CFIUS Reform: Our Analysis

August 14, 2018

Click for PDF

On August 13, 2018, President Trump signed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (“FY 2019 NDAA”), an omnibus bill to authorize defense spending that includes—among other measures—legislation that will significantly expand the scope of inbound foreign investments subject to review by the Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”).  Named for John McCain, the senior senator from Arizona who is battling brain cancer after six terms in the Senate, the FY 2019 NDAA incorporates the Foreign Investment Risk Review Modernization Act (“FIRRMA”), legislation that was proposed late last year to reform the CFIUS review process, as well as the new Export Control Reform Act of 2018 (“ECRA”).

CFIUS is an inter-agency committee authorized to review the national security implications of investments made by foreign companies and persons in U.S. businesses (“covered transactions”), and to block transactions or impose measures to mitigate any threats to U.S. national security.[1]  Established in 1975 and last reformed in 2007, observers have pointed to an antiquated regulatory framework that hinders the Committee’s ability to review the national security implications posed by an increasing number of Chinese investments targeting sensitive technologies in the United States.  During its consideration, FIRRMA enjoyed bipartisan congressional support and was endorsed several times in the process by the Trump administration, but encountered a fair amount of criticism from U.S. industry groups.  After months of intense negotiation between the House, Senate, and the Trump administration, the final version of the bill includes several important changes from its earlier iterations, which we described here and here.

Summary of Key Changes

After months of intense lobbying and negotiations, the House and Senate have agreed upon language that will expand the scope of transactions subject to CFIUS review beyond those in which a foreign company gains control of a U.S. business.  The Committee will now have the authority to review certain real estate transactions, as well as investments that impact the critical infrastructure and critical technologies sector, even if the foreign acquirer does not have control over such businesses.  Provisions that would have included certain outbound investments in the scope of covered transactions have been abandoned in favor of language requiring updated U.S. export controls to regulate “emerging” and “foundational” technologies.  Furthermore, the CFIUS review process will be reformed in several significant ways, as FIRRMA provides for mandatory short-form “light” filings and tightens the timeframe for CFIUS reviews.  Taken together, these changes represent a significant departure from the Committee’s past practice.

FIRRMA includes the following reforms:

  • Expanded Scope of Review.  FIRRMA expands the scope of transactions subject to the Committee’s review by granting CFIUS the authority to examine the national security implications of a foreign acquirer’s non-controlling investments in U.S. businesses that deal with critical infrastructure, critical technology, or the personal data of U.S. citizens.  FIRRMA also provides CFIUS with authority to review real estate transactions—including leases, sales, and concessions—involving air or maritime ports or in close proximity to sensitive U.S. government facilities.  Critically, as we discuss below, a carve out for indirect investments through investment funds may exempt certain transactions involving private equity funds from the Committee’s expanded jurisdiction.  According to Frequently Asked Questions (“FAQs”) published by the U.S. Department of the Treasury, the FIRRMA provisions which expand the scope of transactions subject to review will take effect at a later date, most likely after the publication of implementing regulations.[2]
  • Extended Formal Timeline.  Effective immediately, FIRRMA extends the Committee’s initial review period from 30 to 45 days, and authorizes CFIUS to extend the subsequent 45-day investigation phase by 15 days “in extraordinary circumstances” (the Senate draft had proposed a 30 day extension period).  Although these measures provide for longer formal review times, other changes to the review process will eliminate much of the uncertainty with regard to the timing of a CFIUS review, and could ultimately cut down on the duration of the Committee’s deliberations.  According to the Treasury Department FAQs, notices that were accepted on or before the effective date of FIRRMA will remain subject to a 30-day review period.
  • “Light” Filings.  In lieu of the lengthy notice that is currently required in voluntary CFIUS filings, new  “light” filings may now be submitted for certain transactions instead of the lengthy voluntary notices that are currently required.  FIRRMA makes filing with the Committee mandatory in certain circumstances, but provides the Committee the authority to set the precise criteria.  The streamlined “light” filing review process will go live on the earlier of 18 months after FIRRMA’s enactment or 30 days after the publication of implementing regulations.  Notably, FIRRMA authorizes the Committee to conduct pilot programs to implement the new review procedure for 18 months after the enactment of the bill.
  • Filing Fee.  FIRRMA also imposes a filing fee, but again authorizes the Committee to shape this requirement in its implementing regulations.

