On September 17, 2019, the Department of Treasury (“Treasury”) released for public comment two proposed rules (the “Proposed Rules”) implementing the Foreign Investment Risk Review Modernization Act (“FIRRMA”) enacted in August 2018.  FIRRMA expanded the jurisdiction of the Committee on Foreign Investment in the United States (“CFIUS”) and granted CFIUS new tools to regulate foreign investments raising national security concerns.  Our previous analysis of FIRRMA is available here, and our analysis of the “critical technologies” pilot program under FIRRMA implemented by interim regulations issued by Treasury on October 10, 2018, (the “Pilot Program”) is available here.

Treasury will accept comments on the Proposed Rules until October 17, 2019, and the final regulations are to become effective no later than February 13, 2020.  Companies that may be affected by the Proposed Rules are encouraged to comment.  The full text of the Proposed Rules on investments by foreign persons in US businesses can be found here and on real estate transactions here.  We would be pleased to assist our clients with the submission of comments.

Key Changes

The Proposed Rules, intended to implement FIRRMA, would replace and expand the existing CFIUS regulations by expanding CFIUS’ jurisdiction, imposing a mandatory pre-closing declaration requirement for foreign investments involving a substantial foreign government interest, and defining CFIUS procedures.  Highlights of the Proposed Rules are as follows:

  • Mandatory Pre-Closing Declarations for Investments in which a Foreign Government has a Substantial Interest — The Proposed Rules would require pre-closing declarations to CFIUS for investments in certain critical infrastructure and sensitive personal data businesses by foreign investors in which a foreign government holds a substantial interest. The explanatory note to the Proposed Rules indicates that CFIUS is still considering whether to apply the same approach to foreign investments in technology businesses or to maintain some version of the Pilot Program where declarations are required for all foreign investments in US businesses developing, testing or producing critical technology for use in listed sectors.
  • Expanded Jurisdiction over Investments in Technology, Infrastructure, and Data US Businesses (TID US Businesses) — While CFIUS has had authority since 1988 to review investments where a foreign person acquires “control” over a US business, the Proposed Rules would extend CFIUS’ jurisdiction to review non-controlling foreign investments in TID US Businesses where the foreign person acquires board representation or observer rights, access to nonpublic technical information, or rights to involvement in substantive decision making regarding the infrastructure, technology, or data (the “Non-Controlling Rights”). The definition of “critical technology” and “sensitive personal data” for purposes of jurisdiction are among the more important provisions of the Proposed Rules.
  • Excepted Investors — The Proposed Rules would excuse certain “excepted investors” from the expanded CFIUS jurisdiction and declaration requirements described above, though such excepted investors would remain subject to CFIUS’ jurisdiction for the purposes of reviewing non-controlling investments in businesses in any sector. For a foreign investor to be an “excepted investor,” it must be from an “excepted foreign state” and must meet certain criteria relating to ownership, board membership, and legal compliance.  The “excepted foreign states” will include national security allies of the United States that have effective investment security procedures similar to CFIUS.  The explanatory note indicates that the list of “excepted foreign states” will initially be short.
  • Real Estate — The Proposed Rules would bring certain real estate transactions within CFIUS’ jurisdiction. Previously, real estate unconnected to a US business was outside of CFIUS’ jurisdiction.
  • Voluntary Declarations — The Proposed Rules would, as authorized by FIRRMA, allow parties to file voluntary declarations, before or after closing. Declarations, being short forms with a 30 day timeline, could potentially provide an expedited procedure for securing a CFIUS clearance that insulates a transaction from subsequent questioning by CFIUS.

The Proposed Rules do not include provisions imposing filing fees for CFIUS notice files.  Under FIRRMA, CFIUS is authorized to impose filing fees not exceeding the lesser of 1 percent of the transaction value or $300,000 (adjusted annually for inflation) on the filing of notices, but not on declarations.  Proposed rules on filing fees are to be published subsequently.

Mandatory Declarations

Currently, all investors are required to submit a mandatory declaration under the Pilot Program.  Unlike the Pilot Program, the Proposed Rules limit the mandatory declaration requirements, with regard to infrastructure and personal data companies, to foreign investments involving a substantial interest held by a foreign government.  A declaration is required for the acquisition of 25% or more of a voting interest in a TID US Business by a foreign person in which a foreign government in turn holds 49% or more of a voting interest.  Under this formulation, an investment that does not meet both thresholds would not require a declaration, even if the transaction implicated relevant rights.  For example, an acquisition of 24% of a voting interest in a TID US Business by an entity 100% owned by a foreign government would not require the submission of a mandatory declaration.

