Skip to main content
03.30.2020 Legal News

CFIUS Requirements Expanded Under New Regulations; President Orders Yet Another CFIUS Divestiture

CFIUS has adopted a series of new amendments to its regulations that significantly expand its jurisdiction in the M&A process.  In addition, President Trump has ordered another divestiture of a Chinese acquisition of a U.S. company under CFIUS authority.  These events reinforce the growing importance – and challenges – of CFIUS requirements in acquisition transactions.

A. New CFIUS Regulations.

CFIUS is the Committee On Foreign Investment In the United States.  If a foreign party acquires an interest in a U.S. company that creates national security risks, the President has the authority to block the transaction or order divestiture after the closing, unless CFIUS reviews and clears the transaction.   

CFIUS has adopted a series of new amendments under the Foreign Investment Risk Review Modernization Act (“FIRRMA”) that significantly expand its authority in the CFIUS review process.  CFIUS requirements previously applied when a foreign company acquired “control” over a U.S. company in certain sensitive industries and the parties filed voluntary notices for CFIUS review.  However, under the recent amendments, the requirements and penalties have been significantly expanded – including the requirement for mandatory CFIUS filings for certain transactions.  The amendments became effective on February 13, 2020.  The following highlight a few of the most important changes:

  1. Mandatory Filings.  Parties are now required to make mandatory CFIUS filings (called “mandatory declarations”) for certain transactions.  Such transactions include covered transactions in which the U.S. company is engaged in certain sensitive activities (e.g., involving “critical technologies,” “critical infrastructure,” or the collection of sensitive personal data of U.S. citizens – called a “TID U.S. Business”) and deals in “critical technologies” in one of 27 specified industries.  (CFIUS has stated that it anticipates replacing the 27 specified industries with a mandatory declaration requirement based on export control licensing requirements in the near future.)  Mandatory declarations are also required in covered transactions if a foreign government has a substantial interest in the foreign company that acquires certain U.S. businesses.
  2. Acquisitions of Non-Controlling Interests.  CFIUS jurisdiction, including possible mandatory filing requirements, now extends to a foreign company’s acquisition of a minority interest (of any percentage) in a TID U.S. Business, if the acquisition would afford the foreign person certain other elements of control or influence withing the company.  Similarly, CFIUS requirements may now apply in joint ventures, “incremental acquisitions” and other hybrid transactions.
  3. Certain Debt Transactions.  Certain lending transactions will be subject to CFIUS jurisdiction, such as if there is a significant possibility that a foreign lender could obtain control over a sensitive U.S. business, or acquire an equity interest in such business, and access to sensitive information and/or management rights, as a result of a default or other condition of the loan.  (In such circumstances, the foreign lender may be required to make arrangements to transfer management decisions or day-to-day control over the U.S. business to U.S. nationals.)
  4. Real Estate Transactions.  CFIUS now has jurisdiction over certain real estate transactions, including certain “pure” real estate purchases by foreign parties that are not associated with the purchase of a US company (including greenfield real estate projects).  Requirements will now apply to certain purchases, leases and concessions of U.S. real estate by foreign parties if the subject property is in close proximity to critical infrastructure such as airports, maritime ports and military facilities.
  5. Expanded Scope of Affected Industries.  The industries that give rise to national security risk continue to expand.  These now include a wide array of industries such as defense/government contracts, aerospace, critical infrastructure, “emerging and foundational” technologies, communications, computer manufacturing, optical instruments, chemical and petrochemical manufacturing, electric power and distribution, broadcasting, nanotechnology, biotechnology, aluminum smelting, navigational systems, and semiconductors, to name just a few.  Of particular note, the foreign acquisition of U.S. companies that collect sensitive personal data of U.S. citizens is considered to raise national security risks.  In its recently revised regulations, CFIUS published a list of 27 industries of particular concern[1] and a three-page chart of “critical infrastructure” business activities. 
  6. Increased Penalties – Value of the Transaction.  Penalties for violations have been increased (such as for failure to file mandatory declarations) including fines of $250,000 or the value of the transaction, whichever is greater.
  7. Other Provisions.  The new regulations address a number of additional issues including specialized provisions for investment funds, exemptions for “excepted” foreign nations and abbreviated filing requirements for declarations.  In addition, on March 4, 2020 CFIUS issued proposed regulations for the imposition of filing fees that will be required for certain CFIUS submissions which are expected to be finalized shortly.


B. President Orders Divestiture of Hotel Software Company StayNTouch By Chinese Purchaser

On March 6, 2020 President Trump issued an Executive Order requiring Chinese company Beijing Shiji Information Technology Co., Ltd. (“BSIT”) to divest its previous acquisition of the U.S. company StayNTouch, Inc. (“StayNTouch”) based upon U.S. national security risks.  StayNTouch, which was acquired by BSIT in 2018, provides cloud-based software and services for the hotel management industry.  The order requires BSIT to divest StayNTouch within 120 days of the date of the order, and further requires that during such period BSIT is prohibited from accessing hotel guest data through StayNTouch.  The order is significant in that it was issued 18 months after the date of the acquisition, and almost three and a half years after BSIT’s initial investment in StayNTouch’s series A round.