Expanded Scope of Transactions Subject to CFIUS Review

1.      Real Estate Transactions

The Committee has focused on the national security risks associated with foreign real estate transactions in close proximity to sensitive U.S. government installations or military bases, but until now it did not have the authority to address transactions that did not involve the acquisition of an existing U.S. business, including leases or concessions.  FIRRMA effectively codifies the Committee’s standard practice of examining the proximity of a physical property to any sensitive military or U.S. government facility, as well as key U.S. air or maritime ports, but it also provides the Committee with the authority to examine a wider array of real estate transactions.  However, FIRRMA also gives the Committee the authority to prescribe regulations that limit or clarify the scope of this expanded jurisdiction over real estate transactions.  For example, the Committee is empowered to narrow the types of “foreign persons” that are required to seek the Committee’s approval.

Specifically, FIRRMA authorizes CFIUS to review the purchase or lease by, or concessions to, a foreign company of U.S. real estate that is:

  1. “located within or will function as part of, an air or maritime port;”
  2. “in close proximity to a U.S. military installation or another facility or property of the United States government that is sensitive for reasons relating to national security;”
  3. “could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility or property;”
  4. “could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance;” and
  5. “meets such other criteria as the Committee prescribes by regulation, except that such criteria may not expand the categories of real estate to which this clause applies ….”

At first glance, these provisions provide a drastic expansion of the Committee’s authority over a foreign person’s non-controlling investments in U.S. real estate.  However, FIRRMA gives the Committee significant leeway to propose regulations that would limit the scope of real estate transactions subject to review.  First, the bill exempts the purchase of any “single housing unit” as well as real estate in “urbanized areas” as defined by the U.S. Census Bureau, except as otherwise prescribed by the Committee in regulations in consultation with the Defense Department.  Second, FIRRMA specifies that the Committee shall prescribe regulations to ensure that the term “close proximity” “refers only to a distance or distances within which the purchase, lease or concession of real estate could pose a national security risk” in connection to a U.S. government facility.  Third, FIRRMA allows for the further narrowing of the scope of this provision by granting the Committee authority to prescribe regulations that further define the term “foreign person” for purposes of such transactions.

This last limitation is perhaps the most important.  As written, the Committee would appear to have jurisdiction over any real estate transaction that falls within the categories specified above, even if the foreign person is only a passive, minority investor.  FIRRMA grants the Committee the authority to limit the transactions subject to its review by providing that it “shall specify criteria to limit the application of such clauses to the investments of certain categories of foreign persons,” and that such criteria shall take into consideration “how a foreign person is connected to a foreign country or foreign government, and whether the connection may affect the national security of the United States.”  We expect such guidance to consider the extent to which foreign persons from countries with a heightened security risk—in particular, China—would have control or physical access to such properties.

2.      Critical Infrastructure, Critical Technologies and Sensitive Data

FIRRMA will also expand the scope of transactions subject to the Committee’s review to include—subject to further implementing regulations—“any other investment” by a foreign person in an unaffiliated U.S. business or “change in the rights that a foreign person has” with regard to any U.S. business that:

  1. owns, operates, manufactures, supplies or services critical infrastructure;
  2. produces, designs, tests, manufactures, fabricates or develops one or more critical technologies; or
  3. maintains or collects sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.

