Mandatory CFIUS Filings Under the Final FIRRMA Regulations

The final regulations (“Final Rules”) just issued by the Committee on Foreign Investment in the United States (“CFIUS”) extend the range of transactions subject to mandatory filings and revise and replace the interim pilot program that instituted mandatory CFIUS filings for certain critical technology transactions. As detailed below, mandatory filings are generally required when entities substantially controlled by a foreign government acquire a business involved in critical Technology, critical Infrastructure, or sensitive personal Data of U.S. citizens (together, “TID Businesses”), or any foreign entity acquires a qualifying interest in a business involved with a specified list of critical technologies.

The Final Rules provide for a short declaration, but submission of a full CFIUS notification may be more efficient in many cases. The Final Rules were released on January 13, 2020, go into effect on February 13, 2020, and implement most of the elements of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). This note provides an overview of U.S. businesses and transactions for which CFIUS filings may be required under the Final Rules, exemptions from these requirements, and alternative processes for submitting required filings to CFIUS.

TID Businesses Subject to Mandatory CFIUS Filings

The Final Rules will require mandatory CFIUS filings for certain investments in U.S. TID Businesses, encompassing U.S. businesses (including U.S. operations of non-U.S. companies) involved with:

  • Critical technologies: “Critical technologies” are defined in the Final Rules as (i) military technology and services subject to the International Traffic in Arms Regulations; (ii) dual-use (civilian/military) technologies that are controlled by the Export Administration Regulations for various reasons relating to national security, nonproliferation regimes, regional stability, or surreptitious listening; and (iii) emerging and foundational technologies to be designated by the Department of Commerce pursuant to FIRRMA’s sister legislation, the Export Control Reform Act of 2018, where the U.S. business “[p]roduces, tests, manufactures, fabricates, or develops one or more critical technologies.”


    Under the Final Rules, a critical technology TID Business is a U.S. business that “[p]roduces, tests, manufactures, fabricates, or develops one or more critical technologies.” The Final Rules provide several illustrations of the types of business activities relating to critical technologies that would fall under this definition. For example, verification of the fit and form of a critical technology item on its own may not constitute “test[ing].” Based on the illustrations, however, it is not necessary that the U.S. business currently be performing these activities; merely the ability to perform these activities would likely qualify the U.S. business as a TID Business subject to mandatory CFIUS filings.

  • Critical infrastructure: Critical infrastructure TID Businesses are those that own, produce, operate, or manage various specific forms of U.S. infrastructure listed in the Final Rules. The listed types of infrastructure relate to telecommunications and information services; industrial resources; electric power generation, transmission, distribution, storage, or control systems; refining, storage, or transport of oil or natural gas; financial services; strategic rail systems, airports, and maritime ports; and public water systems.
  • Sensitive personal data of U.S. citizens: A sensitive personal data TID Business is one that “[m]aintains or collects, directly or indirectly, sensitive personal data of U.S. citizens.” Sensitive personal data, for purposes of the Final Rules, must be personally identifiable data that (i) is collected by a business that either targets U.S. government personnel or contractors or collects data on large numbers of individuals, and (ii) falls into at least one of several qualitative categories identified in the FIRRMA regulations.

Transactions Subject to Mandatory CFIUS Filings

Although the definition of TID U.S. business potentially capture a broad category of transactions, the Final Rules limit mandatory CFIUS filings to two scenarios involving U.S. TID Businesses:

  • Acquisitions of a “substantial interest” by a foreign government: The Final Rules require mandatory filings where a non-US investor acquires a “substantial interest” in a U.S. TID Business and a foreign government has a “substantial interest” in that investor. “[S]ubstantial interest” represents two distinct thresholds under the Final Rules: A non-U.S. investor will have to acquire a 25 percent interest in a TID Business and a single foreign government (through one or more national or subnational entities) will have to hold a 49 percent interest in the non-U.S. investor. If the non-U.S. investor is a limited partnership, the 49 percent foreign government interest threshold will apply only to ownership of the general partner; limited partnership interests will not be counted.
  • Investments in certain critical technology TID Businesses: As a successor to the October 2018 “pilot program,” the Final Rules continue to require CFIUS filings for investments—including noncontrolling investments—in a subset of critical technology TID Businesses that are active in, or developing critical technology specifically for use in, one or more of 27 industries specified in the Final Rules.

- CFIUS intends to issue a revised rule that would replace the 27-industry qualification for these mandatory filings with a qualification based on export control licensing requirements.