This is the latest of a series of instances in which the U.S. has “prohibited” a transaction or ordered divestiture after the transaction closed based on national security grounds, including:

  • President Trump’s September 13, 2017 order prohibiting the acquisition of Lattice Semiconductor Corporation by Chinese investors;
  • President Trump’s March 12, 2018 order prohibiting the proposed acquisition of Qualcomm Inc. by Broadcom Ltd. of Singapore;
  • According to public press reports, CFIUS’ 2019 order that the acquisition of U.S. social media company Grindr by the Chinese gaming company Beijing Kunlun Tech Company Ltd. be divested;
  • According to public press reports, CFIUS’ 2019 order that the controlling investment in U.S. healthcare data company PatientsLikeMe by Chinese company iCarbon X be divested; and
  • According to press reports, the 2018 termination of the proposed acquisition of MoneyGram by Alibaba affiliate Ant Financial after the parties were unable to obtain CFIUS approval for the deal.

These cases demonstrate that CFIUS will not only prohibit proposed transactions prior to closing, but also retroactively order divestiture of transactions that have previously closed, sometimes years after the closing.

C. The Growing Importance Of Export Control Classifications Under CFIUS.

One of the most important factors in a CFIUS review is if the target company’s products, technologies and software are subject to U.S. export controls, ie., listed on the U.S. Munitions List (under the ITAR) or the Commerce Control List (under the Export Administration Regulations).  Traditionally, this has been an important factor in analyzing national security risks.  However, under FIRRMA, there is an even greater emphasis on export control classifications since the soon-to-be-adopted export requirements on “emerging and foundational technologies” will be another major factor in determining national security risk.  Also, as referenced above, CFIUS will soon replace the identification of high risk industries by reference to the NAICS codes of the 27 industries with identifications based upon export control licensing requirements.  So, understanding the export classifications of the target company’s products, technologies and software will be of paramount importance in conducting future CFIUS reviews. 

Every company should know the export classifications of its products as part of its normal business activity.  However, if it is contemplating being acquired, these will be significant factors in assessing CFIUS risk.  It typically takes time and resources to determine a company’s export classifications.  If you are considering selling your company or soliciting a major investment and potential investors may include foreign companies, it would be prudent to determine the export control classifications of your products far in advance of any major transaction.

D. Steps For Planning A CFIUS Review.

CFIUS raises important issues in the acquisition of U.S. companies by foreign parties.  If the parties to a transaction do not address properly the risks posed by CFIUS review, they could wake up and learn that their transaction has been prohibited or rescinded – with all of the attendant legal and economic consequences this brings.  In addition, parties could face significant penalties for violations of the CFIUS laws, such as failure to file mandatory declarations.  

If companies are involved in any transactions where a foreign party is purchasing, investing in or lending to a U.S. company (including a minority investment, joint venture, or other hybrid transaction), CFIUS issues may arise.  Questions companies can ask in conducting a CFIUS review include: (i) Does the target company operate in an industry that creates national security risk (including businesses that collect sensitive personal information about U.S. citizens)? (ii) Are the target company’s products, technologies or software listed on the U.S. Munitions List or the Commerce Control List?  (iii) Is the transaction a “covered transaction” under CFIUS regulations? (iv) Is there a requirement to file a mandatory declaration for the transaction? (v) If there is no mandatory filing requirement, would it nonetheless be advisable to obtain CFIUS clearance of the transaction to reduce these risks? (vi) Are there ways to structure the purchase of the target company or its assets to reduce the CFIUS risks? (vii) Does the transaction involve any of the specialized issues under the CFIUS regulations such as involving investment funds, real estate for critical infrastructure, certain debt transactions, “excepted” foreign countries and/or the involvement of foreign governments in the transaction? 

These developments are a reminder for parties to put CFIUS on their list of issues to consider in their acquisition transactions and, if risks arise, to take appropriate actions.


To be placed on our list to receive additional articles on export and import law please click here. Should you have any questions on this topic or others related to import/export law, please contact our team. Additional articles on ITAR, EAR and US sanctions programs are available at: “Export Articles.”

Note:  This article contains general, condensed summaries of actual legal matters, statutes and opinions for information and education purposes.  It is not intended and should not be construed as legal advice.

[1] As referenced above, CFIUS has stated in the Federal Register release related to the amendments that it was in the process of changing the identification of certain sensitive industries from reference to the NAICS codes for 27 specific industries to identification based upon export control licensing requirements.