CFIUS Goes Back to the Future by Tying Mandatory Filings Pertaining to Critical Technologies to U.S. Export Controls Assessments

Pursuant to a final rule recently promulgated by the Office of Investment Security, U.S. Department of the Treasury (“Treasury”) that further implements the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), effective October 15, 2020, the determination as to whether a filing with the Committee on Foreign Investment in the United States (“CFIUS”)¹ will be required in connection with investments in U.S. “critical technology businesses” is entirely dependent on whether a U.S. export authorization would be required to export the business’ “critical technology” to certain foreign persons involved in the transaction, regardless of whether an actual export of the technology has or is intended to occur. The Treasury rulemaking also clarified the circumstances under which a foreign investor in which a foreign government has a “substantial interest” will trigger a mandatory CFIUS filing in connection with investments in or acquisitions of certain types of U.S. businesses.

Now that Treasury has issued its final rule, the Bureau of Industry and Security, U.S. Department of Commerce (“BIS”) is likely to face intensified scrutiny regarding the pace of its efforts to identify and control “emerging” and “foundational” technologies as required under the Export Control Reform Act of 2018 (“ECRA”), as such technologies are considered “critical technologies” for CFIUS purposes. Indeed, despite the fact that BIS possesses technical expertise across a range of industries, a number of members of Congress recently have advocated for CFIUS also to assume responsibility for the identification of such technologies.

Taken together, this recent CFIUS action and the ongoing BIS processes reflect the codification of the U.S. government’s keen historical interest, as expressed through CFIUS, in protecting sensitive technologies and assuring supply chain integrity. Since its inception, CFIUS has focused on sensitive technologies, such as microelectronics and composite materials, but reform efforts prior to FIRRMA primarily were geared toward infrastructure (e.g., port) security. FIRRMA recognized that new technologies are being rapidly developed and deployed and that the lines demarcating potential commercial and military applications for newer technologies are blurring. Accordingly, FIRRMA essentially compelled CFIUS to go back to the future by evolving further to focus on cutting-edge technologies in various fields, such as additive manufacturing (i.e., 3D printing), artificial intelligence, autonomous vehicles and associated technologies, robotics, and semiconductors, in an effort to ensure that the U.S. maintains its technological leadership regarding the development of critical technologies.

The potential for a greater number of mandatory CFIUS filings, coupled with CFIUS’ more recent aggressive posture regarding making inquiries about, and opening reviews of, transactions that were not notified to CFIUS, suggests that parties considering critical technology-related investments, even if not subject to a mandatory filing requirement, might be highly incentivized to file a formal notice in an effort to secure the regulatory safe harbor that is not necessarily guaranteed when parties file under the short-form declaration process.  

U.S. Export Controls Assessments Now Drive Mandatory CFIUS Filings Pertaining to Investments in U.S. “Critical Technology” Businesses

The Treasury rulemaking represents the culmination of a process initiated in October 2018 with the publication of regulations establishing a “pilot program” to implement the expansion of CFIUS’ jurisdiction to include certain non-passive, noncontrolling investments in U.S. critical technology businesses as directed by FIRRMA. The pilot program also implemented FIRRMA’s authorization to make mandatory the filing of a short-form declaration or a notice regarding covered non-passive, noncontrolling and controlling investments in U.S. critical technology businesses. The pilot program focused on U.S. businesses that produce, design, test, manufacture, fabricate or develop a critical technology item, but only to the extent that the business operated in or tailored technology for customer use in one or more of 27 specifically enumerated industries, which were identified by reference to their North American Industry Classification System (“NAICS”) codes. U.S. companies, however, generally self-assign their NAICS codes, of which there are hundreds (and many of which are closely related). This injected a certain degree of subjectivity into the process of assessing whether a particular investment might trigger a mandatory CFIUS filing.

As of October 15, 2020, the Treasury rulemaking eliminates the NAICS code prong of the critical technology filing assessment and replaces it with a test focused solely on the U.S. export controls classification of the technology at issue and whether a U.S. export authorization would be required to export the technology to certain foreign persons involved in the transaction — even if an export from the U.S. never actually occurs. While more objective in nature, a U.S. export controls assessment potentially could be a highly technical and complicated exercise, and could be burdensome for early-stage companies that may lack the funding and the resources to undertake such an assessment. Furthermore, the loss of the NAICS code criterion inevitably will result in a broader universe of U.S. businesses that are deemed to be “critical technology” businesses, which in many cases will trigger mandatory CFIUS filing requirements.