In either case, to trigger a mandatory CFIUS filing, the investment must afford the foreign investor, with respect to the subject TID Business: (i) control of the business; (ii) access (even if not used) to any material nonpublic technical information in the business’s possession; (iii) voting or observer rights with respect to, including the right to nominate members of, the board of directors or similar governing body of the business; or (iv) any involvement, other than through the voting of shares, in substantive decision making with respect to the business’s use, development, acquisition, or release of critical technology, the management, operation, manufacture, or supply of critical infrastructure, or the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens.

Exemptions from Mandatory CFIUS Filings

The Final Rules provide for certain exemptions from mandatory CFIUS filings, including:

  • Certain indirect foreign investments via U.S.-managed funds: The Final Rules provide for a qualified exemption for indirect foreign investments via investment funds managed by U.S.-based managers. In short, these investments will be disregarded by CFIUS as foreign investments in U.S. businesses if the foreign investors have limited governance and information access rights and if limited partner advisory committees or similar bodies in which foreign investors participate also have limited rights. Key elements of this exemption include the following:

    Please see our previous client alert for additional details regarding CFIUS’s treatment of indirect investments via U.S.-managed investment funds.

- The investment fund must qualify as an “investment company” as defined in the Investment Company Act of 1940, as amended, or as an entity that would be an investment company but for one of the exclusions listed in 15 U.S.C. § 80a-3.

The general partner (or equivalent manager) of the investment fund cannot be a “foreign person,” defined as a foreign national, foreign government, or foreign entity, except in the case of an investment supporting one of 27 industries (described above), where the general partner can be a foreign person but must be controlled exclusively by U.S. nationals (i.e., individuals who are U.S. citizens and/or were born in certain U.S. possessions, but not U.S. permanent residents).

> CFIUS has issued with the Final Rules an interim regulation, also taking effect on February 13, 2020, defining the “principal place of business” of an investment fund as the place where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent. This provision allows a U.S.-managed fund whose general partner is an offshore entity to continue to avail itself of the exemption, provided that the fund has consistently reported its principal place of business as being the United States.

  • Investments by excepted investors: The Final Rules do not require CFIUS filings from certain “excepted investors.” To qualify as an excepted investor, the foreign party must be the government of an “excepted foreign state,” a national of an excepted foreign state and/or the United States (not counting individuals who hold dual nationality in another country that is not an excepted foreign state), or any entity organized and headquartered in the United States or an excepted foreign state for which 75 percent of voting members and 75 percent of observers on the board of directors, as well as any 10 percent owners, are all from an excepted foreign state and/or the United States. If a 10 percent owner of the investor is itself an entity, the regulations impose additional indirect ownership requirements.


    CFIUS has initially designated Australia, Canada, and the United Kingdom as excepted foreign states. In the coming days, we will issue a separate client alert providing greater detail on the Final Rules’ requirements for excepted foreign states and excepted investors.

    Although excepted investors are exempt from mandatory CFIUS filings, CFIUS retains jurisdiction (including post-closing jurisdiction) over investments by exempt investors that could result in control of a U.S. business. Such transactions can therefore be the subject of voluntary CFIUS filings by the parties or, in extremely rare instances, “agency notices” submitted by a member of CFIUS.

  • Foreign investments through certain NISP-regulated entities: A CFIUS filing is not required if the foreign investor’s prospective interest in a critical technology TID Business supporting one of 27 industries, as described above, would be held solely and directly via an entity that is either:

- Subject to mitigation of foreign ownership, control, or influence (“FOCI”) through a security control agreement, special security agreement, voting trust agreement, or proxy agreement with a cognizant security agency pursuant to the National Industrial Security Program (“NISP”) regulations. The exception does not apply to investments via entities subject to FOCI mitigation via special board resolutions.

Operating under a valid facility security clearance issued pursuant to the NISP regulations.

This exception does not apply to mandatory CFIUS filings for acquisitions by foreign governments in TID Businesses.

  • Certain encryption technology: CFIUS filings are not required for foreign investments in a critical technology TID Business supporting one of 27 industries, as described above, if the critical technology at issue is eligible for export, reexport, and transfer (in-country) pursuant to License Exception ENC under the Export Administration Regulations (see 15 C.F.R. § 740.17). License Exception ENC covers certain types of encryption-related commodities, software, and components. This exception does not apply to mandatory CFIUS filings for acquisitions by foreign governments in TID Businesses.
  • Foreign investments in U.S. air carriers: CFIUS filings are not required for foreign investments in U.S. air carriers certified by the U.S. Department of Transportation.

In some cases, even if a transaction is exempt from a mandatory CFIUS filing, a voluntary filing may still be appropriate, particularly if the parties want to avail themselves of FIRRMA’s continuing “safe harbor” protecting parties from subsequent reviews once a transaction has been cleared by CFIUS.

