Authors: Michael J. Lowell, Lizbeth Rodriguez-Johnson, Paula A. Salamoun, Courtney E. Fisher
CFIUS is an interagency committee authorized to review certain transactions involving foreign investment in the United States and the effect of those transactions on U.S. national security. The Committee is required under Section 721(m) of the Defense Production Act of 1950, as amended by FIRRMA, to provide an annual report to Congress containing, among other things, specific, cumulative, and trend information related to transaction filings. In addition to the recent release of its 2018 Annual Report, CFIUS also separately released a summary of data for covered transactions for the years 2015-2019, providing the first glimpse into statistics surrounding CFIUS filings for the 2019 calendar year. A summary of the filing data provided in these reports is set forth in the following table:
We discuss five takeaways and trends from the 2018 Annual Report below.
1. FIRRMA’s extension of the review period allowed CFIUS to clear more transactions without investigation and to continue this trend into 2019.
FIRRMA, the long-overdue legislative overhaul designed to strengthen and modernize the ability of CFIUS to protect national security, was enacted on Aug. 13, 2018. Some provisions of the legislation took effect immediately, while others were implemented at later dates. (The implementation of FIRRMA was completed on Feb. 13, 2020 – read more at reedsmith.com). Not surprisingly, this mid-year change in regulations and procedures had some immediate impact on filings, as reflected in the 2018 Annual Report data.
Prior to FIRRMA, CFIUS was required to complete a review of a notified transaction within 30 days, followed by, if necessary, an “investigation” period lasting up to 45 days if CFIUS needed additional time to complete its assessment of the transaction. In practice, the short 30-day review period meant that the overwhelming majority of cases were being held open for the second, 45-day investigation phase. Between 2017 and Aug. 12, 2018, an average of 74% of cases proceeded to the investigation phase. Moreover, CFIUS on average did not complete its investigation until the last day of the statutory period, meaning most transactions during that period faced the full statutory period of 75 days or longer before receiving clearance to close.
Beginning Aug. 13, 2018, FIRRMA extended the CFIUS statutory review period from 30 to 45 days. This extension appears to have helped CFIUS clear more transactions during that initial procedural window. In comparison to earlier months, the percentage of cases advancing to investigation dropped significantly, with the 2018 Annual Report showing that only 53% proceeded to investigation after this change was made. Similarly, initial data for 2019 shows that only 48% of notices proceeded to investigation. This is a remarkable change year-over-year and, when considered in context with the expansion to make short-form declarations available for all transactions, there is reason to be optimistic that the overall CFIUS timeline may become shorter for many transactions.
2. Early Pilot Program data confirms initial low rate of success on declarations, but parties should note improvements since that time.
FIRRMA expanded the scope of transactions that CFIUS is authorized to review to include non-controlling foreign investment in certain U.S. businesses related to critical technologies, critical infrastructure, and sensitive personal data, as well as certain real estate transactions. Before the Treasury Department fully implemented those portions of FIRRMA in 2020, it commenced a “pilot program” of temporary regulations on Nov. 10, 2018, mandating that parties notify CFIUS of certain transactions involving a U.S. business that produces, designs, tests, manufactures, fabricates or develops one or more critical technologies. The pilot program subjected transaction parties to steep penalties for failing to comply with such mandatory filing requirements.
In connection with the pilot program, CFIUS introduced the use of an abbreviated declaration form available for notification of those investments within the scope of the program. Instead of the 45-day statutory review and investigation periods applicable to written notices, the pilot program imposed a shorter assessment period for declarations, requiring CFIUS to take one of the following actions with respect to the declaration within 30 days:
- Notify the parties that CFIUS has concluded all action under Section 721 (that is, that CFIUS cleared the transaction);
- Request that the parties file a formal written notice, subjecting the parties to additional statutory periods to allow CFIUS to review and potentially investigate the transaction;
- Inform the parties that the Committee is unable to complete action upon the declaration, leaving it to the parties to decide whether to voluntarily submit a written notice to CFIUS in hopes of obtaining clearance or to proceed without further action from the Committee; or
- Initiate a unilateral review of the transaction.
In 2018, CFIUS conducted an assessment of 21 declarations that CFIUS determined to be covered transactions subject to its jurisdiction. Twelve of those declarations involved non-controlling investments in critical technologies, while the remaining nine involved transactions that would result in foreign control of the U.S. business.
Out of the 21 declarations assessed, CFIUS cleared only two transactions on the basis of the declaration. In five cases, it asked the parties to file a written notice with the Committee. CFIUS was unable to conclude action on 11 other declarations. CFIUS also found that one declaration filed was not subject to pilot program jurisdiction. This data confirms the low declaration success rate that CFIUS shared anecdotally following the commencement of the pilot program. Despite these initial numbers, however, parties should note that in the last 12 months CFIUS has significantly increased and devoted resources to reviewing declarations. Today, the use of a declaration can be an efficient means to obtain CFIUS clearance in appropriate cases, such as in benign transactions unlikely to raise national security concerns.
