The new draft regulations for national security reviews of foreign investments in the United States issued by the U.S. Treasury Department contained some surprises, lawyers said.

Christian C. Davis, an international trade partner at Akin Gump Strauss Hauer & Feld in Washington, D.C., said in an interview on Wednesday: "They opted for a very detailed approach where they saw specific national security concerns and as a result they have come up with a complex set of rules focused on those specific areas." 

The proposed rules governing review of foreign investments by the interagency Committee on Foreign Investment in the United States issued on Tuesday by the department are tailored more narrowly than some initially had feared earlier in the rulemaking process, but they also are more complex in some instances. 

Under the rules, CFIUS has new jurisdiction over minority position, venture capital and private equity investments in critical technology, critical infrastructure and sensitive personal data. The new draft rules also cover acquisitions of property located near defense and national security installations.

"In many ways, the proposed regulations reflect a somewhat unexpected, considered approach to addressing the issues of our day within the context of the traditional CFIUS regulatory framework," said Hogan Lovells global regulatory partner Anne Salladin in a statement.

For instance, the mandatory reporting requirement for foreign government involvement is at a higher threshold than some had expected under the Foreign Investment Risk Review Modernization Act of 2018 and potentially sweeps up fewer deals. Even so, the number of deals annually expected to be subject to review by the panel has increased to more than 1,000, up from 240 in 2017.

Treasury also attempted to focus CFIUS more narrowly on its jurisdiction over investments in critical infrastructure and sensitive personal data. The proposed rules do not alter the critical technology pilot programme that has been in place since November 2018, though they may be revised in the final rules, lawyers said. And the draft regulation also creates a "whitelist" for investment by certain allied countries as an incentive to make other countries step up their own national security reviews of foreign investments. 

But there is a whole new regime that creates detailed rules about what types of real estate transactions are subject to CFIUS jurisdiction, laid out in a separate 135-page document. They expand CFIUS review for land or building acquisitions in proximity to more military bases or other national security installations than previously, as well as airports or maritime ports.

According to the draft regulation: "Prior to FIRRMA, CFIUS could only review an acquisition of real estate if it was part of a transaction which could result in control by a foreign person of an entity engaged in interstate commerce in the United States. FIRRMA expands CFIUS's jurisdiction to include certain types of real estate transactions involving the purchase or lease by, or a concession to, a foreign person of certain private or public real estate located in the United States."

Davis said: "The proposed rule creates a new set of regulations governing CFIUS review of real estate that contains a great deal of specificity on which real estate transactions are subject to review. However, this expanded jurisdiction is not subject to mandatory reporting." 

David Hanke, a national security partner at Arent Fox in Washington, D.C., said the proposed rules involving sensitive personal data put a premium on genetic information and companies that target or tailor services to U.S. military or national security agencies, as well as any company that maintains or collects data on more than one million individuals or has a business objective of doing so.  

By that standard, transactions involving insurance companies, healthcare companies, mortgage insurance companies and those that collect and store geolocation or biometric data are likely to be swept up.

"A lot of companies will be surprised that the government feels their data is sensitive for national security reasons," he said. 

The Treasury Department also spelled out CFIUS's jurisdiction over outbound joint ventures when the venture involves the contribution of a U.S. business, said Stroock & Stroock & Lavan partner and chair of the national security practice group Chris Griner and colleagues in a client alert released yesterday.

The written comment period ends on October 17. Final rules are expected in January or February 2020.

Dealmakers for companies and industries that fall into one of three buckets covered by the CFIUS rules need to pay close attention to further developments, Davis said. "This continues the need to focus on CFIUS risk in the M&A process at an early stage and to determine the appropriate strategy for addressing that risk," he said. 

"The analysis still focuses on whether or not a transaction is subject to CFIUS jurisdiction, whether mandatory or voluntary reporting applies and, in the latter case, whether or not to proceed with a filing based on the national security concerns presented. The proposed rules make this analysis more complex and will result in more transactions being subject to CFIUS jurisdiction and mandatory reporting," he said.

Read More: