Highlights from CFIUS’s New Proposed Regulations Implementing FIRRMA

September 24, 2019

The Committee on Foreign Investment in the United States (CFIUS) on September 17 released its long-awaited proposed regulations implementing many aspects of the Foreign Investment Risk Review and Modernization Act of 2018 (FIRRMA), issuing both general proposed regulations and a new set of detailed proposed regulations focused specifically on real estate transactions.[1] While the proposed regulations provide guidance on new mandatory filings and clarify the scope and types of transactions, data and technology that will come within CFIUS’s jurisdiction, several important areas remain unaddressed and are therefore not yet clear until Treasury publishes future regulations or guidance.

Key Takeaways – Major Items in the Proposed Regulations that Provide Guidance or Clarify FIRRMA’s Language

  • The proposed regulation articulates requirements for cross-border investments where foreign parties maintain a non-controlling interest in the US business.
  • The proposed regulation identifies three types of non-controlling investments, termed “TID Businesses,” that would fall within CFIUS’s jurisdiction: investments involving certain critical technologies; investments involving certain critical infrastructure; or investments where a US business collects or stores “sensitive personal data” for a certain number of customers and for particular purposes.
  • The proposed regulation establishes a risk-based framework for assessing the national security implications of a covered cross-border investment. This framework applied prior to FIRRMA but has now been proposed for inclusion directly in the CFIUS regulations. The elements of this analysis focus on “threats”, “vulnerabilities”, and “consequences to national security” and are briefly defined.
  • The proposed regulations provide additional guidance regarding investment fund transactions that fall within CFIUS’s jurisdiction.
  • Mandatory filings for foreign-government-controlled investors in certain circumstances would be required.
  • The proposed regulations clarify when CFIUS jurisdiction exists over investment funds making certain non-controlling minority “covered investments”, as they are newly termed.
  • The proposed regulations include definitions of the scope and type of “sensitive personal data” that the US business may collect or store and when those activities subject the investment to CFIUS jurisdiction.
  • The regulations propose to grant CFIUS jurisdiction over the creation of foreign joint ventures, when they involve a contribution of a US business.
  • The proposed regulations include definitions of “material non-public technical information” and “substantive decision-making” capability for purposes of making covered investment determinations.
  • The proposed regulations related to real estate transactions now include a list of US military bases/installations and refer to lists of other facilities such as air/maritime ports where nearby investments may result in CFIUS scrutiny.

Key Takeaways – Major Items Deferred or Not Clarified in the Proposed Regulations

  • FIRRMA’s requirement that the US Department of Commerce define when critical technologies include “emerging” or “foundational” technologies limits Treasury’s ability to refine when cross-border investments involving these types of technology fall within CFIUS’s jurisdiction. While the Department of Commerce published an Advanced Notice of Proposed Rulemaking for emerging technologies in November 2018, it has yet to publish a final rule or an Advanced Notice of Proposed Rulemaking for foundational technologies. As of now, cross-border investments fall outside of CFIUS’s purview, absent other considerations that may subject the transaction to CFIUS’s jurisdiction. The current proposed regulations do not define or address “emerging or foundational technologies” potentially covered by CFIUS or constituting critical technologies.
  • No definition as yet of specific countries or investors which would be exempt from CFIUS jurisdiction concerning non-controlling “covered investments” or covered real estate investments. The proposed regulations note that Treasury will publish a list of “excepted investors” – which will include foreign governments that may be treated differently than other governments under CFIUS reviews. The proposed regulations note that the list is expected to be short and focused, given the sensitive national security concerns that arise with exceptions.
  • No decision as yet on the future of CFIUS’s interim pilot program requiring mandatory filings for certain industries and critical technologies, begun in November 2018
  • No determination as yet on filing fees.

Significant New Aspects

FIRRMA’s changes necessitated a broad reconsideration of various aspects of the CFIUS process and an updating of the changing geopolitical circumstances that drove, in part, the development and passage of FIRRMA. In that light, the proposed regulations provide new definitions and more depth, as well as additional examples to highlight potential CFIUS interpretations related to matters subject to the committee’s review. Some of the more significant aspects include, but are not limited to, the new definitions identified below:

TID Businesses: Non-controlling investments in certain critical technology, critical infrastructure, and companies collecting sensitive personal data (TIDs) will now be subject to CFIUS jurisdiction. However, the scope of what is intended to be covered remains unclear pending the forthcoming proposal defining emerging and foundational technologies from the Department of Commerce’s Bureau of Industry and Security.[2]

Foreign Government-Controlled Investments: Transactions where a foreign government maintains a “substantial interest” in an investment is subject to CFIUS review,  as will an investment by a sovereign wealth fund. To fall within this category of transactions, a foreign government would need to have a 49% or more voting interest in a foreign investing entity, which in turn would have to be acquiring or be granted at least a 25% voting interest in the US business. The proposed regulations create an exception for certain foreign “excepted investors” provided that foreign control of a US business is not contemplated by the transaction. However, there is no definition as yet of what governments or types of foreign investors would be exempted.