As a consequence of the Treasury rulemaking, an assessment as to whether there would be a mandatory CFIUS filing requirement in connection with a transaction that results in foreign person control over a U.S. critical technology business or a noncontrolling “covered investment”² by a foreign person in a U.S. critical technology business would be expected to take the following three steps:

Step One: Determine the U.S. Export Controls Status and Classification of the Technology Produced, Designed, Tested, Manufactured, Fabricated or Developed by the U.S. Business

For purposes of the CFIUS regulations, “critical technologies” generally include:

1. military technologies subject to the International Traffic in Arms Regulations (“ITAR”), as classified by reference to the U.S. Munitions List;
2. civilian/military dual-use technologies subject to the Export Administration Regulations (“EAR”) that are described within Export Control Classification Numbers enumerated on the Commerce Control List (a) pursuant to multilateral export control regimes relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation or missile technology, or (b) for reasons relating to regional stability or surreptitious listening;
3. nuclear technologies covered by rules relating to foreign atomic energy activities and export and import of nuclear equipment and materials;
4. select agents and toxins; and
5. emerging and foundational technologies controlled pursuant to FIRRMA’s companion legislation, the ECRA.

Thus, any items that the target U.S. business produces, designs, tests, manufactures, fabricates or develops must be considered, regardless of whether such items are made commercially available and regardless of whether such items have ever been or are intended to be exported from the U.S.

Note that the assessment of what constitutes a “critical technology” item is made as of the earliest date among the following: (i) the completion date of the transaction; (ii) the execution of a binding written agreement, or other binding document, establishing the material terms of the transaction; (iii) the making of a public offer to shareholders to buy shares of a U.S. business; or (iv) solicitation by a shareholder of proxies in connection with an election of the board of directors of a U.S. business or an owner or holder of a contingent equity interest has requested the conversion of the contingent equity interest. Tying the date of the critical technology assessment to a transaction event effectively guards against the risk that a change in the U.S. export controls status of an item during the pendency of a transaction could impact the CFIUS risk profile, particularly given that the failure to make a mandatory filing potentially could trigger penalties amounting to the value of the transaction.

Step Two: Determine Whether a U.S. Export Authorization Would Be Required in Connection with a Hypothetical Export-Related Transaction

Once the U.S. export controls jurisdiction and classification of the technology at issue is determined, the Treasury rulemaking requires an assessment of whether a “U.S. regulatory authorization”³ would be required to export, reexport or transfer the technology to a person that:

1. could directly control the U.S. business;
2. is directly acquiring an interest that is a “covered investment,” as described above, in such U.S. business;
3. has a direct investment in such U.S. business, the rights of such person with respect to such U.S. business are changing, and such change in rights could result in a covered control transaction or a “covered investment”;
4. is a party to any transaction, transfer, agreement or arrangement with respect to such U.S. business the structure of which is designed or intended to evade or circumvent the application of the CFIUS regulations; or
5. individually holds, or is part of a group of foreign persons that, in the aggregate, holds, a covered voting interest for purposes of critical technology mandatory filings in a person described in (1) through (4) above.⁴

The rule provides that determinations as to whether an export authorization is required are to be without regard to the availability of license exemptions under the ITAR or license exceptions under the EAR, except as described below, and are based on the principal place of business of the entities under consideration or the nationality or nationalities of any individuals under consideration under the relevant U.S. regulatory regime. The rule further requires an assumption that the foreign person at issue is an “end user” of the relevant critical technology, thus requiring an assessment of whether an export licensing requirement applies based on “end user”-based controls applicable to that particular foreign person, regardless of the person’s principal place of business or nationality. (For example, a person designated on the BIS Entity List would be subject to such end-user-based controls.) Under the ITAR, licenses or other forms of approval are required for virtually all destinations, but under the EAR a more careful assessment of the technology at issue, in combination with applicable destination-based, end user-based and end use-based, controls, is required.

Step Three: Assess Available License Exceptions

While EAR license exceptions mostly do not factor into the analysis, the Treasury rulemaking provides that there will not be a requirement to make a CFIUS filing with respect to critical technology subject to the EAR where the following license exceptions would authorize export of the technology to the foreign person at issue: (i) License Exception Technology and Software Unrestricted (TSU) (Section 740.13 of the EAR); (ii) License Exception Encryption Commodities, Software, and Technology (ENC) (Section 740.17(b) of the EAR); and (iii) License Exception Strategic Trade Authorization (STA) (Section 740.20(c)(1) of the EAR). Note that for purposes of License Exception ENC, certain items may be self-classified in accordance with Section 740.17(b)(1) of the EAR, whereas certain other items require submission to BIS of a request for a formal commodity classification determination in accordance with Sections 740.17(b)(2) and (b)(3) of the EAR (though in certain limited instances License Exception ENC eligibility is assured as of the date of the submission to BIS). In the latter case, there also may be certain end user restrictions that could impact the availability of the license exception, such as limitations pertaining to certain foreign government end users. As noted above, any evaluation of the availability of this license exception must address all critical technology encryption items produced, designed, tested, manufactured, fabricated or developed by the target U.S. business, which, in the case of encryption items, potentially could include object code software, source code and technology.

