The United States has a long history of reviewing cross-border investment (FDI) to assess the national security implications of these types of transactions. With more than 20,000 to 40,000 FDIs a year, most transactions, however, occur outside the purview of US government review. The United States maintains a robust and consistent process, managed by the Committee on Foreign Investment in the United States (CFIUS), to examine the national security implications of these types of investments. In this article, Morgan Lewis partner Carl Valenstein provides a brief history of FDI reviews under CFIUS, discusses unique concerns for life sciences transactions, and offers strategies for structuring these types of deals.
In August 2018, Congress passed and the White House signed the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) as part of the National Defense Authorization Act—the first comprehensive reform of the US FDI process since the 2007 Foreign Investment and National Security Act of 2007 amendments. FIRRMA is embedded in the Defense Production Act (DPA), a statute that includes a range of broad national security authorities. CFIUS has the discretion to review transactions, but prior to FIRRMA the statutory and regulatory focus revolved around ownership and control (both affirmative and negative), which is defined by CFIUS more broadly to include material influence and less-than-majority control. FIRRMA expanded that focus to address ownership, control, bankruptcies, and other investments that are not considered controlling. Prior to FIRRMA, CFIUS was entirely voluntary. Foreign investors, in particular, opted to voluntarily file a joint notice as it provided a sense of comfort that the US government would not come back at a later date to challenge the transaction.
Thus, the passage of FIRRMA introduced two elements for the first time: (1) mandatory filings and (2) the concept of investments that are not change of control transactions. The latter had a bigger impact on the life sciences sector considering it receives so much foreign venture capital investment. The United States’ action led to a cascading effect that has resulted in new or enhanced national security review regimes in Japan, Australia, the United Kingdom, the European Union, Germany, France, Italy, China, and Russia. In concert with CFIUS, these regimes help protect national security interests of the United States and its allies and partners.
As noted above, the CFIUS Pilot Program Regulations, which went into effect in November 2018, introduced mandatory filings for controlling and noncontrolling investments in selected industries with “critical technology.” The Pilot Program was incorporated into the final CFIUS regulations, effective in February 2020. The result was that many technology and early-state companies, particularly those in life sciences, had to scramble to determine if they were covered by one of the 27 North American Industry Classification System (NAICS) categories defining the selected industries and to classify their technology for export control purposes to determine if they had “critical technology” and if the investors would have access to it as defined under the Regulations.
Although there was concern, mainly from the venture capital and start-up communities, that this change would result in thousands of filings or abandoned investments, in actuality there was an underwhelming number of filings (approximately 120) under the Pilot Program. CFIUS nonetheless opted to keep it in place in the final regulations adopted in February 2020. In October 2020, CFIUS eliminated the reference to the 27 NAICS categories and changed the focus to whether export authorization was required for the country of the foreign person.
The explanation for the lower-than-expected number of filings is a combination of the restructuring of deals to avoid either an equity investment or an investment giving access to “critical technology,” as well as the determination that only a small number of technology companies had “critical technology” as currently defined. The feared expansion of that definition to include “emerging” and “foundational” technologies has not yet occurred in any material way, which is a source of concern for the more contentious members of the US Congress and other organizations, but heavily lobbied against by industry because of the likely effects on cross-border transactions and collaboration.
There has been a significant increase in FDI in the US life sciences industry, including both medtech and biopharmaceutical companies. Although overall Chinese FDI has declined considerably since its peak year in 2016, Chinese venture capital investment in the US life sciences industry remains remarkably resilient because of the Chinese government’s “Made in China 2025” and other industrial policies.
According to a recent report by the Rhodium Group, “In 2020 the number of VC rounds per industry fell in most industries. The exception was Health, Pharmaceuticals and Biotechnology, which was by far the top target for Chinese venture capital in the US by the number of venture capital transactions (132 individual rounds).”
Because most US life sciences companies do not have “critical infrastructure” or “covered real estate” for CFIUS purposes, the determination of whether clearance with CFIUS is required or recommended will generally turn on whether the company has “critical technology” or “sensitive personal data” for CFIUS purposes and whether the noncontrolling transaction has been structured in a way to wall the foreign investors off from the “critical technology” and “sensitive personal data.”
Determining if a life sciences company has “critical technology” for CFIUS purposes can be a fact-intensive exercise because it involves ascertaining if an export license would be required for the foreign investor(s) in question, and many emerging companies have not classified their technology or equipment for export control purposes. Most companies choose their technology/equipment for scientific reasons without attention to export control or CFIUS implications. This can result in surprises since most science-based companies think about scientific developments and regulatory approval from an FDA standpoint but do not take into consideration export-control implications, including the need for deemed export licenses for foreign lab workers. In general, the analysis is more complicated for biopharmaceutical companies, particularly in the biologics space, than for medtech companies.
