CFIUS 2.0: Mandatory Filings Now Pegged to Export Control Rules

As a refresher, CFIUS is the US Government’s interagency mechanism for screening foreign investments into the United States for national security risks. On behalf of CFIUS, the US Department of the Treasury’s Office of Investment Security had initially issued proposed regulations on May 20, 2020. After considering public comments, Treasury made minor revisions to the proposed regulations and published a Final Rule on September 15, 2020, which went into effect on October 15, 2020.

The Final Rule abandons the US Census Bureau’s system of NAICS codes, which CFIUS had previously used to determine whether a CFIUS declaration (i.e., short-form filing) was required for certain transactions that fall within CFIUS’s jurisdiction. Transaction parties had found the NAICS-based rule to be difficult to use in ascertaining whether a CFIUS filing was required. Instead, in delineating which transactions would require the filing of a declaration, the Final Rule zeroes in on whether an export authorization would be required to transfer the US business’s critical technology to either the relevant foreign investor or parties holding significant interests in the foreign investor.

In updating its mandatory filing rules in this way, CFIUS has further aligned them with longstanding US export control regimes and requirements. This Final Rule requires US companies that are being acquired by a foreign person or receiving investment from one to consider the intricacies of US export control regulations, including knowing the export jurisdiction and classification of its technology, in order to determine whether a CFIUS declaration is mandatory.

Background and Origins of the Mandatory Filing

This Final Rule completes the implementation of a key provision of the Foreign Investment Risk Review Modernization Act (FIRRMA), a 2018 law passed as part of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which represented a sweeping overhaul of the jurisdiction and processes of CFIUS. In FIRRMA, Congress directed CFIUS to issue regulations specifying the types of transactions for which a declaration is mandatory. However, FIRRMA limited the scope of the transactions to those involving either investment by a foreign government or investment in US “critical technology” companies. On November 10, 2018, CFIUS launched an interim effort called the “Critical Technology Pilot Program,” in which it first exercised this authority to mandate filings in certain types of technology deals. In the pilot program, CFIUS utilized the NAICS code-based approach, exercising its newly expanded jurisdiction under FIRRMA to cover both “control transactions” and non-controlling investments involving US businesses that produce, design, test, manufacture, fabricate, or develop critical technologies in connection with any of 27 specified industries (identified by NAICS codes). Then, on February 13, 2020, CFIUS temporarily carried forward that NAICS-based approach as part of a long-awaited Final Rule that essentially rewrote the primary CFIUS regulation and implemented the bulk of FIRRMA’s other provisions.

Effective Date of the Final Rule

The previous provision governing critical technology mandatory declarations, based on NAICS codes, will continue to apply to transactions for which specified actions occurred between February 13, 2020, and October 15, 2020. The modifications to the provision, per the Final Rule, apply starting on October 15, 2020.

Regulatory Authorizations Test for Mandatory Filings

The Final Rule replaces the NAICS code-based filing requirement with a requirement that a declaration be filed if “US regulatory authorization” would be required for the export, re-export, in-country transfer, or retransfer of the critical technology (produced, designed, tested, manufactured, fabricated, or developed by the US business) to either the foreign investor or a foreign person holding a significant ownership or control stake in a foreign investor. More specifically, if the US business involved in the transaction would require US regulatory authorization to reexport, transfer (in-country), or retransfer the US business’s critical technologies to the following persons, then a mandatory filing must be submitted to CFIUS:

1. A person who could directly control a US business involved with “critical technologies,” “critical infrastructure,” or “sensitive personal data” (a so-called “TID US business”) as a result of the covered transaction;
2. A person who is directly acquiring an interest that is a “covered investment” (i.e., a non-controlling, non-passive investment) in a TID US business;
3. A person who has a direct investment in a TID US business, where the rights of such person with respect to the TID US business are changing and that change could result in a covered control transaction or a covered investment;
4. A person who is a party to any transaction, transfer, agreement, or arrangement the structure of which is designed or intended to evade or circumvent CFIUS review with respect to the TID US business; or
5. A person who individually holds (or is part of a group of foreign persons that, in the aggregate, holds) a qualifying voting interest in a person described in the previous four clauses.

