On April 23, 2008, the Treasury Department, the agency chairing the Committee on Foreign Investment in the United States ("CFIUS"), proposed regulations to implement the Foreign Investment and National Security Act of 2007 ("FINSA"). FINSA amended the U.S. law that authorizes the President to suspend or modify any merger, acquisition, or takeover of a U.S. entity by a foreign person (a "covered transaction") that might impair U.S. national security. That law, the Exon-Florio provision, has been in effect since 1989, but recent, controversial proposed foreign takeovers of U.S. companies prompted Congress to codify the existence of CFIUS, impose new requirements on parties to covered transactions, and increase executive and legislative scrutiny of those transactions.
The proposed regulations primarily make explicit many of the informal practices CFIUS had established as part of its review process before FINSA was enacted. However, they also substantially increase the communication and reporting burdens on parties to a covered transaction and make clear that while the CFIUS process is still theoretically voluntary, CFIUS now expects parties to seek review of a very broad range of transactions with respect to both the type of transaction involved and the nature of the U.S. entity being acquired.
Broad Scope Of Covered Transactions: What Constitutes "Control"?
A key issue to be resolved in determining whether to file a voluntary notice seeking CFIUS review is whether, as a result of the transaction, a foreign person will obtain control of a U.S. person. A very substantial portion of the proposed regulations involves defining "control." In keeping with historic CFIUS regulations, the proposal defines control as the
power, direct or indirect, whether exercised or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity.
The proposal substantially expands the illustrative list of matters that are considered to "affect" transactions and makes clear that "any other similarly important matters" can also evidence control. The list covers not only major corporate decisions (asset disposition, reorganization, closing or relocating key facilities, adopting an operating budget, issuing debt or equity, dividend declaration), but also day-to-day operating decisions (new business lines, significant contracts, company confidentiality policies, hiring or firing officers, senior managers, and "employees with access to sensitive technology or classified U.S. Government information").
The proposal also states that traditional minority shareholder protections do not confer control on a foreign entity, absent other considerations. Such protections include the right to prevent the U.S. entity from (1) selling or pledging all or most corporate assets, (2) entering into contracts with majority investors, (3) guaranteeing obligations of majority investors, and (4) amending corporate documents to allow any of those matters, as well as rights to purchase additional shares to avoid dilution of ownership.
The proposal, and public comments by CFIUS officials, states that a foreign acquisition of less than ten percent of the voting interests of a U.S. business will not be considered presumptive evidence of lack of control. Ownership of less than ten percent must be accompanied by evidence that the voting interests are being acquired for passive investment purposes only and that no attributes of control are being conferred on the minority owner. The proposal indicates that, if ownership of less than ten percent of voting interests were to be accompanied by even one seat on the board of directors of a U.S. business, this could be viewed as evidence of control and bring the transaction under CFIUS jurisdiction.
Foreign acquisitions of convertible voting instruments but not control are not covered transactions, unless the acquirer can determine when conversion takes place and the level of voting interests that will be acquired on conversion at the time of the acquisition. Acquisitions of assets that do not constitute a business are not covered transactions, but a sale involving more than real estate and equipment, such as an operating plant, could be covered even if the plant is not a legally organized company.
If there is a "significant possibility" that a foreign person might acquire control of a U.S. entity as a result of a loan or similar financing, the loan could be a covered transaction. Acquiring control through bankruptcy could also be a covered transaction.
A transaction in which a U.S. acquirer is in turn controlled by a foreign person would be a covered transaction. Transactions involving U.S. acquirers not controlled by foreign investors such as limited partners would not be covered. However, each such situation should be reviewed on a case-by-case basis.
The Standard For Review: What Constitutes "National Security"?
