After several months of back-and-forth, the Senate and House of Representatives agreed on a consensus version of the Foreign Investment Risk Review Modernization Act (FIRRMA) on July 23. FIRRMA reforms the Committee on Foreign Investment in the United States (CFIUS) process currently used to evaluate and address national security concerns related to foreign investment into the United States. While originally introduced separately, the bill was ultimately incorporated into the National Defense Authorization Act (NDAA) for Fiscal Year 2019. The final version of the NDAA emerged from conference on July 26 and was overwhelmingly approved by the House later that day and by the Senate on August 1. The president is expected to sign the NDAA into law shortly.

When FIRRMA was initially introduced, Yale scholar and Lawfare contributor Robert D. Williams wrote a primer on the bill that described how it would address concerns about high levels of Chinese investment in U.S. technology. (CFIUS reform was also the focus of an episode of the Lawfare podcast.) This post takes a closer look at the final version of FIRRMA to examine how it will affect the CFIUS process.

The Current CFIUS Process

Originally created as an advisory body, CFIUS began to take on more regulatory functions after Congress gave the president authority to suspend or prohibit certain types of foreign investments through the 1988 Exon-Florio Amendment. Congress subsequently codified CFIUS through the Foreign Investment National Security Act of 2007, which further reformed its structure and operations. Robert Williams described CFIUS’s current structure and process as follows:

CFIUS (the Committee) is an interagency committee that exercises delegated presidential authority to review “covered transactions,” which are currently defined by statute as mergers, acquisitions, and takeovers by or with any foreign entity that could result in foreign “control” of a U.S. business, to determine the effect of the proposed deal on U.S. national security. The Committee is chaired by the Secretary of the Treasury and its voting members include the heads of the Departments of Commerce, Defense, Homeland Security, Justice, State, and Energy; the U.S. Trade Representative; and head of the White House Office of Science and Technology. The Director of National Intelligence (DNI) and the Secretary of Labor serve as non-voting, ex officio members. Other White House offices and personnel may act as observers and participate in CFIUS reviews on an ad hoc basis. Under existing law and regulations, the CFIUS review process begins with the parties to a transaction making a voluntary filing of notice. CFIUS also has the authority to compel such a filing if it determines that a transaction poses a potential risk to national security. The process generally ranges from 30 to 90 days, with an initial 30-day review following CFIUS’ receipt of the notice; an investigation period of up to 45 days for transactions requiring additional investigation after the 30-day review; and a 15-day period for presidential review if CFIUS refers a transaction to the President for a decision on whether to suspend or prohibit it. If CFIUS finds that a covered transaction presents national security risks, it may impose certain conditions before allowing the deal to proceed or require the parties to enter into a mitigation agreement to address security risks. It may also refer the transaction to the President, as noted above, who has authority to block transactions that pose a threat to national security. 
In some cases, proposed deals are withdrawn voluntarily by the parties prior to such presidential actions. CFIUS regulations . . . define “control” as the “power…to determine, direct, or decide important matters affecting an entity.” National security is not defined in the current CFIUS statute, but the law provides 10 specific factors the Committee may consider when analyzing the national security implications of a transaction.

FIRRMA’s Modifications and Additions

In its findings, FIRRMA emphasizes the generally beneficial nature of foreign investment, noting its immense value to the U.S. economy and that the U.S.’s top seven foreign investor states are major allies. However, it also notes that changes in the national security environment have increased the risks created by some forms of foreign investment, and that as a result the government must balance the gains against potential national security harms. To accomplish this, the bill implements a number of major institutional and operational changes to CFIUS.

FIRRMA identifies several factors that Congress wants CFIUS to take into account when considering the national security risks posed by foreign investments. These include:

Whether a transaction involves a country of special concern that has a strategic goal of acquiring technologies that would affect U.S. technological leadership in that area;

The national security effects of cumulative market share control by foreign persons;

Whether a foreign person involved in a transaction has a history of complying with U.S. law;

How the control of U.S. industries and commercial activity affects the capability and capacity of the United States to meet the requirements of national security, including the reduction in employment of United States persons whose skills are critical to national security and the continued U.S. production of items necessary for national security;

The extent to which a transaction is likely to expose sensitive data of U.S. citizens to exploitation by foreign persons and governments; and

Whether a transaction exacerbates cybersecurity vulnerabilities or allows a foreign government to gain new capabilities to engage in malicious cyber activities against the U.S., including activities designed to affect the outcome of any federal election.

