Synopsis: The Committee on Foreign Investment in the United States (CFIUS) has jurisdiction to review foreign investments in U.S. businesses and real estate for national security risks. The article below provides a brief explainer regarding circumstances that may trigger CFIUS jurisdiction or the requirement for a mandatory filing with CFIUS.
Introduction
In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (“FIRRMA”), which strengthened and modernized the activity of the Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”) and for the first time required mandatory filing with CFIUS under certain prescribed circumstances. Although CFIUS has been around for nearly 50 years, the furor created by FIRRMA, its 2020 implementing regulations, and the new mandatory filing requirement caused many corporate attorneys previously unaware of the Committee to quickly familiarize themselves with its funny acronym (pronounced siff-ee-us) and when it is applicable to their deals. Additionally, in November 2019, CFIUS initiated an investigation into ByteDance Ltd. (“ByteDance”), the parent company of TikTok, eventually leading to a 2020 executive order requiring ByteDance to divest its 2017 investment in musical.ly, which was later merged with TikTok. The intense press coverage of the CFIUS investigation further pushed the Committee’s activities into the limelight.
CFIUS, which is tasked with reviewing the national security risks posed by foreign investments in U.S. businesses and real estate, can block, unwind, or impose conditions on transactions to mitigate potential risks. The earlier in the due diligence process that potential CFIUS jurisdiction or filing requirements are identified, the more smoothly the process goes for transacting parties (of note, mandatory filings must be submitted at least 30 days prior to closing). To assist non-CFIUS practitioners, below are a few issues to keep in mind when analyzing potential CFIUS impacts on deals.
Foreign Involvement
Any time there is a foreign person involved in the chain of acquisition or investment, the parties should consider the possibility of CFIUS jurisdiction. Importantly, under the CFIUS regulations, a “foreign person” includes “any entity over which control is exercised or exercisable by a foreign person.” This means that a transaction between a U.S. business and another U.S. business (controlled by a foreign person) can and often does trigger CFIUS jurisdiction. CFIUS jurisdiction may be triggered by both controlling investments and non-controlling investments in certain types of U.S. businesses. The CFIUS regulations define “control” more broadly than the typical corporate context, and CFIUS has found “control” in situations involving 10% or more equity and board representation.
“TID” U.S. Business
If the U.S. business in the transaction is involved with critical Technologies, critical Infrastructure, or sensitive personal Data (“TID”), there is the possibility that CFIUS jurisdiction, and a potential mandatory filing requirement, will attach. The regulations refer to these types of businesses as “TID U.S. businesses.” Foreign investments in U.S. businesses that do not rise to the level of “control” by a foreign person may still fall under CFIUS jurisdiction, but only where the U.S. business is a TID U.S. business.
A U.S. business is involved in critical technologies if it “produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies.” “Critical technologies” are identified through reference to various export control classification regimes. “Critical infrastructure” is defined with reference to an appendix within the CFIUS regulations describing a variety of activities, including owning or operating electric storage or electric power generation or distribution facilities; owning or operating certain refineries or crude oil storage facilities; owning or operating interstate oil or natural gas pipelines; operating public water systems; manufacturing certain industrial resources; and many other infrastructure activities. U.S. businesses involved in sensitive personal data are those that collect and maintain certain identifiable data, including financial data, geolocation data, biometric data, data related to U.S. Government personnel security clearance status, and data related to application for health, life, and other insurance.
Other Issues Prompting CFIUS Scrutiny
In addition to TID U.S. businesses, the Committee also pays close attention to transactions involving U.S. businesses that are parties to U.S. Government contracts or recipients of government funding, for example through Department of Energy grants. Certain industries also receive additional scrutiny from CFIUS, including the semiconductor, artificial intelligence, and other emerging technology sectors. These are only examples, however, and many kinds of U.S. businesses may be subject to additional scrutiny depending on the identity and plans of the foreign investors and other factors.
Another hallmark of CFIUS scrutiny is the involvement of Chinese parties or other parties of concern within the chain of acquisition, even limited partners in large private equity funds. Although the Committee is technically agnostic towards the particular investor nation, it is common knowledge within the CFIUS bar that the Committee is particularly concerned with Chinese investors, including those based in Hong Kong or Macau. A prime example of such focused concern is the aforementioned CFIUS investigation into TikTok, but there are plenty of other examples of CFIUS requiring divestiture or blocking transactions involving Chinese investment in U.S. businesses.
Mandatory v. Voluntary Filings
A quick note on mandatory versus voluntary filing: the universe of transactions subject to a mandatory filing requirement is relatively small and includes only 1) certain transactions related to investment by foreign persons in U.S. businesses involved with critical technologies, and 2) certain investments in TID U.S. businesses resulting in a foreign government having a substantial interest in a U.S. business, even indirectly.
