This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

Dan Minutillo

Attorney for Centre Law Group, Centre Law Group

Quotation Marks
“CFIUS reviews the information provided by the company to determine if the investment and related power of the investor affects US National Security”

Foreign investment in the US: Is there a fly in the ointment?

Foreign investment in the US: Is there a fly in the ointment?


Dan Minutillo explores regulations around foreign investment in the US

If you represent a company in the US that intends to accept an investment from any non-US person or entity – including, but not limited to, a non-US based venture capital firm or one that is comprised, partially or entirely of non-US investors, a non-US bank or government – you might need to determine if the investment meets certain criteria requiring a filing with the US Committee on Foreign Investment in the United States (CFIUS). 

Note that any party to a “covered transaction” as defined infra may initiate a CFIUS review, either before or after the transaction is completed, by submission of a written notice to the CFIUS chairman to request such review, regardless of whether a filing is mandatory. See § 2170(b)(1)(C)(i), 31 C.F.R. §800.224800.401(a), and 800.402(c)(1)(vii). Alternatively, CFIUS may initiate a review sua sponte. See §2170(b)(1)(D).

What is CFIUS?

CFIUS (also known as the ‘Committee’) is a multi-US government agency committee holding the right and authority to review transactions in the US involving foreign investment and certain US real estate transactions to determine the effect of these transactions on US National Security. Specifically, CFIUS is authorized by section 721 of the US Defense Production Act 1950 and implemented by US Executive Order 11858, as amended, including US regulations at Chapter VIII of the US Code of Federal Regulations (CFR). These laws and directives are interpreted by US Federal case law. 

The US Foreign Investment Risk Review Modernization Act 2018 (FIRRMA) became law on August 13 2018, broadening the power of the US president to allow review of certain foreign investments in the US and block or qualify that investment if it is determined to affect US national security adversely. On September 15 2020, the US Department of the Treasury published a final rule modifying US regulations that govern mandatory filings with the Committee. 

CFIUS reviews the information provided by the company to determine if the investment and related power of the investor affects US national security. If that determination is not made within a specified time after a CFIUS filing, the matter goes to the US president for such a determination. Post filing can be a prolonged, intrusive, labor-intense exercise. If you legally avoid filing, you avoid this exercise. 

CFIUS filing criteria

A covered control transaction is any transaction that could result in foreign control of a US business. CFIUS takes a broad definition of control, which includes the powers relating to the sale or transfer of principal assets of a US business, major expenditures or investments, issuances of equity or debt, the selection of new business lines, the entry into new contracts, etc. For example, if a proposed member of the company’s board of directors representing the foreign investors has power (veto power or otherwise) to direct the companies actions regarding, but not limited to, the movement or transfer of the company’s technology, CFIUS considers that power to amount to “control.” Accordingly, such a transaction is a covered control transaction. 

Covered investment

A covered investment is an investment by a foreign person in an unaffiliated TID (as defined infra) US business that is not a covered control transaction and affords the foreign person (1) access to material non-public technical information; (2) membership or observer rights or nomination rights on the board of directors; and (3) involvement, other than voting of shares, in the substantive decision-making of the US business regarding sensitive personal data, critical technologies, or critical infrastructure. For example, if the foreign investor has the right to nominate a director, the investment may therefore become a covered investment.

Mandatory declaration

Once it is determined that the transaction is a covered transaction, the next step is to determine whether any of the criteria for a mandatory declaration (filing with CFIUS) apply.

There are two broad situations in which a mandatory declaration shall be submitted. (1) Where a covered transaction results in the acquisition of a substantial interest (25 per cent or more) in a TID US business by a foreign person in which the national or subnational governments of a single foreign state have a substantial interest (49 per cent or more). (2) A covered transaction where the TID US business produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies for which a US regulatory authorization (CFIUS regulations only allow consideration of three license exceptions – TSU, ENC(b), and STA(c)(1) – in this analysis) would be required to export to the foreign investor and other relevant parties (See 31 C.F.R. § 800.401(c)(1)(i-v).

The threshold question, which is discussed further below, is whether the company TID US business. If the company is a TID US business, then the inquiry becomes very fact-specific based on the identity of the counterparty or the specific technology of the US business.

TID business

In the US, TID (technology, infrastructure and date) business is one (i.e., one that engages in interstate commerce) that (1) products, designs, tests, manufactures, fabricates, or develops one or more critical technologies; (2) performs specified functions with respect to covered investment critical infrastructure; or maintains or collects, directly or indirectly, sensitive personal data of US citizens.

Critical technology

The critical technology label is dependent on an item’s (or technology) reason for control. If an item is included on the United States Munitions List (i.e., ITAR controlled) or controlled for National Security, Chemical and Biological Weapons Proliferation, Nuclear Nonproliferation, Missile Technology, Regional Stability, or Surreptitious Listening Reasons on the Commerce Control List, then it is a critical technology. Furthermore, specially designed and prepared nuclear equipment, parts, components, materials, software and technology; nuclear facilities equipment and material; specified agents and toxins; and emerging and foundational technologies are also considered to be critical technologies. See 31 C.F.R. § 800.215.

To illustrate the complexities of this analysis in the context of a mandatory declaration, consider an item classified as US ECCN 5A002, license exception ENC. License exception ENC may be considered under CFIUS and may be used when determining exportability, but ENC does not remove the national security reason for control imposed by ECCN 5A002, it merely excepts it. This means such an item is critical technology but may be exportable to the foreign investor and other relevant parties.

Sensitive personal data

Sensitive Personal Data within the meaning of CFIUS is highly specific and is not the plain meaning of the phrase. Two initial definitions are important. First, a “personal identifier” is information that identifies a specific individual (e.g., a name, address, e-mail, SSN, phone number). Second, “identifiable data” is data that can be used to distinguish an individual’s identity, including through the use of a personal identifier. 

Sensitive Personal Data is identifiable data that is:

  1. Within any of the categories identified at 31 C.F.R. § 800.241(a)(1)(ii); and
  2. Maintained or collected by a US business that:
    1. Targets or tailors products or services to any US executive branch agency or military department.
    2. Has maintained or collected identifiable data described in (1) on greater than one million individuals at any point over the last 12 months.
    3. Has a demonstrated business objective (e.g., statements in investor presentations) to maintain or collect identifiable data described in (1) on greater than one million individuals, and such data is an integrated part of the US business’s primary products or services.


Before you instruct a US client to move forward with any investment involving ‘foreign money’, you must accomplish a CFIUS analysis to determine if a CFIUS filing is required. In the long term, this analysis will provide your client with insight into US restrictions on foreign investment to help the client better understand US priorities for future investments. 

In the short term, depending on the results of the analysis based on the criteria above, you may be able to provide some good news to the client that there’s no ‘fly in the ointment’ requiring a US CFIUS filing.

Dan Minutillo is an attorney, lecturer and author based in San Jose, California. He is also director of Minutillo Law