction before CFIUS actually refers the case to the President with a prohibition recommendation.

Determinations by CFIUS or the President under FINSA are not subject to judicial review. The exemption from judicial review was confirmed by the district court for the District of Columbia in 2013 when Ralls sought to have a presidential order requiring it to divest its interest in certain Oregon wind farms overturned by the court. The district court ruled that the merits of the President's decision were not subject to judicial review and that a party that completes a covered transaction without clearance assumes the risk of doing so.16 On appeal, the Court of Appeals for the District of Columbia Circuit agreed that the President's decision was not subject to judicial review but held that the 'presidential order deprived Ralls of constitutionally protected property interests without due process of law' and instructed that upon remand, Ralls be given access to unclassified evidence in support of the decision.17 On remand, the District Court ordered CFIUS to provide all unclassified information on which it relied for its decision, afford Ralls an opportunity to respond to that information, and provide Ralls' response to the information along with CFIUS' updated recommendation to the President.18 The parties ultimately resolved the case via settlement.

Involvement of third parties?

The CFIUS process is confidential and third parties have no right to participate in the process. CFIUS deliberates only among itself, without seeking input from private parties. Other federal (eg, members of Congress), state (eg, governors) and local government officials (eg, mayors) as well as trade or industry groups often informally contribute to the review process and occasionally take a public position or write to CFIUS regarding the national security implications of specific transactions. This typically occurs when publicly reported transactions involve politically sensitive issues. As a result, it may be prudent to engage public and government relations experts to contact third-party constituencies.

What types of transactions are subject to review?

Because the national security review process is confidential, CFIUS is prohibited from disclosing information about particular cases under review. Since 2008, CFIUS has published an annual report of aggregated case statistics; however, CFIUS has not yet published annual reports for either 2016 or 2017. The annual reports show that transactions involving acquiring parties from the United Kingdom, Canada, France and Israel historically accounted for a significant percentage of transactions reviewed by CFIUS. In fact, the United Kingdom alone typically accounts for 20 to 30 per cent of cases reviewed each year. However, from 2013 to 2015, CFIUS reviewed more transactions involving Chinese acquiring persons than from any other jurisdiction.19 The number of transactions reviewed involving Chinese acquiring persons has grown substantially, from one in 2005 to 29 in 2015. We expect that the 2016 and 2017 annual reports will confirm that this trend has continued.

CFIUS' purview is not restricted to any specific sector and it has reviewed transactions dealing with information technologies, network security, cyber systems, energy (development and transport), semiconductors, aerospace, telecommunications, optics, robotics, mining and natural resources, plastics and rubber, automotive, financial services, coatings and adhesives, chemicals, insurance, and steel. The annual reports provide information at a very general level regarding the industries involved in transactions subject to CFIUS review. The annual reports show that transactions involving manufacturing typically account for the highest percentage of cases reviewed by CFIUS, with the finance, information and services sector accounting for the second-highest percentage.20 Within the manufacturing sector, transactions involving the acquisition of a manufacturer of computer and electronic products accounted for the largest percentage of transactions reviewed between 2013 and 2015, followed by acquisitions of machinery manufacturers and transportation equipment.21

To file or not to file?

Because the national security regime is voluntary, counsel for the parties to a transaction typically consult with each other with respect to the national security profile of a particular transaction in order to determine whether a filing is warranted. In practice, there can be two-way due diligence: buyer considers target's US business activity, licences and clearances to determine whether to file; target considers buyer's track record of compliance with certain laws and national origin as well as track record, if any, with CFIUS reviews, to determine the risk buyer poses to clearance (especially in an auction).

As noted above, there is no legal obligation to file, but a filing potentially offers a number of benefits:

• obtaining a no-action letter provides a safe harbour against future presidential action, provided parties comply with obligations under FINSA;

• filing may ensure that relevant government security clearances and licences are not jeopardised, which would negatively affect the ability to do business;

• in practice, related regulations involving clearances and licences require parallel notifications (eg, one under FINSA and one under the ITAR); and

• filing and observing the waiting periods may avoid public and political criticism.

Factors that tend to suggest that a filing should be made include the following.

• Does the target have classified contracts or access to classified information requiring facility or personnel security clearances?

• Does the target have any non-classified (prime or sub) contracts related to defense, homeland security, or law enforcement?

• Does the target have any potentially sensitive advanced or emergent technology?

