Implementing FIRRMA: Highlights from CFIUS’ Final Regulations

January 17, 2020

On January 13, 2020, the U.S. Treasury Department, as chair of the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”), finalized two sets of regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”). The final rules conclude a multi-year effort to expand CFIUS’ jurisdiction and provide clarity regarding the CFIUS process. Transaction parties should consider carefully the new CFIUS regulations, as they will impact not only timing and terms but also the feasibility of many contemplated investments.

Once the new regulations become effective on February 13, 2020, CFIUS will have jurisdiction over:

  • Mergers, acquisitions and takeovers that could result in a non-U.S. person acquiring control over a U.S. business (as it did previously);
  • Certain non-controlling investments by non-U.S. persons in U.S. businesses associated with critical technology, critical infrastructure and sensitive personal data (with mandatory filing requirements for transactions involving certain U.S. businesses dealing in critical technologies or non-U.S. persons affiliated with non-U.S. governments); and
  • Transactions involving the purchase or lease by, or concession to, a non-U.S. person of certain U.S. real estate that might raise national security concerns.

There are a number of exceptions that could result in an otherwise-covered transaction being considered outside of CFIUS’ jurisdiction, including investments by certain private equity funds that have non-U.S. limited partners. The regulations also, for the first time, set forth an exception for certain non-U.S. persons defined as “Excepted Investors” based on their ties to Australia, Canada and the United Kingdom, which had not been specified in the proposed rules. These “Excepted Investors” may receive preferential treatment, including in certain circumstances exemption from CFIUS review.

CFIUS is implementing these changes by publishing two final rules, one covering the majority of the FIRRMA requirements, in particular the expansion to cover transactions involving critical technology, critical infrastructure and sensitive personal data (technology, infrastructure and data are defined together as “TID”)(“TID Final Regulations”) and another pertaining to provisions of FIRRMA that expand CFIUS jurisdiction over certain real estate transactions (“Real Estate Final Regulations”). CFIUS also published Frequently Asked Questions along with these regulations. This client alert covers the TID Final Regulations; the Real Estate Final Regulations are discussed separately in our companion OnPoint.


CFIUS, an interagency committee principally comprising nine members and chaired by the Secretary of the Treasury, has broad powers to review foreign investments in and acquisitions of U.S. businesses to determine the potential impact on U.S. national security. CFIUS has the authority to impose mitigation measures, suspend transactions, and, where appropriate recommend that the President block or unwind transactions.

FIRRMA made several substantial changes to the CFIUS process, including by:

  • Expanding the scope of CFIUS jurisdiction to permit review of a wider range of transactions;
  • Authorizing CFIUS to mandate notifications regarding certain types of transactions involving critical technologies;
  • Adopting a new, short-form declaration process to notify the Committee about potentially covered transactions;
  • Authorizing collection of filing fees with respect to covered transactions for which a written notice is filed; and
  • Strengthening the Committee’s authority to restrict transactions that threaten U.S national security.

To implement FIRRMA, CFIUS began with a pilot program in November 2018 to expand jurisdiction to certain non-controlling investments and mandate notifications to CFIUS in certain circumstances. In September 2019, CFIUS issued proposed rules pertaining to TID and real estate (our coverage of which is available here and here, respectively). On January 13, 2020, CFIUS released final regulations that retain many of the provisions from the proposed regulations, with updates to certain provisions as a result of written submissions received during the public comment period. 

The TID Final Regulations will be codified at 31 C.F.R. Part 800 and the Real Estate Final Regulations will be codified at 31 C.F.R. Part 802. Both final regulations take effect on February 13, 2020.

Highlights from the Final Regulations

1. CFIUS Jurisdiction Expanded to Include Non-Controlling “Covered Investments” in TID U.S. Businesses

CFIUS has jurisdiction over all “covered control transactions,” which, under the previous law and regulations, included mergers, acquisitions and takeovers that could result in a non-U.S entity’s control over a U.S. business.

