Treasury Department Issues Final Rule Updating CFIUS Regulations and Guidance on CFIUS National Security Assessments

December 12, 2008
On November 14 and December 1, 2008, respectively, the U.S. Department of the Treasury issued a Final Rule and Guidance regarding the process by which the Committee on Foreign Investment in the United States (“CFIUS”) reviews foreign acquisitions of controlling interests in U.S. businesses for national security risks. [1] The regulations implement Section 721 of the Defense Production Act of 1950, as amended by the Foreign Investment and National Security Act of 2007 (“FINSA”) (codified at 50 U.S.C. App. 2170). First released as a Proposed Rule on April 21, 2008, the Final Rule clarifies and codifies certain existing CFIUS procedural practices and substantially amplifies important terms that define the scope of CFIUS jurisdiction. There are relatively few changes from the Proposed Rule, none with substantive effect. The Final Rule will be effective December 22, 2008. Adoption of the Final Rule represents the first major rewrite since the current CFIUS rules were adopted in 1991.

Issuance of the Final Rule and Guidance closes a three-year process of revamping CFIUS procedures that was sparked by controversies over a mid-2005 bid by the Chinese company CNOOC to acquire Unocal Corporation, and the early 2006 acquisition of certain U.S. ports facilities by Dubai Ports World. Although the Bush Administration administratively implemented substantial reforms in 2006, the enactment of FINSA, followed by promulgation of Executive Order 13456 (January 25, 2008), the Final Rule and the Guidance, completes an overhaul of the way CFIUS exercises its responsibilities. Given the lengthy Congressional and administrative deliberations that preceded them, the Final Rule and Guidance reflect now-established CFIUS practice more than an institution of new ideas.

This Alert highlights key concepts and procedures cemented in the new regulations, including the substantial new guidance on which transactions are covered by Section 721, changes to the filing process and required notice content, and the addition of penalties. For more complete information on the changes to Section 721 and CFIUS practice resulting from FINSA, please see our client alert “Closing the CNOOC and Dubai Ports World Debate: The Foreign Investment and National Security Act of 2007,” July 30, 2007.

Which Transactions are Covered?

Transactions that are subject to Section 721, or “covered transactions,” are those that could result in the “control of a U.S. business by a foreign person.” (31 C.F.R. §800.207 [2]) The definition of “transaction” implements the statutory requirement that a covered transaction involves a “merger, acquisition, or takeover.” (§800.224) The new regulations clarify the meaning of key terms relevant to this analysis, including “U.S. business,” “foreign person,” “transaction,” and “control.” Among covered transactions are: (1) acquisitions of control of a U.S. business by a foreign entity that is owned or controlled by a foreign person, but not by a foreign entity that is controlled by a U.S. person; and (2) acquisitions of control by another U.S. business if that business is owned or controlled by a foreign person. Other key issues addressed in the Final Rule include:

(1) New businesses: Start-up (“greenfield”) investments continue to be excluded by from the definition of “transaction.” CFIUS will review only transactions, including joint ventures, involving acquisition of control over an existing U.S. business.

(2) Control: In perhaps the most important improvement of the current rules, the new regulations substantially elaborate on the factors that are relevant to the analysis whether a transaction results in “control of a U.S. business,” particularly with respect to minority investments. Gone is the prior suggestion that a “safe harbor” existed where a foreign person acquired 10 percent or less of the voting interest in the entity and held that interest “solely for the purpose of passive investment.” While continuing to refer to the concept of a “dominant minority,” the Final Rule emphasizes that CFIUS jurisdiction is not dependent on a minimum ownership threshold, nor is there a level of minority ownership that automatically triggers coverage. CFIUS will follow a “functional” analysis on a case-by-case basis (Supplemental Information, §800.204) - “dominance” is in the eyes of the beholder. Nonetheless, the Final Rule provides substantial guidance on the factors that pertain to control, and these are especially important in the context of minority ownership stakes.

The core CFIUS inquiry is whether the foreign acquirer has–

the “power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct or decide important matters affecting an entity; in particular, but without limitation, to determine, direct, take, reach, or cause decisions regarding [certain fundamental business matters], or any similarly important matters affecting an entity.” (§800.204)

These business matters include, among others, the sale or transfer of any principal assets; the reorganization, merger or dissolution of the company; the closing, relocation or substantial alteration of the production, operational or research and development facilities of the entity; the selection of new business lines or ventures that the entity will pursue; the entry into, termination, or non-fulfillment by the entity of significant contracts; the appointment or dismissal of key officers or managers; and the amendment of the Articles of Incorporation, constituent agreement or other organizational documents of the entity. (§800.204(a))

(3) Minority investor protections: A key new feature of the Final Rule, which elaborates on concepts first articulated in the Proposed Rule, is the treatment of minority shareholder protections. Certain common protections “shall not in themselves be deemed to confer control over an entity.” (§800.204(c)) These include the power to prevent the sale of the assets of an entity and anti-dilution rights. (Id.) The combination of such rights and board representation may also not trigger coverage under Section 721 - these may provide influence, but not control. The Final Rule provides these examples:

Example 5. Corporation A, a foreign person, acquires a thirteen percent interest in the shares of Corporation B, a U.S. business, and the right to appoint one member of Corporation B’s seven-member Board of Directors. Corporation A receives minority shareholder protections listed in §800.204(c), but receives no other positive or negative rights with respect to Corporation B. Assuming no other relevant facts, Corporation A does not control Corporation B.

