FIRRMA Is Coming: How to Get Ready

Randall H. Cook is Senior Managing Director, Rosanne Giambalvo is Senior Director, and Steve Klemencic is Managing Director at Ankura Consulting. This post is based on an Ankura memorandum by Mr. Cook, Ms. Giambalvo, Mr. Klemencic, Michael Garson, Mona Banerji, and Bill Bray.

On May 22, 2018, congressional committees in both the U.S. Senate and House of Representatives advanced the Foreign Investment Risk Review Modernization Act, or “FIRRMA.” This legislation, which the Senate Armed Services Committee also included in its version of the National Defense Authorization Act, likely will be enacted into law in the next few months, with significant impact on the regulatory environment concerning foreign direct investment (“FDI”) in the United States. FIRRMA will significantly expand the jurisdiction and activity of the Committee on Foreign Investment in the United States (“CFIUS”), and most likely include provisions aimed specifically at a broader set of FDI transactions involving U.S. distressed debt, real estate, and critical technology. The driver of this change is concern that foreign countries, particularly China, are deliberately utilizing foreign investment to acquire national security-critical assets, technologies, and information to their strategic advantage.

Success in this dynamic, increasingly complex investment environment requires both quality counsel and an experienced, technically expert team that understands and can effectively address the full spectrum of CFIUS’s growing authority and concerns. This post provides background on CFIUS, describes some of FIRRMA’s key provisions and what they may mean for your business and investments, and discusses the importance of an interdisciplinary approach to successfully navigating the CFIUS process.

What is CFIUS?

CFIUS is an interagency U.S. Government committee that currently reviews certain forms of FDI into the United States to identify and address any consequent national security risks posed by potential foreign control of a U.S. business. CFIUS is chaired by the Department of Treasury and comprised of nine standing agency members [1], five observing offices [2], and two non‐voting, ex officio members. [3] CFIUS relies principally on a voluntary notification system to identify “covered transactions” for review. CFIUS reviews seek to balance the United States’ foundational commitment to maintaining a free and open investment environment with the need to protect national security.

The Committee’s national security review of a covered transaction involves a risk analysis to evaluate: 1) whether the foreign investor has the capability or intent to threaten national security, 2) whether the U.S. target or its assets, technologies, or information, if controlled, influenced, or accessed by the foreign investor, represents a vulnerability to U.S. national security, and 3) the consequences for national security if the foreign investor exploited the vulnerability. Where risks are identified, CFIUS generally engages with the parties to fully develop and determine whether the risks can be mitigated either through modifications to the deal or post-transaction controls. If CFIUS determines that risks cannot be mitigated, the Committee can recommend that the President block or (if already completed) unwind the transaction. The current review process is based on a statutorily-defined timeline of an initial 30-day review period for CFIUS to conduct the national security risk assessment followed by a 45-day investigation period to address identified risks that may threaten to harm national security if not effectively mitigated.

New national security issues and concerns are driving change in the CFIUS review process, however. The increasing frequency and significance of cyber and data hacks, the convergence of military and commercial technologies, and the explicit policy of some foreign countries (notably China) to displace U.S. technological leadership, among other factors, have prompted more rigorous CFIUS scrutiny in recent years. Additionally, FDI in the United States is at an all-time high, resulting in a significant increase in the number of covered transactions that CFIUS reviews, the frequency with which the Committee requires mitigation measures, and in the instances of deals that the Committee recommends to the President to block. Correspondingly, CFIUS has developed procedures to enable a more searching review process, including a practice of “pre-notice” consultation with the Committee, and withdrawal and refiling by the parties to extend mitigation negotiations. The increased volume and intensity of CFIUS reviews have strained the Committee’s resources and placed pressure on the current statutory timelines.

FIRRMA’s Most Impactful Provisions

Notwithstanding these administrative adjustments, a consensus of heightened concern among U.S. security agencies, Administration leadership, and a bipartisan critical mass in Congress is driving FIRRMA through an otherwise tough legislative landscape toward prompt enactment. Closely-aligned versions of the legislation have completed the committee process in both the Senate and House. The Senate version has been attached to the Senate’s version of the annual National Defense Authorization Act, making it a likely candidate for passage in the next few months.

There may be additional amendments to the FIRRMA legislation before it is signed into law. The policy debate continues to center on finding the right balance between maintaining an open investment environment and protecting national security. But it is clear that FIRRMA will add new, significant elements to the CFIUS review process.