The explanatory note to the Proposed Rules points out that CFIUS is still considering whether to continue the mandatory declaration requirement under the Pilot Program.  Given the technology transfer concerns that motivated Congressional passage of FIRRMA, CFIUS may well preserve broader declaration requirements for critical technology than for critical infrastructure and sensitive personal data.  Moreover, it is likely that critical technology and sensitive personal data investments would be more visible to CFIUS than technology investments involving start-ups with no market presence.

Mandatory declarations would need to be submitted to CFIUS at least 30 days in advance of the completion date.  After a 30-day review, CFIUS would revert to the parties with the same potential outcomes as under the Pilot Program – specifically, it may (1) issue a safe harbor letter, (2) inform the parties that CFIUS was unable to conclude its review and that the parties may file a voluntary notice, (3) request that the parties file a voluntary notice, or (4) initiate unilateral review of the transaction.  The Proposed Rules provide, in contrast with the Pilot Program, that CFIUS may invite parties to a declaration to discuss and clarify issues pertaining to the transaction in a meeting.

Notwithstanding the new proposed mandatory filing requirement, CFIUS’ broad authority to review transactions may be exercised even if a foreign government’s interest is less than 49%.

Investment funds exception

Similarly to the Pilot Program, the Proposed Rules provide, as largely dictated by the detailed provisions in FIRRMA, that the submission of a declaration shall not be required with respect to an investment by a qualified investment fund.  Investments via funds managed exclusively by a US general partner are exempted from the expanded CFIUS jurisdiction where: the foreign person is a limited partner or equivalent on an advisory committee of the fund, the advisory committee does not have the ability to control investment decisions of the fund, the foreign person does not otherwise have the ability to make certain important decisions regarding the fund, and the foreign person does not have any of the Non-Controlling Rights in the TID US business as a result of the investment. Out previous analysis of how the CFIUS reform affects the private equity funds is available here.

CFIUS’ Expanded Jurisdiction

While CFIUS has long had authority to review investments where a foreign person acquires “control” of a US business, the Proposed Rules would expand CFIUS’ authority to review certain investments in US businesses that handle “critical technology,” “critical infrastructure,” and “sensitive personal data” where a foreign investor acquires Non-Controlling Rights.

Covered investments involving critical technology

Investments by foreign persons with Non-Controlling Rights into the TID US Businesses involving critical technology are currently the subject of the Pilot Program.  The Proposed Rules would not make any changes to the Pilot Program.

Covered investments involving critical infrastructure

The Proposed Rules would provide CFIUS with authority to review transactions in which a foreign investor gains Non-Controlling Rights in a US business that owns, operates, manufactures, supplies, or services certain “critical infrastructure” identified in an annex to the Proposed Rules.  The annex includes categories such as internet and telecommunications networks, electric power generation systems, certain natural gas pipelines, and maritime ports.  There are also descriptive categories; for example, an “industrial resource other than commercially available off-the-shelf items” manufactured for a defense acquisition program, for which the US business is a “single source,” or where the resource is a “long lead” item, would be considered part of the critical infrastructure subset triggering expanded jurisdiction.

Covered investments involving sensitive personal data

The Proposed Rules also provide CFIUS with authority to review investments where the foreign person gains Non-Controlling Rights in a US business that maintains or collects sensitive personal data of US citizens that could be exploited in a manner that threatens national security.  Under the Proposed Rules, certain categories of data, including, among other things, identifiable financial data, consumer reports, health-related data, geolocation and biometric data, and security clearance-related data, may constitute “sensitive personal data” if the US business (1) targets or tailors their products or services to sensitive US government personnel or contractors, (2) maintains or collects such data on greater than one million individuals, or (3) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the US business’ primary products or services. The Proposed Rules carve out from the “sensitive personal data” definition the data pertaining to a US business’ own employees and public records.

