October 2, 2019 – On September 17, 2019, the U.S. Department of the Treasury issued proposed regulations to strengthen the authority of the Committee on Foreign Investment in the United States (“CFIUS”) to review the national security implications for transactions involving foreign investment in the United States.  The regulations, which are required to implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), expand the scope of transactions subject to CFIUS review and introduce procedural updates to the review process.  Although the regulations provide additional clarity, they still leave open questions about the definitions and scope of certain terms, including emerging technologies and excepted foreign states.  CFIUS has until February 13, 2020 to fully implement FIRRMA, and additional future guidance and regulations can be expected. 


FIRRMA, enacted in August 2018, extends CFIUS’s review authority beyond transactions that result in foreign control of a U.S. business.  Under FIRRMA, four types of additional transactions are “covered transactions” subject to CFIUS review:  (1) the purchase by a foreign person of certain real estate in the United States; (2) non-controlling investments by foreign persons in U.S. businesses engaged in specified activities that involve critical technology, critical infrastructure, or sensitive personal data (what the proposed regulations call “TID U.S. businesses”); (3) changes in a foreign person’s rights in a U.S. business that could result in foreign control; and (4) any other transactions that could evade or circumvent FIRRMA.  FIRRMA also aims to modernize CFIUS’s review processes. 

On September 17, 2019, the Department of the Treasury issued proposed regulations to implement a number of the requirements of FIRRMA, opening a period for public comment that concludes on October 17, 2019.  The proposed regulations were issued in two parts:  a redrafted Part 800 that includes the prior CFIUS Part 800 rules relating to acquisitions that could result in control of a U.S. business, plus new provisions related to certain non-controlling investments in the United States by foreign persons, 31 C.F.R. part 800, and provisions related to transactions by foreign persons involving U.S. real estate, 31 C.F.R. part 802.  Certain process changes to the CFIUS rules to implement FIRRMA that were made in October 2018 are incorporated in the redrafted Part 800 (e.g., the expansion of the time frame for full CFIUS investigations from 30 to 45 days).  To accompany the proposed regulations, the Department of the Treasury also issued a fact sheet and frequently asked questions.  After the period of review and comment expires, a final version of the proposed regulations must be implemented by February 13, 2020. 

For the moment, Part 801 of the existing CFIUS regulations (adopted in October 2018, and referred to as the “Pilot Program”), which requires mandatory reporting to CFIUS of a subset of transactions involving investments in certain U.S. businesses involved with critical technologies, remains unchanged.  Instead, the Federal Register notice accompanying the proposed regulations states that CFIUS is still considering “the scope of mandatory declarations for covered transactions involving critical technologies,” and that the Department of the Treasury “welcomes comments on the retention of the mandatory declaration aspect of the Pilot Program.”

Expanded CFIUS Jurisdiction

1.  Covered Transactions

Prior to FIRRMA, CFIUS only had the authority to review investments that could result in control of a U.S. business by a foreign person.  FIRRMA expands CFIUS’s jurisdiction to cover certain non-controlling investments by foreign persons in TID U.S. businesses if the investment would afford the foreign person, as reflected in the proposed regulations:

  1. access to “material nonpublic technical information in the possession of the TID U.S. business;”
  2. “membership or observer rights on … the governing body of the TID U.S. business;” or
  3. “any involvement, other than through voting of shares, in substantive decision-making of the TID U.S. business regarding:
    1. The use, development, acquisition, safekeeping, or release of ‘sensitive personal data’ of U.S. citizens maintained or collected by the TID U.S. business
    2. The use, development, acquisition, or release of critical technologies; or
    3. The management, operation, manufacture, or supply of ‘covered investment critical infrastructure’.”

See section 800.211 of the proposed regulations.  This tracks the criteria applied to non-controlling investments in certain critical technology industries under the Part 801 Pilot Program.

  • Critical Technologies

The proposed regulations adopt the definition of critical technologies from FIRRMA, which includes, among other things, certain items controlled under the Export Administration Regulations (“EAR”) or included on the United States Munitions List set forth in the International Traffic in Arms Regulations (“ITAR”).  Critical technologies also include “emerging and foundational technologies,” which are controlled under section 1758 of the Export Control Reform Act of 2018.  The Export Control Reform Act of 2018, which was passed concurrently with FIRRMA, tasks the U.S. Department of Commerce with defining the term “emerging and foundational technologies;” Commerce is currently engaged in the process of defining what are emerging and foundational technologies. 

  • Critical Infrastructure

For purposes of CFIUS review of both controlling and non-controlling investments in U.S. businesses involved in critical infrastructure projects, the proposed regulations define “critical infrastructure” as  “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security.”  See section 800.215 of the proposed regulations.  To narrow the scope of reviewable non-controlling investments, Appendix A of the proposed regulations lists 28 categories of critical infrastructure that could be the subject of a reviewable “covered investment critical infrastructure.” See section 800.212 of the proposed regulations.  To narrow the definition further, Appendix A identifies specific functions related to each type of critical infrastructure that would cause a non-controlling foreign investment to be a covered transaction that CFIUS could review.  For example, satellites or satellite systems providing services directly to the Department of Defense or any component thereof are classified as critical infrastructure, but covered reviewable investments would be limited to investments in those U.S. businesses that own or operate the satellite or satellite system. 