Some of the key provisions in the current versions of FIRRMA that will impact businesses and investors include:

Expanded Jurisdiction: Currently, CFIUS reviews generally have been focused upon foreign mergers, acquisitions, and takeovers of existing and operational U.S. businesses. The FIRRMA legislation would codify additional transactions subject to CFIUS review:

  • Bankruptcy and Distressed Debt. Both the Senate and House versions of FIRRMA specify that CFIUS jurisdiction covers bankruptcy and other default on debt transactions. This provision reflects concern over foreign persons acquiring critical technologies and assets through the expedited process of distressed debt transactions and will necessarily focus CFIUS attention on a class of transactions that have historically received limited Committee scrutiny. Given the time and financial constraints of distressed debt deals, this provision could be a disruptive variable for unprepared parties and investors.
  • Real Estate. Both versions of FIRRMA give CFIUS jurisdiction to review any purchase, lease, or concession by a foreign person of real estate in the U.S. proximate to a U.S. Government national security-sensitive installation or that is part of a sea, land, or airport. There are specified carve-outs for single family dwellings and urban areas. This provision will involve CFIUS in review of numerous real estate deals, particularly in the National Capital region and other areas with dense national security and port facility concentrations.
  • Transactions Involving Critical Technology. Both versions of FIRRMA give CFIUS jurisdiction to review any transaction giving foreign persons access to or influence over decision-making relating to “critical technologies”, which are defined to include items subject to international arms controls and “emerging, foundational, or other critical technologies” designated through a semi-annual review process created by FIRRMA. This provision will involve CFIUS more closely in the capital markets for start-up and breakthrough technologies.
  • Transactions Involving Critical Infrastructure. The Senate version of FIRRMA extends CFIUS jurisdiction to any “non-passive” investment in a “critical infrastructure company”, defined as any company that “owns, operates, or provides services to an entity that operates within U.S. critical infrastructure.” The bill extensively defines “passive investment” to carve out non-controlling investments through funds and other arrangements. Particularly in the context of the Administration’s push for privately-funded infrastructure development, this provision would involve CFIUS in scrutiny of a large class of foreign-backed projects.
  • Sensitive Personal Data. The House version of FIRRMA would give CFIUS jurisdiction to review any transaction giving a foreign person from a country of “special concern” access to or influence over decision-making relating to (including the release of) the sensitive personal data of U.S. persons. This provision reflects concern over Chinese and Russian cyber hacks of government and corporate systems maintaining U.S. personal data and would involve CFIUS in evaluation of a broad class of deals involving any businesses that collect or control such information, including financial, medical, and professional information.
  • Change in Rights. Both versions of FIRRMA give CFIUS jurisdiction to review any change in a foreign person’s rights to control or influence a U.S. company where the foreign person already has an investment stake.
  • Transactions Intended to Evade CFIUS Review. Both versions of FIRRMA give CFIUS jurisdiction over any transaction “designed or intended to evade or circumvent CFIUS jurisdiction.” This broad provision potentially enables CFIUS to scrutinize all manner of transactions, including complex investment vehicles and outbound transactions, where the Committee finds an intent to evade its review.

Declarations: Both versions of FIRRMA provide for an expedited declaration process, where parties may file a brief description of a transaction with CFIUS and obtain a determination whether CFIUS intends to conduct a full review. The declaration provisions also authorize CFIUS to specify classes of deals that will require mandatory declarations. The Senate version specifies that mandatory declarations will be required for investments in critical technology and critical infrastructure companies. The declarations provision should provide a vehicle for relatively efficient determination of whether particular deals will be subject to CFIUS review and will eliminate some of the indeterminacy of the current practice of “pre-notice consultation” with the Committee. But the declarations substantially qualify the voluntary character of the CFIUS process and will entail a heightened expectation that many transactions which previously occurred without any CFIUS dimension will now be declared to the Committee, introducing a new variable to these deals.

Outbound Investment: The FIRRMA initial draft included provisions extending CFIUS review to outbound investments involving critical technology transfers as well. Concern regarding the impact of such a review on U.S. businesses’ competitiveness overseas resulted in modification of FIRRMA in both the Senate and House versions to address outbound investment through enhanced export controls under the existing Export Administration Regulations, which will apply to “emerging, foundational, or other critical technologies” designated during a semi-annual review process. These provisions will likely result in increased export licensing and compliance requirements for technology development companies, particularly those that export to or from joint ventures with nationals of countries subject to a U.S. embargo (including China and Russia).

Compliance Plans: Both FIRRMA versions include a provision requiring the preparation of a written compliance plan to ensure the parties effectively execute CFIUS-mandated risk mitigation measures. The provisions include requirements for monitoring, reporting, and sanctions for non-compliance. They also explicitly contemplate the use of third-party monitors to assist with the implementation of such compliance plans. This provision will likely increase the frequency, formality, and importance of the mitigation controls negotiation and planning process. It will also increase the utility of designing transactions and engaging CFIUS with well-developed compliance plans.

Increased CFIUS Resources and Proactive Enforcement: Both versions of FIRRMA will authorize increased resources for the Committee to address the expanded volume of transactions and enable the additional CFIUS proactive activity required by the legislation, including enhanced analysis and reporting of investment trends, and identification of deals that evaded CFIUS review. These provisions indicate that CFIUS will have enhanced capabilities enabling the Committee to fully utilize and ensure compliance with its expanded authority.

