CFIUs: Is There a Fly In The Ointment?

by Dan Minutillo, Partner


If you represent a company in the US that intends to accept an investment from any non-US person or entity, including but not limited to, a non-US based venture capital firm or one that is comprised, partially or entirely of non-US investors, a non-US bank or Government, you might need to accomplish an analysis to determine if the investment meets the criteria, described below, requiring a filing with the US Committee on Foreign Investment in the United States (CFIUS).

Note that any party to a “covered transaction” as defined infra may initiate a CFIUS review, either before or after the transaction is completed, by submitting a written notice requesting such review to the CFIUS chairman, regardless of whether a filing is mandatory. See § 2170(b)(1)(C)(i), 31 C.F.R. §800.224, 800.401(a), and 800.402(c)(1)(vii). Alternatively, CFIUS may initiate a review sua sponte. See §2170(b)(1)(D).

What is CFIUS?

CFIUS (also know as the “Committee”) is a multi-US Government agency committee holding the right and authority to review transactions in the US involving foreign investment and certain US real estate transactions to determine the effect of these transactions on US National Security. Specifically, CFIUS is authorized by section 721 of the US Defense Production Act of 1950 and implemented by US Executive Order 11858, as amended, including US regulations at Chapter VIII of the US Code of Federal Regulations (CFR). These laws and directives are interpreted by US Federal case law.

The US Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) became law on August 13, 2018, broadening the power of the President of the US to allow review of certain foreign investments in the US and block or qualify that investment if it is determined to affect US National security adversely. On September 15, 2020, the US Department of the Treasury published a final rule modifying US regulations that govern mandatory filings with the Committee.

CFIUS reviews and analyzes the information provided by the company to determine if the investment and related power of the investor affects US National Security. If that determination is not made within a specified time after a CFIUS filing, the matter goes to the US President for such a determination. Post filing can be a prolonged, intrusive, labor-intense exercise. If you legally avoid filing, you avoid this exercise.

CFIUS Filing Criteria

Covered Control Transaction

A covered control transaction is any transaction that could result in foreign “control” of a US business. CFIUS takes a very broad definition of “control,” which includes the powers relating to the sale or transfer of principal assets of the US business, major expenditures or investments, issuances of equity or debt, the selection of new business lines, the entry into new contracts, etc. For example, if a proposed member of the company’s Board of Directors representing the foreign investors has power (veto power or otherwise) to direct the companies actions regarding, but not limited to, the movement or transfer of the company’s technology, CFIUS considers that power to amount to “control.” Accordingly, such a transaction is a covered control transaction.

Covered Investment

A covered investment is an investment by a foreign person in an unaffiliated TID (as defined infra) US business that is not a covered control transaction and affords the foreign person (1) access to material nonpublic technical information; (2) membership or observer rights or nomination rights on the board of directors; and (3) involvement, other than voting of shares, in the substantive decisionmaking of the US business regarding sensitive personal data, critical technologies, or critical infrastructure. For example, if the foreign investor has the right to nominate a director, the investment may therefore become a covered investment.

Mandatory Declaration

Once it is determined that the transaction is a covered transaction, the next step is to determine whether any of the criteria for a mandatory declaration (filing with CFIUS) apply.

There are two broad situations in which a mandatory declaration shall be submitted. (1) Where a covered transaction results in the acquisition of a substantial interest (25% or more) in a TID US business by a foreign person in which the national or subnational governments of a single foreign state have a substantial interest (49% or more). (2) A covered transaction where the TID US business produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies for which a US regulatory authorization (CFIUS regulations only allow consideration of three license exceptions – TSU, ENC(b), and STA(c)(1) – in this analysis) would be required to export to the foreign investor and other relevant parties (See 31 C.F.R. § 800.401(c)(1)(i-v).

The threshold question, which is discussed further below, is whether the company TID US business. If the company is a TID US business, then the inquiry becomes very fact specific based on the identity of the counterparty or the specific technology of the US business.

TID US Business

The acronym “TID” stands for “technology, infrastructure, and data”. A TID US business is a US business (i.e., one that engages in interstate commerce) that (1) products, designs, tests, manufactures, fabricates, or develops one or more critical technologies; (2) performs specified functions with respect to covered investment critical infrastructure; or maintains or collects, directly or indirectly, sensitive personal data of US citizens.

Critical Technology

The critical technology label is dependent on an item’s (or technology) reason for control. If an item is included on the United States Munitions List (i.e., ITAR controlled) or controlled for National Security, Chemical and biological Weapons Proliferation, Nuclear Nonproliferation, Missile Technology, Regional Stability, or Surreptitious Listening reasons on the Commerce Control List, then it is a critical technology. Furthermore, specially designed and prepared nuclear equipment, parts, components, materials, software and technology; nuclear facilities equipment and material; specified agents and toxins; and emerging and foundational technologies are also considered to be critical technologies. See 31 C.F.R. § 800.215.

To illustrate the complexities of this analysis in the context of a mandatory declaration, consider an item classified as US ECCN 5A002, license exception ENC. License exception ENC may be considered under CFIUS and may be used when determining exportability, but ENC does not remove the national security reason for control imposed by ECCN 5A002, it merely excepts it. This means such an item is critical technology, but may exportable to the foreign investor and other relevant parties.

Covered Investment Critical Infrastructure

Criteria concerning covered investment critical infrastructure is specifically set forth in Appendix A to 31 C.F.R. § 800. Column 1 of this appendix describes a system or asset that constitutes a covered investment critical infrastructure and column 2 describes the corresponding function(s) relating to that covered investment critical infrastructure that make a company a TID US business.

Sensitive Personal Data

Sensitive Personal Data within the meaning of CFIUS is highly specific and is not the plain meaning of the phrase. Two initial definitions are important. First, a “personal identifier” is information that identifies a specific individual (e.g., a name, address, e-mail, SSN, phone number). Second, “identifiable data” is data that can be used to distinguish an individual’s identity, including through the use of a personal identifier.

Sensitive Personal Data is identifiable data that is:

(1) Within any of the categories identified at 31 C.F.R. § 800.241(a)(1)(ii) and

(2) Maintained or collected by a US business that:

  1. Targets or tailors products or services to any US executive branch agency or military department.
  2. Has maintained or collected identifiable data described in (1) on greater than one million individuals at any point over the last 12 months.
  3. Has a demonstrated business objective (e.g., statements in investor presentations) to maintain or collect identifiable data described in (1) on greater than one million individuals, and such data is an integrated part of the US business’s primary products or services.


Before you instruct a US client to move forward with any investment involving “foreign money” you must accomplish a CFIUS analysis to determine if a CFIUS filing is required. In the long term, this analysis will provide your client with insight into US restrictions on foreign investment to help the client better understand US priorities for future investments.

In the short term, depending on the results of the analysis based on the criteria above, you may be able to provide some good news to the client that there’s no “fly in the ointment” requiring a US CFIUS filing.