The bill’s “sense of Congress” section also includes two provisions that might be seen as a mild rebuke to the president: it encourages the president to work closely with allies and partners, and it encourages that “any penalties imposed by the United States Government with respect to an individual or entity pursuant to a determination that the individual or entity has violated sanctions imposed by the United States or the export control laws of the United States should not be reversed for reasons unrelated to the national security of the United States.”

Institutional Structure. FIRRMA centralizes certain CFIUS operations in the Treasury Department, creating two new Senate-confirmed positions in the department responsible for overseeing CFIUS operations. It also requires dedicated CFIUS staff, including an assistant secretary or equivalent position, at all other member agencies. The bill allows agencies to appoint new staff for CFIUS positions. It also requires CFIUS to establish procedures for members to recuse themselves in the case of a conflict of interest and to publish dissenting opinions if CFIUS cannot reach consensus.

The bill establishes a CFIUS fund that may receive both appropriated funds and fees for a variety of CFIUS-related functions; CFIUS may establish those fees through regulations, based on the value of the transactions in question. Any fees are to be deposited into a fund exclusively for CFIUS use, although the chair may transfer money to CFIUS member agencies if necessary for them to perform CFIUS duties. The bill also authorizes CFIUS to study the implementation of a “prioritization fee.”

No later than 180 days after the bill’s enactment, the CFIUS chair would be obligated to submit to Congress a report and in-person testimony that describes the timeline and process for implementing the bill, as well as any additional staff and resources required for implementation. The president is then responsible for determining whether additional resources are needed to handle CFIUS responsibilities and, if so, for including a request for such resources in the annual budget request.

FIRRMA expands the permissible uses of confidential information collected by CFIUS; the information may be used to inform Congress and other executive agencies as well as to collaborate with allied governments. (The latter is to occur pursuant to a formal process that the CFIUS chair must establish.)

Many of FIRRMA’s provisions do not take effect until 18 months after passage, unless the CFIUS chair declares that all necessary structures and regulations are in place. However, the bill authorizes CFIUS to conduct pilot programs during this period, as long as relevant notices are published at least 30 days in advance in the Federal Register.

Jurisdictional Scope. Arguably FIRRMA’s most substantial change is to the scope of “covered transaction,” which defines much of CFIUS’s jurisdiction. The bill retains the existing definition—“any merger, acquisition, or takeover that is proposed or pending . . . by or with any foreign person that could result in foreign control of any United States business”—but defines “control” to include the ability to decide or direct important matters, whether exercised or not, and further expands covered transactions to include:

The purchase or lease by foreign persons of certain U.S. real estate near a U.S. port, military facility, or other “sensitive” government property;

All non-passive foreign investments in any company that deals with “critical technology,” “critical infrastructure,” or “sensitive personal data of United States citizens that may be exploited in a manner that threatens national security.” Covered investments are those that provide corporate control, any position on the board of directors, a role in sensitive decision-making, or access to “material non-public technical information,” with detailed exemptions for investment funds;

Changes in existing ownership rights that could result in foreign ownership or control of a U.S. business; and

Any other transactions structured to evade CFIUS review.

Critical technologies in FIRRMA include “emerging and foundational technologies” that will be controlled under the Export Control Reform Act of 2018, a separate part of the NDAA. These are technologies critical to U.S. national security but not controlled under any other export control provisions, and FIRRMA authorizes the CFIUS chair to recommend additional technologies. Critical infrastructure is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems or assets would have a debilitating impact on national security." The bill also authorizes CFIUS to develop more nuanced definitions through regulations, within certain limitations.

Procedure. The bill amends the CFIUS process in several ways, including extending the timeline, adding to the options available for companies to notify CFIUS of transactions, and expanding CFIUS’s authority to mandate reviews or take unilateral action. The bill leaves in place current procedures allowing any party to a transaction to initiate CFIUS review by submitting a written notice, but provides a 10-day window for CFIUS to accept or provide comments on the notice or inform the parties that a given notice is incomplete in cases where the parties have stipulated that the transaction at issue is a covered transaction. In addition, it requires that notices now include all partnership and other side agreements, including agreements regarding intellectual property transfer.

The bill also creates an expedited process of “declarations” that are no longer than five pages in length and whose specific content is to be laid out in CFIUS regulations. Parties to some transactions (also to be defined in regulations) can submit declarations in lieu of notices. CFIUS would then be required to make a decision on the basis of the declaration, request a full notice, or initiate a unilateral review within 30 days. CFIUS may mandate declarations for certain transactions as a minimum, although a party can always choose to submit a notice instead. CFIUS can define by regulations which transactions have mandatory declarations, although they must include transactions in which a foreign government has a “substantial interest” (to be defined by CFIUS) in a party.

