Much has been reported in the media about the efforts of the Committee on Foreign Investment in the United States (CFIUS) to investigate — and, where appropriate, mitigate, or even divest — transactions that the parties did not submit to CFIUS for review before they were consummated (so-called “non-notified transactions”). A recent Wall Street Journal article called attention to this worrisome trend, noting the Committee’s growing sophistication, enhanced funding for this outreach, appetite for investigating years-old investments, and leveraging of both the intelligence community and publicly available resources.
Although CFIUS outreach has long been a risk factor for the investment community, the Committee’s primary focus, historically, has been the foreign acquisitions of U.S. companies — particularly by Chinese interests. But today, as recent press reports reflect and experience teaches, CFIUS is training its focus on smaller, venture-capital type investments. That risk is especially acute for U.S. companies — and sometimes even for foreign companies with substantial U.S. operations — that develop sophisticated technologies, interact with sensitive personal data regarding U.S. persons, or touch U.S. critical infrastructure.
The expansion of CFIUS’s focus increasingly to include minority investments follows the sweeping CFIUS jurisdictional expansions first authorized by the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), and then implemented through successive regulatory rulemakings. The regulatory landscape has largely stabilized, with now-familiar CFIUS concepts informing negotiations among parties to cross-border transactions. Investments with a connection to China (including Hong Kong), and to a lesser extent Russia, are widely perceived as the primary national security threats targeted by FIRRMA and its implementing regulations.
To address these threats, FIRRMA granted CFIUS the power to review small, non-“controlling” investments in any “TID U.S. business” — a category of businesses whose involvement with critical technologies, critical infrastructure, or sensitive personal data about U.S. citizens pose vulnerabilities that CFIUS’s traditional jurisdiction over “control” investments could not adequately address. Some such investments are now subject to a mandatory CFIUS filing requirement, with civil penalties available if the parties fail to file. And the specific investment rights that can trigger CFIUS jurisdiction, including a mandatory filing requirement, are now reasonably well understood and parties to these investments often understand how to structure them to minimize CFIUS risk.
It was predictable, then, that CFIUS would use its increased funding and other resources resulting from FIRRMA to scrutinize smaller investments in sensitive U.S. businesses that formerly escaped evaluation. In this context, it is a good time to understand what this means for the parties that CFIUS contacts and how you can avoid being one of those unlucky parties.
By the time a U.S. business is contacted by CFIUS, much has happened within the federal government. CFIUS has leveraged its resources — relationships with other executive branch agencies, publicly available information regarding investments, and subject matter experts with CFIUS-relevant expertise — to determine that the transaction may be a “covered transaction” (i.e., within CFIUS’s jurisdiction to consider) and may raise national security concerns.
This means that CFIUS has already determined that a foreign investor may pose a threat to U.S. national security, the U.S. business may create a vulnerability for U.S. national security, and the transaction may have national security consequences. So it is through this perspective — one focused on potential threats and vulnerabilities — that CFIUS determines if the transaction is in fact a covered transaction and does in fact pose a risk to U.S. national security.
Whereas in the past, the initial CFIUS outreach was an unexpected telephone call to the U.S. business investee, today it begins with an email — the subject line of which is typically “U.S. Government Confidential Business Matter.” Some receiving this e-mail from the Department of the Treasury have wondered whether it is real or spam, and they may be inclined to disregard it. But this initial outreach sets up an initial phone call, during which CFIUS representatives introduce themselves to the U.S. business (and/or their counsel) and describe the Committee’s role. The U.S. business will then receive a list of questions designed to determine if the transaction is a “covered transaction” that the Committee can review.
If the responses indicate that the transaction is a covered transaction, CFIUS will request a notice and initiate the CFIUS review process. Through this process, CFIUS will crystalize its views of the foreign investor, the U.S. business, the resulting national security considerations, and any measures needed to mitigate the Committee’s concerns. If the transaction parties do not agree to “voluntarily” submit a notice, CFIUS has the power to unilaterally investigate the transaction and draw its own conclusions — a scenario likely to lead to a less favorable result.