The type of non-controlling “other investments” that trigger the Committee’s review includes several types of non-passive investments.  Such investments subject to CFIUS jurisdiction include those which afford a foreign person “access to any material non-public technical information in the possession” of the U.S. business; “membership or observer rights” or “the right to nominate an individual” to the board of directors or equivalent governing body of the U.S. business; and “any involvement, other than through voting of shares, in substantive decision-making” of the U.S. business with regard to:

  1. the use, development, acquisition, safekeeping, or release of sensitive personal data of United States citizens maintained or collected” by the U.S. business;
  2. the use, development, acquisition or release of critical technologies, or
  3. the management, operation, manufacture or supply of critical infrastructure.

Again, FIRRMA grants CFIUS the authority to limit this expanded scope in several important ways.  First, the definition of the term “material nonpublic technical information” is subject to further regulations prescribed by the Committee, and is limited to information not available in the public domain that “provides knowledge, know-how, or understanding … of the design, location, or operation of critical infrastructure” or “is necessary to design, fabricate, develop, test, produce or manufacture crucial technologies, including processes, techniques or methods.”  FIRRMA excludes financial information regarding the performance of a U.S. business from the definition of material nonpublic technical information.  Second, FIRRMA grants the Committee the authority to prescribe regulations providing guidance on the types of transactions that are considered to be “other investment” for purposes of this provision.

Moreover, FIRRMA delegates authority to the Committee to prescribe regulations that limit the types of investments in critical infrastructure that are subject to review to include “the subset of critical infrastructure that is likely to be of importance to the national security of the United States,” including an enumeration of specific types and examples.

As with real estate transactions, FIRRMA limits the scope of these provisions by granting the Committee the authority to prescribe regulations that further define the term “foreign person” for purposes of such transactions.  The extent to which this provision evolved in the negotiation process is also noteworthy.  The final language replaces provisions of the Senate draft that would have exempted transactions from certain U.S. allies or those with parallel procedures to review foreign investment.  The final version of the bill also eliminated heightened scrutiny for transactions involving countries of “special concern.”  Instead, the FIRRMA expresses the “sense of Congress” that the Committee may consider the involvement of such countries when assessing the national security risks of a proposed transaction.

FIRRMA also subjects to CFIUS review any “other transaction, transfer, agreement, or arrangement, the structure of which is designed or intended to evade or circumvent” the Committee’s review.

3.      A Private Equity Exception: Indirect Investments Through Investment Funds

An express carve-out for indirect foreign investment through certain investment funds may prevent many transactions by private equity funds from falling into the Committee’s expanded jurisdiction.  Specifically, FIRRMA clarifies that an indirect investment by a foreign person in the types of U.S. businesses described above through an investment fund shall not trigger CFIUS review under certain circumstances, including where:

  • the fund is managed exclusively by a U.S. general partner, managing member, or equivalent;
  • the advisory board does not control the fund’s investment decisions or the investment decisions of the general partner, managing member, or equivalent; and
  • the foreign person does not otherwise have the ability to control the fund or access to material nonpublic technical information as a result of its participation on the advisory board or committee.

In this regard, if the foreign person is a limited partner and the fund is “managed exclusively” by U.S. persons, provided that the advisory board authority is limited accordingly, indirect investments by foreign persons through such funds will not be subject to CFIUS’ expanded jurisdiction over non-controlling “other investments,” as described above.

4.      Streamlined Review Process and Mandatory, “Light” Filings

FIRRMA also seeks to streamline the CFIUS review process—a notoriously onerous procedure.  Under current practice, most CFIUS reviews commence when the parties to a transaction submit a joint voluntary notice, a lengthy filing that must include detailed information about the transaction, the acquiring and target entities, the nature of the target entity’s products, and the acquiring entity’s plans to alter or change the target’s business moving forward.[3]

In practice, parties are expected to submit a “draft” notice to CFIUS prior to the commencement of the official 30-day review period, which provides the Committee and the parties with an opportunity to identify and resolve concerns before the official clock starts ticking.  In recent years, this informal review process has added a degree of unpredictability in terms of timing, as the “pre-filing” phase can consume several weeks.  FIRRMA requires that the Committee must respond to the draft pre-filing of a notice within 10 days, effectively closing a loophole CFIUS often used to manage its workflow and extend the transaction review period.