Example 6. Corporation A, a foreign person, acquires a twenty percent interest in the shares of Corporation B, a U.S. business. Corporation A has negotiated an irrevocable passivity agreement that completely precludes it from controlling Corporation B. Corporation A does, however, receive the right to prevent Corporation B from entering into contracts with majority investors or their affiliates to prevent Corporation B from guaranteeing the obligations of majority investors or their affiliates. Assuming no other relevant facts, Corporation A does not control Corporation B.

§800.204. Notwithstanding the possible implication of these examples, however, CFIUS has found minority stakes of less than 20%, accompanied by standard minority shareholding protections, to be “controlling.”

(4) Limited partnerships: The Final Rule also usefully discusses limited partnerships, clarifying the relationship between ownership and control. Id. It makes clear that CFIUS will focus on the particular level of control within a transaction on a case-by-case basis regardless of the investment structure:

Example 8. Limited Partnership A comprises two limited partners, each of which holds 49 percent of the interest in the partnership, and a general partner, which holds two percent of the interest. The general partner has sole authority to determine, direct, and decide important matters affecting the partnership and a fund operated by the partnership. The general partner alone controls Limited Partnership A and the fund.

Example 9. Same facts as in Example 8, except that each of the limited partners has the authority to veto major investments proposed by the general partner and to choose the fund’s representatives on the boards of the fund’s portfolio companies. The general partner and the limited partners each have control over Limited Partnership A and the fund. (Id.)

(5) Leases: Long-term leases are covered where, as a result of the lease terms and the extent of authority of the lessee over the U.S. business, the lease is the equivalent of a sale. As in other areas, the Final Rule declined to provide a bright line concerning long-term leases, stating only that “[a]s a general matter … the more significant the substantive responsibilities retained by the lessor over the leased property, the likelier that the lease would not be viewed as a transaction.” (Supplemental Information, §800.224) Accordingly, public-private partnerships, such as long-term concessions to operate transportation facilities, may well be subject to CFIUS review if a foreign operator is chosen as the concessionaire. Yet, such a concession may not be covered where the owner/lessor retains responsibility for safety and security functions. (See §800.224 Example.)

(6) Lending transactions: Generally, lending transactions are not covered. The narrow exceptions include circumstances where imminent or actual default may precipitate control by a foreign person; and where the transaction has characteristics of an equity investment (e.g., acquisition of rights affecting governance). Importantly, a foreign bank will not ordinarily engage in a covered transaction where it is acting as lead bank or participating as a member of a syndicate of lenders to a borrower that has defaulted, but is not in a controlling position. (§800.303)

Procedural Changes

The Final Rule formalizes CFIUS’s current practice of encouraging pre-filing consultations and sharing draft notices with CFIUS five business days prior to filing. (§800.401(f)) Pre-filing consultations allow CFIUS time to ensure that notices contain all of the information necessary for a full and efficient review.

As required by FINSA, the new regulations generally require CFIUS, following its initial 30-day review, to undertake the 45-day investigation of any transaction that (1) is a foreign government-controlled transaction; or (2) would result in control by a foreign person of critical infrastructure within the United States. (§800.503(b)) While the term “critical infrastructure” remains largely unchanged from the Proposed Rule, the new regulations clarify that CFIUS considers the “particular” systems or assets involved in a transaction, rather than designating whole classes of systems or assets as “critical infrastructure.” (§800.208)

Notice Content Changes

The Final Rule expands the information historically required in a CFIUS notice. For the most part, the Rule simply formalizes what had become common practice for CFIUS to request once a review was launched. Noteworthy among the required items is personal identifier information for senior executives of the investor (§ 800.402(c)(6)(vi)(B)) – without which CFIUS will not initiate a review – and more detailed information on the investor’s organizational structure. (§ 800.402(j)(1)) The parties must also include detailed information on market share, downstream users of products (§ 800.402(c)(3)(i)), and cyber security plans of the U.S. business. (§ 800.402(c)(3)(viii))

The Guidance further notes that CFIUS seeks information not required in the regulations but highly relevant to its assessments. Such information most importantly would include the U.S. business’s involvement in communications or energy infrastructure at the enterprise level – for example, the production or supply of cyber security, telecommunications or internet systems; equipment and systems used to monitor, assess or control sensitive processes and functions; and equipment and systems involved with security, safety, and other specialty functions.