FIRRMA expanded CFIUS jurisdiction to include certain non-controlling but non-passive investments, termed "covered investments," in certain U.S. businesses that permit a non-U.S. person to: (i) access material non-public technical information, (ii) appoint a board director or observer, or (iii) participate in substantive decision-making of the U.S. business beyond voting shares. To illustrate this point, the Committee provides the following example:

Corporation A, a foreign person that is not an excepted investor, makes a non-controlling investment in Corporation B, a U.S. business, that affords Corporation A the right to nominate one of the directors on Corporation B’s board of directors. Corporation B, through its wholly-owned subsidiary Corporation X, designs and manufactures a critical technology. Corporation A’s investment in Corporation B is a covered investment.

CFIUS has retained the term "covered transaction" to include both "covered control transactions" and "covered investments" as well as transactions designed to evade CFIUS review.

The new authority expands CFIUS jurisdiction to cover a non-controlling investment by a non-U.S. person in a TID U.S. business that:

(i) produces, designs, tests, manufactures, fabricates or develops one or more “critical technologies,”

Critical technology includes defense items on the U.S. Munitions List, certain items on the Commerce Control List, specified items related to the nuclear energy industry, select agents and toxins and “emerging and foundational technologies,” which, as discussed below are still being defined. Distinct from the pilot program for mandatory filings in connection with critical technology investments implemented in late 2018 (which will continue to apply in a modified form), the Proposed Regulation applies to voluntary filings and does not include a requirement that the critical technology be involved in one of 27 selected industries. As a result, a non-U.S. investment in any U.S. business that produces, designs, tests, manufactures, fabricates or develops critical technologies could be subject to CFIUS jurisdiction.

(ii) owns, operates, manufactures, supplies or services “critical infrastructure,” or

Critical infrastructure under FIRRMA refers to systems and assets “whether physical or virtual, so vital to the U.S. that the incapacity or destruction of [them] would have a debilitating impact on national security.” Covered critical infrastructure has a wide range, including, among other sectors, the defense-industrial base, energy, telecommunications, utilities and financial services.

The TID Final Regulations delineate what constitutes critical infrastructure in Appendix A to Part 800 (Column 1 (covered infrastructure type), and Column 2 (covered infrastructure function)). Only non-controlling investments in a U.S. business that is listed in Column 1 and performs the function in Column 2 will be captured by CFIUS’ expanded jurisdiction. For example, while internet protocol networks are identified as a potential critical infrastructure sector, only investments in U.S. businesses that own or operate such networks would be considered a covered investment in critical infrastructure. U.S. businesses that merely supply or service internet protocol networks would not be captured (unless they are caught by other provisions).

(iii) maintains or collects sensitive personal data (“SPD”) that may be exploited in a manner that threatens U.S. national security.

FIRRMA expanded CFIUS’ jurisdiction to include authority to broadly review transactions involving SPD. The TID Final Regulations focus this authority based on the sensitivity of the data, the sensitivity of the population about whom the data is maintained or collected and whether the data can be used to distinguish/trace a person’s identity. This focused definition narrows the range of U.S. businesses potentially subject to review.

Under the TID Final Regulations, SPD is defined as “identifiable data” across 10 categories which is maintained or collected by a U.S. business that:

(i) targets or tailors products or services to any U.S. executive branch agency or military department with intelligence, national security or homeland security responsibilities;

(ii) maintains or collects SPD of more than one million individuals at any point in a given 12-month period; or

(iii) has a demonstrated business objective to maintain or collect SPD of more than one million individuals and such data is an integrated part of the U.S. business’ products or services.

Identifiable data” means SPD through which an individual can be distinguished or traced, including the use of any personal identifier. The 10 categories of SPD enumerated in the TID Final Regulations include genetic, biometric and medical data as well as data pertaining to personal finances, personal communications and security clearances. These examples demonstrate that some sectors of the economy not traditionally considered sensitive from a national security perspective now may be subject to CFIUS scrutiny.

2. Certain Non-U.S. Government Investors and Investments Subject to Extra Scrutiny and Mandatory Filing Requirements

Under the TID Final Regulations, certain non-U.S. government-controlled investments in TID U.S. businesses will be subject to mandatory filing requirements. Specifically, mandatory filing requirements will apply to transactions in which a “substantial interest” in a TID U.S. business is acquired by a non-U.S. person in which a non-U.S. government holds a “substantial interest.”