A declaration must be submitted at least 45 days before the transaction is completed; if notice is chosen, it shall be filed no later than 90 days before completion. CFIUS can impose penalties for failure to notify.

FIRRMA also expands CFIUS’s ability to engage in unilateral reviews. The bill specifically authorizes CFIUS to initiate unilateral review in the case of any breach of a prior agreement with CFIUS where there are no other “adequate or appropriate” remedies, even if the breach is unintentional. It also directs CFIUS to create a process for identifying covered transactions that are not submitted to CFIUS. A party’s failure to submit the required certifications, or including false or misleading information or omitting material information in a notice, means that CFIUS may not complete a review but instead recommend that the president take action against the transaction.

The investigation into transactions by the Director of National Intelligence (DNI) must be a thorough analysis of any threat, including identification of any gaps in intelligence, and must incorporate the views of the intelligence community. This analysis must be updated at the request of the lead agency for any transaction for which an agreement is reached. The DNI may instead produce “basic threat information” if all parties have been analyzed within the prior 12 months or if other agreed-to criteria are satisfied. The DNI may also choose to include an assessment of the transaction’s impact on the intelligence community.

FIRRMA extends the timing for CFIUS reviews and investigations to 45 days each, but it allows CFIUS-defined “extraordinary circumstances” to extend the investigation period once, for 15 days. It also tolls the timeline during a lapse in appropriations, so a government shutdown will not reduce CFIUS’s time. The president has 15 days to take action after the earlier of (1) the date the investigation is completed or (2) the date the transaction is otherwise referred to the president.

Additionally, the bill makes certain CFIUS actions—but not those undertaken by the president on referral—subject to judicial review by providing for civil action challenging a CFIUS act, which must be brought in the D.C. Circuit Court of Appeals. It mandates that if privileged information is necessary for such a suit, it shall be reviewed in-camera and maintained under seal, but the use of information provisions in FISA shall not apply.

Remedies. The bill expands the remedies CFIUS can pursue to address national security concerns to include agreements, conditions, suspension of transactions, and referral of transactions to the president for decision at any time. CFIUS may also take measures to effectuate a party’s abandonment of a transaction and interim measures intended to mitigate risks until CFIUS completes its action (provided that CFIUS believes that the interim action will resolve the risk).

If an agreement is reached, a compliance plan must be created, adhered to, and kept updated. The plan must include specifics as to how compliance will be monitored, how frequently compliance reviews will be conducted, and what actions will be taken if the parties fail to cooperate. If, at any time after an agreement, the government determines that a party is non-compliant, CFIUS may take a variety of actions, from a unilateral review up to injunctive relief. Any agreement or condition is binding on all successors and assigns until it terminates or CFIUS permits its termination, and CFIUS shall create compliance evaluation methods that permit effective monitoring without diverting necessary resources from assessing new transactions.

Reporting Requirements. The bill significantly increases the reporting requirements for CFIUS. It requires that CFIUS’s interactions with Congress address not only the current financial committees but also both intelligence committees. It also expands the required components of the annual report to include detailed information on all CFIUS activity, especially monitoring and compliance activities. The report may be classified, but an unclassified version shall be made available to the public “as appropriate, consistent with safeguarding national security and privacy.” The bill provides a list of information that must be included in the unclassified report, largely related to summary statistics about the time required for reviews and investigations.

FIRRMA also requires the following new reports:

Biennial reports, through 2026, on Chinese investment in the U.S., including how it comports with the objectives of the Made in China 2025 plan, how it compares to U.S. investment in China, and any data collection difficulties;

A report, within a year, assessing national security threats related to foreign direct investment in the U.S. by foreign-state-owned or -controlled entities in manufacturing assets required for rail systems, and how CFIUS can respond to any such threats; and

A briefing to the congressional finance committees on CFIUS investigations in the past five years that would have allowed foreign persons to influence domestic and foreign democratic institutions and processes and any actions taken as a result of those investigations.

What’s Missing

Notably, members of Congress had proposed language in earlier versions of FIRRMA and the NDAA to reinstate penalties against ZTE, a Chinese telecommunications company that was placed under various restrictions by the Commerce Department in April 2018 only to have those restrictions lifted following discussions between President Trump and Chinese President Xi Jinping. The conference committee ultimately omitted these provisions, which the White House had vehemently opposed. That said, the committee kept in place separate prohibitions barring federal agencies from procuring telecommunications or video surveillance technology from ZTE absent a waiver from the agency head