Treasury has made clear, however, that the availability of License Exception ENC for these purposes is not contingent on the submission of annual or semi-annual reports to BIS, as may be required. Similarly, Treasury disregards the recordkeeping requirements associated with License Exception TSU and the requirement to furnish certain commodity classification determinations to third parties in accordance with License Exception STA.

Key Clarifications for Mandatory CFIUS Filings Involving a Substantial Foreign Government Interest in “TID U.S. Businesses”

A mandatory CFIUS filing also is triggered by transactions that result in a foreign government having a “substantial interest” in a Technology, Infrastructure, or Data ("TID") U.S. business. A substantial interest arises when a foreign person obtains a 25% or greater voting interest, directly or indirectly, in a U.S. business if a foreign government in turn holds a 49% or greater voting interest, directly or indirectly, in the foreign person.

The Treasury rulemaking clarified that for entities whose activities are primarily directed, controlled or coordinated by or on behalf of a managing partner, managing member or equivalent, the term “voting interest” is construed to mean 49% or more of the interest in the general partner, managing member, or equivalent. Furthermore, for purposes of determining the percentage of voting interest held indirectly by one person in another, any interest of a parent, as that term is defined for purposes of the CFIUS regulations (e.g., holding at least 50% of the outstanding voting interest in an entity), will be deemed to be a 100% interest in any entity of which that person is a parent.  

Status of BIS Identification of “Emerging” and “Foundational” Technologies and Growing Criticism

One of the driving forces behind FIRRMA was the concern that foreign persons were gaining access to sensitive U.S. technologies by virtue of investments that fell outside of CFIUS’ jurisdiction. Equally as concerning to Congress were outbound transfers of sensitive technologies. As a result, the earliest negotiations relating to what ultimately became FIRRMA included provisions expanding CFIUS’ jurisdiction beyond inbound investments to capture transfers of sensitive technologies outside the U.S. (e.g., in connection with license agreements and/or joint ventures). Of course, the prevailing U.S. export controls regimes already provided the foundation for controlling such technology transfers, which eventually resulted in the more limited expansion of CFIUS’ jurisdiction via FIRRMA. But as an acknowledgment of the risk to U.S. national security presented by technology transfers, Congress also enacted the ECRA, which, among other things, directed the U.S. Department of Commerce (“Commerce”) to spearhead the establishment of a formal, ongoing process to identify and review “emerging and foundational technologies that are essential to the national security of the United States” and require appropriate export controls for these technologies. As noted above, any such technologies also are treated as “critical technologies” for CFIUS purposes.

To date, Commerce has identified only a relatively small number of “emerging technologies” and has opted to impose controls only through multilateral regimes, such as the Wassenaar Arrangement and the Australia Group, including most recently through a notice published in the Federal Register on October 5, 2020.⁵ While Commerce enjoys the authority to impose unilateral controls, export controls are maximally effective when applied consistently by the U.S. and its allies. Nevertheless, as detailed below, there has been mounting criticism of the slow pace of the Commerce process, both with respect to the identification of “emerging” technologies, which at least has been initiated, and with respect to the identification of “foundational” technologies.

Indeed, it was only on August 27, 2020, that BIS finally issued a long-awaited Advance Notice of Proposed Rulemaking (“ANPRM”) soliciting comments on the criteria to be used to identify “foundational technologies” that are essential to U.S. national security. But the “foundational technologies” ANPRM was not nearly as detailed as the corollary “emerging technologies” notice published in November 2018. Comments on the ANPRM initially were due to be submitted by October 26, 2020, but BIS recently extended the comment period until November 9, 2020.

Because the treatment of “foundational technologies” will impact the scope of transactions within the jurisdiction of CFIUS, there has been recent congressional criticism regarding the slow pace of the rulemaking, including an attempt to legislatively authorize CFIUS to determine which technologies are deemed essential to U.S. national security.

Specifically, a Congressional Research Service report, dated August 21, 2020, noted that the “absence of new technology controls arguably impedes not only ECRA implementation but also congressional reforms that expanded the authority of [CFIUS] to review Chinese and other foreign investments in critical and emerging technologies below a traditional threshold of foreign control . . . CFIUS can only act against noncontrolling foreign investments if the technologies involved in the transaction are [export] controlled.” Sensing this potential implementation gap, in August 2020, Senators Thom Tillis (R-NC), John Cornyn (R-TX) (who was a driving force behind FIRRMA) and Marco Rubio (R-FL) introduced legislation to expand CFIUS’ jurisdiction to review foreign investments in emerging and foundational technology in the U.S. In a press release, Sen. Tillis explained the need for this legislation as follows: “Right now, CFIUS relies heavily on the Commerce Department to determine what qualifies as an emerging and foundational technology as it relates to reviewing foreign investments . . . This legislation will simply extend the powers of the CFIUS chair and one other member of CFIUS to determine what technologies are deemed essential to the national security of the United States.” House Republicans and members of the so-called China Task Force echoed Sen. Tillis’ remarks in a report, dated September 30, 2020: “If [the Department of Commerce’s] Bureau of Industry and Security is unable to make substantial and measurable progress in fulfilling this requirement, Congress should consider whether a different bureau or department can better fulfill this statutory obligation.”