The meaning of “substantial interest” differs based on the context. A non-U.S. person is considered to be acquiring a “substantial interest” in a U.S. business if the non-U.S. investor obtains an indirect or direct voting interest of 25% or more in the U.S. business. A non-U.S. government is considered to hold a “substantial interest” in the non-U.S. investor if the government holds a 49% or greater direct/indirect voting interest in the non-U.S. person. In the case of an investment fund, or an entity with a general partner, managing member or equivalent, the non-U.S. government will be considered to hold a “substantial interest” if it holds 49% or more of the interest in the general partner, managing member or equivalent of the entity.

The TID Final Regulations add a number of clarifying examples. For instance, the regulations illustrate how the “substantial interest” test will be applied in indirect investments involving non-U.S. governments:

Corporation A, a foreign person, plans to acquire a 30% voting interest in Corporation X, an unaffiliated TID U.S. business. Corporation B holds 51% of the voting interest in, and is a parent of, Corporation A. A foreign government holds 75% of the voting interest in Corporation B, and private, non-government controlled individuals hold the remaining 25%. Under [these facts], Corporation B is deemed to have 100% of the voting interest in Corporation A because it is Corporation A’s parent, and therefore the foreign government’s indirect voting interest in Corporation A is imputed to be 75%. Corporation A is acquiring a substantial interest in Corporation X, and a foreign government has a substantial interest in Corporation A.

Parties subject to a mandatory filing may submit a short-form declaration instead of a full notice. Such mandatory filings must be submitted 30 days prior to the completion of the transaction. Failure to comply with the mandatory filing requirement may result in potential penalties of the greater of $250,000 per violation or the value of the transaction.

Importantly, the foregoing thresholds for mandatory filings apply only in the non-U.S. government context described above. A voluntary CFIUS filing may be advisable for non-U.S. investors acquiring less than these threshold amounts. Moreover, investments in U.S. businesses that deal in critical technologies might require mandatory filings under other CFIUS provisions.

3. Australia, Canada and the United Kingdom Added to White List

Historically, CFIUS did not provide country-wide exemptions from applicable regulations. However, the final regulations provide an initial list of “excepted foreign states”: Australia, Canada and the United Kingdom (including Northern Ireland). The Committee identified these countries based on their robust intelligence-sharing and integration of their defense industrial base with the United States. Under certain circumstances, “excepted investors” from “excepted foreign states” will not be subject to mandatory filing requirements and will be shielded from CFIUS’ expanded jurisdiction over non-controlling investments in TID businesses and certain U.S. real estate transactions.

The countries identified on the initial white list will be considered “excepted foreign states” for a two-year period ending February 13, 2022. During this period, these countries must ensure that their national security-based foreign investment review processes and bilateral cooperation with the United States on such reviews meet the Committee’s criteria. The Committee indicated that it expects to publish criteria to determine what other countries may be eligible to join the list of “excepted foreign states” in the future.

Under the new provisions, non-U.S. investors with ties to “excepted foreign states” may be exempted from CFIUS’ expanded jurisdiction regarding non-controlling investments in TID Businesses, expanded jurisdiction over certain U.S. real estate transactions and mandatory filing requirements related to investments in certain U.S. businesses dealing in critical technologies. In order to meet the definition of “excepted investor,” the investor must be a:

(i) foreign national of an excepted state (and not also a foreign national of a non-excepted state);

(ii) a foreign government of an excepted state; or

(iii) a foreign entity which meets all of the following conditions with respect to itself and each of its parents (if any):

  • the entity is organized under the laws of an excepted foreign state or in the United States; 
  • the entity has its principal place of business in an excepted foreign state or the United States; and 
  • 75% or more of the members and 75% or more of the observers of the board of directors or equivalent government body of the entity are U.S. nationals or nationals of one of the excepted states (and not also a foreign national of a non-excepted state). 

The evolution and development of the white list will be important to monitor given the potential implications. It is clear that the white list offers the U.S. government an important diplomatic tool to leverage in future bilateral negotiations. At the same time, transactions by “excepted investors” that result in control of a U.S. business will remain subject to CFIUS jurisdiction. Fund managers will need to continue to diligence potential investors and carefully consider the rights to be afforded to limited partners to assess the potential impact on CFIUS exemptions and mandatory filing requirements. 

