President Donald Trump signed a bill reforming the Committee on Foreign Investment in the United States reform Monday afternoon leaving U.S. companies dealing with foreign investors a whole new reality to contend with.

The bill, the Foreign Investment Risk Review Modernization Act of 2018, was included in the John S. McCain National Defense Authorization Act for fiscal year 2019. It expands the jurisdiction and the powers of the national security review process for transactions, making more reviews by the interagency panel mandatory instead of voluntary. The act also starts a long rulemaking process during which new regulations will be codified under the U.S. Treasury Department—which oversees the committee. They are expected to have a major impact.

Michael Leiter, national security and CFIUS partner at Skadden, Arps, Slate, Meagher & Flom, said the expansion of covered transactions “really does shape the way transactions of all sorts will have to be structured going forward.”

CFIUS was thrust into the spotlight when high-stakes deals like Broadcom's bid for Qualcomm were either blocked outright by Trump on CFIUS' recommendation or held up for a long period before being scuttled, as was the case when Chinese conglomerate HNA Group's withdrew its bid for most of SkyBridge Capital.

The legislation is the first major overhaul of the national security review process for foreign investment in more than a decade and was prompted by concerns about the outbound transfer of strategic technologies, trade secrets and the personal information on American citizens, mainly but not exclusively to China.

The new law brings expanded oversight over previously uncovered transactions, including minority stakes and other non-controlling investments. It expands CFIUS jurisdiction over real estate transactions including leases near sensitive locations; authorizes collection of a filing fee of 1 percent or up to $300,000; imposes some administrative changes including the addition of short-form declarations; and establishes a new timetable for reviews. The law also opens CFIUS actions and decisions to judicial review on constitutional grounds within the D.C. Circuit Courts and provides some transparency to a process that's typically been strictly confidential.

Additionally, the act requires the U.S. Treasury Dept. and CFIUS to develop regulations that more clearly define “critical infrastructure” and “critical technologies.” Those are expected to continue the committee's recent focus on personally identifiable information (PII) on Americans, as well as its longstanding concerns about technology and equipment with military applications, and certain manufacturing and energy assets. But it's not just high-tech industries that will be affected.

“The reform bill has potential to apply to any U.S. business that takes on foreign investment,” said Jacob Osborn, counsel in Goodwin Procter's litigation group in Washington, D.C., and a member of its global trade, digital currency and cybersecurity practices.

Ama Adams, an international trade and litigation partner at Ropes & Gray in Washington, D.C., said the CFIUS overhaul also will affect Russian investment and the oil and gas industry, for example. “U.S. energy independence is a critical national security issue for the U.S. government and the committee has been focused on that for a very long time. With FIRRMA we will see a continued focus on that and an expansion” she said.

Some provisions of the bill will take effect immediately, and others may take as long as 18 months after rulemaking. Counsel seeking compliance should give special attention to safeguarding IP and sensitive personal information—including genetic data, for instance—in order to win CFIUS approval. In particular, companies may have to sequester some operations or sell off units. Some formerly common deal structures also may no longer be viable under the new law.

More Companies Will Need to File

One effect of the new law is that many more transactions will probably require CFIUS notice.

Mandatory notice will be required for deals that would result in a foreign person or entity holding a “substantial interest” in a critical technology or infrastructure company or in a U.S. company holding sensitive personal information, and must be filed at least 45 days prior to closing. Transactions involving bankruptcy also are explicitly covered. But the final legislation did not single out China and Russia as countries of special concern as in some early drafts, a controversial point.

Until now, deciding whether to file for CFIUS approval in advance of a merger or acquisition has been part of the overall strategizing in cross-border dealmaking, but the new law may make deciding not to file more risky, partly because of the provision for a short-form declaration. The act also explicitly gives CFIUS the right to review transactions designed to evade review.

Leiter, said, “We don't know how Treasury will regulate on that front but that is a massive change. CFIUS has always been voluntary and that major strategic decision of do we file, do we not file is going to be eliminated, and that is a big deal.”

Another significant shift involves U.S. private equity and limited partnerships, he said. “Over the past several years, CFIUS has been increasingly aggressive in policing such limited partners, causing significant private equity anxiety. FIRRMA is a big win for PE, as it provides a clear roadmap to avoid scrutiny of limited partners in a way that would otherwise be very disruptive.”

Some Deal Structures Will Go Away

Skadden's Leiter explained that FIRRMA and the new regulations it brings makes some formerly common deal structures obsolete: “One of the most common strategies is to start with 9.9 percent equity and then, once you get clearance, acquire more equity and additional rights. Under the new rules, this strategy becomes more challenging to execute because in some cases even the initial 9.9 percent investment will be a covered transaction,” he said.

Ivan Schlager, head of Skadden's National Security practice, elaborated: “Under 10 percent with standard minority investor protections—depending on the investors and the asset—has been a reasonably safe structure, the new law sweeps in a broader scope of investments, that depending on the asset may cover those standard minority investments. The minority investment provisions may have the most sweeping effect on venture capital investments in Silicon Valley.”

Safeguarding Personal Data: A Big Issue

Under the new law, PII is treated as its own national security concern, apart from critical industries or technologies. Given the extensive collection of personal data in many enterprises—even kitchen appliances, given the fast-developing Internet of Things—counsel should be prepared for CFIUS concerns to crop up unexpectedly in many deals.

“To avoid unnecessary delay, they should come to the committee better prepared with the national security concerns and plans to enhance cyber protections to mitigate them,” said D.J. Rosenthal, associate managing director and chair of Kroll Inc.'s CFIUS advisory practice in investigations and disputes. “If there is any complication or any lingering doubt on CFIUS' part, it is more likely they will say no thank you and pass and move on to the next deal.”

Both the acquirer and the target also should focus attention early on reputations and backgrounds of the company officers and their ties to foreign governments, and the sensitivity of the technology and knowledge that could be transferred to the potential acquirer, he said.

CFIUS will want to know how the companies plan to isolate U.S. information from the foreign acquirer or parent company and how they plan to audit compliance. Increasingly, the agreements include a requirement to provide a neutral third party to ensure compliance and report back to the committee.

Be prepared to let go of a part of the company if that's the only way to deal with the issues, Rosenthal said.

“It is becoming more common that a sensitive part of the business can't be sent to the foreign buyer. A spinoff is common on those kinds of cases,” he said.

Parallel legislation governing export controls of developing technology will also be important. Edward Lebow, international trade counsel at Haynes and Boone in Washington, D.C. said, “if their investment is aimed at developing technology in the U.S. and then exporting it, the parallel export control legislation passing at the same time as FIRRMA could subject it to additional scrutiny.”

As a result, Lebow said companies “will have to think of whether they just want to make money or they want to develop technology in the U.S. for ultimate export and use abroad. The counsel has to know what is their goal in order to get through the CFIUS approval process.”

Deals Can Still Get Done

CFIUS practitioners pointed to the panel's recent approval in June of the China Oceanwide Holdings Group Co. Ltd's $2.7 billion acquisition of Genworth Financial Inc. after several withdrawals and refilings as evidence that despite increased scrutiny, deals can get done (though that transaction is still subject to other regulatory approvals including in China).

Securing CFIUS' approval required Genworth to agree to mitigation that included requiring a third party to “manage and protect” information on U.S. policyholders.

The fact that the hurdles were finally overcome, however, suggests that while new CFIUS expanded requirements may be burdensome for companies to meet, they may not be insurmountable.

Nonetheless, Schlager said: “We will see growing pains among dealmakers and foreign investors in the next 18 months.”