  • Sensitive Personal Data

The proposed regulations also expand CFIUS jurisdiction to foreign investment in U.S. businesses that maintain or collect “sensitive personal data,” which could be “exploited in a manner that threatens to harm national security.”  The proposed regulations recognized that most U.S. companies collect at least some types of data on individuals, and thus provide a relatively narrow definition of “sensitive personal data” intended to “minimize any chilling effect on beneficial foreign investment by focusing on the sensitivity of the data itself.” 

The regulations carve out three specific types of U.S. businesses to which the “sensitive personal data” provisions could apply:

  1. U.S. businesses that provide goods or services to the U.S. government or military agencies; 
  2. U.S. businesses that maintain or collect data on more than one million individuals at any point during the preceding 12 months; or
  3. U.S. businesses that have expressed a business objective to maintain or collect data on more than one million individuals, and the data is an integrated part of the U.S. business’s primary product or services. 

Within these categories of businesses, the proposed regulations defined ten types of data that constitute sensitive personal data, including geolocation data, health data, and data included in applications for health insurance, life insurance and other types of insurance.  The regulations also define genetic information as sensitive personal information, regardless of the type of U.S. business collecting the genetic information. 

Excluded from the definition of sensitive personal data are certain types of data that a U.S. business maintains or collects about its own employees and data that are in the public record. 

2.  Excepted Foreign States

For purposes of CFIUS’s expanded jurisdiction to review certain non-controlling investments, FIRRMA requires CFIUS to narrow the definition of “foreign persons” whose non-controlling investments are subject to review to certain categories of individuals and nationality, taking into consideration “how a foreign person is connected to a foreign country or foreign government, and whether the connection may affect the national security of the United States.”  During the legislative process, the Senate version of the bill would have required a “positive” white list of favored categories of individuals and countries, while the House version of the bill would have required a “negative” black list of disfavored categories of individuals and countries.  In reconciliation, Congress ultimately left the provision ambiguous as to whether the country list should be positive or negative. 

The proposed regulations respond to this directive by laying the groundwork for a type of “white list” of foreign investors and states and creating standards for designating certain foreign states and foreign entities as “excepted foreign states” and “excepted investors.”  However, these are narrow exceptions, and investments in the United States by excepted foreign states or excepted investors that could result in foreign control of a U.S. business remain subject to CFIUS review. 

To fall under the category of excepted foreign states, the state must first be included in a list of eligible foreign states, which will be published by the Treasury Department later.  An eligible state must also demonstrate to CFIUS, by receiving the agreement of a super-majority of Committee member agencies, that the state implements comprehensive measures to assess foreign investment and will coordinate with the United States in ensuring the mitigation of national security risks.  The proposed regulations contemplate that it may take foreign states time to develop adequate investment security procedures, noting that the excepted foreign state designations will not go into effect until two years after the final rule goes into effect.  CFIUS has indicated that it “initially intends to designate a limited number of foreign states.”

The proposed rules also narrowly define excepted investors.  Excepted investors must have strong ties to excepted foreign states, including nationals, governments, or entities organized under the laws of excepted foreign states.  Entities organized under the laws of an excepted foreign state must be located in an excepted state, and each member of the board of directors (or comparable body) must be a national of an excepted foreign state or the United States.  The proposed regulations also include criteria that would disqualify a foreign person from being an excepted investor, including prior non-compliance with CFIUS regulations or other U.S. laws (including U.S. sanctions penalties issued by the Treasury Department’s Office of Foreign Assets Control). 

3.  Covered Real Estate Transactions

FIRRMA also grants CFIUS new authority to review transactions that involve “the purchase or lease by, or a concession to, a foreign person” of certain real estate in the United States, whether or not the transaction involves the acquisition of a U.S. business.  Proposed rules to implement this authority will be included in a new 31 C.F.R. Part 802.  Although real estate transactions have been a growing concern for CFIUS in recent years, until now CFIUS has lacked a formal set of procedures governing these transactions.

Perhaps as a reflection of the fact that it is treading new regulatory ground, Treasury’s proposed regulations in this space only apply to transactions that afford a foreign person “three or more of the following property rights: to physically access; to exclude; to improve or develop; or, to affix structures or objects.”  Moreover, CFIUS review would only extend to transactions involving real estate that is:  

  • Located within, or will function as part of, an airport or maritime port
  • Located within “close proximity,” i.e. 1 mile, to specific military installations
  • Within an “extended range,” i.e. 99 miles or 12 nautical miles offshore, of a subset of these specific military installations
  • Certain geographic areas identified in connection with other military installations
  • Any part of certain military installations located within 12 nautical miles seaward of the U.S. coastline

The term “airport” applies to a subset of airports in the United States, specifically “the major passenger and cargo airports in the United States based on volume, as well as ‘joint use airports’ where both military and civilian aircraft make shared use of the military airfield,” which are published on a list from the Federal Aviation Administration.  The term “maritime port” is similarly limited to “the top 25 tonnage, container, and dry bulk ports as well as strategic seaports” that are published on a list from the Department of Transportation.  The proposed FIRRMA real estate regulation supplies an appendix that lists military installations for which certain real estate transactions are covered.