4. Interim Definition “Principal Place of Business” Offers Clarity for Investment Funds

Investments by U.S. persons are excluded from CFIUS’ jurisdiction. Defining what does and does not constitute a “foreign entity” therefore has important implications. Under current regulations, a “foreign entity” is “any branch, partnership, group or sub-group, associate, estate, trust, corporation or division of a corporation, or organization organized under the laws of a foreign state if either its principal place of business is outside of the U.S. or its equity securities are primarily traded on one or more foreign exchanges.” Previously, CFIUS had not defined the term “principal place of business,” which resulted in ambiguity regarding how the term would be applied. The TID Proposed Regulations added an interim rule using the U.S. federal courts’ “nerve center” test, which defines “principal place of business” as the “primary location where an entity’s management (i) directs, (ii) controls, or (iii) coordinates the entity’s activities.”

U.S. private equity funds and investors with a principal place of business in the United States, but with non-U.S. investment vehicles, have relied on the position that their U.S. investments were not subject to CFIUS’ jurisdiction. However, under current regulations, there was ambiguity about the definition of principal place of business. The interim definition reduced the uncertainty regarding what is needed to establish the principal place of business of a U.S.-managed investment fund. The TID Proposed Regulations included an important caveat: if an entity has represented in an official filing (e.g., filings with U.S. federal or state authorities or any non-U.S. filings) that its principal place of business is outside of the United States, CFIUS will deem that non-U.S. location to be the fund’s principal place of business unless it can be demonstrated that the facts have changed. Investment fund managers relying on this exception may need to carefully review whether they have made representations regarding their principal place of business in any official filings.

Because this definition is included in the TID Final Regulations as a proposed interim rule, it is open for comment; the public comment period will close 30 days after the publication of the TID Final Regulations in the Federal Register. The proposed definition will nonetheless become effective on February 13, 2020, but may later be amended as a result of comments received by CFIUS.

5. CFIUS Maintains Private Equity Exception for U.S. Investment Funds

FIRRMA also narrows CFIUS’ jurisdiction by exempting certain investments by funds with non-U.S. limited partners.

An indirect investment by a non-U.S. person through an investment fund in which the non-U.S. investor is a limited partner is not a covered transaction as long as certain requirements are met, including that:

(i) the fund is managed by a U.S. general partner (or equivalent),

(ii) the fund board or committee on which the non-U.S. limited partner sits does not have control over the U.S. fund’s management or investment decisions, and

(iii) the non-U.S. limited partner does not have access to material non-public technical information of the target company, and other potential requirements.

Accordingly, investments in U.S. businesses by a fund in which one or more non-U.S. limited partners hold an indirect, non-controlling interest will not be subject to CFIUS jurisdiction simply because the non-U.S. limited partner (or a designee) is given membership or observer rights regarding advisory boards or committees of the fund – as long as the fund otherwise meets the above criteria. However, a fund investment may be subject to CFIUS jurisdiction if the non-U.S. limited partner has access to certain information of the U.S. target or is granted certain control or decision-making rights regarding the actions taken by the fund. The TID Final Regulations add clarity on this point with the following example:

Limited Partner A, a foreign person, is a limited partner in an investment fund that invests in Corporation B, an unaffiliated TID U.S. business. The investment fund is managed exclusively by a general partner, who is not a foreign person. The investment affords Limited Partner A membership on an advisory board of the investment fund. The advisory board provides industry expertise, but it does not control investment decisions of the fund or decisions made by the general partner related to entities in which the fund is invested. Limited Partner A does not otherwise have the ability to control the fund. Limited Partner A’s investment in Corporation B does not afford it access to any material nonpublic technical information in the possession of Corporation B, the right to be a member or observer, or to nominate a member or observer, to the board of Corporation B, nor any involvement in the substantive decision-making of Corporation B. Assuming no other facts, the indirect investment by Limited Partner A is not a covered investment.

The exception is intended to facilitate investments in U.S. businesses by a U.S.-controlled investment fund that has passive non-U.S. limited partners. As discussed above, if a non-U.S. person has control over the fund’s management/investment decisions, and/or has access to material non-public technical information of the U.S. target, CFIUS would not consider such an investment to meet the private fund exception.

