August 16, 2018

FIRRMA Expands CFIUS Jurisdiction in 2 Major Ways

New Law Shifts Emphasis from "Control" to "Influence" and Brings Real Estate Transactions, Including Undeveloped Land, Under CFIUS Review
Holland & Knight Alert
Ronald A. Oleynik | Antonia I. Tzinova | Libby Bloxom


  • President Donald Trump signed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA) into law on Aug. 13, 2018. Among other things, the NDAA contains the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), the first major legislative reform impacting reviews of foreign acquisitions by the Committee on Foreign Investment in the United States (CFIUS) since 2007.
  • FIRRMA brings important changes to the law that all involved in foreign investments in U.S. business should be aware of, and it does emphasize the continuing shift of the CFIUS process from a technical exercise toward a more political trade policy decision.
  • These changes boil down to two major expansions of CFIUS jurisdiction: 1) real estate transactions of developed and undeveloped land, and 2) non-controlling foreign interests in critical infrastructure, critical technologies or sensitive personal data.

President Donald Trump signed the John S. McCain National Defense Authorization Act for Fiscal Year 20191 (NDAA) into law on Aug. 13, 2018. Among other things, the NDAA contains the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), the first major legislative reform impacting reviews of foreign acquisitions by the Committee on Foreign Investment in the United States (CFIUS) since Congress passed the Foreign Investment and National Security Act of 2007 (FINSA) in the wake of the Dubai Ports World imbroglio.

FIRRMA is an important piece of legislation that expands the reach of CFIUS to cover more types of transactions – but the changes are far less drastic than some of the original proposals. The new law expands CFIUS jurisdiction, especially with respect to real estate transactions and non-controlling interests in businesses involved in critical infrastructure, critical technologies and access to sensitive personal data. It also makes certain filings involving foreign governments mandatory. Most of the changes affect only procedure and funding for the Committee and codify recent CFIUS practice. Nevertheless, FIRRMA brings important changes to the law that all involved in foreign investments in U.S. business should be aware of, and it does emphasize the continuing shift of the CFIUS process from a technical exercise toward a more political trade policy decision.

Expanded CFIUS Jurisdiction

The most important changes brought by FIRRMA involve the significant expansion of CFIUS jurisdiction to review certain real estate transactions that were not previously of interest to CFIUS and transactions not resulting in the foreign control of a U.S. business.

The authority of the President of the United States to suspend or prohibit certain transactions is provided in Section 721 to the Defense Production Act of 1950, as amended (50 U.S.C. § 4565) (the Act).2 The regulations implementing the Act are codified at 31 C.F.R. §800 (CFIUS Regulations).3 Under the Act, the President can suspend or prohibit any "covered transaction" when, in the President's judgment, there is credible evidence to believe that the foreign person exercising control over a U.S. business might take action that threatens to impair the national security of the United States, and the law does not otherwise provide adequate protection against such action.4 FIRRMA modifies the definition of "covered transactions."

Under the old standard, a "covered transaction" was any transaction that was proposed, pending or concluded by, or with, any foreign person, which could result in control of a U.S. business by a foreign person.5 "Critical infrastructure" was addressed within the context of a covered transaction and defined as "a system or asset, whether physical or virtual, so vital to the United States that the incapacity or destruction of the particular system or asset of the entity over which control is acquired pursuant to that covered transaction would have a debilitating impact on national security."6 Thus, CFIUS jurisdiction covered any acquisition of a U.S. business that would result in foreign control and that might threaten U.S. national security. It has long been the practice of the United States to leave the term national security undefined to allow the Committee and the President maximum flexibility in asserting jurisdiction over foreign acquisitions of U.S. businesses.

By enacting FIRRMA, Congress made certain practices explicit and, in the process, expanded the reach of CFIUS. It did this by amending the term "covered transaction" to include:

  • any non-passive investment by a foreign person in any U.S. business involved in critical infrastructure, the production of critical technologies or that maintains sensitive personal data that, if exploited, could threaten national security
  • any change in a foreign investor's rights regarding a U.S. business
  • the purchase, lease, or concession by or to a foreign person of certain real estate in close proximity to military or other sensitive national security facilities, and
  • any other transaction, transfer, agreement, or arrangement designed to circumvent or evade CFIUS.7

These changes boil down to two major expansions of CFIUS jurisdiction: 1) real estate transactions of developed and undeveloped land, and 2) non-controlling foreign interests in critical infrastructure, critical technologies or sensitive personal data.