But the lack of a mandatory filing requirement should not lull transaction parties (or their counsel) into a false sense of security regarding potential CFIUS impacts on the transaction. The Department of the Treasury, which chairs the Committee, has a dedicated division tasked with discovering and reaching out to transaction parties involved in “non-notified” transactions, which are transactions subject to CFIUS jurisdiction but where no filing has been submitted to the Committee. Non-notified outreach can lead to requests for information, and CFIUS can issue subpoenas to compel responses to these requests. Non-notified outreach from CFIUS in some cases leads to a request from the Committee that the original transaction parties formally file the transaction with CFIUS, which can lead to mitigation or even unwinding of the deal.
Therefore, when jurisdiction-triggering circumstances exist, it is prudent to discuss the deal with a CFIUS practitioner to determine if a voluntary filing would be advisable even if no mandatory requirement exists. A transaction that receives clearance from the Committee is afforded a safe harbor from future CFIUS action, which “limits CFIUS from subsequently initiating a review of a transaction except in certain limited circumstances.” For this reason, many cross-border deals regularly include CFIUS clearance as a closing condition of the transaction.
Increased Enforcement and Increased Penalties
In its first 48 years, CFIUS only issued penalties in two enforcement actions: one from 2018 and one from 2019. But in August 2024, the Committee updated its enforcement webpage to include six additional actions from 2023 and 2024. This enforcement blitz alone tripled the total number of published enforcement actions and included a $60 million penalty against T-Mobile – the first and only time a party to CFIUS enforcement has been identified.
CFIUS also recently increased the monetary penalty for violations to an amount twenty times greater than the prior maximum penalty. As of December 26, 2024, penalties for violations of the CFIUS regulations increased from a maximum of $250,000 per violation to $5 million per violation. Failure to submit a mandatory filing to CFIUS when required can now lead to a maximum penalty of the greater of $5 million or the value of the transaction. There is no monetary threshold for CFIUS jurisdiction, so the $5 million penalties could be applicable to transactions with values much lower than the maximum penalty amount.
Often, the possibility of significant mitigation or divestment is a more troubling potential outcome for foreign investors than civil penalties. For example, returning to the TikTok case, ByteDance has expended significant resources attempting to mitigate national security concerns and mounting legal challenges to divestment, and it still may face divestment of TikTok or a ban of the app in the United States pursuant to legislation passed in 2024.
The Committee’s reach and ability to review, mitigate, and potentially block foreign investments will likely grow in the coming years. Corporate attorneys would be wise to keep the aforementioned CFIUS jurisdictional triggers in mind for all deals.
Endnotes
1 Foreign Investment Risk Review Modernization Act of 2018, Pub. L. No. 115-232, §§ 1701-1728, 132 Stat. 2174 (2018).
2 Exec. Order No. 13,942, 85 Fed. Reg. 48,637 (Aug. 6, 2020).
3 31 C.F.R. § 800.208 (2024).
4 31 C.F.R. § 800.401 (2024).
5 31 C.F.R. § 800.211 (2024).
6 31 C.F.R. § 800.215 (2024).
7 See, e.g., Press Release, Holu Hou Energy, Borqs to Establish with the U.S. Government a Plan to Divest its Ownership of Holu Hou Energy Due to Deemed Critical Technology (Dec. 19, 2022), available at https://holuhou.com/press/borqs-to-establish-with-the-u-s-government-a-plan-todivest-its-ownership-of-holu-hou-energy-due-to-deemed-critical-technology/ (describing CFIUS requirement for a Chinese company to divest its ownership interests and rights in a Hawaiian solar energy storage supplier); see also, e.g., Press Release, MoneyGram, MoneyGram And Ant Financial Announce Termination Of Amended Merger Agreement (Jan. 2, 2018), available at https://www.prnewswire.com/news-releases/moneygram-and-ant-financial-announce-termination-of-amended-merger-agreement-300576618.html (announcing termination of planned merger between Dallas-based MoneyGram and Chinese company Ant Financial Services Group after failing to receive CFIUS approval of the transaction).
8 31 C.F.R. § 800.401 (2024).
9 CFIUS Overview, U.S. Department of the Treasury, https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-overview (last visited Jan. 2, 2025).
10 CFIUS Enforcement, U.S. Department of the Treasury, https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-enforcement (last visited Dec. 2, 2024).
11 Penalty Provisions, Provision of Information, Negotiation of Mitigation Agreements, and Other Procedures Pertaining to Certain Investments in the United States by Foreign Persons, 89 Fed. Reg. 93,179 (Nov. 26, 2024) (to be codified at 31 C.F.R. § 800.901).
12 See Protecting Americans’ Data from Foreign Adversaries Act of 2024, Pub. L. No. 118-815, 138 Stat. 1234 (2024); TikTok Inc. v. Garland, No. 24-1113 (D.C. Cir. Dec. 6, 2024).