Final Regulations on Expanded Authority of CFIUS to Review Foreign Investor Transactions Go into Effect

February 13, 2020

Eighteen months after President Trump signed the Foreign Investment Risk Review Modernization Act (“FIRRMA”)1 which broadened the power of the Committee on Foreign Investment in the United States (“CFIUS”) to review foreign investments in the United States, final regulations to implement CFIUS’s expanded authority become effective on February 13, 2020.2  They replace the interim regulations previously issued by the Treasury Department, and mark the end of the Critical Technology Pilot Program (the “Pilot Program”) while incorporating the Pilot Program’s mandatory requirement to notify CFIUS of investments implicating certain industries and technologies.  In addition to incorporating CFIUS’s new authority to review certain types of real estate investments by foreign persons, the final regulations address several open questions that have been pending since FIRRMA’s enactment—including the identification of a set of investors who will receive less scrutiny going forward.

I.          Corporate Investments by Foreign Persons

The final regulations, codified at 31 C.F.R. Part 800, replace all existing regulations regarding foreign investments in U.S. businesses and further expand CFIUS’s authority under FIRRMA to review not only transactions resulting in control but also certain non-controlling investments associated with particular industries and technologies.

A.         Controlling Interests in U.S. Businesses

Prior to the enactment of FIRRMA, CFIUS’s review authority was limited to “covered control transactions” in which a foreign person or entity obtained “control” of a U.S. business and which could threaten the national security of the United States.3  This applied both to majority control or a “dominant minority of the total outstanding voting interest . . . to determine, direct, or decide important matters affecting an entity.”4  While no set percentage of ownership stake was defined to constitute control, there was a carve-out for transactions in which a foreign person holds ten percent or less of the outstanding voting interest in a U.S. business, regardless of the dollar value of the interest, provided the transaction is “solely for the purpose of passive investment.”5

Under the traditional review process, parties to a covered control transaction would file a voluntary notice and seek CFIUS approval. Complete filing and certification of the voluntary notice would trigger a forty-five-day review period.  CFIUS could recommend that the President approve the transaction, with or without the need for mitigation efforts to address national security concerns, or to reject the deal in its entirety.6

B.        Non-Controlling Interests in “TID U.S. Businesses”

Under FIRRMA, CFIUS now has authority to review certain non-controlling “covered investments” in U.S. businesses associated with Technology, Infrastructure and Data (a so-called “TID U.S. business”).7  A TID U.S. business is one which falls into one or more of the following categories:

(1)          A U.S. business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies.8  The definition of “critical technologies” is closely linked to the U.S. export control regime, and includes defense articles or defense services included in the United States Munitions List, certain items included on the Commerce Control List, certain nuclear-related items, select agents and toxins, and “emerging and foundational technologies” to be identified via regulations to be issued by the Commerce Department pursuant to the Export Control Reform Act of 2018 (“ECRA”).

(2)          A U.S. business that performs specified types of work on covered investment critical infrastructure.9  The term “critical infrastructure” means “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.”  The final regulations specify the systems and assets that are considered covered investment critical infrastructure in an appendix to include certain internet protocol networks, telecommunications services, internet exchange points, submarine cable systems, satellites and satellite systems, chemical manufacturing plants, public utilities, electricity generators, oil and natural gas terminals and pipelines, financial market utilities, and rail lines.10  The appendix further details the functions that the business must perform with respect to the covered investment critical infrastructure to be considered a TID U.S. business.11

(3)          A U.S. business that maintains or collects, directly or indirectly, sensitive personal data of U.S. citizens.12  This includes non-publically available identifiable data of non-employees (such as financial records, health records, and biometrics), maintained or collected by a U.S. business that targets or tailors its products or services to elements of the U.S. government with national security, homeland security, or intelligence responsibilities, that maintains or collects such data on over one million individuals, or that has a “demonstrated business objective” to maintain or collect such data on more than one million individuals and that data is integrated into the business’s primary products or services.  The definition of “sensitive personal data” also includes the results of an individual’s genetic test.13