Exceptions for Specified Foreign Investors and Countries Deemed ‘Excepted Investors’: While these were not specified in the proposed regulations as yet, CFIUS’s statements in the preamble to the proposed regulations stressed that the lists would initially be quite limited. In addition, a new element of national reciprocity was included as part of making these determinations, with CFIUS noting that an exemption would not be provided unless a nation had its own “robust” system of prior review of national security issues relating to proposed investments, acceptable to at least a super-majority of CFIUS’s member agencies, and that it coordinated with the United States on matters relating to investment security. The preamble statements align with FIRRMA’s focus on the need for multilateral engagement with US partners and allies to enhance the effectiveness of review over cross-border investments that raise national security implications. The regulatory national security modifications or enhancements to the foreign direct investment review processes, in place or proposed, of Canada, Japan, the United Kingdom, Australia, the European Union, Germany, France, and Italy demonstrate a concerted effort by the United States and its allies and partners to implement a more coordinated strategy. It would not be unexpected for Treasury to draw the list of potential “excepted investors” from the countries or multilateral entities that are in the process of enhancing their own analytical constructs.

Sensitive Personal Data: CFIUS may review transactions involving sensitive personal data of US citizens that may be exploited in a way that would impact national security. This is further defined and limited by the requirements that the TID businesses operate within certain parameters, have a certain number of customers or individuals for which they collect the data, and manage the information for specific circumstances. While the concept of sensitive personal data outlined in FIRRMA appeared broad, the proposed regulations limit the committee’s reach by substantially excluding certain types of businesses and, for example, the sensitive personal information that an employer may keep on its employees.

The scope of “sensitive personal data” collected or maintained by the US business that will come within CFIUS’s jurisdiction are significant: a threshold of 1 million individuals or targeting of US executive branch or military personnel with responsibilities with its data collection, should serve to limit the number of investments that will come within CFIUS’s jurisdiction on the basis of access to this type of data.

However, the exclusion of “genetic information” from these scope requirements raises questions regarding a potentially broader applicability to the biotech and medtech industries. Rather than developing a tailored definition, CFIUS references the definition of “genetic information” from the US Department of Health and Human Services’ (HHS) regulations under the Social Security Act relating to healthcare insurers and providers. Those regulations, intended for payment purposes, state that genetic information includes information about an individual’s genetic tests and those of family members, but distinguish between “an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, chromosomal changes”, which are defined as genetic tests, and “an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition,” which is not. Since genetic information generated from clinical trials testing focused on or involving individuals with existing conditions (that is, directly relating to a manifested disease or condition) is not included, the use of this imported HHS definition presents questions as to whether investments in US biotech or medtech businesses engaged in specific product developmental genetic testing trials would be within CFIUS’s jurisdiction.

FIRRMA’s Provisions on Real Estate Transactions: In FIRRMA, Congress authorized CFIUS to review “the purchase or lease by, or a concession to, a foreign person of private or public real estate that

  • “is, is located within, or will function as part of, an air or maritime port…;”
  • “is in close proximity to a United States military installation or another facility or property of the United States Government that is sensitive for reasons relating to national security;”
  • “could reasonably provide the foreign person the ability to collect intelligence on activities being conducted at such an installation, facility, or property; or”
  • “could otherwise expose national security activities at such an installation, facility, or property to the risk of foreign surveillance.”

This authority does not extend to “a single ‘housing unit’” and does not apply to “real estate located in ‘urbanized areas’ . . . except as otherwise prescribed by [CFIUS] in regulations in consultation with the Secretary of Defense.” (Emphasis added)

FIRRMA directs CFIUS to “prescribe regulations to ensure that the term “close proximity” refers only to a distance or distances within which the purchase, lease, or concession of real estate could pose a national security risk.”

FIRRMA also requires that CFIUS prescribe regulations that further define the term “foreign person” for real estate transactions by specifying criteria to limit its applicability over certain categories of foreign persons.

