As the COVID-19 pandemic continues to spread, U.S. businesses and global trade have both needed to quickly adapt to the conditions of this "new normal." Many companies are starting to face financial distress and a strain on their cash flow. Others view these challenging financial conditions as an opportunity for the acquisition of a distressed business or a chance to pivot to a new business model or to take advantage of unprecedented demand. Still others find themselves in need of renegotiating existing debt instruments. For these and many other reasons, U.S. companies are widely seeking new sources of capital. While maintaining operations is difficult enough in this market, capital transactions are more fraught for U.S. businesses engaged in transactions with non-U.S. businesses. Any business facing a potential change in control or ownership today must be mindful of whether the new regulations by the Committee on Foreign Investment in the United States (CFIUS or the Committee) will impact the contemplated transaction. Certain recent key changes to the process are worth a fresh look and close consideration.
Recent CFIUS Regulatory Changes Now Include Certain Non-Controlling Investments. Query: Is Your Deal Covered?
Historically, the CFIUS regulations were aimed at acquisitions and investments that could result in foreign control of a U.S. business, which CFIUS defines as any engaged in interstate commerce in the United States or certain covered "control" transactions, that raised potential concerns of national security. Many commonly understood that the primary affected industries were mostly limited to government contracting, defense and weapons systems, telecommunications, or high-tech industries. However, with the passage of the Foreign Investment Risk Review Modernization Act (FIRRMA) in 2018, and accompanying new regulations that became effective on February 13, 2020, review by the Committee has now been greatly expanded to include authority for the Committee to review certain non-controlling investments in U.S. businesses. Additionally, the new rules imposed a mandatory requirement to notify the Committee for some transactions, as we wrote about last fall. Particularly noteworthy is the Committee's recently demonstrated propensity to initiate its own investigation into certain transactions, even if the parties did not submit the transaction to CFIUS for approval.
Given this expanded authority, anyone seeking to acquire or invest in a U.S. business, as companies begin to seek funding or undertake other strategic transactions, would be wise to carefully consider the changes to Part 800 of the Treasury Regulations that implement FIRRMA's expansion. That is, in addition to the traditional considerations of a covered transaction, parties must also consider whether their deal involves any non-passive, non-controlling investments in U.S. businesses involved in "critical technologies," "critical infrastructure," or "sensitive personal data" of U.S. citizens. Notably, these "TID U.S. businesses" are those dealing with technology, infrastructure, and data, which:
- Produce, design, test, manufacture, fabricate, or develop one or more critical technologies;
- Own, operate, manufacture, supply, or service any of the listed categories1 of critical infrastructure; or
- Collect or maintain sensitive personal data of U.S. citizens.
The administration is clearly concerned that these TID U.S. businesses not fall under foreign control or ownership, whether directly or indirectly, unless appropriate foreign ownership and control mitigation protections are put in place. Three recent cases self-initiated by the Committee demonstrate that acquisition and investment by Chinese entities remain of heightened concern. In our view, as the pandemic demonstrates, previously routine medical items like face masks, ventilators, and medicines have taken on new importance for national security reasons, as the global supply chain tightens, thereby making these and similar life-saving products and devices – as well as intermediaries involved in the supply of such items – a potential target of increased scrutiny for any CFIUS review.
Recent Divestment Orders of Businesses with Sensitive Personal Data Exemplify New U.S. Concerns, Even for Deals Closed Long Ago
On March 6, 2020, the Trump administration issued a divestment order dissolving the 2018 acquisition of StayNTouch, a U.S.-based mobile hotel property management system, by the Chinese entity Beijing Shiji Information Technology (Shiji). The administration expressed concern that the acquisition could give Shiji access to hotel guest data, which presumably includes customers' credit card information, hotel stay locations and dates, and other sensitive data. The case was self-initiated by CFIUS and ultimately rejected by the Committee, which ordered that Shiji divest StayNTouch within 120 days. Additionally, Shiji and all of its subsidiaries or affiliates were immediately prohibited from accessing customer data and were required to implement controls within seven days to prevent such access until the completion of the divestment. The order also imposed a further condition that any sale by Shiji to a third party (whether or not foreign-owned or -controlled) must also undergo its own review by CFIUS.
This case follows two prior cases involving investments in U.S. businesses that provide access to sensitive personal sensitive data by Chinese businesses. In 2018, the Kunlun Tech Group (Kunlun) bought a popular dating app Grindr without any voluntary notification to CFIUS. Then, in 2019, CFIUS commenced its own review of the transaction and concluded that the deal presented a national security risk because of the access to U.S. sensitive personal data. Thus, the Committee directed that Kunlun sell the app before June 2020. Likewise, reportedly in 2017, the healthcare start-up PatientsLikeMe raised $100 million and sold a majority stake to iCarbonX, which was started by genomic scientists and backed by the Chinese company Tencent. Then, in April 2019, the deal came to the attention of the Committee. Following its review, CFIUS allegedly ordered PatientsLikeMe to divest the interest held by iCarbonX over concerns regarding the access to sensitive personal data; subsequently the business was reportedly acquired by UnitedHealth.