Whether to file a voluntary notification with CFIUS also depends on the potential impact of a transaction on U.S. "national security." Neither the statute nor the proposed regulations define this term. Instead, the proposed regulations define what CFIUS considers to be major elements of national security"critical infrastructure" and "critical technologies." The implication of the proposal is that transactions involving either of these areas warrant notification and will receive careful scrutiny. "Critical infrastructure" is defined as physical or virtual systems or assets "so vital to the United States that the incapacity or destruction of" the acquired entity's systems or assets "would have a debilitating impact on national security." This definition offers little additional help in that there is no guidance as to what would constitute a "debilitating impact."
The definition of "critical technologies" is much more specific and helpful: goods or services covered by the United States Munitions List set out in the International Traffic in Arms Regulations ("ITAR"), certain items subject to Department of Commerce export controls, goods and software related to nuclear weapons or nuclear power, and trade-restricted agents and toxins. Foreign acquisitions involving U.S. companies involved in these activities, or doing classified work for the U.S. government should almost certainly be notified to CFIUS.
Notifying CFIUS: What Is Required?
The voluntary notification to CFIUS has historically required basic information about the transaction, the U.S. entity being acquired and the foreign acquirer. The proposed regulations expand significantly the information required to be supplied, change the certification requirement, and incorporate the concept of informal, prenotification consultation with CFIUS.
Noteworthy new information requirements for notification include:
• identification of the ultimate foreign parent, and if that is a public company, identification of any five percent or greater shareholder;
• identification of "any and all financial institutions involved in the transaction, including as advisors, underwriters, or a source of financing";
• identification of the primary product or service lines of the U.S. business being acquired and "a list of direct competitors for thoselines";
• identification of products or services that the U.S. business supplies to third parties that the U.S. business knows are rebranded "or incorporated into the products of another entity, and the names or brands under which suchproducts or services are sold";
• a "description and copy of the U.S. company's cyber security plan, if any";
• a description of any production or trading in goods or services subject to the U.S. export or other controls listed in the definition of "critical technologies";
• description of any foreign government power or control over the foreign acquirer;
• description of any arrangements among foreign owners of the foreign acquirer to act together on matters affecting the U.S. entity;
• biographical and "personal identifier" information (including passport and national identity numbers) for board members, senior management, and five percent or greater beneficial owners of the foreign acquirer or its intermediate or ultimate parents; and
• a "statement of the view" of the acquirer as to whether it is a foreign person, controlled by a foreign government, and acquiring control of the U.S. entity, and the bases for that view.
The proposed regulations require that each party to a transaction provide a separate certification that the information regarding that party is complete and correct.
The proposal encourages parties to consult informally with CFIUS, submit a draft notification, and respond to CFIUS information requests before filing a formal notification, and extends statutory confidentiality protections to informally provided information.
CFIUS may reject a notification for failure to file all required information, or to provide follow-up information "within two business days of [CFIUS's] request" (unless upon written request CFIUS allows more time). Intentional filing of false information, or making a material misstatement or omission, is subject to civil penalties of up to $250,000, as is any violation of any agreement entered into as a condition of receiving CFIUS's clearance.
The proposed regulations indicate that CFIUS review has become a major regulatory clearance obligation that is effectively required in a very broad range of transactions. This situation is coupled with heightened CFIUS scrutiny, including self-initiated investigations of transactions for which no notification was filed, and more aggressive enforcement of mitigation agreements imposing conditions on cleared transactions.
Parties to transactions involving U.S. business operations in which there will be foreign participation should consider, early in the deal-making process, the potential impact of CFIUS review. Questions to review include whether critical infrastructure or technology is involved, who has "control," the role, if any, of a foreign government, and the countries involved and their strategic relationships with the United States. While the timetables for CFIUS review once a formal notification has been accepted have not changed (30-day initial review, with an additional 45-day investigation if national security issues are unresolved), the time and resources necessary for preparing a notification, and for prefiling briefings and consultations with CFIUS, will increase as a result of the proposed regulations. Parties should also be prepared to negotiate mitigation agreements with CFIUS agencies to address real or perceived national security concerns, and to be subject to ongoing oversight by those agencies even after a transaction has been completed.