1. Real Estate Transactions – the Close Proximity Test

Until FIRRMA, CFIUS had jurisdiction over transactions that involved a "U.S. business," i.e., a going concern. While assets of a business that comprised most of the business would qualify, the mere acquisition of land did not warrant, and was specifically excluded from, CFIUS jurisdiction. However, during the past few years, CFIUS has developed and applied the so-called "locational test" and weighed in on transactions involving the acquisition of a U.S. business in close proximity to sensitive U.S. Government facilities.8

The most well-known example of this occurred in 2012, when CFIUS reviewed the completed acquisition of an Oregon wind farm by Chinese-owned Ralls Corp. and referred the case to President Barack Obama with a recommendation for divestiture. The concern was the close proximity of the wind farm to a Navy training facility where experimental drone operations were conducted. This was the first publicized case where CFIUS used a "close proximity" test in evaluating the potential threats to U.S. national security.9 Since then, the test has been applied to a number of transactions, and CFIUS's unpublished practice has changed to expand the line of questioning regarding proximity to government facilities.

For example, in 2015, Hilton Worldwide Holdings Inc., a U.S. corporation, sold the Waldorf Astoria New York hotel to a Chinese insurance company, Anbang Insurance Group Co. Ltd., for $1.95 billion. Shortly after the announcement, CFIUS turned its attention to the transaction to determine if there might be any national security implications. In February 2015, CFIUS gave its approval four months after the announcement of the transaction.10 Waldorf Astoria and Anbang filed voluntarily with CFIUS, unlike Ralls Corp. This was the first publicized filing following Ralls that was filed under the location test. However, the hotel was a going concern, i.e., a U.S. business in the real estate sector. The transaction was approved by CFIUS under the Obama Administration. The latest example of a transaction in the real estate sector involves the HNA Group Co., a Chinese conglomerate which was just told by CFIUS that it had to sell its majority stake in a Manhattan skyscraper whose tenants include a police precinct tasked with protecting Trump Tower.11

FIRRMA takes this further. It expands the scope of CFIUS jurisdiction to include any type of real estate transaction, i.e., both developed and undeveloped real estate. FIRRMA specifies that "CFIUS jurisdiction includes the purchase, lease, or concession of private or public real estate that: is located within, or will function as part of, an air or maritime port; [or] is in close proximity to a U.S. military installation or another facility or property of the U.S. Government that is sensitive for reasons relating to national security."12 Under the old statute, the acquisition of a building that might be leased to a government agency would already fall within the purview of CFIUS review as an ongoing concern. However, a piece of undeveloped land on its own was specifically excluded from the scope of CFIUS jurisdiction under prior law and regulations.13

FIRRMA changes this. It not only codifies recent CFIUS practice with respect to real estate businesses but also expands CFIUS jurisdiction to allow CFIUS to block the purchase of even undeveloped land that is in close proximity to a U.S. military installation or another facility or property of the U.S. Government that is sensitive for reasons relating to national security.14 This is a significant change that, for the first time, inserts CFIUS review into purely "greenfield" investment in vacant land. This change allows CFIUS to speculate about the potential use or development of land, or lack thereof. As we saw in the Qualcomm/Broadcom transaction in spring 2018, CFIUS speculated about how the changed ownership of a business would result in reduced research and development investment in 5G technology, thereby allowing China to surpass the United States in this sector and affect U.S. national security. CFIUS recommended blocking the transaction based on concerns that economic inactivity might allow a Chinese company with no nexus to the proposed transaction to benefit from the change of ownership.

2. Non-Controlling Interests in Critical Infrastructure, Critical Technologies or Sensitive Personal Data

Another major departure from the prior regime is the ability to block the acquisition of non-controlling interests in critical infrastructure, critical technologies or sensitive personal data. Since the inception of CFIUS, it was dogma that the foreign acquisition had to result in foreign control, which could pose a threat to U.S. national security. This is no longer the case.