CFIUS counsel have detailed checklists that they use with their life sciences company clients to help them make the classifications, but sometimes it is necessary or advisable to obtain a formal classification from the US government. There are specific International Traffic in Arms Regulations (ITAR) controls on biodefense or biowarfare technology as well as Department of Energy (DOE) controls on nuclear medicine. If a company has “select agents” regulated by the Centers for Disease Control and Prevention (CDC), then it will have “critical technology.”
It is currently unclear when and if the Department of Commerce will fill the largely empty buckets for “emerging and foundational technologies” included in the definition of “critical technology.” In November 2018, the Department of Commerce announced an Advance Notice of Proposed Rulemaking (ANPRM) for “emerging technologies” that included the fields of nanobiology, synthetic biology, genomic and genetic engineering, and neurotech.
On October 5, 2021, the Department of Commerce, Bureau of Industry and Security (BIS) published a final rule amending the Export Administration Regulations to include new controls on genetic editing software and related technology. Specifically, this final rule “updated the Australia Group Common Control List for dual-use biological equipment by adding controls on nucleic acid assembler and synthesizer ‘software’ that is capable of designing and building functional genetic elements from digital sequence data.” BIS previously identified this software, in a notice of proposed rulemaking on November 6, 2020, as potential emerging technology essential to US national security that have the capability of being misused for biological weapons purposes. These controls will impact future foreign investment, funding, and transaction evaluations for the US biotech industry.
The life sciences industry, however, is lobbying very heavily against how “emerging techonlogies” will be defined. Current interagency conflicts may further delay the proposed regulations, and the biotech and medtech industries will challenge any additional export controls as undermining further collaboration and scientific development. This is a huge battle and one that will continue.
“Sensitive personal data” is broadly defined as comprising personal, financial, and healthcare information of US citizens, including identifiable data that is in applications for insurance; nonpublic email or messaging among users of a US business’s products or services; biometric data; geolocation data; or personnel security clearance data. “Identifiable data” will be treated as “sensitive personal data” if it is maintained or collected by a US business (1) that targets or tailors products or services to US security personnel, including contractors, or (2) that has maintained or collected such data, or has a demonstrated business objective to do so, on more than one million individuals at any point in the preceding 12 months.
Sensitive personal data also includes genetic data, which is not subject to the above limitations on security personnel or minimum size of data population. In an attempt to narrow the scope of genetic data covered, and following concerns expressed by the life sciences industry regarding the proposed rules, CFIUS limited the definition in the final rules to “the results of an individual’s genetic test, including any related genetic sequencing data.” Genetic tests are defined by reference to the Genetic Information Non-Discrimination Act of 2008, are limited to identifiable genetic tests, and exclude any data derived from US government databases and given to third parties for research purposes.
When structuring an FDI transaction, life science companies should ask the following questions:
In FDI transactions, foreign investors are most at risk since the US government will never unwind the transaction, but instead will make the foreign investor divest. Here are some strategies to mitigate risk to both foreign investors and US companies:
Unless the investor is a government, mandatory filing requirements are triggered by critical technology. One can eliminate the board/observer seat by including screening language that is fairly standardized in NAICS documents to avoid having Defense Production Rights until the transaction is cleared by CFIUS. There is a new mandatory filing requirement for foreign-owned government-controlled transactions where a “substantial interest” (49% or more voting interest or 25% or more investment) is acquired in a US business that has critical technology, critical infrastructure, or sensitive personal data. There are some exceptions to this mandatory filing requirement, including investments made by “excepted foreign investors” from Australia, Canada, and the United Kingdom as well as transactions by funds controlled by certain US persons.
There is a fast-track process that is being used more frequently by the venture capital community for a 30-day review period, since these deals can move very quickly—in some instances, start to finish can occur within three days. If the mandatory filing requirements apply, one can file a short-term declaration that will be reviewed in 30 days, but CFIUS may require a full joint submission or give a regulatory “shrug” indicating that it has had insufficient time to make a determination. Some parties are willing to accept the risk and close on a regulatory “shrug,” even though it provides no protection from a later CFIUS review. By contrast, full joint submissions can take one to two months to prepare and be accepted by CFIUS, and three to four months to complete even in routine cases. Declarations increased from 94 in 2019 to 126 in 2020.
Effective May 1, 2020, CFIUS introduced a sliding scale of required filing fees depending on the size of the transaction. Fees range from zero up to $300,000. Fees would apply only to joint voluntary notices—not mandatory or voluntary declarations—and generally are paid by the buyer/investor. CFIUS is starting to implement penalties.
In any transaction involving a foreign person and a US business, particularly a US TID business, there is a potential CFIUS issue that should be analyzed early on given the complexity of the rules. Due diligence checklists have been developed for determining mandatory filing requirements as well as those areas of CFIUS concern based on the required contents of a declaration of joint filing, but those need to be customized for the particular transaction in question to avoid missing issues. Companies planning to seek foreign investment or offering themselves for sale to foreign persons should conduct self-CFIUS due diligence to identify the CFIUS concerns early on because they might affect transaction structure.