Investments through funds controlled by non-U.S. persons will be subject to the expanded CFIUS jurisdiction described above. As discussed below, all investment funds should monitor how CFIUS will handle investors from “Excepted Foreign Countries.”

6. Transactions Involving Real Estate Co-Located Near U.S. Ports or Defense Facilities Will Be Subject to Review by CFIUS

FIRRMA expanded CFIUS jurisdiction to cover real estate transactions that pose national security risks – including real estate near certain U.S. military installations or in or near air or maritime ports – as described in detail in our companion analysis.

7. Mandatory Filings for Investments in U.S. Critical Technology

In October 2018, CFIUS launched a Critical Technology Pilot Program (“Pilot Program”) to protect the U.S. national security innovation base and to address what policymakers view as key shortfalls in regulators’ ability to secure the predominance of U.S. innovation and the industries and businesses that support it. The Pilot Program was intended to expire in March 2020, but has been formally adopted as part of the TID Regulations and appears permanent.

The Pilot Program implemented a mandatory declaration process for transactions that involved critical technologies and 27 specified industries that are closely associated with national security designated by their North American Industry Classification System (“NAICS”) codes, including manufacture of missiles, tanks and space vehicles as well as industries whose products and technologies might have broader application, such as semiconductors, batteries, aviation and petrochemicals. We cover the Pilot Program in a prior OnPoint

Under the Pilot Program, the Committee requires abbreviated filings for Pilot Program transactions that were investments by non-U.S. persons involving “Pilot Program U.S. Businesses” (i.e., U.S. businesses that produce, design, test, manufacture, fabricate or develop a critical technology in connection with one of the specified industries) – referred to as “Pilot Program Covered Transactions.” Parties may also elect to file a formal notice in lieu of a declaration.

The mandatory declarations must be no longer than five pages, and must be filed at least 45 days prior to the expected completion date of the transaction. The mandatory declarations must also contain the information described in detail in the interim rules. Required information includes, but is not limited to, the size, timing, and governance rights implicated by the transaction, statements about the non-U.S. acquirer and the U.S. target, and information related to the critical technologies involved.

Following the filing, CFIUS may request that parties file a formal notice, inform the parties that it cannot complete its action and invite them to file a notice seeking written notification of the completion of the process, initiate a unilateral review of the transaction or notify parties that it completed its review of the transaction.

The TID Final Regulations integrate the mandatory declaration requirement under the Pilot Program interim regulations into the final regulations. However, CFIUS anticipates issuing a separate notice of proposed rulemaking that would base the mandatory declaration requirement on export control licensing requirements instead of NAICS codes. The TID Final Regulations also exempt certain critical technology transactions, such as those which relate to “excepted investors,” FOCI-mitigated entities, certain encryption technology and investment funds managed and controlled exclusively by U.S. persons.

What’s Ahead?

While the final regulations offer important guidance and implement much of FIRRMA’s provisions, investors should expect additional proposed regulations to complete implementation of FIRRMA.

1. Filing Fees?

FIRRMA authorized CFIUS to impose filing fees not in excess of the lesser of 1% of the value of the transaction or $300,000 (inflation-adjusted). The final regulations state that CFIUS soon will publish a proposed regulation regarding filing fees.

2. Emerging/Foundational Technologies Definitions Forthcoming from Commerce Department

The TID Final Regulations do not change the Pilot Program’s definition of a critical technology. Critical technologies include items controlled under the U.S. export control measures, including items that the U.S. Commerce Department will identify as “emerging” or “foundational” technologies pursuant to the Export Control Reform Act of 2018. It is anticipated that the Commerce Department will provide meaningful guidance in this regard in the near future.


The TID Final Regulations give effect to a wide array of changes to CFIUS’ powers and to the CFIUS review process. Although the final regulations provide considerable guidance on FIRRMA’s implementation, the regulations add complexity to the CFIUS review process. The changes reinforce the importance of considering CFIUS implications early in the process of developing plans to pursue investments in and acquisitions of U.S. businesses. The final regulations also make clear that investors should stay tuned -- there will be further refinements of the CFIUS process to monitor.

Subscribe to Dechert Updates