Committee on Foreign Investment in the United States (“CFIUS”) regulations have increasingly been in the news. There is good reason—CFIUS regulations have become more robust to address U.S. national security concerns. Given this, business lawyers should consider CFIUS implications when advising on any transactions or investments, to include real estate transactions, involving foreign persons. Below is a brief summary of ten things a business lawyer should know when working on transactions involving foreign entities or persons.
What Is CFIUS? CFIUS is an interagency committee, chaired by the Secretary of the Treasury, charged with the duty to review certain foreign investment in the United States to assess whether the transaction may impact U.S. national security. Since Treasury chairs the committee, Treasury maintains a website with useful information on CFIUS and manages the CFIUS Case Management System used for CFIUS filings.
Other CFIUS members include the Departments of Justice, Commerce, Defense, State, and Energy as well as the Office of the U.S. Trade Representative and the Office of Science & Technology Policy. White House offices, such as the National Security Council and the Council for Economic Advisors, as well as the Director of National Intelligence and the Department of Labor, may also provide input during the review process.
What Is the Purpose of CFIUS? Although CFIUS reviews foreign investment in the U.S., CFIUS is not designed to limit or impede foreign investment in the U.S. Its mission is to protect U.S. national security. Through the years, the U.S. government has made this clear by explaining that foreign investment is welcomed, and, given the strength of the U.S. economy; U.S. policies encouraging economic growth; the U.S. spirit of innovation; and the sophistication of U.S. financial markets, it is the best place in the world to invest.
What Is the Legal Construct for CFIUS? Through executive orders, laws, and regulations dating back to 1975, the president is given authority to suspend or prohibit foreign investment that may impact U.S. national security. CFIUS regulations implement these requirements. The Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) updated CFIUS regulations to address U.S. national security risks as a result of the changing geopolitical landscape to include, among other things, expanding the types of transactions that must be disclosed to CFIUS.
What Types of Real Estate Transactions Must CFIUS Review? CFIUS reviews “covered real estate transactions” as that term and related terms are defined in CFIUS regulations. Generally, these regulations require CFIUS review of real estate transactions involving foreign persons related to real estate in and around certain airports, ports, and military bases that are either listed by name in the regulations or published by the Department of Transportation.
What Types of Transactions and Investments Are Subject to CFIUS Jurisdiction? CFIUS has jurisdiction over “covered control transactions” and “covered investments,” which are transactions and investments that could result in a foreign person controlling a U.S. business. CFIUS regulations broadly define “control” and may even include minority investment in some situations. CFIUS also has jurisdiction over direct or indirect investment by a foreign person in a U.S. Technology, Infrastructure, Data (“TID”) U.S. business, even if non-controlling, if a foreign person will have access to material non-public technical information in the possession of the TID U.S. business; board membership; observer rights; rights to nominate individuals to the governing body of the TID U.S. business; or involvement in substantive decision-making of the TID U.S. business regarding sensitive personal data of U.S. citizens maintained or collected by the TID U.S. business, or critical technologies, or covered investment in critical infrastructure.
For purposes of CFIUS, critical technology includes producing, designing, testing, manufacturing, fabricating, or developing technology or critical components that are essential to U.S. national security. Covered infrastructure transactions include foreign investment in systems or assets, whether physical or virtual, so vital to the U.S. that their incapacity or destruction would be debilitating, like energy infrastructure or major telecommunications infrastructure. Data is sensitive personal data on U.S. persons that the business maintains or collects directly or indirectly.
Only certain transactions mandate disclosure to CFIUS. A disclosure to CFIUS is mandatory if the transaction involves a foreign person and TID U.S. business that produces, designs, tests, manufactures, fabricates, or develops “critical technologies” that are controlled by U.S. export regulations. CFIUS disclosure is also mandatory if a foreign government, even if indirectly, will obtain “substantial interest,” as that term is defined in CFIUS regulations, in a TID U.S. business.
Other than these situations, disclosing to CFIUS is voluntary. Since CFIUS may unwind a transaction, even after closing, if the transaction impacts national security, parties should assess whether filing a voluntary notice with CFIUS would be prudent. Voluntary notices allow for the possibility of CFIUS clearing the transaction, thus for the most part mitigating the risk that CFIUS will review, and possibly unwind, the transaction at a later date in the interest of national security.
CFIUS regulations include some exemptions for certain passive investment and for transactions involving close U.S. allies.
What Is the Process for CFIUS Review? Filings are submitted to the Treasury through its online system. Generally, the parties work together to file with CFIUS. Parties may choose to file a declaration, which is an abbreviated disclosure form. CFIUS has thirty days to act on declarations by clearing the transaction; requiring the parties to file a notice, which requires more information than a declaration and extends the review period; or ending review without a formal clearance. If parties do not receive formal clearance or direction to file the longer notice, it conveys that CFIUS did not have concerns with the transaction, but it is not as definitive as if CFIUS had cleared the transaction. For mandatory declarations, the parties must file their declaration with CFIUS at least thirty days before the transaction’s expected completion date.
