New FIRRMA Regulations – Navigating a Changing FDI Review Environment

Key Takeaways

• The U.S. Department of the Treasury published new proposed rules to implement FIRRMA’s expansion of CFIUS jurisdiction over certain non-controlling investments and certain real estate transactions. The public comment period will run through October 17, 2019.  The new regulations will take effect no later than February 13, 2020.
• Proposed rules focus on non-controlling investments in “TID” U.S. businesses (Technology, Infrastructure, and Data) and certain real estate transactions involving sensitive locations.
• Mandatory declarations will be required for “substantial” foreign government investments in TID U.S. businesses.
• Proposed rules contemplate exceptions from review for investments by identified foreign persons from a to-be-determined list of closely-aligned non-U.S. countries.
• No current changes to FIRRMA Pilot Program on critical technologies (31 C.F.R. part 801).
• The carve-out for limited partner investments through an investment fund initiated with the FIRRMA Pilot Program is carried over into TID and covered real estate transactions.
• No changes to CFIUS’s existing jurisdiction over transactions that could result in foreign control of a U.S. business.
• U.S. businesses, counsel, and investors will need to navigate the CFIUS process and consider mitigation measures for a much broader set of transactions than before.

New Proposed Regulations

On September 17, 2019, the U.S. Department of the Treasury (“Treasury”) announced two new proposed regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”).  FIRRMA significantly expanded the jurisdiction and resources of the Committee on Foreign Investment in the United States (“CFIUS”). As detailed in previous Ankura alerts (06/18/18; 10/17/18; and 01/14/19), heightened national security concerns culminated in Congress’s passage of FIRRMA in August 2018 and the subsequent issuance of interim regulations via a pilot program in connection with U.S. businesses involved in “emerging and foundational technologies” in October 2018. The pilot program was intended to address the perceived growing threat of foreign direct investment (“FDI”) being exploited for purposes harmful to U.S. national security.

The first proposed regulation focuses on certain non-controlling investments in TID U.S. businesses, while the second proposed regulation focuses on real estate transactions.  The proposed regulations are voluminous and introduce numerous new terms and provisions.  As summarized below, the proposed regulations extend CFIUS’s jurisdiction to a significantly broader class of FDI transactions and will require companies, counsel, advisors, and investors to conduct additional diligence and mitigation planning for transactions in a variety of industries and contexts.

Treasury will accept written public comments on the proposed regulations through October 17, 2019 (see the proposed regulations for information on submitting comments). This will enable Treasury to better refine the proposed regulations and issue final versions by the FIRRMA-imposed deadline of February 13, 2020.

Non-Controlling Investments in TID U.S. Businesses

Before FIRRMA, CFIUS jurisdiction covered only transactions that could result in foreign control of a U.S. business. The first proposed regulation implements FIRRMA’s extension of CFIUS jurisdiction to cover transactions involving non-controlling investment by a foreign person when: (1) the target U.S. business is involved in TID activities or industries, and (2) the investment provides the foreign person with the ability to access certain types of information, management rights, or involvement in decision-making.

In short, under the proposed regulation, a non-controlling investment in a TID U.S. business will fall under CFIUS’s purview (and thus be a “covered investment”) if:

1. The target U.S. business:
   • produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies;
   • owns, operates, manufactures, supplies, or services critical infrastructure; or
   • maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.

2. The foreign person is given any of the following as a result of the investment:
   • Access to the target U.S. business’s material nonpublic technical information;
   • Membership or observer rights on the target U.S. business’s board of directors or the right to nominate a board member; or
   • Any involvement (beyond that through voting shares) in certain substantive decision-making of the target U.S. business involving sensitive personal data, critical technologies, or critical infrastructure.

“Critical technologies” include items subject to certain levels of U.S. export controls as well as “emerging, foundational, or other critical technologies,” which are still to be defined by an interagency process led by the U.S. Department of Commerce.  “Critical infrastructure” includes subsectors such as telecommunications, utilities, energy, and transportation, as identified in an appendix to the proposed regulation.