The proposed regulations further limit CFIUS’s jurisdictional authority by carving out “excepted real estate transactions.”  These exceptions would exempt certain real estate transactions from CFIUS review; transactions that involve the following are not considered covered real estate transactions:

  • Single housing units, as defined by the Census Bureau
  • Commercial office space in multi-unit commercial office buildings
  • “Urbanized areas” and “urban clusters,” as defined by the Census Bureau, except in “close proximity” to certain military installations, or within, or will function as part of, an airport or maritime port
  • “Excepted real estate investors,” who are persons with a substantial connection to an “excepted real estate foreign state,” which are to be determined by a two-thirds vote of CFIUS members

The parties in real estate transactions involving a foreign acquirer that are within CFIUS’s jurisdiction may file a notice or submit a short-form declaration.  They are not subject to mandatory filing, however, unless the acquisition would be considered a “covered transaction” within the meaning of Part 800.  This is discussed further below.

Procedural Changes

1.  Mandatory Filings

FIRRMA requires mandatory CFIUS filing when a foreign government acquires a “substantial interest,” direct or indirect, in a U.S. business that deals in critical technologies, critical infrastructure, or sensitive personal data (“TID U.S. business”).  Under proposed regulations, this filing requirement is triggered when a foreign person holds “a 25 percent voting interest, direct or indirect” in the TID U.S. business, and a foreign government holds “a 49 percent or greater voting interest, direct or indirect” in the foreign person.

For purposes of establishing indirectly held voting interests, “any voting interest of a parent entity in a subsidiary entity will be deemed to be a 100 percent voting interest.”  However, when a foreign person indirectly invests in a TID U.S. business through an investment fund that affords them membership “as a limited partner or equivalent on an advisory board or committee of the fund,” and the fund “is managed exclusively by a [U.S.] general partner, a managing member, or an equivalent,” then that indirect investment is not considered a covered transaction.

FIRRMA authorizes CFIUS to mandate through regulations “the submitting of a declaration for covered transactions involving certain U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies.”  Accordingly, the proposed regulations create a new requirement to file a declaration for transactions that “result[] in the acquisition of a substantial interest in a TID U.S. business by a foreign person in which a foreign government has a substantial interest,” subject to a limited exception for foreign investment funds.  

Parties subject to mandatory filing must file their notice at least 30 days prior to closing.  This is a more permissive timeline than the mandatory filing requirement under the Pilot Program, which required filing at least 45 days prior to closing.  However, the proposed regulations do not modify the Pilot Program regulations, which will remain in effect. 

2.  Streamlined Voluntary Disclosure

FIRRMA authorizes a streamlined process for parties that wish to submit a voluntary declaration; rather than submit a full notice, they can submit a short-form declaration that is not as extensive as would be required by a full notice.  Proposed regulations clarify that parties would be able to electronically submit a short-form declaration providing 24 different items of information, including the names of the parties to the transaction, a description of the transaction and its effect on voting and economic interests, whether the foreign party would obtain access to material nonpublic technical information, observer rights, or substantive decision-making authority, the nature of the business, and the ownership structure of the foreign party. 

As under the existing CFIUS Pilot Program in 31 C.F.R. Part 801, if a party elects to provide a short-form declaration as opposed to a full notice, CFIUS will be able to take one of four actions in response – request the parties to file a full notice; inform the parties that it is unable to conclude action based on the information in the declaration, and advise the parties that they may wish to provide a full notice; initiate a full review of the transaction; or notify the parties that it has concluded its review and found no threat to U.S. national security.  Declarations filed under the Pilot Program have frequently resulted in no action by the Committee, requiring the parties to file a full notice if they seek the comfort of definitive clearance from the Committee.  Unless the expanded use of short-form declarations can more efficiently result in approval or disapproval from the Committee, it is likely that many parties subject to foreign investment review wishing to get definitive CFIUS clearance will continue to submit traditional long-form notices. 

3.  Filing Fees

While FIRRMA authorizes CFIUS to assess filing fees up to the lesser of 1% of the value of the transaction or $300,000, inflation-adjusted, the proposed regulations do not establish filing fees pursuant to FIRRMA.  CFIUS is “still considering how to implement this authority,” and “will publish a separate proposed rule regarding fees at a later date.”


Although there are still a number of issues remaining to be clarified, the proposed rules create additional considerations for foreign investors in businesses in the U.S. or with U.S. subsidiaries and affiliates.  Perhaps most significantly, once effective, the proposed rules will expand substantially the scope of non-controlling investments that could be subject to CFIUS review, create a new mandatory filing requirement for controlled and certain non-controlled investments in TID U.S. businesses (in addition to the existing mandatory filing requirement under the Pilot Program), and expand CFIUS’s jurisdiction to non-controlling investments and investments in certain U.S. real estate.  We anticipate that further guidance and regulations will be issued in the coming months prior to the February 2020 implementation deadline required under FIRRMA.