A non-controlling investment in a TID U.S. business will be a covered investment if it will afford the foreign person one or more of the following:14

(1)          Access to material non-public technical information in the possession of the TID U.S. business.  This means information that (a) provides knowledge, know-how, or understanding not available in the public domain, of the design, location, or operation of critical infrastructure, including, without limitation, vulnerability information such as that related to physical security or cybersecurity; or (b) is not available in the public domain and is necessary to design, fabricate, develop, test, produce, or manufacture a critical technology without limitation processes, techniques, or methods.15

(2)          Membership or observer rights on the board of directors (or equivalent body) of the TID U.S. business or the right to nominate an individual to a position on the board of directors or equivalent governing body of the TID U.S. business.

(3)          Any involvement in substantive decisionmaking of the U.S. business regarding certain actions related to critical technologies, critical infrastructure, or sensitive personal data of U.S. citizens.  The term “substantive decisionmaking” means the process through which decisions regarding significant matters affecting an entity are undertaken, including pricing, sales, and specific contracts, supply arrangements, corporate strategy and business development, research and development, manufacturing locations, access to certain technologies and infrastructure, cybersecurity protocols, policies regarding sensitive personal data, and strategic partnerships.16

The final regulations provide relief for indirect investments by foreign persons in a TID U.S. business through an investment fund in which they are limited partners afforded membership on an advisory board or equivalent body.  Provided the position is passive and meets certain criteria, the investment will fall outside CFIUS’s jurisdiction.17

As a result, the question of whether an investment transaction by a foreign person constitutes a covered control transaction now must be supplemented with an analysis of whether it is a non-controlling covered investment that nonetheless is subject to CFIUS review and approval.  With the exception of certain covered investments described below, parties are not required to submit a declaration or notification to CFIUS for investments in TID U.S. businesses.

C.        The Critical Technology Pilot Program

As part of the final regulations, the Treasury Department also provided clarity on the continued effectiveness of the Pilot Program Interim Rule (the “Interim Rule”).  Under the Interim Rule at Part 801, CFIUS required the filing of a declaration for both controlling and non-controlling investments in Pilot Program U.S. businesses (i.e., U.S. businesses with a nexus to specified industries identified by a North American Industry Classification System (“NAICS”) code that produce, design, test, manufacture, fabricate, or develop critical technologies).  The final regulations make clear that the Interim Rule continues in effect for transactions for which specific actions were taken on or after the effective date of the Interim Rule (November 12, 2018) through February 12, 2020.

D.        Excepted Foreign States and Excepted Investors

FIRRMA directed CFIUS to limit by regulation its expanded jurisdiction over covered investments to certain foreign persons.  The final regulations implement that requirement through the creation of the categories of “excepted foreign states”18 and “excepted investors.”19 CFIUS has initially selected three “excepted foreign states” based on their close intelligence and defense relationships with the United States: Australia, Canada, and the United Kingdom.  The final regulations also detail the criteria that CFIUS will use to determine continued eligibility for excepted foreign state status, as well to identify new excepted foreign states.  The determination turns on CFIUS’s assessment that a foreign state has adopted a CFIUS-like program to evaluate foreign investment.20

The final regulations provide that investments in TID U.S. businesses by “excepted investors” from the “excepted foreign states”—including their governments, certain nationals, and certain entities—are not covered investments and thus fall outside of CFIUS’s expanded jurisdiction, nor are they subject to the mandatory filing requirements.  CFIUS, however, would retain jurisdiction over covered control transactions to which excepted investors are parties.