Under the proposed regulation, “sensitive personal data” would include ten categories of “identifiable” data (for example:  financial, geolocation, and health data) maintained or collected by U.S. businesses that: (i) target or tailor products or services to sensitive populations, including U.S. military members and employees of federal agencies involved in national security, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. Significantly, sensitive personal data is limited to that which is identifiable to an individual—data that is fully anonymized, aggregated, or encrypted (i.e., no mechanism for de-anonymization, disaggregation, or decryption), is not included in the definition, except that genetic information, however, is considered sensitive personal data regardless of whether it is “identifiable” or meets any of the criteria identified above.

The proposed regulation also will require a CFIUS filing for investments that result in a foreign government obtaining a “substantial interest” in a TID U.S. business. A “substantial interest” is defined as a voting interest by a foreign person of 25% or more in a U.S. business where a foreign government has a voting interest of 49% or more in the foreign person investor.

Note that these new authorities also will apply to transactions that change a foreign person’s rights in an existing TID investment or covered real-estate investment/interest.

Importantly, the FIRRMA Pilot Program introduced last fall, which requires mandatory declaration to CFIUS of all non-controlling FDI investments in certain critical technology-related U.S. businesses operating in specific industries, will continue to remain in effect and will co-exist with the above proposed regulations. Nevertheless, CFIUS is considering whether to continue the mandatory declaration requirement under the Pilot Program and will address this and other aspects of the Pilot Program in the final rule related to CFIUS reviews of covered investments concerning TID U.S. businesses.

Proposed Provisions on Real Estate Transactions

The second proposed regulation also will bring under CFIUS jurisdiction real estate transactions involving foreign person investment in property in/around covered sites. Specifically, a real estate transaction involving a foreign person would fall under CFIUS’s purview (and thus be a “covered real estate transaction”) if the target real property:

• Is, is located within, or functions as part of specific airports or maritime ports;
• Is in “close proximity” or within the “extended range” of certain identified U.S. military installations or sensitive U.S. Government facilities;
• Could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility, or property; or
• Could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance.

CFIUS would exercise jurisdiction in these scenarios when there is a purchase by, lease, or concession to, a foreign person that affords that foreign person certain property rights. This authority includes review of “greenfield” FDI in previously-undeveloped real property.

Of note, transactions involving certain real estate within an “urbanized area” or “urban cluster” are considered “excepted real estate transactions,” which are carved out from CFIUS’s purview.

Excepted Investors and Investment Fund Carve-outs

Despite the broad net cast by the proposed regulations, they include carve-outs that implement FIRRMA’s requirement for CFIUS to limit the application of its expanded jurisdiction with respect to certain categories of foreign persons. Both proposed regulations include similar “exceptions” for certain foreign persons.

The first proposed regulation creates three new defined terms that would operate in conjunction to exclude from CFIUS jurisdiction investments in TID U.S. businesses by certain foreign persons.

• Certain foreign persons would be deemed “excepted investors” based on their ties to one or more “excepted foreign states,” and compliance with certain other laws, orders, and regulations. For foreign entities (i.e., not foreign nationals or foreign governments), the definition incorporates additional criteria, including that “minimum excepted ownership” of the foreign entity be held by certain persons, foreign governments, or foreign entities.
• “Excepted foreign states” are foreign states (to be identified at a future date) that are: (1) included on a list of eligible states to be published on the Treasury website, and (2) determined by CFIUS to have a strong established process to assess foreign investments for national security concerns.
• The concept of “minimum excepted ownership” establishes the threshold of ownership interest required based on whether an entity’s equity securities are primarily traded on an exchange in an excepted foreign state or the U.S.

Similar to the first proposed regulation, the second proposed regulation would establish three defined terms that would operate in conjunction to exclude from CFIUS jurisdiction real estate transactions by certain foreign persons.

• Certain foreign persons would be deemed “excepted real estate investors,” analogous to “excepted investors” under the first proposed regulation.
• Similarly, “excepted real estate foreign states” would be foreign states that are: (1) included on a list of eligible states published on the Treasury website, and (2) determined by CFIUS to have a strong established process to assess foreign real-estate investments for national security concerns.
• The concept of “minimum excepted ownership” is the same as under the first proposed regulation.

The lists of excepted foreign states and excepted real estate foreign states are still to be determined and, presumably, will be used by the U.S. Government as an incentive to encourage closely-aligned non-U.S. governments to adopt FDI controls akin to CFIUS and FIRRMA.