Consistent with the views expressed by key members of Congress, on October 15, 2020, the White House announced the issuance of the “National Strategy for Critical and Emerging Technologies,” which describes a more holistic approach to promoting and protecting U.S. technological leadership in a number of industries (detailed in Annex A below).⁶ One priority action identified by the report relates to ensuring that critical and emerging technologies are adequately controlled under relevant U.S. export laws and regulations, as well as under multilateral export regimes. Shortly after the issuance of the report, Commerce Secretary Ross lauded the Commerce Department's supportive efforts, noting that 37 technologies have been designated as “emerging” thus far.

Key Takeaways

• The elimination of the NAICS code prong of the prior test to determine whether there is a mandatory filing requirement in connection with an investment in a U.S. critical technology business will substantially increase the number of U.S. businesses that are considered critical technology businesses. This may, consequently, result in an increase in transactions subject to a mandatory CFIUS filing, which, in turn, might nudge parties toward filing notices, rather than short-form declarations, in an effort to ensure safe harbor protection.
• The reliance on the prevailing U.S. export controls regimes likely will result in a greater degree of certainty regarding which investments will be subject to mandatory filing requirements, but also will likely increase the diligence burden significantly and, in a limited number of instances, could impact deal timing.
• Congress is likely to be more actively policing BIS with respect to the implementation of controls on “emerging” and “foundational” technologies, which may force BIS to impose unilateral controls before proceeding with multilateral engagement. If so, U.S. exporters may suffer as customers turn to alternative non-U.S. suppliers for which there are limited or no export-related regulatory considerations.     
  
  

^{1. Technically, the regulations address the mandatory submission of a short-form declaration, but depending on the facts and circumstances, critical technology transactions often warrant the filing of a full notice. Accordingly, we refer throughout more generally to mandatory CFIUS filing requirements.↩}

^{2. A non-controlling foreign investment must be analyzed if it would afford the foreign investor (i) access to material nonpublic technical information held by the U.S. business; (ii) membership or observer rights on the board of directors or similar governing body of the U.S. business; or (iii) the right to appoint a member of the U.S. business’ board of directors; or (iv) any involvement, beyond the mere voting of shares, in substantive decision-making regarding the U.S. business’ use, development, acquisition or release of the critical technology.↩}

^{3. A U.S. regulatory authorization includes: (i) a license or other approval issued by the Directorate of Defense Trade Controls, U.S. Department of State in accordance with the ITAR; (ii) a license issued by BIS in accordance with the EAR; (iii) a specific or general authorization from the U.S. Department of Energy under the regulations governing assistance to foreign atomic energy activities; and (iv) a specific license from the U.S. Nuclear Regulatory Commission under the regulations governing the export or import of nuclear equipment or material.↩}

^{4. The term “voting interest” in this context means a voting interest, direct or indirect, of 25% or more. For entities whose activities are primarily directed, controlled or coordinated by or on behalf of a managing partner, managing member or equivalent, the term “voting interest” is construed to mean 25% or more of the interest in the general partner, managing member or equivalent. Furthermore, for purposes of determining the percentage of voting interest held indirectly by one person in another, any interest of a parent, as that term is defined for purposes of the CFIUS regulations (e.g., holding at least 50% of the outstanding voting interest in an entity), will be deemed to be a 100% interest in any entity of which that person is a parent.↩}

^{5. In early 2020, Commerce also imposed unilateral controls on certain geospatial imagery software, though we understand the impetus for such controls was unrelated to the ECRA process.↩}

^{6. This list will be reviewed and updated annually via an interagency process coordinated by the National Security Council.↩}

Annex A

Advanced Computing

Advanced Conventional Weapons

Technologies

Advanced Engineering Materials

Advanced Manufacturing

Advanced Sensing

Aero-Engine Technologies

Agricultural Technologies

Artificial Intelligence

Autonomous Systems

Biotechnologies

Chemical, Biological, Radiological, and Nuclear ("CBRN") Mitigation Technologies

Communication and Networking

Technologies

Data Science and Storage

Distributed Ledger Technologies

Energy Technologies

Human-Machine Interfaces

Medical and Public Health Technologies

Quantum Information Science

Semiconductors and Microelectronics

Space Technologies