E.         Mandatory Filings

While the Pilot Program and the Interim Rule will no longer apply to transactions initiated on or after February 13, 2020, the final regulations nevertheless maintain a mandatory filing regime for covered investments and covered controlled transactions in critical technology U.S. businesses.21  The final regulations also expand the mandatory filing requirement to transactions in which a foreign person obtains a “substantial interest” in a TID U.S. business where a foreign government in turn holds a “substantial interest” in the foreign person.22  A “substantial interest” is defined as a voting interest, direct or indirect, of 25% or more by a foreign person in a U.S. business and a voting interest, direct or indirect, of 49% or more by a foreign government in a foreign person.23  In both cases, the parties to the transaction must submit a mandatory notice at least thirty days prior to the closing date.24

In addition to the carve-out for excepted investors, the final regulations provide for other exceptions to the mandatory filing requirement, including:

  • Covered transactions involving investment funds in which a foreign government has a “substantial interest” in the fund, provided that (i) the general partner or equivalent is not a foreign person and exclusively manages the fund; (ii) the advisory board on which a foreign person limited partner sits does not have the ability to control investment decisions of the fund or decisions of the general partner with respect to the business in which the fund is invested; and (iii) the foreign person partners do not have the ability to control or direct the fund or the general partner.
  • Indirect investments from foreign persons through entities subject to an agreement to mitigate foreign ownership, control, or influence under the National Industrial Security Program regulations or an entity that operates under facility security clearance pursuant to the National Industrial Security Program.
  • Covered transactions by an investment fund where the fund is managed exclusively by a general partner or equivalent and that general partner is either controlled exclusively by U.S. nationals or is not a foreign person, and the fund otherwise satisfies the limitations on foreign limited partners.
  • Covered transactions that are covered investments in or could result in the control of a TID U.S. business solely because the critical technology involved is one that is eligible for export, reexport, or transfer (in country) pursuant to License Exception ENC under 15 C.F.R. §17.

II.         Real Estate Investments by Foreign Persons

The final regulations also contain a second part, 31 C.F.R. Part 802, which implements CFIUS’s new authority to review purchases, leases, and other changes in certain rights of foreign persons, entities, or governments over U.S. real property.  A “covered real estate transaction” subject to these new rules includes transactions involving property that:25

(a)           Is, is located within, or will function as part of, an airport or maritime port; or

(b)          Is located within: (1) close proximity of any military installation (as described in an appendix to the final regulations); (2) 100 miles (or twelve nautical miles) of certain military training centers; (3) any county or geographic area identified in connection with United States Air Force ballistic missile facilities; or (4) any part of a naval offshore range complex or operating area; and

(c)           Provides at least three of the property rights described in 31 C.F.R. § 802.233, which includes the right to (1) physically access the real estate; (2) exclude others from physically accessing the real estate; (3) improve or develop the real estate; or (4) attach fixed or immovable structures or objects to the real estate.

The final regulations contain carve-outs for “excepted real estate investors” connected to an “excepted real estate foreign state.”26  The “excepted real estate foreign states” are the same as the “excepted foreign states” under Part 800—Australia, Canada, and the United Kingdom.  Purchases or leases by, or concessions to, excepted real estate investors are considered “excepted real estate transactions,” which fall outside CFIUS’s jurisdiction.27

In its comments to the final regulations, CFIUS indicated that it intends to provide a web-based tool for relevant parties to understand the geographic coverage of the regulations.  As with most covered control transactions and non-controlling covered investments in U.S. businesses, seeking CFIUS approval for a covered real estate transaction remains voluntary.

III.        Conclusion

Key takeaways from the final regulations include:

