After months of negotiation, Congress recently passed, and the president is expected to sign, the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”).[1] FIRRMA updates the national security review of inbound investments undertaken by the Committee on Foreign Investments in the United States (“CFIUS” or “the Committee”), an interagency body located within the Treasury Department. The bill is broad, expanding and clarifying the Committee’s jurisdiction, codifying CFIUS practices, amending the Committee’s administrative procedures, and granting judicial review of CFIUS decisions. However, the final legislation did not adopt several proposals, including expanding the Committee’s authority over export control regulations and certain joint ventures. Overall, we expect FIRRMA to create a more aggressive, transparent, and efficient CFIUS process.

Expansion and clarification of jurisdiction

FIRRMA both expands CFIUS jurisdiction and codifies certain existing practices. CFIUS reviews certain “covered transactions” to determine whether proposed foreign investments in a U.S. business would impair U.S. national security, and has the authority, along with the president, to block or amend transactions. Under current law, a “covered transaction” requires that a foreign person have effective control over a U.S. business.[2] FIRRMA expands CFIUS jurisdiction to several non-controlling transactions, if the investment involves:

  • Critical technologies. This includes items or technology that are subject to export controls under either the International Traffic in Arms Regulations (“ITAR”) or the Export Administration Regulations (“EAR”), as well as certain undefined “emerging and foundational technologies.”[3]
  • Critical infrastructure. The Committee will “enumerate specific types and examples” of critical infrastructure, and will presumably include defense and military, energy, telecommunication, and financial infrastructure, among others. However, because the regulations will likely enumerate a non-exhaustive list, the Committee may interpret this term broadly.
  • Sensitive personal data of U.S. citizens. This will broadly include consumer data, as well as information regarding financial services, insurance, and health care.
However, CFIUS is authorized to exempt certain countries from these non-controlling transactions.

Other expansions of CFIUS jurisdiction include the Committee’s ability to review certain changes in a foreign investor’s existing rights in a U.S. entity, which could allow the Committee to review both the initial investment by a foreign person, as well as any future investment or change to an entity’s governance structure or authorities. Further, CFIUS may review transactions in real estate located near military facilities, ports, or other sensitive national security facilities. These expansions largely formalize our experience with current CFIUS practices. though it may signal the Committee’s intention to assert this jurisdiction more aggressively.

Administrative procedures and appeals

FIRRMA made significant changes to the CFIUS process, including changes regarding expedited reviews for less sensitive transactions, mandatory filings for certain transactions, timing of the review and investigation procedures, and transparency.

  • Expedited reviews. CFIUS will permit parties to file a short “declaration,” rather than a full joint voluntary notice, describing less sensitive transactions. CFIUS will then have 30 days to respond to the declaration by either clearing the transaction or demanding a full joint voluntary notice.
  • Mandatory filings. Under current law, submitting a transaction to CFIUS for review and investigation is a voluntary process. Although most transactions will remain subject to voluntary filing, CFIUS will require notification of transactions in which the U.S. business involves either critical infrastructure or critical technology, and a foreign government has a substantial interest in the foreign investor. CFIUS will define “substantial interest” in subsequent rulemakings.
  • Review and investigation timelines. When considering a transaction, CFIUS currently has a 30-day review period and an additional 45-day investigation period, if necessary. FIRRMA extends both of these timeframes, automatically making the review period 45 days and allowing the Committee to extend the investigation phase to 60 days, if necessary.
  • Increased transparency. CFIUS currently provides an annual report to Congress, but focuses almost exclusively on broad, aggregated statistics (such as the nationality of foreign investors and the economic sector of the U.S. business). FIRRMA will require CFIUS to report at least basic details regarding all reviews that include a full notice, which will include the results of the case. CFIUS will also be required to provide statistics on the length of time the CFIUS review process takes. The increased transparency will offer parties significantly more information regarding how CFIUS has handled transactions in the past and may allow the development of some baseline precedents.
  • Judicial review. Currently, only very limited substantive due process appeal rights exist in the CFIUS context.[4] FIRRMA will allow appeals of CFIUS determinations to the DC Circuit Court of Appeals, though presidential determinations are not included in the right to judicial review.
  • Filing fees. CFIUS will establish by regulation a filing fee for full notices, though the fee may not exceed either $300,000 or one percent of the value of the transaction. These fees will allow CFIUS to increase its staff to handle CFIUS’ notoriously heavy workload.
FIRRMA reflects Congressional recognition that CFIUS requires broader direct authority to perform its national security reviews, especially over critical technologies and infrastructure, as those terms will be defined under the regulations. The new statutory authority to review transactions implicating sensitive personal data will give the Committee the opportunity to greatly expand its jurisdiction beyond cases traditionally associated with national security and into other, rapidly increasing economic sectors and businesses that store significant amounts of personal data. Even though certain FIRRMA provisions are arguably codifications of current CFIUS practices, the Committee now has direct authorization to continue to aggressively interpret transactions falling within its jurisdiction.


[1] Although the majority of the statutory provisions will come into force 180 days after FIRRMA’s effective date, some provisions will be in force immediately after the president signs the bill, including the changes to the review and investigation period timeframes and the right to judicial review.

[2] In our experience, any transaction not meeting the regulatory 10 percent foreign ownership threshold has been potentially subject to CFIUS review.

[3] An interagency committee will be established to identify emerging and foundational technologies.

[4] See Ralls Corp. v. CFIUS.