Timing, Process, and Strategy for Mandatory CFIUS Filings

Mandatory filings under the Final Rules must be made at least 30 calendar days prior to the “completion date” of the transaction—effectively the date of the first closing or other event giving rise to CFIUS jurisdiction. For a transaction closing within the first 30 days after the Final Rules take effect on February 13, 2020, the mandatory filing is due on February 13 or promptly thereafter.

Mandatory filings can be made in the form of “declarations,” five-page documents, supplemented with exhibits, providing basic information about the parties and the transaction. As with the “pilot program,” CFIUS is expected to provide forms for use in preparing the declarations. CFIUS staff is then obligated to promptly accept the declaration or reject the declaration because it is incomplete. In either case, the parties are notified of the staff determination. Once the declaration has been accepted, it is disseminated to the CFIUS member agencies and a 30-calendar day assessment period begins. During the assessment period, CFIUS may request that the parties provide supplemental information; this information must generally be provided within two business days unless CFIUS grants an extension. By the end of its 30-calendar day assessment, CFIUS must take one of five alternative actions:

  • Determine that CFIUS does not have jurisdiction over the transaction;
  • Request that the parties file a full notice of the transaction because CFIUS has reason to believe the transaction could raise national security concerns;
  • Tell the parties that CFIUS is unable to clear the transaction on the basis of the declaration, but that the parties may file a full notice to seek CFIUS clearance;
  • Initiate a unilateral review of the transaction following the filing by a CFIUS member of an “agency notice” of the transaction;
  • “Clear” the transaction by advising the parties that CFIUS has concluded all action under the principal law governing CFIUS.

As an alternative to short-form declarations, parties may meet their filing requirements by submitting full notices of a transaction. A full notice is considerably longer than a declaration, and generally involves the submission of more and lengthier exhibits. Of particular note, a full notice is accompanied by personal identifier information for directors, senior officers, and any five percent individual owners of the acquiring entity and its immediate, intermediate, and ultimate parents.

A full notice takes longer to prepare than a declaration and also takes longer for CFIUS to process. Typically, a full notice is provided to CFIUS in draft form, so CFIUS staff can review it for completeness. This preliminary review and resulting changes to the document can take a number of weeks.  Once the notice is revised and submitted formally, FIRRMA allows CFIUS to conduct a 45-calendar day “review” of the transaction. If necessary, CFIUS can extend the process by an additional 45-calendar day “investigation” phase (in extraordinary circumstances, the investigation phase can be lengthened by 15 calendar days). At the end of the investigation period, CFIUS must either reach its decision or refer the matter to the President for decision within 15 calendar days. In rare instances, when more time is needed for CFIUS to continue its evaluation of the transaction and/or negotiate mitigation conditions, the parties may be permitted to withdraw and refile the notice administratively, effectively restarting the clock. Considering all these steps, the CFIUS process for a full notice can take several months after signing of a transaction agreement.

Despite the longer time involved, satisfying the CFIUS filing requirement with a full notice in lieu of a short-form declaration may be a better choice in certain circumstances.

  • Anecdotal information regarding CFIUS’s “pilot program” for critical technology investments suggests that relatively few declarations resulted in conclusive CFIUS clearances. Inconclusive results may have reflected the time required by CFIUS to understand the targets’ critical technologies and to determine where and how the technologies are or might be used.

- For transactions in which CFIUS clearance was a condition precedent, this meant that the parties waited several weeks for an assessment before filing a full CFIUS notice.

  • CFIUS is unlikely to be able to complete its diligence in only 30 days for foreign investments in certain types of businesses. For example, if the target U.S. business is a direct or indirect supplier to U.S. government customers with defense, intelligence, homeland security, or law enforcement responsibilities, CFIUS will likely require more time to check with government end-customers on the nature of the supply relationship, including the sensitivity of the products or services and the availability of acceptable alternatives.

Declarations may be more likely to result in 30-day CFIUS clearances if (i) the potential national security vulnerabilities associated with the U.S. business can be identified relatively quickly and (ii) the foreign investor and/or its home country has a favorable history with CFIUS.

The Final Rules’ treatment of transactions requiring mandatory CFIUS filings is highly nuanced; whether a filing is required requires a fact-specific analysis. If a CFIUS filing is required, deciding whether to submit a short-form declaration or a full notice can also have important ramifications. We strongly recommend that prospective parties consult with the counsel listed to the right when assessing whether a mandatory CFIUS filing is in order and how it should be undertaken.