Under FIRRMA, CFIUS jurisdiction now also includes any foreign, non-passive15 investment in U.S. critical infrastructure or critical technology, or a U.S. business that maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security.16 Removing the control test will greatly expand the number of reviewed and reviewable transactions, particularly in the high-tech startup sector, and will likely be used to try to protect new U.S. technologies from the perceived threat of Chinese acquisition under a parallel export controls regime.17

Similarly, CFIUS has not shied away from reviewing and blocking transactions, or requesting restructuring of certain proposed acquisitions that involved access to U.S. consumer data. For example, in 2016, AppLovin Corp. (AppLovin), a U.S. corporation, proposed to sell a majority stake to Shanghai-based Orient Hontai Capital and Orient Securities Limited for approximately $1.4 billion. AppLovin tracks consumer data to provided targeted ads for app companies.18 The parties filed with CFIUS, and then abandoned the deal in November 2017 due to CFIUS's concerns about "the security of the company's data under a foreign owner." The parties restructured the agreement outside of the jurisdiction of CFIUS, with Orient Hontai Capital providing a debt investment of $841 million and acquiring 9.98 percent in AppLovin for $140 million in January 2017. The parties notified CFIUS of the new deal, but CFIUS has not scrutinized the restructured transaction, as Orient Hontai has no control of the company.19

On Jan. 26, 2017, MoneyGram International Inc. (MoneyGram), a Texas-based provider of money transfer services, entered into an agreement whereby MoneyGram would become a wholly owned subsidiary of Alipay, a United Kingdom-based company and subsidiary of Ant Financial Services Group (Ant Financial), a Chinese financial services provider. Approval by CFIUS was a mandatory closing condition.20 The companies terminated the deal after CFIUS rejected their mitigation proposals, with MoneyGram's CEO stating, "[d]espite our best efforts to work cooperatively with the U.S. Government, it has now become clear that CFIUS will not approve this merger."21 CFIUS was concerned about the safety of data that can be used to identify U.S. citizens, as, had the deal closed, Ant Financial would have had access to a large number of records of financial data within the United States. In addition, Ant Financial is reported to have close ties to China's government.

These are just a couple of examples of transactions that were affected in one way or another by CFIUS. But the one thing these transactions had in common is that they involved efforts by foreign investors to acquire control of a U.S. entity. Now, under FIRRMA, CFIUS can also reach transactions that involve any foreign, non-passive investment.22 Such non-controlling interests will include minority equity interests with no board participation and no specific rights with respect to major decisions of the business. In essence, FIRRMA moves the focus from control to influence. That is, can even a minority stake in a company provide the foreign investor the ability to influence decisions of the company? Coupled with the ever-expanding list of critical technologies, this will affect most investments in technology firms, and especially startups that might be looking for investments of even less than $1 million.

Mandatory Filings and Countries of Special Concern

In addition to these substantive changes, FIRRMA also makes several procedural changes to CFIUS reviews. First, it creates a new, short form of filing (a "declaration")23 that will contain basic information regarding the transaction. These declarations are filed in two instances:

  1. Parties may voluntarily submit such a declaration to request that CFIUS determine whether a full, formal filing is necessary. CFIUS is required to take action within 30 days following receipt of a declaration.
  2. Parties must submit a declaration in certain government-control cases involving the acquisition of a "substantial interest" in a critical infrastructure company, critical technology company or other instances to be enumerated in the forthcoming regulations.

FIRRMA authorizes CFIUS to impose civil penalties on any party that fails to comply with the mandatory declaration requirement. Furthermore, parties to covered transactions that are subject to the mandatory declaration requirement may elect to submit a full written notice instead of a declaration.24

Additionally, FIRRMA authorizes CFIUS to "specify criteria to limit the application of [jurisdiction with respect to real estate and 'other investments'] to the investment of certain categories of foreign persons," including mandating CFIUS to "take into consideration how a foreign person is connected to a foreign country or foreign government, and whether the connection may affect the national security of the United States."25 FIRRMA expresses the "sense of Congress" that CFIUS should give particular consideration to covered transactions involving "a country of concern that has a demonstrated or declared strategic goal of acquiring a type of critical technology or critical infrastructure." Moreover, FIRRMA requires CFIUS to produce a report biannually (through 2026) that analyzes and includes information on investment in the United States by Chinese entities.26

Coupled with the reporting requirements on Chinese investment in the United States, FIRRMA appears to be targeting China, and likely Russia for its meddling in the 2016 U.S. presidential elections.27 Earlier versions of FIRRMA contained provisions that authorized two lists – one for countries of concern, which would be subject to heightened scrutiny, and one for countries of which investment would be excepted from certain categories. However, the list-based approach was dropped in the final version of the law. It is now left to CFIUS to decide how to approach the issue.

Procedural Changes

In addition, FIRRMA implements a number of procedural changes.