Mitigation Agreements and Penalties

Where a covered transaction poses national security risks, FINSA provides statutory authority for CFIUS, or a designated lead agency on behalf of CFIUS, to enter into and to monitor compliance with mitigation agreements that address such risks. The new regulations provide for civil penalties of up to $250,000 for each intentional material misstatement or omissions, false certification or violation of a material condition of a mitigation agreement. (§800.801(a)-(b)) The Final Rule also permits the inclusion of liquidated damages provisions in mitigation agreements for any intentional violations. (Id. at (c))

National Security Threat Assessments

Neither Section 721 of the Defense Production Act nor the Final Rule defines “national security,” the sole focus of CFIUS’s assessment of covered transactions. In practice, CFIUS broadly interprets that term, consistent with statutory purpose. The most important aspect of the Guidance released by CFIUS, therefore, is its attempt to shed light on how CFIUS exercises its substantive responsibility.

The Guidance usefully articulates the basic analytical framework: CFIUS conducts separate “threat” and “vulnerability” analyses, integrating the two to produce a national security risk assessment. To assess “threat,” CFIUS examines whether “a foreign person has the capability of intention to exploit or cause harm.” To assess “vulnerability,” CFIUS examines whether “the nature of the U.S. business, or its relationship to a weakness or shortcoming in a system, entity, or structure, creates susceptibility to impairment of national security.” A key component of the determination is the National Security Threat Assessment that the Director of National Intelligence prepares for CFIUS within the first 20 days after CFIUS initiates a review. (For this reason, as noted above CFIUS will not initiate a review until it has received the required personal identification information.)

The Threat Assessment and other information developed by CFIUS are not available to the parties seeking CFIUS review. It can therefore be difficult for parties to address concerns that are raised, or to offer mitigation measures that CFIUS finds adequate. The Guidance offers numerous examples of national security “considerations” that have arisen in the course of its work. While these examples remove little of the process’s inherent opacity, they serve to remind prospective investors that some types of transactions will be more sensitive than others.

Not surprisingly, for example, U.S. businesses that are suppliers to the U.S. Government of defense, security, or law enforcement goods and services will raise the threat level more than others. But solely commercial suppliers equally may raise a threat: As made clear by experience and in the Guidance, telecommunications and IT equipment suppliers, and particularly telecommunications carriers, pose profoundly difficult concerns for CFIUS. The Guidance highlights businesses involved in building or maintaining the nation’s infrastructure, doubtless echoing FINSA’s emphasis on the need to engage in searching reviews of investments involving “critical infrastructure.” Somewhat oddly, the Guidance seems to highlight the energy industry, though notwithstanding the CNOOC controversy, the United States has a very long history of foreign ownership of energy assets, both in the upstream and downstream sectors.

CFIUS also makes clear in the Guidance that it attributes great importance to the character of the foreign investor. CFIUS takes into account not only the investor’s foreign government ties, but also the investor’s own compliance record with respect to international non-proliferation regimes and other national security matters. (These might include international economic sanctions programs, for example, raising interesting questions about how to assess threat arising from a company’s doing business in a country targeted by U.S. sanctions when that business is consistent with the company’s own government’s laws and policies.) Foreign government ownership is not disqualifying, and the Guidance emphasizes the relevance of independent, transparent commercial decision making. In this regard, the Guidance signals that foreign sovereign wealth funds that adhere to the recently announced “Santiago Principles” [3] may find a more accommodating environment for potentially sensitive U.S. investments than other government-controlled entities.


The number of cases handled each year by CFIUS has roughly quadrupled since 2003. On the government side of the investment review process, the capacity and procedural discipline needed to handle that increased case load efficiently and well lagged for a time, but is now firmly in place. On the other side, the investment community has labored under concerns about the politicization of investment reviews, extending to doubt about what transactions are covered and how CFIUS discharges its responsibilities. While ultimately reserving to CFIUS and the President wide discretion to assert jurisdiction over minority investments and other types of transactions, and to determine what constitutes a threat to national security, the Final Rule and Guidance, together with Executive Order 13456, mark a welcome advance in transparency and certainty regarding the manner in which the U.S. Government will review foreign direct investments on national security grounds.

[1] Final Rule, 73 Fed. Reg. 70,702 (November 21, 2008); Guidance, 73 Fed. Reg. 74,567 (December 8, 2008).

[2] Unless otherwise noted, all citations hereafter are to sections in Title 31 of the Code of Federal Regulations.

[3] “Sovereign Wealth Funds - Generally Accepted Principles and Practices,” Report of the International Working Group of Sovereign Wealth Funds, as presented to the International Monetary and Financial Committee of the International Monetary Fund in October 2008.