3. Mitigation measures continue to impact a significant proportion of transactions.
In 2018, CFIUS concluded action on 29 of 229 notices after the parties adopted mitigation measures to resolve the Committee’s national security concerns, the report indicates. In other words, at least[1] 12.6% of notified transactions (up from 12.2% in 2017 and 9.8% in 2016) received CFIUS clearance only after agreeing to adjust aspects of the U.S. business or provide other assurances to the Committee that would resolve its national security concerns. Another 10.4% of transactions were abandoned altogether either because the parties chose not to accept the Committee's proposed mitigation measures or because the Committee was unable to identify any mitigation measures that would resolve its concerns, signaling it would instead refer the matter to the U.S. President absent the parties’ abandonment of the transaction. In total, nearly one quarter of all transactions notified to CFIUS in 2018 met at least some degree of barrier to closing.
The 2018 Annual Report provides a list of examples of mitigation measures negotiated and adopted in 2018 but, in practice and in our experience, the scope of potential mitigation measures varies widely depending on the unique circumstances of each transaction and the particular national security concerns surrounding the businesses. For example, mitigation measures proposed in some of our recent matters have involved a range of actions including the following:
- Restrictions on access to data and information: CFIUS has imposed measures that prohibit or limit the transfer or sharing of sensitive information to the foreign acquirer or other parties, including information related not only to intellectual property, technical data, personally identifiable information (PII), and technology know-how, but also virtually all customer-related data. Such measures are designed to ensure that only authorized persons have access to sensitive information and that the foreign acquirer does not have direct or remote access to systems that hold such information, among other goals.
- Separation of products, services and facilities: In addition to access restrictions, CFIUS has prohibited the comingling of certain products or services between the U.S. business and its foreign parents. In practice, this has prevented some U.S. businesses from bundling foreign parent products or services with their own offerings or from providing back-office support internally to the foreign parent.
- Appointment of external auditors and compliance monitors: CFIUS has required transaction parties to engage independent parties to audit sensitive areas of the U.S. business, such as sources of access to protected data, and to monitor the transaction parties’ compliance with adopted mitigation measures. The third-party auditors and monitors generally must be U.S. citizens, must provide reports to the U.S. government agencies tasked with enforcing the mitigation measures, and may be appointed for periods of one to three years or longer.
- Appointment of internal oversight and security resources: CFIUS has required U.S. businesses to appoint or hire security officers, board members, or committees who are dedicated to internal oversight of mitigation compliance efforts. Security officers generally must be U.S. citizens, and in some instances, CFIUS has prohibited dual-U.S. citizens from serving in the role. CFIUS generally requires all such appointments to be approved by necessary U.S. government agencies, and parties should anticipate the possibility that critical components of their management—such as the members of their Board of Directors—can become subject to U.S. government approval.
- Customer notifications: CFIUS has required U.S. businesses to notify their customers of foreign ownership, including via private notices (e.g., U.S. mail) and public means (e.g., adding boilerplate language on company website pages to publicly disclose foreign ownership).
- Supply assurances to U.S. government: CFIUS has imposed a number of terms designed to protect the performance of existing or future U.S. government contracts, ranging from ongoing dialogues with government agencies to discuss business plans that might affect supply or national security considerations, notifying the U.S. government of certain events and changes in business activities, and providing assurances of continuity of supply.
- Enhanced export compliance programs: CFIUS has required U.S. businesses to strengthen, adopt and implement policies and procedures approved by the U.S. government, including Technology Control Plans and other export compliance programs. CFIUS also has required U.S. businesses to submit commodity jurisdiction (CJ) requests to the U.S. Departments of State and Commerce in order to solidify necessary export controls surrounding the sharing of certain sensitive technologies and products.
- Divestiture and exclusion of assets: CFIUS has required transaction parties to exclude sensitive assets from the scope of an acquisition, including by requiring the divestiture of part or all of the U.S. business involved in the transaction. In our experience, the period of time CFIUS has allowed to complete a divestiture has ranged from mere months to one year or longer, depending on the complexities of the assets, the urgency with which divestiture is required, and the circumstances of the case. In some cases, CFIUS has required ownership interests in the U.S. business to be transferred immediately to a trust formed under U.S. law lasting the duration of the divestiture; in other cases, the creation of a trust is triggered only by the occurrence of certain conditions. In all instances, the U.S. government maintains some oversight of the divestiture and, not surprisingly, new buyers are subject to U.S. government (and potentially CFIUS) approval.
- Extension to ultimate foreign parents: In some cases, CFIUS has required the ultimate foreign parent to be a signatory to the mitigation agreement, even where the ultimate parent is not a party to the transaction. This requirement has caught more than one foreign acquirer by surprise and, as it often is revealed in the final day or two of the investigation period, leaves the foreign acquirer scrambling to engage its ultimate controller or parent so that CFIUS will conclude action with respect to the transaction. Parties instead should anticipate at the outset of the CFIUS process that their parents may be required to be signatories to an agreement, and they should prepare in advance for the steps necessary to obtain parent signatures (e.g., understand approval requirements and timing considerations).
4. Statistics on withdrawals.
Consistent with recent years, a significant number of parties withdrew their notices from CFIUS review in 2018, as demonstrated in the below table.