Because CFIUS reviews of non-notified transactions enter the review process with CFIUS having already identified potential concerns, the likelihood is greater that these transactions will come to be regarded as national security risks. And because, by definition, the parties to a non-notified transaction elected against — or perhaps did not even consider — notifying CFIUS of the transaction, they often enter the process with a deficit of trust. In other words, parties may be engaging the Committee for the first time lacking the very most important commodity for any party under CFIUS review. Rebuilding that trust is an important but challenging goal.
In some cases of CFIUS outreach, but not in all, CFIUS will conclude it has jurisdiction and will act to address the national security concerns. This can be hard or devastating for both the U.S. business and the foreign investor. Mitigation may be an option, but the Committee’s appetite for monitoring mitigation agreements has waned. If that is not an option, CFIUS, acting under the threat of referring the decision to the President, may force foreign investors to divest their interests in the U.S. business. Divestiture typically occurs within a constrained time period, to a CFIUS-approved purchaser, and often under a set of cumbersome interim protective provisions. And because suitors in this fire-sale scenario will understand that the sale must occur within an artificial market and timetable, and subject to other CFIUS-imposed constraints, the seller is unlikely to receive good value for its investment.
Even where CFIUS is unable to determine a transaction is covered, it can continue to ask follow-up questions and explore novel jurisdictional theories, largely without time constraints. Parties faced with this type of continued outreach should expect questions about the U.S. business’ corporate structure and governance. The dialogue can last for months. Not infrequently, a CFIUS investigation of foreign investment “A” in a U.S. business reveals investments “B,” “C,” and “D” in the same business, or in other U.S. businesses. Meanwhile, where applicable, the mandatory filing requirements authorize CFIUS to impose a civil penalty on the transaction parties, up to the value of the investment. Thus, even in cases that do not lead to divestiture, the stakes can be substantial.
How to Prepare
From the earliest stages of an investment transaction, the parties should cooperate to consider recent CFIUS reforms (discussed in greater detail in our prior client alerts here and here), which expanded the scope of CFIUS jurisdiction, imposed mandatory filing requirements, refocused the Committee’s work on certain categories of controlled technology, and articulated — but did not exhaustively define — what CFIUS considers most important to the national security of the United States.
Given the more prescriptive roadmap afforded by FIRRMA and its implementing regulations, parties today can better understand why a transaction does (or does not) require a filing; why it is (or is not) a covered transaction that CFIUS may still review, even if not subject to a mandatory filing requirement; and what potential knock-on effects could flow from a decision to make (or not to make) a voluntary filing, or when taking an aggressive position regarding whether the transaction must be notified to CFIUS. Whatever decision the parties make in respect of CFIUS, it should be informed and forward thinking.
For example, if a foreign person acquired a controlling interest in a U.S. business, that investment may convert the U.S. business into a “foreign person” for CFIUS purposes, thus rendering the U.S. business’ own later investment in an unrelated U.S. business a CFIUS covered transaction. This can be easy to miss but quick to snowball, potentially imposing on that later investment a mandatory CFIUS filing requirement that may be neither obeyed nor even considered. Foreign investors, meanwhile, will want to avoid the taint that can attach from adverse CFIUS action, particularly in the non-notified context, as this can make them less attractive investment partners.
If CFIUS reaches out, it is vital for the parties to the transaction each to engage experienced CFIUS counsel from the outset. The back-and-forth exchange of facts and documents with the Committee can be a lengthy process, with the better outcomes emerging from a careful cooperation among the parties. Although CFIUS conducts its initial inquiry through the U.S. business, the foreign investor usually has as much — and often more — at stake, as it is their participation being called to account. Other foreign investors in the U.S. business, related or unrelated to the primary target, may wonder if their investment too will be questioned, and they should plan as if it will be.
In all events, good counsel can render your investment transactions less visible, hardened to scrutiny if detected, and more defensible if the CFIUS non-notified process draws you within its gaze.