Under the Final Rule, the term “US regulatory authorization” includes the following:

1. A license or other approval issued by the Department of State’s Directorate of Defense Trade Controls (DDTC) under the International Traffic in Arms Regulations (ITAR);
2. A license from the Department of Commerce’s Bureau of Industry and Security (BIS) under the Export Administration Regulations (EAR);
3. A specific or general authorization from the Department of Energy under the regulations governing assistance to foreign atomic energy activities at 10 CFR part 810, other than the general authorization described in 10 CFR § 810.6(a); or
4. A specific license from the Nuclear Regulatory Commission under the regulations governing the export or import of nuclear equipment and material at 10 CFR part 110.

If any of these are applicable to a given transaction described under the rule, a mandatory declaration must be filed, unless one of the license exceptions described below is available.

Eligibility for License Exceptions

The US regulatory authorization test will apply without regard to any ITAR license exemption or EAR license exception, except where an item is “eligible” for EAR License Exceptions technology and software-unrestricted (TSU), encryption commodities, software, and technology (ENC), and strategic trade authorization (STA).

In its summary of the Final Rule, Treasury clarifies that “‘eligibility’ for an EAR license exception refers to having satisfied all requirements imposed by the EAR prior to the release of export-controlled technology (even if no export is to occur).” This includes, for example, the limitations on all license exceptions at EAR §740.2 and filing a classification request under 15 CFR §§ 740.17(b)(2) and (b)(3) to BIS, including, as applicable, waiting for 30 days to elapse since submission of the classification request to BIS, for License Exception ENC. On the other hand, filing semiannual reports as required by ENC is not required for parties to avail themselves of the exception to the mandatory declaration unless there is a qualifying export under the EAR. Similarly, the recordkeeping requirement under license exception TSU and requirement to furnish certain commodity classifications to third parties under license exception STA is not a condition of eligibility for purposes of the CFIUS regulations.

Treasury also notes that “certain end users, such as entities listed in EAR, Part 744, Supplement No. 4 (the Entity List) are subject to license requirements, limitations on availability of license exceptions, and license application review policies that are in addition to those set forth elsewhere in the EAR.”

Voting Interest for Purposes of Critical Technology Mandatory Declarations

The Final Rule makes use of a new term – “voting interest for purposes of critical technology mandatory declarations” – which enumerates those persons in the ownership chain whose activities should be analyzed in the context of needing US regulatory authorization. For entities with activities that “are primarily directed, controlled, or coordinated by or on behalf of a general partner, managing member, or equivalent,” a mandatory declaration will be required where a person “holds 25 percent or more of the interest in the general partner, managing member, or equivalent of the entity.” 31 CFR § 800.256(b). Additionally, for indirectly held voting interests, “any interest of a parent will be deemed to be a 100 percent interest in any entity of which it is a parent.” Id. at (c).

The Final Rule aggregates the individual holdings of foreign persons that are “related, have formal or informal arrangements to act in concert, or are agencies or instrumentalities of, or controlled by, the national or subnational governments of a single foreign state.” Id. at (d).

Investments by Foreign Governments

The other area of mandatory CFIUS filings, as mentioned, is where a foreign government has a “substantial interest” in a foreign person that acquires a substantial interest in a TID US business. The Final Rule tweaks several of the relevant parameters that CFIUS initially laid out in its February 13, 2020, comprehensive Final Rule. For example, it redefines “substantial interest” where the activities of an entity are primarily directed, controlled, or coordinated by or on behalf of a general partner, managing member, or equivalent.

What Does This Final Rule Mean for US Businesses?

Stakeholders involved in covered transactions with TID US businesses and foreign persons will need to determine their product’s export control status, as well as whether license exceptions ENC, STA, or TSU apply, in order to assess whether a mandatory CFIUS declaration must be filed. Due to the many nuances of this Final Rule, TID US businesses and foreign persons who are potentially covered by it should consult experienced CFIUS and export control counsel to determine whether they have such a requirement to file with CFIUS.