Covered investments involving real estate

The Proposed Rules would extend CFIUS’ jurisdiction to review certain real estate transactions, specifically, the purchase or lease by, or concession to, a foreign person of real estate in specific airports or maritime ports, and real estate near certain military facilities, to the extent such transactions afford the foreign person certain rights regarding the property.  The relevant sensitive airports, ports, and military facilities are listed in Appendix A to Part 802.  The military facilities are divided into lists indicating which geographic area triggers CFIUS’ jurisdiction, i.e. one list indicates that real estate investments within one mile of the relevant facilities would be covered, while another list indicates that investments within 100 miles would be covered.

The Proposed Rules would also provide CFIUS with jurisdiction to review real estate investments near other, non-military, facilities of the US Government that are sensitive for national security reasons.  The Proposed Rules do not list any such facilities.

The proximity criteria provided by the Proposed Rules with regard to real estate transactions might, to some degree, be used as a guideline for analyzing potential proximity-related vulnerabilities in the context of investments in US businesses.  For example, parties to a transaction where a foreign person is acquiring a US business within 100 miles of a military installation listed in Part 2 of Appendix A to Part 802 might be more inclined to submit a voluntary notice or declaration to CFIUS in light of potential proximity-related national security concerns.

Exceptions from CFIUS’ expanded jurisdiction

“Excepted investors” and “Excepted foreign states”

The Proposed Rules seek to implement FIRRMA’s requirement to specify criteria to limit the expanded jurisdiction and the mandatory declaration requirement to certain categories of foreign persons by introducing an “excepted investor” definition.  Such an investor would have a substantial connection, such as nationality of ultimate beneficial owners and place of incorporation, to one or more eligible foreign states to be identified by Treasury in a separate list on its website.

As a second step, Treasury would determine, two years after the effective date of the final regulations (likely, February 2022), the eligible foreign states that are effectively utilizing a robust process to assess foreign investments for national security risks and to facilitate coordination with the United States on matters relating to investment security.  The purpose of this proposed two-stage system is to encourage other advanced countries to implement investment security regimes.

Notably, certain past and future missteps, such as violating certain US laws and regulations, material misstatements or omissions in a CFIUS notice or declaration, or even failing to meet certain criteria after the completion of a transaction may disqualify someone from qualifying for excepted investor status, in which case CFIUS may choose to review the closed transaction.

Specific real estate exceptions

The Proposed Rules would except certain types of real estate transactions – such as urban clusters, single housing units, and commercial office space – from CFIUS’ review, subject to some restrictions set out in the Proposed Rules.  Leases by or concessions to foreign persons at airports or maritime ports that are covered real estate are excepted if the property may be used only as retail trade, accommodation, or food service establishments.

US Business Regulations

Currently, the CFIUS regulations define “US business” broadly to mean a “person engaged in interstate commerce in the United States, but only to the extent of its activities in interstate commerce in the United States.” The Proposed Rules suggest defining US business simply as a person engaged in interstate commerce in the United States.  Removing the second part of the US business definition and not limiting it to US operations could allow CFIUS to further expand its jurisdictional reach to cover the businesses outside of the United States where their only nexus with the United States is that they sell or supply US customers.  We would expect this modification to generate comments and the need for clarity from CFIUS on the intended meaning and consequences of this revision.

The authors acknowledge the assistance of Ryan Poitras in the preparation of this blog post.


Rod Hunter, a partner in the Washington, DC office, regularly advises on U.S. foreign investment regulation, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS) and procedures relating to mitigation of foreign ownership, control or influence (FOCI) under national industrial security regulations. He previously served as Special Assistant to the President for National Security Affairs and senior director for international economics at the National Security Council (NSC), the White House office that coordinates trade policy and supervises CFIUS. A recognized expert in the field, he has served as an expert witness on CFIUS in civil litigation and has testified before Congress during the legislative process leading to recent amendments to CFIUS’ authorizing legislation.


Sylwia Lis is a partner in the Washington, DC office. She has extensive experience advising clients on national security reviews of foreign investments, including representation before the Committee on Foreign Investment in the United States (CFIUS). Sylwia also advises companies on US law relating to exports and reexports of commercial goods and technology (EAR), defense trade controls (ITAR), and trade sanctions (OFAC) - including licensing, regulatory interpretations, M&A due diligence and regulatory notifications (DDTC/ITAR notification process), compliance programs and enforcement matters.


Callie is an Associate in Baker McKenzie's Washington, DC office in the International Commercial practice. She has experience advising on international trade law, particularly national security reviews of foreign investments and compliance with US export controls and trade and economic sanctions.