  • Expanded Timeframe for CFIUS Review: CFIUS currently undertakes an initial 30-day review, with the option for an additional 45-day investigation. FIRRMA extends the review period to 45 days, retains the 45-day optional investigation period and authorizes a one-time extension of 15 days in "exceptional circumstances," which will be defined through CFIUS regulations.28
    (In practice, CFIUS would request the parties to withdraw and refile if it needs additional time; it is unlikely that this practice would be abandoned, but the extended review periods may cut down on the number of requests to withdraw and refile.)
  • Timing for Review of Draft Filings: FIRRMA requires that CFIUS provide comments on draft notices that parties submit in advance of formal filing within 10 business days.29
    (This is a welcome change for filing parties. Because of expanded workflow and a loophole in the law, CFIUS used to informally extend the time it has for review by delaying comments on notified transactions, sometime close to a month. This rule benefits filing parties by providing a stricter timeline for CFIUS.)
  • Timeline for Acceptance of Formal Filings: FIRRMA requires that CFIUS accept formal filings within 10 business days and start the official review period clock.30
    (Like the above point, this change favors parties to a notified transaction.)
  • Authority to Suspend Transactions: FIRRMA provides the authority for CFIUS to suspend transactions or refer transactions to the President prior to the conclusion of the full review period.31
    (It is debatable whether this is expanding CFIUS powers. In the recent Qualcomm review, CFIUS did refer the case to the President prior to the conclusion of the full review period. Had the parties chosen to take the matter to court, it is unlikely they would have prevailed given that CFIUS is tasked with protecting the national security of the United States.)
  • Filing Fee: Currently, there is no filing fee for submitting a notice to CFIUS; however, FIRRMA permits CFIUS to assess a fee of no more than 1 percent of the transaction or $300,000, whichever is less.32
    (This might become a deterrent to some filings, especially relating to investments in startups where the U.S. party is sensitive to costs and where there is uncertainty as to whether a transaction really warrants CFIUS review.)
  • Committee on Foreign Investment in the United States Fund: FIRRMA provides for the creation of a funding mechanism to be administered by the CFIUS chairperson and authorizes $20 million in appropriations to this fund for each of fiscal years 2019 through 2023 for CFIUS to perform its duty.33
  • Expanded Reporting Requirements: FIRRMA requires that CFIUS produce a report biannually (through 2026) that analyzes and includes information on investment in the United States by Chinese entities.34
    (This is in addition to the current annual reporting by CFIUS and reflects the current, widely held perception that China has strategic motives in investing in the U.S. to acquire U.S. intellectual know-how.)
  • Voluntary and Mandatory Declarations: As discussed above, parties would be given the opportunity to file a short-form declaration to obtain CFIUS's view on whether a transaction is subject to review.
    (It will be interesting to see how this would develop. It has been CFIUS's practice not to provide such an opinion unless it has conducted a full review of the transaction. We do not see this practice changing; rather, these short-form declarations would likely result in a full review. What is important here is the mandatory filing of a declaration in certain cases of a foreign-government related transaction, under regulations yet to be developed.)
  • Monitoring Mechanism: FIRRMA requires that CFIUS create a monitoring mechanism with respect to transactions where the parties have not filed a notice with CFIUS.35
    (We note that CFIUS could initiate a review sua sponte under prior law; this is how the Ralls Corp. case developed. However, CFIUS now has a mandate to develop a mechanism to actively monitor such transactions.)

Implementation Timing

While certain sections of FIRRMA become effective immediately, other sections have a delayed effective date by leaving the details to CFIUS to address through regulation. Most provisions do not take effect until 18 months after passage, unless the CFIUS chair determines that all necessary regulations are in place prior to that time.36 Therefore, interested parties should continue to fully engage with the Committee during this process.


The last amendment of the CFIUS process was in 2007, following the infamous Dubai Ports World case. At the time, the CFIUS process was strengthened by introducing political accountability for clearing a transaction and codifying a safe harbor for reviewed transactions. It also introduced a certain level of transparency by requiring CFIUS to issue implementing regulations and guidelines on how the regulations are interpreted and applied.  

Coupled with the current political environment – China's rise as a global political power and Russia's meddling in the 2016 U.S. presidential elections – the timing was right for introducing changes to the CFIUS review process that codify existing CFIUS practice developed since the 2007 amendment and, to the extent perceived necessary, expanding CFIUS jurisdiction over the types of transactions to be reviewed.

The CFIUS process likely will continue to take on a more political role as the Trump Administration, and likely all future presidential administrations, will find it a useful tool for protecting national security – and for use in the broader politics of U.S. trade policy.


