The Committee on Foreign Investment in the United States (CFIUS) can be expected to maintain America’s traditional open investment posture consistent with the robust protection of U.S. national security interests. The Foreign Investment Risk Review Modernization Act (FIRRMA) recognizes the important role that foreign investment plays in supporting U.S. economic growth while centering the focus of CFIUS on national security concerns. CFIUS in the new administration should be expected to follow this mandate rather than advance other objectives such as economic security.
Within this overall framework, a key question is how CFIUS will address supply chain security in its evaluation of foreign investment transactions against the backdrop of pandemic-related shortages. CFIUS will also face immediate challenges in resolving the ongoing dispute with ByteDance regarding the TikTok divestiture order and in assessing and countering cyber vulnerabilities in the United States’ critical infrastructure and with respect to its critical technologies. U.S. government agencies will also need to evaluate the extent to which threats to sensitive personal data can be more narrowly addressed through effective mitigation measures and to implement the enforcement and monitoring provisions of FIRRMA. CFIUS policy is likely to play out amidst an evolving and at times contentious U.S.-China national security and economic relationship.
For organizations, planning for additional scrutiny can help support preparations for closing on important transactions that may fall within CFIUS’s purview.
Trends and Analysis
CFIUS will uphold its traditional mandate of protecting U.S. national security while maintaining America’s open investment posture. Within this framework, the focus and approach of CFIUS have changed over time to address legislative changes, an evolving understanding of foreign threats and vulnerabilities to U.S. national security, and the interests of CFIUS agencies. The Committee’s work continued at a steady pace during the Trump administration despite concerns about politicization of the review process and attention-grabbing headlines garnered by high-profile transactions like the TikTok ban.
According to the 2019 CFIUS Annual Report, of the 231 covered transaction notices reviewed by CFIUS in 2019, roughly half (113) faced subsequent investigation. Importantly in 2019, CFIUS concluded action on 28 of the 231 notices after adopting mitigation measures to resolve national security concerns. It also imposed mitigation measures to address residual national security concerns with respect to five notices that were voluntarily withdrawn, and the transactions were abandoned. The 2019 report further notes that statistics reflect a continued upward trend in the number of notices filed and mitigation measures imposed.
The statistics for 2020—the first full year of FIRRMA implementation—may not show the same upward trend due to the dampened investment environment during the pandemic and reduced Chinese investment in the United States, even with the broader CFIUS authorities under FIRRMA.
Within this context, there are trends to be aware of:
Given the COVID-19 pandemic and high-profile cybersecurity breaches, CFIUS can be expected to more proactively confront supply chain security and cybersecurity in its evaluation of foreign investment transactions. Pandemic-related supply chain shortages, particularly with respect to personal protective equipment and certain national security sensitive technologies, have forced policy makers to consider supply vulnerabilities in health, food security, national defense, and critical infrastructure. Many policy solutions will lie outside of the scope of CFIUS, but foreign investment is likely to surface threats and vulnerabilities for which CFIUS may need to provide stop-gap mitigation measures.
Similarly, the SolarWinds hack will likely provide greater impetus for U.S. government agencies to develop policies to counter malware threats to cybersecurity. As with supply chain security, CFIUS reviews of foreign investment transactions may surface cybersecurity vulnerabilities in specific circumstances, leading it to impose appropriate mitigation measures where a risk is identified. CFIUS can be expected to put in place more cybersecurity mitigation conditions and impose more physical and electronic access restrictions on investors in such instances.
China policy will continue to loom large despite expectations of reduced Chinese investment in the United States. CFIUS will continue to place significant focus on investments originating from China and Hong Kong, particularly given the Biden administration’s strong signal that it intends to maintain tough-on-China policies. CFIUS is expected to continue to clear the bulk of China-originated investments, as long as core national security concerns are not implicated. In the period from 2017 to 2019, Chinese transactions accounted for 20 percent of the CFIUS notices, although there was a 50 percent drop in Chinese transactions in 2019. The bulk of Chinese transactions filed were either in the manufacturing sector or the finance, information, and services sectors.
The Biden administration has indicated a pause to evaluate actions that were taken but not fully implemented by the outgoing Trump administration, including executive orders relating to information and communications technology, the bulk-power system, and investments in Chinese military companies by U.S. persons. During this reevaluation, CFIUS will continue to be a focal point for protecting U.S. national security interests. In addition, President Biden ordered a review of U.S. supply chain vulnerabilities in a number of sectors, including critical goods and materials and critical minerals, and CFIUS may play a role in recommendations for action to protect U.S. supply chains. The Biden administration, however, is unlikely to use CFIUS to advance objectives outside of its national security mandate or to impose punitive measures with respect to China to allow room for cooperation on pressing international issues.
The Biden administration will also need to resolve the ongoing dispute with ByteDance and TikTok considering a broader reassessment of policy with respect to sensitive personal data. Trump administration executive orders that limit transactions involving TikTok and WeChat have been temporarily enjoined by federal courts and reported deals to carry out the divestiture of TikTok ordered by CFIUS have foundered. The Biden administration will need to find a solution to the ongoing impasse; one approach might be to permit ByteDance to divest TikTok under the terms of a CFIUS mitigation agreement. While concerns about foreign access to sensitive personal data are likely to feature prominently in the CFIUS process, the new administration may adopt a more subtle approach that seeks to identify tailored mitigation options to protect the most sensitive data, rather than broad efforts to foreclose the availability of apps in the United States or to wholly decouple U.S. and China cyber connectivity.