While the updated regulations were under review, the definition of "sensitive personal data" at Section 800.241 was challenged by certain commenters as potentially exceeding "what is necessary to protect national security" and "unnecessarily burdensome." The commenters asserted that such a broad definition "negatively impacts technological advancements, such as artificial intelligence." 2 The administration, however, roundly rejected this opinion and instead announced that "the Treasury Department is cognizant of the potential impacts of the CFIUS process on foreign investments and has endeavored to be specific and circumspect in delineating the Committee's new authorities over covered investments where appropriate and consistent with national security." 3 Thus, CFIUS retained broad discretion to interpret what constitutes "sensitive personal data" in these updated regulations, a decision that is only just starting to play out as noted above.
And Team Telecom Is Now Formally Recognized as Playing a Key Role in the CFIUS Review Process
Consistent with apprehension over access to U.S. citizens' personal data, another area of critical focus has been the telecommunications system, including the technology and applications that are so common on personal phones, which gather and track a myriad of personal data. The high-profile case in May 2019, which blocked China Mobile from interconnecting with the U.S. telecommunications system, best demonstrates that stance. Therefore, it should come as no surprise that the formerly ad hoc group of agencies that comprise "Team Telecom" was formally acknowledged as playing a key role in the CFIUS process. By executive order dated April 4, 2020, the president formalized the input of Team Telecom, now known as the "Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector," as a resource for the U.S. Federal Communications Committee (FCC) in applicable CFIUS reviews and investigations, among other matters involving national security. We anticipate that potential deals in the telecom arena to now undergo even more careful and in-depth scrutiny.
Be Wary of Minority Investments and Lending Transactions That Can Unwittingly Trigger a CFIUS Review
While most understand the traditional rule that CFIUS may review an acquisition of a U.S. business operating in an industry classically thought to impact "national security" by a foreign entity or government, few are fully aware of the impact of these new rules and how they now also cover an incremental acquisition of a U.S. business or an investment or lending transaction. Therefore, each deal involving a foreign entity looking to engage in any sort of strategic transaction with a U.S. business, directly or indirectly, should be analyzed for potential coverage by the amended CFIUS regulations.
Importantly, the new regulations impose 30-day advance mandatory declarations in certain circumstances, including for "covered investments" as defined in the regulations. To provide clarity regarding the scope, the new regulations at Sections 800.303 and 800.304, respectively, provide examples of transactions that are and are not covered transactions. The factors that may trigger the investment within the scope of the new CFIUS rules include:
- Whether the foreign entity that is not an "excepted investor" 4 proposes to acquire a minority, non-controlling interest in a U.S. target that produces a "critical technology," has observer rights to board of director meetings in the target business, or is involved in substantive business decision-making by the target;
- Whether a minority, non-controlling investment, regardless of whether it is immediate or incremental, will afford the foreign party (a non-excepted investor) access to material non-public technical information in an unaffiliated TID business; or, for example,
- Whether a minority, non-controlling investment by the foreign party (a non-excepted investor) will afford access to material non-public technical information in an unaffiliated TID business that became controlled by means of the Export Control Reform Act of 2018 before their agreement was signed.
Certain transactions are clearly excluded from the Committee's authority. Specifically, if the investor is an excepted investor (defined at Section 800.219), the transaction would not need to be reviewed. In a more nuanced exception, an investment that will not result in any "control" of a TID business, or would not give rise to access, rights, or involvement in substantive decision-making in a TID business or access to non-public technical information, would not fall within the scope of the new regulations. Of course, it remains to be seen how those exceptions will be interpreted. The Committee also acknowledged that lenders do not typically automatically acquire title to assets in the event of a default on a loan, so the Committee recognizes that control may not necessarily occur merely through the lending process. Even that exception is a fact-specific exercise, and, as with the others, the devil is in the details.
In summary, as companies now face unprecedented business and financing challenges, it is critical that the particular facts of every investment or lending arrangement that may involve foreign parties be carefully scrutinized to ensure that the new CFIUS regulations are not triggered. If the parties do not bring a transaction to the Committee's attention, the process may nevertheless be commenced by CFIUS. If you have any questions regarding whether your potential transaction or financing arrangements may be impacted by CFIUS, please reach out to Venable's International Trade and Corporate Group attorneys for guidance.
1 See Appendices, Provisions Pertaining to Certain Investments in the United States by Foreign Persons, Final Rule, 85 Fed. Reg. 3112 (Jan. 17, 2020).
2 85 Fed. Reg. 3112, 3118 (Jan. 17, 2020).
4 Section 800.219 to the regulations introduced the concept of an "excepted investor," which focuses on the investor's connections to an excepted foreign state (i.e., those foreign countries that have implemented robust processes to review foreign investment in their country and have sufficient cooperation with the U.S.), which currently includes Canada, the UK, and Australia. For example, a foreign national who is a national of one or more of the excepted foreign states who is not also a dual national of any foreign country that is not an "excepted" foreign state, a foreign government of an excepted foreign state, or certain identified foreign entities, would quality if it meets certain enumerated conditions. However, an "excepted investor" remains subject to CFIUS for any control transaction (versus a non-controlling covered investment) that may apply.