How to Get Ready

Companies and investors engaged in transactions involving U.S. companies and non-U.S. investors need to understand how FIRRMA’s expansion of CFIUS’s authority may affect their businesses and take action to ensure continued success in the new regulatory environment. Because CFIUS is explicitly charged with maintaining an open U.S. investment climate and is most focused on transactions involving specific threats and vulnerabilities, most businesses will probably find the enhanced CFIUS process manageable after implementing reasonable preparation. But failure to prepare, particularly if your business involves critical technologies, critical infrastructure, or transactions with Chinese or other “special concern” nationals, could be catastrophic for your deals. Conversely, by preparing effectively and putting together an interdisciplinary team expert in CFIUS matters, you can set the conditions for success.

It is essential to consult with CFIUS-competent counsel to interpret and provide a legal opinion regarding the applicability of the CFIUS statute and ultimate FIRRMA reforms to your business. Because CFIUS’s concerns are so intimately intertwined with issues of business operations and systems, financial relationships and transactions, technology, and national security analysis, however, it is important to include interdisciplinary capabilities in your CFIUS response approach. Optimally, your team should integrate people with:

  • direct experience and fluency in the CFIUS review process and equities (including intelligence and counterintelligence);
  • expertise in the technologies, systems, and issues (such as bankruptcy, real estate, data management, or trade controls) applicable to the particular transaction;
  • sophistication and experience achieving results in business and financial organizations; and
  • credibility and a reputation for independence with CFIUS stakeholders.

An effective interdisciplinary team will help by setting the conditions for success at each stage of the CFIUS transaction review lifecycle:

  • Pre-Transaction Assessment and Planning: Before engaging in a cross-border transaction, you should engage in the same kind of analysis and diligence that CFIUS would: Is the transaction subject to CFIUS review? Who are the real parties in interest of the foreign acquirer? Does the transaction involve any potential threats or vulnerabilities that may prompt CFIUS intervention? Is there a way to design the deal (e.g., different acquirers; different acquisition vehicles; partition of sensitive assets) that will either remove or reduce the salience of any identified risks? Are there mitigation measures that can effectively address identified risks without destroying the value of the deal? Engaging in this analysis will enable you to set appropriate expectations with stakeholders, plan (and price) the CFIUS process into the deal, and determine the most effective approach to engage CFIUS to maximize the prospects for success with minimal friction and surprises.
  • Mitigation Planning and Implementation: When a potential risk is identified during your own assessment or a CFIUS review, the parties will need to develop and propose measures to effectively address the underlying national security concerns, while enabling the business to operate successfully. Mitigation measures will typically include a combination of policies, procedures, processes, systems modifications, and oversight that limit foreign control of, or access to, sensitive information, products, services, technologies, and infrastructure. The credibility of the mitigation measures, and of the parties’ demonstrated ability to implement them, can be the difference between obtaining clearance for a transaction or getting blocked, and can dramatically facilitate the CFIUS clearance process.
  • Compliance Plans, Third-Party Monitoring, and Audits: FIRRMA will require that every mitigation measure be reflected in a compliance plan with specified elements for continuous monitoring, periodic compliance reviews, reporting, and sanctions for non-compliance. Formulation of credible, effective, and sustainable compliance plans; monitoring by a trusted, pragmatic, and independent third party; and periodic, credible, fluently reported audits are essential to assuring an approved transaction’s persistent success.
  • Outbound Technology Transfers: For many companies involved in critical technologies, FIRRMA will introduce a new dimension of export control requirements. Businesses unfamiliar with export controls can find them bewildering, as they apply to every transfer of the subject technology to a non-U.S. person, regardless of where the transfer occurs or the intention of the transferring party. Thus, seemingly innocuous interactions, such as a customer visit, a maintenance or service call by a contractor, or an email with a potential business partner can each be the source of compliance violations. Effectively addressing these compliance risks requires a technology control program predicated on deliberate assessment of your company’s business processes.


FIRRMA will likely be enacted in the next few months and will authorize a significant increase in CFIUS’s authority and activity. Although the legislation continues a several-year trend of increasing CFIUS assertiveness, many business opportunities that involve U.S. assets and non-U.S. investment will be substantially affected. Particularly if your business involves critical technologies, critical infrastructure, real estate near national security-sensitive facilities, distressed debt, and/or transactions with Chinese or other “special concern” nationals, you should prepare for a more complex regulatory environment. Building a team of competent counsel and interdisciplinary experts who can help you understand the new CFIUS environment and deliberately set conditions for success may be essential to your business’s future.


[1] Departments of Treasury, Justice, Homeland Security, Commerce, Defense, State, and Energy and the Offices of the U.S. Trade Representative and Science & Technology Policy.

[2] Office of Management & Budget, Council of Economic Advisors, National Security Council, National Economic Council, Homeland Security Council.

[3] The Director of National Intelligence and Secretary of Labor.
