At long last, Treasury released the draft CFIUS regulations—and more draft CFIUS regulations—intended to implement FIRRMA. It’s still early, so everything that follows is subject to wholesale revision as this Firm continues to review. But that didn’t stop the Firm from discussing the regulations with the Wall Street Journal and the New York Times yesterday.

The quick-hit version is that there are significant changes to the process and the types of transactions CFIUS will have jurisdiction over. The substantive changes of what CFIUS will review are relatively modest and aligned with where most observers believed CFIUS was heading (i.e., focusing more on technology, infrastructure and data). How sweeping these changes will be post-implementation depends upon the as-yet-undecided fate of the Critical Technology Pilot Program and the degree to which the agencies pursue their significantly expanded enforcement mandate.

Here’s a bit more detail:

The changes to what types of investments CFIUS can review are significant.

First, the core of what CFIUS will review continues to be “covered control transactions,” which are transfers of “control” of a U.S. business to a foreign person. This remains the low but blurry threshold of the acquisition of approximately 10% or more of a target’s equity plus nonpassive governance rights.

The draft regs give CFIUS the authority to review non-controlling investments (referred to as “covered investments”) in “technology, infrastructure or data” (“TID”) U.S. businesses. “TID U.S. Businesses” are as they sound—businesses that:

• deal in “critical technology” (which uses the same definition of “critical technology” that we’ve come to know and love);
• perform specified functions in a variety of infrastructure sectors; or
• maintain or collect “sensitive personal data” of U.S. citizens
  • “sensitive personal data” includes a broad set of personal data, but only if materiality thresholds are met, including the number of people the business collects on (or intends to collect on) or whether the business specifically targets the U.S. government national security functions in its product offerings)

“Covered investments” are those that do not transfer control, but do provide the investor (i) a board seat, (ii) access to material nonpublic technical information or (iii) the ability to influence substantive decisionmaking with respect to the technology of the business.

For non-“TID” businesses, CFIUS will only review transfers of control.

The expansion of mandatory filings is modest.

The regs only *require* a filing in one new type of transaction: when a foreign government will own a “substantial interest” in a foreign person that is in turn acquiring a “substantial interest” in a TID U.S. business. The regs, curiously, set the threshold of “substantial interest” as a 49% or more governmental interest in an entity that is itself taking a 25% or greater interest in the TID U.S. business.

Following the lack of participation in the Pilot Program, many industry participants believed that CFIUS would aggressively expand the category of mandatory filings. The draft regs show a fair amount of restraint by the agencies. It is clear that the drivers of industry participation will not be compulsory filings but rather the agencies’ enforcement actions and overall process reforms. The Pilot Program, if retained or expanded, may drive filings going forward as well.

The changes to the process are significant.

In expanding away from a pure “covered control transaction” analysis, CFIUS has used the dual-tier filing process it initially adopted in the Pilot Program. Parties to any transaction that is subject to CFIUS jurisdiction are permitted to file a “declaration” rather than a “notice.” (The distinctions around these terms will confuse anyone not steeped in CFIUS-speak for years). “Declarations” are short-form filings that get expedited treatment and may yield a quick approval. “Notices” are long-form filings that undergo a 45-day initial review and generally are more thoroughly scrutinized. Notices also require formal certifications by the parties regarding the accuracy of the information being provided.

This distinction—if the CFIUS agencies actively work to provide meaningful feedback to short-form declarations—should be useful. Most questions of whether or not to file with CFIUS are not obvious either way. In the large grey zone, the option to do a light undertaking and receive valid feedback from CFIUS will save parties from having to “roll the dice” on a nonobvious transaction.

If, however, the agencies refuse to clear out transactions that are filed on the short-form basis, then a massive traffic jam will occur and private parties will have more incentive to avoid formal engagement with CFIUS unless it is required or obviously necessary.

There won’t be a single outcome here. At times, the agencies will have a clear policy mandate and will diligently process cases filed as declarations. At others, unclear policy dictates will lead to indecision at the staff level, which inevitably leads to risk aversion and a failure to clear unless the agencies are procedurally required to.

It should be noted: While conferring a speed advantage, declarations sacrifice some certainty—if the investor acquires any new interest in the future that was not described in the declaration, the parties do not have safe harbor from CFIUS action. Conversely, parties that file a long-form notice receive the full safe harbor and the investor can subsequently acquire new rights in the business without triggering a new CFIUS review.

The “white list” lives on.

At this Firm, we thought that a “white list” of countries whose investors would be exempt from CFIUS requirements was an impossible (and impractical) goal. But you can’t win ’em all: The draft regs indeed included a provision for a “white list.” This is in the first instance a diplomatic gesture, as to qualify for white listing, countries must have their own “robust” foreign investment risk review process and must share information with the U.S.. Separately, two-thirds of the CFIUS member agencies must vote to include a country on the white list. The white list won’t go into effect for two years after the regs become effective, and CFIUS states in the commentary that the initial group of white listed countries will be very small.

For an investor to specifically qualify as a white list investor, they must genuinely (editor’s word, not CFIUS’s) come from a white list country and have a clean track record of no violations of things like U.S. export controls laws or dealings with sanctioned entities/individuals.

Detached real estate.

Structurally, the agencies did something very curious with real estate. They put it in a new, separate section of the regulations entirely. The old regs were at 31 C.F.R. Part 800. The Pilot Program is Part 801. Yesterday, CFIUS announced a re-write to Part 800 and said they didn’t know what they’re going to do with part 801. Then they added a new part 802 that deals with real estate separately. (Perhaps this indicates that the Pilot Program is here to stay—it would be unseemly to have a gap between Part 800 and Part 802!).

What are the contents of the new real estate provisions? There’s a lot to it, but ultimately it looks like if you’re an overseas investor buying an airport, a seaport or property within 100 miles of a military installation (with a handy list provided), then you may have to file. Lawyers are paid to find nuance and complications—and we will—but that’s the core of it.

The Unmanned Pilot Program.

The commentary to the draft regs states that CFIUS is still considering what to do with the Pilot Program. The Pilot Program in many ways failed to launch due to the delays in defining “emerging” and “foundational” technology. Those delays left a big hole in the application of the program. If CFIUS scraps the pilot program, without ever having reviewed investments in “emerging” or “foundational” tech companies, one must guess at the point of the program in the first place—indeed, one major justification for FIRRMA—to maintain awareness of overseas investment in early-stage U.S. tech companies—will be ignored.. The wager here is that the pilot program will be modified and retained, to give more time for the definitions of emerging and foundational technologies to have an effect.

Enforcement Multipliers.

One of the biggest changes in the CFIUS process may come via a single line in the regs. Historically, the agencies worked on a consensus (and sometimes unanimity) basis when pursuing enforcement actions. The draft regs give every agency unilateral authority to initiate a review when the parties fail to file. This significantly increases the risk to parties seeking to avoid a CFIUS review. We’ve heard for months that the agencies are ramping up their enforcement capabilities. The draft regs indicate that they’re serious about their police duties.