CFIUS will continue to focus on critical technologies, critical infrastructure, and sensitive personal data. These are longstanding national security concerns and are codified in legislation. As in prior years, the manufacturing and finance, information, and services sectors are expected to make up the bulk of transactions for which notices are filed with CFIUS. In 2019, and in years past, transactions involving manufacturing and finance, information, and services comprised around 75 percent of notices filed with CFIUS. Significant manufacturing subsectors include computers and electronic product manufacturing and electrical equipment, appliance, and component manufacturing. Within these subsectors, a significant number of transactions involving semiconductors were filed with CFIUS.
The Biden administration will likely take a whole-of-government approach to safeguard U.S. national security, of which CFIUS is just one policy tool. Ongoing intelligence reporting on identified threats and reassessments of U.S. technology developments will continue to motivate CFIUS action. The intelligence community plays a critical role in the CFIUS process by providing national security threat assessments and through regular engagement with U.S. technology innovators. It is very likely that the Biden administration will continue to focus on high-tech sectors including semiconductors, artificial intelligence and robotics, and biotechnology, and will view CFIUS as just one tool in a broader toolkit to address national security concerns in these areas. The Biden administration will likely use the other tools at its disposal, such as export controls; Department of Defense foreign ownership, control, and influence (FOCI) mitigation requirements; outreach to U.S. technology companies and start-ups by the Defense Department and other agencies; and law enforcement activities, to address threats arising from cross-border economic transactions.
There will also likely be an increase in the number of mitigation measures imposed in transactions, following the recent trend of CFIUS imposing routine mitigation requirements involving cybersecurity and data access provisions, as well as restrictions on access to sensitive personal data. The 2019 Annual Report notes that mitigation measures involved limits on the sharing of intellectual property or know-how, guidelines for handling U.S. government contracts or sensitive customer or personal information, physical and logical access limitations to facilities and/or data, governance requirements such as security officers or security committees, and supply assurance requirements. Based on anecdotal reports, the 2020 report is likely to show increasing numbers of mitigation measures. Moreover, CFIUS continues to deploy a range of mechanisms to enforce mitigation measures, including third-party audits and monitors, as well as investigations and remedial actions for violations of mitigation agreements.
Institutional considerations will also impact the Biden administration’s CFIUS approach. For example:
- There are likely to be more non-notified transactions. FIRRMA provided CFIUS with increased direction and funding to identify and exercise authority over investment transactions that have not been filed with CFIUS. This has resulted in increased staffing and capability to identify these transactions and a greater number of investors and business targets with limited CFIUS experience having to navigate the CFIUS process. For example, The Wall Street Journal has reported that CFIUS is allegedly calling in non-notified investments in U.S. startups by Chinese entities.
- CFIUS may need to provide greater clarity and certainty regarding the jurisdictional thresholds for “covered control transactions” and “covered investments,” particularly in the context of the imposition of substantial penalties for failure to submit a mandatory declaration. CFIUS has the power to impose penalties of up to $250,000 or the value of the transaction, whichever is greater, on parties that fail to submit a mandatory declaration to the Committee. While no penalties appear to have been imposed on parties for failing to submit a declaration, CFIUS may need to provide greater guidance on its jurisdictional scope and triggers for the mandatory filing requirement, including the applicability of the Export Administration Regulations license exceptions, to avoid due process issues. The 2020 regulations provide an improved reference guide for assessing jurisdictional thresholds, but leave some questions unanswered.
- There will be an increasing trend towards enforcement. FIRRMA provided greater direction, staffing, and resources to CFIUS to enforce mandatory filing requirements and compliance with mitigation measures. Accordingly, investors and U.S. business targets can expect greater penalties or enforcement requirements if they fail to notify transactions or implement mitigation terms. This is likely to increase the use by CFIUS of monitors, auditors, and security officers to support CFIUS enforcement resources and expertise.
- CFIUS member agency perspectives are likely to evolve and result in greater nuance, except for Chinese-related investments. CFIUS has historically reflected a balance of views between agencies with a traditional focus on national security and agencies with a traditional focus on trade and economic perspectives, with Treasury acting as chair. This balance resulted in a considered approach towards mitigation measures that were narrowly tailored to address national security concerns. A Biden administration is likely to more closely reflect this balance than the Trump administration, during which agencies tended to defer to national security concerns. However, the widespread recognition of China as a strategic competitor means that this more calibrated approach may not necessarily carry over to CFIUS’s scrutiny of Chinese-related investments.
Examination Through a Global Lens
CFIUS is likely to increase cooperation and engagement with U.S. partners and allies to support and leverage those countries’ implementation of foreign investment review regimes. FIRRMA created significant incentives for them to implement foreign investment review regimes comparable to CFIUS, indicating it may lead to reduced U.S. scrutiny in certain areas. This cooperation may provide opportunities to engage with the U.S. government and foreign governments on programs to help develop and implement comparable regimes. This would also benefit private investors and target businesses that currently deal with a complex web of regulatory regimes for investments in cross-border businesses subject to multiple foreign investment reviews and differing standards.
For example, the UK has introduced draft legislation establishing a foreign investment review regime that parallels CFIUS in many respects. The UK regime establishes an investment security body, requires both mandatory and voluntary notifications, and focuses on 17 sensitive sectors that are comparable to the sectors that CFIUS initially targeted. In doing so, the UK mechanism will bring its review regime in line with the U.S. regime, as well as those recently established in France and Germany and the enhanced regime in Australia.
As entities seek to navigate the ongoing changes at CFIUS, they should work closely with third-party risk and compliance experts and legal counsel to ensure their risk and compliance frameworks are prepared for varying levels of scrutiny.