The current CFIUS review process includes a 30-day initial review of a notified transaction, potentially followed by a 45-day investigation period, for a possible total of 75 days.  In certain circumstances, CFIUS may also refer a transaction to the President for decision, which must be made within 15 days.[4]  As the volume of transactions before the Committee has increased, it has become more common for CFIUS to ask parties to refile notices at the end of the official 75-day review period, thereby restarting the clock.  This has added a significant degree of uncertainty to the CFIUS review, compelling some parties to abandon deals or not to file at all.

To address these timing issues, the bill extends the initial review period from 30 to 45 days, and authorizes CFIUS to extend the subsequent 45-day investigation phase by 15 days “in extraordinary circumstances” (the Senate draft had proposed a 30 day extension period).  The combination of these measures may allow longer official review times, but will eliminate much of the uncertainty associated with the timing of the process.  Critically, these new timeframes are effective immediately.

In lieu of the lengthy voluntary notice required in the current CFIUS review process, FIRRMA authorizes parties to submit short form “declarations”—not to exceed 5 pages in length—at least 45 days prior to the completion of a transaction.  FIRRMA requires the Committee to respond to a declaration within 30 days of receipt by approving the transaction, requesting that the parties file a full written notice, or initiating a further review.

FIRRMA generally authorizes CFIUS to prescribe regulations specifying the types of transactions for which such declarations will be required.  The bill also requires the submission of declarations for transactions by which a foreign entity in which a foreign government has a substantial interest acquires a substantial interest in U.S. critical infrastructure or critical technology companies.  This “mandatory filing” requirement is a significant departure from past practice, where all CFIUS filings were voluntary.  However, CFIUS is authorized not only to define “substantial interest,” thereby limiting the transactions that are subject to this requirement, but also to waive the declaration filing requirement if the investment is not directed by a foreign government or the foreign buyer has historically cooperated with CFIUS.  This provision could be used to ease the regulatory burden on a number of state-owned financial institutions, such as state-owned pension plans and investment funds, that are not controlled by a foreign government.

In contrast to the updated procedures for the full review and investigation process, the declaration review process will not be effective immediately, but will go live on the earlier of 18 months after FIRRMA’s enactment or 30 days after the Secretary of the Treasury determines that the Committee has the regulations, organizational structure, personnel and other resources necessary to administer the new procedure.  FIRRMA authorizes the Committee to conduct pilot programs to implement the new review procedure for 18 months after the enactment of the bill.

5.      Filing Fees

Prior to the passage of FIRRMA, there were no filing fees associated with submitting a transaction for CFIUS review.  The new legislation provides for the imposition of such fees.  The House version capped CFIUS fees at the lesser of one percent of the value of the transaction or $300,000 (adjusted for inflation).  The Senate version provided a list of criteria for CFIUS to consider when determining the fee, and would have allowed for the imposition of an additional fee when requested to prioritize the handling of filings.  The final version of FIRRMA retains the House caps and authorizes the Committee to set the fee based on certain enumerated criteria.  Fees will only be assessed for transactions requiring a written notice, not the shorter declarations.

6.      Regulation of Outbound Technology Transfers Through Export Controls

The inclusion of the ECRA in the NDAA is a remarkable development in several ways.  First, the modernization of the United States’ primary authority for U.S. export controls on non-military items, the Export Administration Act of 1979 (“EAA”), has been an achievement just out of reach for Congress for decades.  Second, the ECRA grants the President authority to regulate and enforce export controls in several new ways, and specialists at the Department of Commerce will be busy for many months (and likely years) drafting regulations to implement these authorities.  Third, and most relevant to technology transfers, the inclusion of the ECRA in the NDAA is an acknowledgement by Congress that the export licensing process administered by the Department of Commerce Bureau of Industry and Security (“BIS”) is likely to be a better way to implement at least some of the policy objectives that motivated earlier iterations of FIRRMA.