In practice, the most important data points for parties to follow with respect to withdrawals are (1) the number of notices withdrawn and abandoned in light of CFIUS national security concerns, and (2) the number of withdrawn notices subsequently refiled.
Parties should be mindful that between 2017 and 2018, at least 10% of notified transactions were abandoned in light of CFIUS national security concerns and related barriers. Specifically, in 24 instances in 2017 and 18 instances in 2018, parties withdrew their notice and abandoned the transaction altogether because either CFIUS informed the parties it was unable to identify any mitigation measures that would resolve the Committee’s national security concerns with respect to the transaction, leaving the parties little choice but to abandon the deal, or because CFIUS required mitigation measures as a condition to clearance that the parties chose not to accept. Required mitigation measures in those circumstances often include the divestiture of part or all of the U.S. business or other extreme measures that frustrate the underlying rationale or value of the transaction. Parties accordingly should recognize that although the Committee has referred only a handful of transactions to the president in recent years, CFIUS, through its robust reviews, effectively has prohibited many other transactions from closing without necessarily escalating the matters for presidential review.
Second, the number of notices withdrawn and refiled is one measure of how many parties experience extended regulatory hurdles to closing. Parties request approval from CFIUS to withdraw and refile their notice for a number of reasons, including to provide the parties more time to answer questions received from the Committee, to address national security concerns identified by the Committee, or to negotiate and reach an agreement on mitigation terms. Absent a withdrawal, CFIUS remains bound by its regulatory clock with respect to the notice and generally must conclude action or refer the matter to the president within 90 days. When parties withdraw and refile their notice, the regulatory clock resets and affords the parties an opportunity to address necessary items without the urgent threat of rejection or referral of the transaction to the president. Of course, such resetting also subjects the parties to new regulatory periods for CFIUS to review and (if necessary) investigate the transaction. Some refiled notices may need only a few additional days to finalize and execute a mitigation agreement. Other notices may face another 45-day review and 45-day investigation periods after being refiled, as the fact that a refiled notice already has been before the Committee is no guarantee that CFIUS will complete its review or investigation early. In any event, the general result is that parties who refile notices endure some degree of extended regulatory review before CFIUS clears the transaction. According to the 2018 Annual Report, at least 18% of transactions met this outcome in 2018.
5. Chinese investors continue to account for largest proportion of CFIUS filings, but investors from nearly any foreign state may be subject to mitigation.
Not surprisingly, with respect to notices filed from 2016 to 2018, Chinese investors accounted for the most notices filed each year and for 26.5% of the notices filed over that three-year period – the largest proportion of notices attributable to any single country. This data reflects practice trends in which parties to Chinese-origin transactions acknowledge an increasing likelihood that CFIUS will identify national security concerns with respect to the transaction and elect to voluntarily notify CFIUS of the transaction in order to mitigate those concerns before closing. In practice, however, not all Chinese acquisitions raise national security concerns, nor are Chinese investors the only foreign parties who have been subject to mitigation requirements. In the last twelve months, for example, we have seen a Chinese company obtain control of U.S. businesses with no mitigation required while seemingly benign transactions, such as a French corporation’s acquisition of a small U.S. business, have been subject to mitigation requirements. Given that CFIUS is placing heightened scrutiny on the investor’s third-party relationships, foreign parties from U.S.-friendly nations should not assume their investments are immune from raising national security risks.
Chinese investors also accounted for the largest proportion of notices reviewed in the manufacturing sector (36.5%) and in the finance, information, and services sector (22%) during that period. Of the 76 transactions involving acquisitions of U.S. critical technology companies in 2018, eight originated from China, roughly equal to the number of such acquisitions originating from Japan (9), Canada (9), France (7), and Germany (7).
Aside from China, investors from Canada, Japan, and France account for the next largest proportions of filings. Declarations from Canadian investors are expected to drop slightly beginning in 2020 as Canada has been identified as an eligible “excepted foreign state” under FIRRMA, which will result in the exception of certain Canadian-origin non-controlling investments from CFIUS review, provided a number of conditions are met. Parties should note, however, that such exceptions require each parent of the foreign investor to be organized under and have its principal place of business in the excepted foreign state, among other criteria, meaning that a Chinese-owned Canadian company would not be considered an “excepted foreign investor.”
[1] CFIUS does not appear to adjust its data to account for transactions that are the subject of more than one notice, i.e. transactions that are withdrawn and refiled as a new notice. As a result, the report data may underreport filing trends. The 2018 Annual Report identifies that CFIUS reviewed 229 notices in 2018 and that 34 notices were refiled in 2018. This suggests that CFIUS reviewed only 195 unique transactions in 2018, which heightens the impact of certain data points provided in the report. For example, the report’s disclosure that parties adopted mitigation measures in 29 notices in fact suggests that nearly 15% of the unique transactions reviewed by CFIUS in 2018 met mitigation barriers to closing – not the 12.6% that the report suggests on its surface. Accordingly, in light of these apparent adjustment gaps in the report, this article flags statistical percentages based on the report data as “at least” the amount denoted.
Client Alert 2020-407