The first proposed regulation also implements FIRRMA provisions that carve out from CFIUS review transactions involving indirect, non-controlling investment in TID U.S. businesses by foreign persons investing as limited partners in investment funds controlled by U.S. general partners, provided specified criteria are satisfied.  This indirect investment carve-out also applies to indirect investments where foreign governments have a substantial interest.

Note that these carve-outs do not apply to control transactions. All transactions that could result in foreign person control of a U.S. business remain subject to CFIUS’s jurisdiction.

How Ankura Can Help

These long-anticipated regulations present a sea change in the types of FDI that will be subject to CFIUS review. Coupled with CFIUS’s significantly expanded authority and resources to identify unfiled covered transactions and impose monetary penalties for non-compliance, these proposed regulations represent substantial change in the U.S. FDI environment.  The new proposed FIRRMA regulations also will work in tandem with anticipated expanded U.S. export controls for emerging and foundational technologies, and restrictions on using adversary country-sourced gear in U.S. telecommunications networks to significantly elevate national security-related regulatory risks in the U.S. and international business environment.

In order to adapt and succeed in this altered deal environment, U.S. businesses, investors (both U.S. and foreign), advisors, and counsel involved in TID and/or real estate transactions and industries will need to account for these new regulations when designing, conducting diligence, and planning future transactions.

Ankura can assist U.S. businesses, organizations, counsel, and advisors to confidently navigate the new CFIUS landscape.

• Pre-Transaction Risk Assessment – Parties to a potentially CFIUS-covered transaction need to fully understand the review process and the national security threats and vulnerabilities that the U.S. Government will associate with the transaction. Ankura’s professionals include former government intelligence officials who developed the current CFIUS threat assessment process and reviewed several hundred CFIUS transactions. Our team identifies threat actors and threat vectors that may be considered U.S. national security risks and provides analyses of such threats to clients seeking to best position themselves for CFIUS reviews.
• Transactional Diligence – Ankura’s experts are uniquely-positioned to assist transaction parties and counsel to quickly conduct diligence on transaction parties and the target’s business activities to facilitate analysis and decisions regarding CFIUS and FIRRMA regulatory requirements, including Pilot Program requirements.  Ankura has particular technical expertise assisting clients and counsel to determine whether a proposed transaction is subject to FIRRMA TID or real property controls.
• CFIUS Trusts and Investor Assistance – Ankura integrates the financial sophistication and capabilities of a state-chartered trust company to help investors, fund managers, lenders, and counsel implement investment vehicles and transactional processes that facilitate CFIUS-compliant deals. Trusts and Special Purpose Vehicles may be used to credibly operationalize indirect investment carve-outs from CFIUS review where a non-US investor is interested only in the financial benefits of investing in the U.S. economy and companies. Ankura also assists investing entities and parties and their associated U.S. business holdings in designing and implementing operational processes and controls to ensure ongoing compliance with FIRRMA’s passive investment carve-outs. Further, these capabilities are not limited only to use in support of the passive investor carve-outs. They also can be used to facilitate successful CFIUS mitigation in the event of a full CFIUS review and formal mitigation agreement.
• Mitigation Planning and Implementation – Preparation is critical for the execution of successful CFIUS-covered transactions. Transactions need to be designed and mitigation strategies developed to proactively address CFIUS concerns. Ankura works with our clients and their advisors and counsel to develop and implement mitigation proposals and measures that effectively address CFIUS’s national security concerns, including policies, procedures, operational processes, and security controls concerning personnel, assets and materials, data and information, IT and networks, and real property. Ankura has particular expertise addressing the complex interaction of technology, infrastructure, data, and access.
• Third-Party Services (Assessments, Audits, and Monitorship) – The increasing operational and technological complexity of methods to mitigate CFIUS national security concerns has prompted CFIUS to occasionally require independent third-party assessments, audits, and/or monitorship of proposed or actual mitigation measures agreed upon during the CFIUS review process. Ankura’s combination of trusted CFIUS experience, enterprise and industry perspective, and technical expertise has enabled our team to become the market leader for effective and credible independent third-party assessments, audits, and monitoring of CFIUS mitigation plans.

© Copyright 2019. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.