a.      Controls on Exports of Emerging and Foundational Technologies

The ECRA replaces one of the most controversial provisions included in earlier versions of FIRRMA, which sought to include outbound investments—such as joint ventures or licensing agreements—in the list of covered transactions subject to CFIUS review.  As originally drafted, the CFIUS reform legislation would have subjected to CFIUS review any contribution (other than through an ordinary customer relationship) by a U.S. critical technology company of both intellectual property and associated support to a foreign person through any type of arrangement.  In its final form, the ECRA will require the President to establish, in coordination with the Secretaries of Commerce, Defense, Energy, and State, a “regular, ongoing interagency process to identify emerging and foundational technologies” that are essential to national security but not are not “critical technologies” subject to CFIUS review.

In an effort to close gaps in the existing export controls regimes that do not restrict the transfer of such emerging or foundational technologies, the NDAA adopts the language of an earlier Senate draft requiring the Secretary of Commerce to establish controls on the export, re-export, or in-country transfer of such technology, including requirements for licenses or other authorizations.

With several notable exceptions, Congress generally stops short of specifying how the Secretary of Commerce should establish such controls.  First, the bill requires exporters to obtain a license before exporting any emerging and foundational technologies to countries subject to an arms embargo, such as China.

Second, the bill directs the Secretary of Commerce to not place additional licensing requirements on several types of transactions.  These include:

  • The sale or license of a finished item and the provision of associated technology if the U.S. party to the transaction generally makes the finished item and associated technology available to its customers, distributors, and resellers;
  • The sale or license to a customer of a product and the provision of integration services or similar services if the U.S. party generally makes such services available to its customers;
  • The transfer of equipment and the provision of associated technology to operate the equipment if the transfer could not result in the foreign person using the equipment to produce critical technologies;
  • The procurement by the U.S. party of goods or services, including manufacturing services, from a foreign person that is party to the transaction, if the foreign person has no rights to exploit any technology contributed by the U.S. person other than to supply the procured goods or services; and
  • Any contribution and associated support by a U.S. person that is a party to the transaction to an industry organization related to a standard or specification, whether in development or declared, including any license or commitment to license intellectual property in compliance with the rules of any standards organization.

Third, for several transaction types, the bill now shifts to the Department of Commerce the obligation to gather and consider the kinds of information on foreign ownership that would normally be included in CFIUS submissions.  If a proposed transaction involves joint venture, joint development agreement, or similar collaborative arrangement, the bill suggests that the Secretary of Commerce “require the applicant to identify, in addition to any foreign person participating in the arrangement, any foreign person with significant ownership interest in a foreign person participating in the arrangement.”[5]

For those exporters operating in sectors that are identified as involving foundational or emerging technologies, such requirements could significantly increase the diligence they will need to conduct on counterparties, and at least some counterparties are likely to walk away from proposed transactions to avoid having to provide sensitive information regarding their ownership.  In addition, the new information gathered on foreign person participation and ownership is likely to lead Commerce to block transactions by denying license applications.

b.         Addition of Defense Industrial Base Policy Considerations to Export Control Regulation and Licensing

The ECRA also introduces two new policy considerations to the mix of policies the Department of Commerce is obligated to consider in its regulation of exports.  Historically, the EAA required the Department of Commerce to restrict the export of goods or technology that would significantly contribute to the military potential of other countries and to limit export controls to only those items that were militarily critical goods and technologies.[6]  Through these and other expressed policy objectives, Congress sought to promote export activity and to restrict it only when necessary.  In the ECRA, Congress introduces two new policy considerations that arguably shift U.S. export policy toward a more protectionist stance.  First, Congress directs the Secretary of Commerce to regulate exports so as to help preserve the qualitative military superiority of the United States.  Second, Congress directs the Secretary to regulate exports in ways that build and maintain the U.S. defense industrial base.[7]

Congress provides the Secretary with specific direction on how to implement these new policy mandates.  In particular, the Secretary is to create a licensing procedure that will enable it to gather information to assess the impact of a proposed export on the U.S. defense industrial base.  To inform this assessment, the Secretary is to require applicants to provide information that would enable Commerce to determine whether the purpose or effect of the export would be to allow for the production of items relevant for the defense industrial base outside of the United States.[8]  ECRA further directs the Secretary to deny license applications when the proposed export would have a “significant negative impact” on the defense industrial base of the U.S.

