New CFIUS Regulations: More Powerful, Transparent, and Complex
For years, the fear of China using its financial clout to obtain highly sensitive or national security-related US technology and data has preoccupied presidents and lawmakers. In 2018, President Donald Trump signed into law the Foreign Investment Risk Review Modernization Act (FIRRMA), a bipartisan measure that expanded the powers of the Committee on Foreign Investment in the United States (CFIUS), an interagency group in the executive branch, to scrutinize foreign investments for national security risks. The new law also authorized the Commerce Department to step up controls on technology exports. Then this month, the US Treasury proposed detailed regulations to implement part of CFIUS's new powers, aimed at safeguarding investments without stifling legitimate and beneficial transactions—and without overwhelming a strapped bureaucracy with a mountain of countless minor investigations.
Overall, the new regulations are more carefully drawn than many expected, apparently reflecting the Treasury’s concern that overly broad powers can cause. a “chilling effect on beneficial foreign investment.” But an unintended side effect is that the process of complying with rules designed to protect US security has become significantly more complex. In the past, CFIUS scrutiny would not have applied to investments that fall short of a controlling interest. Companies with potential foreign investors will be wondering whether their deal falls under CFIUS, requiring them to navigate multiple regulatory processes at Commerce and Treasury, which are not yet finalized. They and their lawyers must then determine whether the investor arrangements pass several multi-part tests. Those remaining question marks also make it difficult for observers and even the US Treasury to predict the ultimate impact and scope of the coming rules.
The new regulations will limit reviews on investments from companies in allied countries, or “excepted foreign states” that are not yet determined, and they provide narrow designations of “critical infrastructure.” These definitions should help limit new CFIUS powers to the most pressing security concerns. But the rules on sensitive data are also complex and broad. As currently drafted, they may well chill venture capital (VC) investment and strategic investments that can benefit startups by helping them leverage their technology and data. Depending on the volume of potential reviews exempted by the “excepted foreign state” status, the data rules as proposed could overload CFIUS’s limited manpower with filings of little relevance to national security, reducing its ability to focus on the most serious cases. These and other issues are explored below.
Loophole for Minority Investments in Critical Technology, Infrastructure, and Data Is Closed
Chaired by the US Treasury Department, CFIUS has—since its inception in the 1970s—become an increasingly powerful but secretive body with authority to review any investment that gives a foreigner control of a US business. It can force changes to or reject deals and even force divestment. The Trump administration is not the first to use CFIUS to block or raise warning signals about foreign investments, especially from China, but it is far more active under Trump than in the past.
The new authority established last year was motivated by concerns that restricting CFIUS to transactions with high levels of investor control left a loophole. The concern was that Chinese investors, especially those associated with its military, could employ minority investments to get under CFIUS’s radar and jeopardize national security by gaining access and influence over US businesses with “sensitive” and “critical” technology (T), infrastructure (I), and data (D). (Regulators use the term “TID businesses” for this category.) The new regulations cover foreign investment in TID businesses that falls between control (which CFIUS could always review) and purely passive investment like buying a few shares of stock (which it still cannot review).
Importantly, the excepted foreign states designation could significantly shrink the scale of new reviews on investment coming from US allies, but Treasury has not given concrete information on which countries will be included. It is thus difficult to know whether only countries like France, the UK, and Germany will be included, or also Japan, Korea, Israel, and India. The expanded investment rule will give countries on the initial list of exempted countries two years to adopt their own versions of CFIUS and meet the requirement to have “a robust process to assess foreign investments for national security risks and to facilitate coordination with the United States on…investment security" to qualify. To benefit, firms must also determine if they comply with onerous requirements to qualify as “excepted investors.” A good overview of those rules can be found here.
The definition of “TID” businesses is partly settled by these regulations but still lacks clarity on a key dimension and could be expansive. Until the Commerce Department finishes the laborious definition process (analyzed in an earlier post), there will be confusion. Treasury will incorporate the completed definitions into its critical technology initiatives, including a pilot program (also discussed in the same post).
The regulations lay out 28 types of critical infrastructure for which non-controlling investments should be more heavily scrutinized, such as ports, large capacity oil pipelines, electricity grids, systemically important financial market utilities, key chokepoints in internet infrastructure, and products key to military supply chains with few alternative suppliers. Fears that the administration would consider just about anything to be critical infrastructure have proved unfounded. Each category of critical infrastructure Treasury included has a clear link to national security, and the threshold for scrutiny within each category is carefully tailored to the potential risk.