• Does the target have any large or particularly sensitive data set containing personally identifiable information on US citizens?

• Is the target business in critical infrastructure?

• Are the target's exports (including data) subject to the ITAR or other export restrictions?

Any filing analysis must also consider that CFIUS may proactively contact parties involved in a transaction that CFIUS thinks implicates national security to encourage the parties to notify a transaction, before or after closing. Although this occurs infrequently, it does happen. For instance, in 2016, China's Fosun International Ltd (Fosun) divested its 2015 acquisition of American insurer Ironshore Inc after CFIUS raised apparent concerns. Fosun did not initially notify the transaction, but was contacted by CFIUS after closing and asked to submit a notification.22


In cross-border transactions involving the acquisition of a US business, it is important to consider not only the merger control implications but also the potential national security implications of a transaction. As outlined above, the US national security review process is not limited by industry and could potentially apply to any sector. If a transaction might implicate US national security issues, it is important to determine whether the issues are significant enough to warrant a filing and, if so, to ensure the relevant transaction document accounts for the process and risk. Furthermore, it is important to engage with CFIUS to try to ensure a timely and efficient review process, as well as, in some cases, applicable third-party constituencies such as customers (eg, if a target company does significant business with the US Department of Defense or a US defense contractor). Finally, although CFIUS review is an important consideration for any multinational transaction, it is not the only one: the US process should be considered along with those of other countries that also have foreign investment review regimes, including, for example, Canada, China, France and Germany.


1 President George H W Bush issued an Executive Order in 1990 that directed China National Aero-Technology Import and Export Corporation (CATIC) to divest all interests in the Seattle-based company Mamco, a manufacturer of aircraft components. 55 FR 3935 (1990). President Barack Obama issued two Executive Orders, one in 2012 that directed Ralls Corporation (Ralls) to divest its interests in four wind farms in Oregon, and one in 2016 that prohibited Grand Chip Investment (GCI) GmbH, a German entity owned by China's Fujian Grand Chip Investment Fund LP, from purchasing the US business of Aixtron SE (Aixtron), a German semiconductor equipment supplier. See, respectively 77 FR 60281 (2012) and 81 FR 88607 (2016). President Trump issued an Executive Order in September 2017 that prohibited China Venture Capital Fund Corporation Limited's US affiliate Canyon Bridge Capital Investment Limited from acquiring Lattice Semiconductor Corporation, a Delaware corporation. 82 FR 43665 (2017).

2 President Trump issued an Executive Order in March 2018 that prohibited Broadcom Limited from completing its attempted takeover of Qualcomm Incorporated. See 83 FR 11631 (2018).

3 50 USC Section 4565.

4 These members were appointed pursuant to Executive Order 11858 (23 January 2008).

5 50 USC Section 4565(f).

6 50 USC Section 4565(a)(7).

7 50 USC Section 4565(a)(6).

8 31 CFR Section 800.207. Legislation is pending in the US Congress to expand the scope of covered transactions to include acquisitions of real estate, contributions of intellectual property, and minority acquisitions that provide access to non-public information regardless of whether they otherwise provide an indicia of control.

9 31 CFR Section 800.224.

10 31 CFR Section 800.204.

11 31 CFR Section 800.216.

12 31 CFR Section 800.226.

13 31 CFR Section 800.401.

14 The number of notices filed each year has varied widely; for example, from 65 in 2009 to 143 in 2015. Committee on Foreign Investment in the United States Annual Report to Congress for CY2015, www.treasury.gov/resource-center/international/foreign-investment/Documents/Annual%20Report%20to%20Congress%20for%20CY2015.pdf (CFIUS CY2015 Annual Report).

15 CFIUS CY2015 Annual Report.

16 Ralls Corporation v Committee on Foreign Investment in the United States, 926 F Supp 2d. 71 (DDC 2013).

17 Ralls Corporation v Committee on Foreign Investment in the United States, 758 F.3.d 296, 325 (DC Cir 2014).

18 Order, Ralls Corporation v Committee on Foreign Investment in the United States, No. 12-cv-01513-ABJ (DC Cir 13 March 2015) (ECF No. 73).

19 CFIUS CY2015 Annual Report.

20 Id.

21 Id.

22 Roumeliotis, Greg, 'US watchdog expands scrutiny to more Chinese deals,' Reuters (11 October 2016).

Unlock unlimited access to all Global Competition Review content