  • Short-Form Declarations Universally Available. Formerly only usable for mandatory filings under the Pilot Program, short-form voluntary declarations with thirty-day review periods are now available for all transactions in which CFIUS approval is sought. However, the potential that CFIUS may want additional details for more complicated transactions could lead practitioners to skip the declaration option and file a notice from the onset.
  • Number of Excepted Foreign States Unlikely to Grow. The final regulations identified three of the four non-U.S. members of the “Five Eyes” intelligence-sharing relationship as the initial “foreign excepted states.” These countries, along with New Zealand, arguably have the closest intelligence and military relationship with the United States of any countries in the world.  Although technically the criteria for adding states in the future (and maintaining those three) turns on CFIUS’s assessment of the foreign states’ investment review regime, in practice, parties should not expect this list to expand far beyond the three already identified.
  • Decoupling Critical Technology Mandatory Declarations from NAICS Codes. Under the Interim Rule, mandatory filings were required for certain transactions involving U.S. businesses with a nexus to specific industries identified by a NAICS code. As part of the comments to the final regulations, CFIUS indicated that it will issue a separate notice of proposed rulemaking that would substitute the nexus to specific industries (self-) identified by NAICS code with one based upon export control licensing requirements.
  • “Emerging Technologies” Guidance Remains Forthcoming. It is expected that, in the coming months, the Commerce Department will issue regulations under the ECRA to clarify what constitute “emerging technologies that are essential to U.S. national security.” This will be an important development, because while the implications will fall primarily on export control laws, its impact on the definition of “critical technology” will affect the definition of TID U.S. businesses and the mandatory filing requirement.
  • Proximity to Sensitive Facilities Remains Relevant to Covered Control Transactions and Covered Non-Controlling Investments. Foreign investors should not consider the issuance of the final rule regarding CFIUS’s expanded real estate transaction jurisdiction as an indication that CFIUS will not take into account issues of proximity to sensitive locations in control or covered investment transactions.
  • Filing Fees. While FIRRMA authorizes CFIUS to assess and collect fees in connection with the filing of a notice of a covered transaction, the Treasury Department declined to include regulations implementing such authority at this time.

The CFIUS review and approval system is only getting more complicated with additional types of transactions subject to review.  As a result, it is more essential than ever that practitioners understand the various types of investments that fall within CFIUS’s jurisdiction; can cite the few but growing instances in which mandatory filing is required; and be able to identify real estate transactions that are captured by FIRRMA.


1   Title XVII, Pub. L. No. 115-232, available at

2   31 C.F.R. Part 800, available at; 31 C.F.R. Part 802, available at

3   Whether a transaction presented a threat to national security depended on an analysis which took into account eleven factors including the potential effects on U.S. international technological leadership, the impact on U.S. critical infrastructure, and whether the U.S. business would fall under the control of a foreign government or state-owned entity.

4   31 C.F.R. § 800.208(a).

5   31 C.F.R. §§ 800.302(b), 800.243(a).

6   See U.S. Department of the Treasury, Filing Instructions–Voluntary Notice,

7   31 C.F.R. § 800.248.

8   31 C.F.R. § 800.215.

9   31 C.F.R. § 800.214.

10 31 C.F.R. § 800.212, Appendix A to Part 800 at Column 1.

11 31 C.F.R. § 800, Appendix A to Part 800 at Column 2.

12 31 C.F.R. § 800.241(a)(1).

13 31 C.F.R. § 800.241(a)(2).

14 31 C.F.R. § 800.211.

15 31 C.F.R. § 800.233.

16 31 C.F.R. § 800.245.

17 31 C.F.R. § 800.307.  Such criteria include that the fund is managed exclusively by a general partner or managing member who is not a foreign person; that the advisory board or committee does not have the ability to approve, disapprove, or control the investment decisions of the fund or the decisions of the general partner with respect to entities in which the fund is invested; the foreign person does not have the ability to control the fund; the foreign person has no access to material nonpublic technical information as a result of its participation on an advisory board or committee; and the foreign person enjoys none of the access, rights, or involvement to the TID U.S. business described in 31 C.F.R. § 800.211(b).

18 31 C.F.R. § 800.218.

19 31 C.F.R. § 800.219.

20 31 C.F.R. § 800.1001.

21 31 C.F.R. § 800.401(c).

22 31 C.F.R. § 800.401(b).

23 31 C.F.R. § 800.244(a).

24 31 C.F.R. § 800.401(e).

25 31 C.F.R. §§ 802.211, 802.212.

26 31 C.F.R. §§ 802.214, 802.215.

27 31 C.F.R. § 802.216.