The Secretary can determine a proposed export would have a “significant negative impact” if it meets any one of three criteria:

  • Whether the export would have the effect of reducing the availability or production of an item in the United States that is likely to be required by the Department of Defense (“DoD”) or other Federal department or agency for the advancement of national security;
  • Whether the export would lead to a reduction in the production of an item in the United States that is the result of research and development carried out, or funded by the DoD or other Federal department or agency, or a federally funded research and development center; and
  • Whether the export would lead to a reduction in the employment of U.S. persons whose knowledge and skills are necessary for the continued production in the U.S. of an item that is likely to be acquired by the DoD or other Federal department or agency for the advancement of national security.[9]

These criteria are familiar ones to CFIUS and to CFIUS practitioners but are less so for many of those charged with administering the Department of Commerce’s export controls, and even lesser still for the many companies that rely on BIS export licensing to conduct business.  While it is unclear how BIS will specifically implement these new policy and licensing directives, we predict it will be difficult for many license applicants to gather and present the kind of information BIS will need to make its licensing determinations.  We also believe that the introduction of these defense industrial base considerations could make it more difficult for companies to obtain authorization to export their technologies generally.

Final Thought

Critically, most of the substantial changes mandated by FIRRMA will not take effect until the Committee has issued new regulations.  As a result, the true impact of the legislation will not be clear for some time.


   [1]   CFIUS operates pursuant to section 721 of the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007 (FINSA) (section 721) and as implemented by Executive Order 11858, as amended, and regulations at 31 C.F.R. Part 800.

   [2]   U.S. Dep’t of the Treasury, FIRRMA FAQs, (Aug. 13, 2018) available at

   [3]   31 C.F.R. §§ 800.401(a)-(b), 800.402(c).

   [4]   31 C.F.R. § 800.506.

   [5]   ECRA § 1758(a)(3)(C).

   [6]   Export Administration Act of 1979, § §  3(2)(A) and 5(d).

   [7]   ECRA, Section 1752(2)(B) and (C).

   [8]   ECRA, Section 1756(d)(1) and (2).

   [9]   ECRA, Section 1756(d)(3)(A)-(C).

The following Gibson Dunn lawyers assisted in the preparation of this client update:  Judith Lee, Jose Fernandez, Christopher Timura, Stephanie L. Connor and R.L. Pratt.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the above developments.  Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s International Trade Group:

United States:
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, [email protected])
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, [email protected])
Jose W. Fernandez – New York (+1 212-351-2376, [email protected])
Marcellus A. McRae – Los Angeles (+1 213-229-7675, [email protected])
Adam M. Smith – Washington, D.C. (+1 202-887-3547, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, [email protected])
Ben K. Belair – Washington, D.C. (+1 202-887-3743, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, [email protected])
Laura R. Cole – Washington, D.C. (+1 202-887-3787, [email protected])
Stephanie L. Connor – Washington, D.C. (+1 202-955-8586, [email protected])
Helen L. Galloway – Los Angeles (+1 213-229-7342, [email protected])
William Hart – Washington, D.C. (+1 202-887-3706, [email protected])
Henry C. Phillips – Washington, D.C. (+1 202-955-8535, [email protected])
R.L. Pratt – Washington, D.C. (+1 202-887-3785, [email protected])
Scott R. Toussaint – Palo Alto (+1 650-849-5320, [email protected])

Peter Alexiadis – Brussels (+32 2 554 72 00, [email protected])
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Patrick Doris – London (+44 (0)207 071 4276, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Richard W. Roeder – Munich (+49 89 189 33-160, [email protected])

© 2018 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.