Key Aspects of the Proposed Regulations Regarding Real Estate Transactions

As with the proposed regulations included in Part 800 (the current regulations for CFIUS), Treasury published a proposed rule, new Part 802, for real estate transactions that provide additional definitions, factors to consider, and exclusions where appropriate. In addition, the proposed regulations provide the US Department of Defense’s input into the sensitive real estate in “urbanized areas” where national security concerns may presumptively exist. The following definitions and concepts are of particular interest for real estate transactions:

Types of Transactions Covered: The purchase or lease by, or a concession to, a foreign person of certain real estate in the United States that affords the foreign person three or more of the following property rights: to physically access; to exclude; to improve or develop; or, to affix structures or objects.

Voluntary Process: There is no mandatory filing requirement for real estate transactions. Parties may file a notice or submit a short-form declaration notifying CFIUS of a covered real estate transaction in order to potentially qualify for a “safe harbor” letter (which prevents CFIUS from initiating a review of the transaction except in certain limited circumstances).

Covered Sites: Coverage is focused on transactions in and/or around specific airports, maritime ports, and military installations. The relevant military installations are listed by name and location in an appendix to the proposed regulations. The relevant airports and maritime ports are on lists published by the US Department of Transportation.

Locations Around Covered Sites: The proposed regulations focus on real estate that

  • is, is within, or will function as part of an air or maritime port;
  • is within “close proximity” (defined as one mile) of certain specified US military installations;
  • is within the “extended range” (defined as between one mile and 100 miles) of certain military installations; and
  • is within certain geographic areas associated with missile fields and offshore ranges.

Foreign Person and Excepted Real Estate Investor: The regulations create exceptions from coverage applicable for real estate transactions by certain foreign persons defined as “excepted real estate investors” based on their ties to certain countries identified as “excepted real estate foreign states,” and their compliance with certain laws, orders, and regulations. This concept mirrors the “excepted investor” term outlined in the proposed rules for Part 800.

Urbanized Areas and Urban Clusters: The regulations create exceptions from coverage for real estate transactions in an “urbanized area” or “urban cluster,” as defined by the Census Bureau, except those relating to relevant ports and those in “close proximity” to certain military installations.

Other Excepted Real Estate Transactions: Exceptions from coverage for the following, in addition to other transactions, include

  • the purchase, lease, or concession of a single “housing unit,” as defined by the Census Bureau; and
  • transactions involving certain commercial office space in a multiunit commercial office building.

Interaction With Other CFIUS Regulations: Real estate transactions that are also subject to CFIUS’s existing and proposed regulations regarding control transactions and non-controlling investments involving US businesses should be analyzed under those regulations.

Declarations: The proposed regulations provide for:

Voluntary Declarations: The proposed regulations provide for a short-form declaration as a substitute for the voluntary notice. However, CFIUS states that one of the actions it might take in response is to recommend or suggest filing of a complete Joint Voluntary Notice, making use of this avenue less certain though potentially more expedited if there is an acceptance by CFIUS.

Mandatory Declarations: FIRRMA creates a mandatory declaration requirement if a foreign government has a substantial interest in certain covered transactions, in addition, at least temporarily, to its existing pilot program requiring declarations for certain industries and technologies.

Timing for Public Comment and Finalization: The proposed regulations issued in two parts:

Both proposed rules remain open for public comment until October 17, 2019. While it is possible the regulations may be issued in final form earlier, FIRRMA requires that the final regulations become effective no later than February 13, 2020.

CFIUS also published a Press Release, Fact Sheet, and FAQs regarding the proposed regulations.

Questions for Clarification and Potential Consequences:

  • Much more detailed due diligence will be required of foreign investors regarding US investment targets, concerning their operations and the types of personal and financial data to which they generate or have access.
  • Likelihood of a substantial increase of filings with CFIUS (potentially at least quadruple the more than 200 currently filed per year, based on CFIUS estimates in the proposed regulations’ preamble).
  • The scope of the definition of sensitive personal data with respect to genetic information likely will need to be clarified in the final regulations.
  • The list of exempted investors and nations is likely to be much smaller than expected in view of the stringent qualifications set out in the proposed regulations for qualifying nations.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Washington, DC
Giovanna M. Cinelli
Kenneth J. Nunnenkamp
Ulises S. Pin
Christian Kozlowski
Katelyn Hilferty

Carl A. Valenstein

[1] The proposed real estate regulations will be the subject of a separate LawFlash.

[2] See Carl Valenstein, Stephen Paul Mahinka and Beverly Dale, Foreign Investment in US Biotech Gets Greater Gov’t Scrutiny (July 11, 2019).