Definition of Sensitive Data Casts a Wide Net
Additional rules define whether these new powers extend to foreigners taking non-controlling stakes in US companies that collect “sensitive personal data,” including biometric markers (e.g. fingerprints or retina scans that give access to secured locations), security clearance status, health and genetic data, financial condition, insurance applications, location, and private communications like those held by chat and email apps. The new review powers apply if a US business collects or possesses this “sensitive” data and targets its products to “sensitive U.S. government personnel or contractors,” meaning the military, intelligence, or homeland security. Also covered by the new rule are businesses that have or intend to collect or store sensitive data on 1 million individuals or more. The latter two specifications are included because large datasets are likely to capture some of the sensitive population, even if unintentionally.
The intent of these regulations appears to be to avoid undue burdens on companies in industries not important for national security by narrowly construing the mandate for scrutiny. Data are “sensitive” only if they are “identifiable” to specific people, ruling out truly anonymized data. Notably, sensitive data on the company’s own employees does not count, and companies like cloud storage providers are not covered by the regulations if the data are encrypted and the company does not possess the key to decrypt them. Firms that occasionally do credit checks are not supposed to be covered. Despite these apparent narrow definitions of what constitutes sensitive data, the impact will nevertheless be widespread. The threshold of 1 million individuals is low enough to catch any ambitious consumer tech company in spaces with “sensitive” data, and companies with a more international focus will trip the requirements faster because users outside the United States count towards the 1 million mark.
Impact on early stage funding
Venture capital (VC) and private equity (PE) investments are most likely to be affected by the new rules. These firms tend to gain board seats and influence the strategic direction of the company they are investing in, even if they make minority investments without control. Startups tend to raise equity capital in several discrete “rounds” from these investors, with tight timelines that investors must meet to be included in what is often a competition to join the round for hot companies. Foreign investors participated in venture capital funding rounds worth $38.9 billion in 2017, nearly 25 percent of all VC capital raised by US firms that year; 87 percent of the rounds with foreign investors did not involve investors from China or Russia, but some will face tougher scrutiny as well.
The regulations exempted most limited partners in VC funds, who contribute capital but do not make investment decisions, but there is uncertainty about whether the rules will cover venture funds managed by people with nationalities outside the whitelist of “excepted foreign states” if the company receiving investment has this “sensitive” data. Accordingly, most startups in financial technology and insurance, health and biotech, maps, and even weather apps that collect user locations could be subject to the new rules.
The regulations could become a competitive advantage for VC general partners (GPs)—the people who manage venture capital funds, make investment decisions, and often sit on boards—if they are citizens of the United States and excepted countries (dual citizens do not count unless all their citizenships are with excepted foreign states). A fund managed by an American will generally not face CFIUS scrutiny, but foreign VCs and domestic VCs with foreign GPs will. Talented GPs with nationalities outside the whitelist may have to leave the United States and take their expertise elsewhere, because their employer may decide that having to comply with CFIUS is not worth the delay. In another potential unfortunate side effect, more investments may become fully “passive” to avoid tripping CFIUS reviews, which would deprive startup entrepreneurs from benefitting from the advice and expertise of their investors—one of the core functions of venture capital.
To avoid these side effects—as well as better focus the data provision—Treasury could consider taking a similar approach on sensitive data as it did on critical infrastructure. Rather than applying the new regulations to all companies in sectors designated as critical infrastructure, Treasury set specific size thresholds and roles companies must play in each category, based on how critical each one is to national security. It could do the same with sensitive data. To match the threat risk with the threshold for review, size thresholds higher than 1 million people could be tied to the category of data. The user counts could also apply only to American residents or citizens to avoid burdening companies that may be based in the United States but that collect data on people outside the country.
1. The most difficult requirement is that all beneficial owners of over 5 percent of a company must be from excepted countries, along with all board members. For example, French energy giant Total would need all five of the nationalities of its board members (more if some carry multiple nationalities), including Portugal, Australia, Canada, and the Netherlands to be excepted foreign states if it wanted to qualify as an excepted investor.
2. The rule specifies that simply having emails or chats does not qualify as sensitive data. They qualify only if the “primary purpose of such product or service is to facilitate third-party user communications.”
3. The actual contribution of foreigners would be much less than the total value of the round. Funds and companies tend not to disclose how much they raise from each investor, just the total raised from all investors at once and the valuation it implies for the company.