Parties to a transaction may elect to file a voluntary notice. Generally, notices require far more information than does a declaration, and notices have a longer review process. Once CFIUS has what it considers a complete filing, it has forty-five days to assess the filed notice. If CFIUS cannot make its assessment on a notice within the forty-five-day review period, CFIUS will initiate an investigation, which it has forty-five days to complete. If needed, after an investigation, CFIUS has fifteen days to obtain presidential review of the transaction.
The CFIUS review takes longer than regulations suggest. For purposes of starting the CFIUS review clock, Day 1 is not the day a CFIUS notice is filed. Instead, the clock starts on the day Treasury accepts a notice. which is the day after Treasury has determined that the notice complies with filing requirements; confirmed that the filing fee has either been paid or was waived; and all CFIUS members have received the notice. The time it takes to get to Day 1 depends on a number of factors, including whether the notice included all required information and whether CFIUS decides to ask for additional information.
Are There Other Legal Considerations When a Transaction Involves Foreign Investment? CFIUS regulations may not be the only disclosures a U.S. business must file when it is involved in transactions with foreign persons. For example, export regulations International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR), and the National Industrial Security Program Operating Manual (NISPOM), which regulates U.S. government contractors with classified contracts, also require notice to designated government agencies for review and approval of transactions involving foreign entities. Notifying CFIUS of a transaction does not fulfill these legal obligations. Finally, review by the agencies that manage export regulations and the NISPOM may actually take longer than the CFIUS review.
Does CFIUS Accept Risk Mitigation Strategies to Blunt National Security Risks in a Transaction? CFIUS may approve a transaction but require the parties to implement mitigation strategies that may limit foreign control or limit or prohibit access to a business’s critical technology in the interest of national security.  Treasury’s Office of CFIUS Monitoring and Enforcement has the authority to monitor mitigation plans. Further, other agencies charged with protecting national security through export regulations or through the NISPOM may independently require that a business obtain export licenses or implement other controls pursuant to export and NISPOM regulations.
Are CFIUS Filings Confidential? Information provided to CFIUS must be maintained in confidence. CFIUS may not disclose whether a transaction has been submitted for review. Given the nature of CFIUS filings, the information filed is exempt from public disclosure under the Freedom of Information Act. If parties to a transaction reveal they have submitted a transaction to CFIUS for review, CFIUS may then comment publicly.
What Are CFIUS Penalties? CFIUS requirements give the president authority to prohibit certain foreign investment in the United States, to include the authority to suspend or unwind a transaction that implicates national security. There are also financial penalties up to $250,000 per violation for intentionally or negligently submitting a material misstatement or omitting material information in a CFIUS filing. If CFIUS orders an entity to implement a mitigation plan and the entity either intentionally or negligently violates the plan, the entity may incur a civil penalty up to $ 250,000 per violation or for the value of the transaction, whichever is greater. Since mitigation agreements may include liquidated or actual damages for breaches, offending entities may be liable for damages in addition to the civil penalties.
Foreign person is a defined term in CFIUS regulations. 31 CFR 800.224, Foreign person. ↑
See, e.g., U.S. Department of Treasury, CFIUS FAQs, Background Information on FIRRMA (last visited Sept. 20, 2023); 73 FR 74567, 74568 (Dec. 8, 2008); “Treasury Issues Proposed CFIUS Regulations; Lowery to Hold Briefing Today,” Apr. 21, 2008; Foreign Investment Risk Modernization Act of 2018. ↑
See, e.g., Executive Order 11858 (May 1975) as amended by Executive Order 13456 (Jan. 2008); Executive Order 14083 (Sept. 15, 2022); § 721 of the Defense Production Act of 1950, as amended; 31 CFR Part 800. ↑
31 CFR Part 800; Foreign Investment Risk Modernization Act of 2018. ↑
31 C.F.R. Part 802, Regulations Pertaining to Certain Transactions by Foreign Persons Involving Real Estate in the United States. ↑
31 CFR 800.210, Covered Control Transaction; 31 CFR 800.301, Transactions that are covered control transactions; 31 CFR 800.211, Covered investment. ↑
31 CFR 800.208, Control. ↑
31 CFR 800.248, TID U.S. Business. ↑
Id.; 31 CFR 800.215. ↑
31 CFR 800.214, Critical Infrastructure. ↑
31 CFR 800.248, TID Business; 31 CFR 800.241, Sensitive Personal Data. ↑
31 CFR 800.401, Mandatory disclosures. ↑
31 CFR 800.401, Mandatory disclosures; 31 CFR 800.244, Substantial Interest. ↑
31 CFR Subpart D, Declarations. ↑
31 CFR Subpart E, Notices. ↑
U.S. International Traffic in Arms Regulations (22 C.F.R. §§120–130); U.S. Export Administration Regulations (15 C.F.R. §§730–774) (together “U.S. export regulations”). ↑
32 CFR Part 117, National Industrial Security Program Operating Manual. ↑
31 CFR 800.802, Confidentiality. ↑
31 CFR 800 Subpart I, Penalties and Damages. ↑