1 See text at U.S. House of Representatives website.

2 This authority was initially provided by the addition of Section 721 to the Defense Production Act of 1950 by a 1988 amendment commonly known as the Exon-Florio amendment. In October 2007, the Foreign Investment and National Security Act of 2007 (FINSA) substantially revised Section 721.

3 73 Fed. Reg. 70716 (Nov. 21, 2008).

4 31 C.F.R. §800.101.

5 31 C.F.R. §800.207 (emphasis added).

6 31 C.F.R. §800.208.

7 FIRRMA §1703(a)(4).

8 The "locational test" was first invoked in 2012 in the review of the Ralls Corp. acquisition of a windfarm in Oregon. See "Obama Orders Chinese Company to End Investment at Sites Near Drone Base," New York Times (Sept. 28, 2012).

9 It ultimately involved litigation up to the U.S. Court of Appeals for the District of Columbia Circuit that addressed only procedural matters but deferred to the executive branch on the issue of national security. See Ralls Corp. v. Committee on Foreign Investment in the United States, 758 F.3d 296 (D.C. Cir. 2014).

10 See "CFIUS Clears $1.95B Waldorf Sale To Chinese Insurance Co.," Law360 (Feb. 2, 2015). See also "Waldorf Astoria Deal is Likely Headed for CFIUS Review," Law360 (Nov. 3, 2014). ("While Hilton Worldwide will continue to operate the hotel for the next 100 years, the major renovations that Anbang plans for the hotel raises the potential for cyberespionage and eavesdropping, which are both of significant concern to the U.S. Government, particularly with respect to China. This is a particular concern given that the hotel has, for decades, served as the residence of the United States ambassador to the United Nations, as well as headquarters for U.S. diplomats, including the U.S. president, as they attend the United Nations General Assembly each year. Numerous foreign heads of state and government officials also frequent the hotel.")

11 See "U.S. Orders Chinese Company to Sell Manhattan Building Near Trump Tower," The Wall Street Journal (Aug. 10, 2018).

12 FIRRMA §1703(a)(4)(B).

13 See CFIUS Regulations at 31 C.F.R. §§800.301(d), Example 2; 800.302(c), Example 1.

14 FIRRMA allows for certain exclusions of single family dwellings and urban areas.See FIRRMA §1703(a)(4)(C)(i).

15 Passive investment in a critical infrastructure company or critical technology company is defined as one that 1) is not an outright acquisition; 2) does not afford the foreign investor access to a business's material nonpublic technical information (which does not include financial information regarding the U.S. business); 3) does not afford the foreign investor the right to appoint or nominate directors, observers or similar positions on a business's governing body; and 4) does not provide any involvement, other than the voting of shares, in substantive decision making of the U.S. business regarding the use, development, acquisition, safekeeping or release of sensitive personal data of U.S. citizens, the use, development, acquisition or release of critical technologies, or the management, operation, manufacture or supply of critical infrastructure. §1703(a)(4)(D)(i).

16 See FIRRMA §1703(a)(4)(B)(iii).

17 Note that draft legislation language expanded CFIUS jurisdiction. However, this was dropped from FIRRMA before passage. Therefore, this function remains with the traditional regulators of exports of defense and critical technologies. However, following recent revelations that Chinese investors target U.S. knowhow through startup investments in new technologies developed in the United States, the list of controlled technologies will likely start growing faster. See "HIGH TECH: The Next Wave of Chinese Investment in America," Rhodium Group (April 2014).

18 "Orient Hontai Capital Takes a Majority Stake in AppLovin," Business Wire (Sept. 26, 2016).

19 "Exclusive: AppLovin tweaks Chinese takeover deal after U.S. pushback," Reuters (Nov. 21, 2017).

20 "MoneyGram International Reports First Quarter 2017 Financial Results," Ex-99.1, Form 8-K, SEC Filing (May 4, 2017).

21 "U.S. blocks MoneyGram sale to China's Ant Financial on national security concerns," Reuters (Jan. 2, 2018).

22 FIRRMA §1703(a)(4)(B)(iii)(III).

23 Not to exceed five pages in length.

24 FIRRMA §1706.

25 FIRRMA §1703(a)(4)(E).

26 FIRRMA §1719.

27 FIRRMA §1702(c).

28 FIRRMA §1709.

29 FIRRMA §1704.

30 FIRRMA §1709.

31 FIRRMA §1718.

32 FIRRMA §1723.

33 Id.

34 FIRRMA §1719.

35 FIRRMA §1710.

36 FIRRMA §1721.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.

Related Insights