Insight

Treasury finalizes expanded CFIUS authorities

U.S. Treasury passed two rules that will expand the jurisdiction of CFIUS

Steven Brotherton

Steven Brotherton

Principal, Tax, Trade & Customs Services, KPMG US

+1 415-963-7861

Shane Sims

Shane Sims

Principal, Cyber Security, KPMG US

+1 703-286-8738

Luis Avila

Luis Avila

Director Advisory, Accounting Advisory Services, KPMG LLP

+1 703-286-6689

Foreign investors and U.S. Businesses that are parties to covered transactions must be cognizant of the heightened attention afforded foreign investment in the U.S., the parameters of CFIUS’s expanded national security jurisdiction, as well as the potential for mandatory filings. Voluntary filings to obtain a CFIUS review and clearance prior to transaction completion should be considered to diminish the potential for a post-closing review, possible mitigation requirements, or even an unwinding of the deal. Analyses of CFIUS compliance requirements should be factored into the investment, financing, M&A, and joint venture strategies and due diligence processes of foreign investors and TID U.S. Businesses alongside other risk considerations such as Know-Your-Customer, beneficial ownership, and financial crimes. Systems and data security will be a primary focus in the areas designated as critical across technology, infrastructure, and data.

Key Points

  • Treasury has published two final rules to implement provisions of FIRRMA that expand the jurisdiction of CFIUS to conduct national security reviews of foreign investment in U.S. businesses to include certain non-controlling, non-passive investments in critical technology, infrastructure, and data (TID) businesses and real estate transactions near-certain ports or government facilities.
  • The two final rules are fundamentally similar to the proposed rules; with minor changes, the Pilot Program is now a permanent part of the CFIUS regulations.
  • Most covered transactions will be subject to voluntary filings; two types of transactions involving foreign government investors will be subject to mandatory CFIUS filing requirements.
  • Additional rulemakings are forthcoming, including a final definition for “principal place of business” and proposals to address fees and penalties as well as to define “emerging and foundational technologies”.


Pursuant to the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), the U.S. Department of the Treasury (Treasury) has published two final rules that expand the authority and responsibility of the Committee on Foreign Investment in the United States (CFIUS) to review certain foreign investments in the U.S. for national security concerns. The rules became effective on February 13, 2020 and are substantially similar to the proposed rules released in September 2019.

In particular, the two rules cover 1) CFIUS’s general jurisdiction to review investments by foreign persons in U.S. businesses, including non-controlling investments (Part 800), and 2) CFIUS’s jurisdiction to review transactions not covered by Part 800 involving (or in close proximity to) certain U.S. real estate (Part 802). Additionally, in response to public comments, the regulations include a new definition for the term “principal place of business,” which is presented as an interim rule and subject to public comment.

Non-Controlling Investments

FIRMMA expands the jurisdiction of CFIUS beyond transactions that could result in foreign control of a U.S. business to also include certain non-controlling investments made by a foreign person directly or indirectly in an unaffiliated U.S. business. CFIUS’s jurisdiction is limited to investments that: 1) involve U.S. businesses involved in critical technologies, critical infrastructure, or sensitive personal data of U.S. individuals; and 2) afford the foreign person access to nonpublic material information, rights to board membership, or involvement in decision-making activities.

Covered Investment. U.S. businesses involved in critical technologies, critical infrastructure, or sensitive personal data of U.S. individuals are defined as “TID U.S. Businesses” and include U.S. businesses that:

  • Produce, design, test, manufacture, fabricate, or develop one or more critical technologies, including defense articles and defense services in the U.S. Munitions List; items controlled pursuant to international regimes on chemical and biological weapons; nuclear facilities, materials, and technology; and emerging and foundational technologies controlled under the Export Control Reform Act of 2018. “Emerging and foundational technologies” will be defined by the Department of Commerce.
  • Own, operate, manufacture, supply, or service critical infrastructure across the telecommunications, utilities, energy, and transportation sectors. Details are included as Appendix A to the final rule and include physical or virtual systems and assets.
  • Maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. Sensitive personal data include “identifiable data” and the results of an individual’s genetic testing. “Identifiable data” is defined as data maintained or collected by U.S. businesses that target or tailor products or services to certain populations, including U.S. military and employees of federal agencies with national security responsibilities, or have maintained or collected data, or demonstrated a business objective to do so, for more than one million individuals. Such data covers ten separate categories, including financial data, health information, non-public electronic communications, biometric data, and geolocation.

CFIUS will review non-controlling investments in TID U.S. Businesses when they afford the foreign person:

  • Access to any material nonpublic technical information in possession of the U.S. business
  • Membership or observer rights on, or the right to nominate an individual to a position on the board of directors or equivalent governing body of the U.S. business
  • Any involvement, other than through voting shares, in substantive decision-making of the U.S. business regarding TID activities (i.e., critical technologies, critical infrastructures, sensitive personal data).

