United States: CFIUS To Base Mandatory Critical Technology Reviews On Export Control Criteria

In Short

The Situation: The U.S. Department of the Treasury ("Treasury Department") recently issued proposed regulations that will alter and in some cases expand the scope of critical technology foreign investments subject to mandatory review by the Committee on Foreign Investment in the United States ("CFIUS" or "Committee").

The Result: The proposed regulations align CFIUS' mandatory review of foreign investments in critical technology U.S. businesses with existing export control regimes, which could subject new categories of investments and foreign investors to mandatory review by the Committee once the proposed regulations become effective.

Looking Ahead: The proposed regulations would require parties to adjust due diligence procedures early in the life cycle of a transaction by shifting from an industry-level analysis of the U.S. business to instead account for the export controls governing the target's sensitive technologies to the foreign parties to the transaction.

On May 22, the Treasury Department published proposed revisions to existing regulations that implemented the Foreign Investment Risk Review Modernization Act ("FIRRMA"), a law passed in 2018 that expands the Committee's jurisdiction over transactions involving certain sensitive U.S. businesses.

Among other things, the proposed regulations would modify the scope of transactions that are subject to mandatory review by CFIUS—namely, those foreign investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop "critical technologies." We have previously discussed the mandatory declaration process and what constitutes a "critical technology," as well as various aspects of the Treasury Department's final rules implementing FIRRMA, here and here respectively.

Existing regulations require transaction parties to submit a mandatory declaration to CFIUS based on a determination of whether a U.S. business with critical technologies participates in a certain industry or industries. Under the proposed regulations, this mandatory declaration requirement will instead be based on whether a regulatory authorization would be required to export the U.S. business's critical technologies to the foreign investor. The Treasury Department explained that this change is designed to leverage "the national security foundations of the established export control regimes."

Failing to notify CFIUS of a transaction subject to a mandatory declaration requirement could result in the Committee requesting a filing, unilaterally initiating review post-closing and requiring a buyer to potentially divest its interest in a U.S. business, and imposing a fine up to the value of the transaction on both the buyer and the seller. As a result, parties should carefully consider early in the life cycle of a deal whether a contemplated transaction involves "critical technologies" and whether the transaction will require a mandatory notification to the Committee.

We discuss the proposed regulations' key changes to the existing CFIUS landscape in turn below, as well as how parties can effectively navigate the Treasury Department's regulations to determine whether a contemplated transaction will require a mandatory declaration to the Committee.

A Shift in Focus: Export Controls Determine Mandatory Declaration Requirement

Under the proposed regulations, parties must submit a mandatory declaration to the Committee if the U.S. business must obtain a "U.S. regulatory authorization" to export, re-export, transfer (in country), or retransfer the U.S. business's relevant critical technology to the foreign parties to the transaction. The proposed regulations also introduce a new provision referred to as "voting interest for purposes of critical technology mandatory declarations." This term sets forth criteria for identifying which investors in the foreign buyer's ownership chain must be considered for purposes of determining when a mandatory declaration is required. If a foreign investor holds a 25% voting interest, direct or indirect, in the foreign buyer, parties must consider the license and authorization requirements for that foreign investor's country as well.

The proposed regulations define U.S. regulatory authorization as encompassing regulatory authorization from one of four distinct export regimes:

1. A license or approval issued by the Department of State under the International Traffic in Arms Regulations ("ITAR");
2. A license from the Department of Commerce under the Export Administration Regulations ("EAR");
3. A specific or general authorization from the Department of Energy; and
4. A specific license from the Nuclear Regulatory Commission.

The shift away from an industry-based focus (i.e., reviewing North American Industry Classification System codes of the U.S. business) to the particular export controls applicable to the critical technologies likely will streamline the mandatory declaration analysis. Moreover, the new rule may increase mandatory declarations for transactions involving critical technologies and especially for foreign investors in countries subject to more significant export controls.

Limited Exceptions Remain Available

Just as the export control rules provide for certain exceptions to license requirements, the proposed regulations provide for a narrow set of license exceptions listed below, if applicable, to excuse an otherwise mandatory filing.

These available license exceptions are:

• License Exception for Technology and Software Unrestricted ("TSU") (15 C.F.R. § 740.13), which relates to the transfer of broadly available technology;
• License Exception for Encryption Commodities, Software, and Technology ("ENC"), paragraph (b) (15 C.F.R. § 740.17(b)), which applies to certain encryption items; and
• License Exception Strategic Trade Authorization ("STA"), paragraph (c)(1) (15 C.F.R. § 740.20(c)(1)), which applies to certain controlled items and technology for transfer to certain allies.

If a license is required to send the technology to the foreign investor and an export of the U.S. business's critical technology between the parties does not qualify for one of these license exceptions, the parties must make a mandatory filing.

In addition, existing exemptions for foreign persons qualifying for "excepted foreign investor" status or that are subject to a foreign ownership, control, or influence ("FOCI") agreement and operate under a valid facility security will continue to apply.

We include here a flow chart summarizing how the new rule will apply.

Three Takeaways

1. The proposed regulations will align CFIUS' mandatory declaration requirement with existing export control regulations, which likely will subject certain foreign investors to new declaration requirements.
2. Parties must be prepared to adjust due diligence procedures to assess the sensitivity of the U.S. business's technologies as well as the composition and voting interest of foreign parties to the transaction.
3. Parties should carefully consider whether the new exceptions may excuse the parties from making a mandatory notification.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.