Exceptions. Foreign persons are defined to include any foreign government, foreign person, or foreign entity. Exceptions to CFIUS’s expanded jurisdiction include:

  • Excepted Investor – Certain foreign persons, defined as “Excepted Investors” based on their ties to certain countries identified by CFIUS as “Excepted Foreign States” and their compliance with certain laws, orders, and regulations, including threshold limits outlined in the rule related to board members, foreign investors, and ownership interests. (This exception does not apply to investments that could result in control of a U.S. business.)
  • Excepted Foreign State – CFIUS has identified Australia, Canada, and the United Kingdom of Great Britain and Northern Ireland as excepted foreign states “due to aspects of their robust intelligence-sharing and defense industrial base integration mechanisms with the United States.” The designation of these countries will be reviewed in two years; the list of excepted foreign states may be expanded in the future.
  • Certain Foreign Entities – that are organized under the laws of a foreign country but are managed and controlled by U.S. nationals (i.e., have their principle place of business in the United States). 

Filing Requirements. Parties to a Covered Investment may make a voluntary filing for CFIUS clearance prior to completing a transaction in order to receive a “safe harbor” letter against CFIUS initiating a later review (subject to exceptions). Parties may file either a long-form notice or short-form declaration. A 30-day review period applies to the declaration.

  • Mandatory declarations. Filing a declaration is mandatory in cases where a) a foreign government has a “substantial interest” (49 percent or more) in the general partner of a financial entity acquiring a direct or indirect voting interest of 25 percent or more in a TID U.S. Business; b) the Covered Investment is in a TID U.S. Business that produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies used in connection with specific industries listed in Appendix B to the final rule.
    • Exceptions to the mandatory declarations may apply where i) the investment is by an Excepted Investor; ii) the foreign investor is already subject to mitigation for foreign ownership, control, or influence; iii) the investment vehicle is a fund managed exclusively by, and ultimately controlled by, U.S. nationals; and iv) the TID U.S. Business is designated as such solely because of certain non-sensitive encryption technology.

Real Estate Transactions

FIRRMA provides CFIUS authority to review the purchase or lease by, or a concession to, a foreign person of private or public real estate that is located within or functions: as part of an air or maritime port; in close proximity to a U.S. military installation or other U.S Government facility that is sensitive for reasons of national security; could provide the foreign person the ability to collect intelligence on activities conducted at such an installation or facility; or could expose the national security activities at such an installation or facility to the risk of foreign surveillance.  Collectively, these properties are referred to as “Covered Real Estate”.

Covered Transactions. A U.S. real estate transaction entered into by a foreign person and involving a Covered Real Estate will be considered a Covered Transaction if it affords the foreign person three of more of these rights to: physical access; exclude physical access; improve or develop, or affix structures or objects.

The final rules limit Covered Real Estate to transactions in and/or around specific airports, maritime ports, and military installations named within the regulation or identified by the Department of Transportation.

Exceptions. Exceptions are provided for certain real estate transactions including:

  • Excepted Real Estate Investor – Covered real estate transactions involving foreign persons defined as “excepted real estate investors” based on their ties to countries identified by CFIUS as “excepted real estate foreign states”. CFIUS has named Australia, Canada, and the United Kingdom of Great Britain and Northern Ireland as excepted real estate foreign states.
  • Urbanized areas or clusters – As defined by the Census Bureau, except those relating to relevant ports and those in “close proximity,” defined as one-mile, to certain military installations.
  • Other real estate – including the purchase, lease, or concession of a single “housing unit,” real estate for purposes of retail sales, and certain commercial space in multi-unit commercial buildings.

Filing Requirements. Parties may file a long-form notice or submit a short-form declaration notifying CFIUS of a real estate transaction in order to potentially qualify for a “safe harbor” letter. If a transaction could result in control of a U.S. business by a foreign person, it would be covered by Part 800 and would not be considered a real estate transaction under Part 802.

Interim Rule

Within the final rules, CFIUS has included an interim final rule to define a party’s ‘‘principal place of business’’ as ‘‘the primary location where an entity’s management directs, controls, or coordinates the entity’s activities, or, in the case of an investment fund, where the fund’s activities and investments are primarily directed, controlled, or coordinated by or on behalf of the general partner, managing member, or equivalent.” The definition helps to clarify that U.S. entities such as investment funds that are established offshore will not be considered foreign persons whose investments are subject to the jurisdiction of CFIUS provided their “nerve center” is in the United States. The comment period on the interim final rule has closed.

CFIUS Background

The Committee on Foreign Investment in the United States is an interagency committee chaired by the Secretary of the Treasury. It is authorized to review certain transactions involving foreign investment in the United States to determine the effect of such transactions on the national security of the United States. On August 13, 2018, the Foreign Investment Risk Review Modernization Act of 2018 was enacted. The law broadens the authorities of the President and CFIUS regarding national security concerns to include transactions arising from certain foreign non-controlling investments and real estate transactions that previously fell outside CFIUS’s jurisdiction.

Membership of CFIUS includes the heads of the Department of the Treasury, Department of Justice, Department of Homeland Security, Department of Commerce, Department of Defense, Department of State, Department of Energy, Office of the U.S. Trade Representative, and Office of Science and Technology Policy.


Related content