The Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) is a U.S. government interagency committee that has the authority to review investments that provide a foreign person with control or, in some cases, certain non-controlling rights over a U.S. business and evaluate the extent to which such transactions raise national security concerns. For decades following the establishment of CFIUS, the Committee largely only reviewed transactions that parties proactively submitted to CFIUS. This primarily was due to CFIUS’s limited resources and dedication of such resources to reviewing transactions notified to CFIUS. In 2018, Congress passed the Foreign Investment Risk Review Modernization Act (“FIRRMA”), which, among other things, provided CFIUS with additional resources to identify transactions that: (1) could be within the jurisdiction of CFIUS, (2) potentially raise national security concerns, and (3) were not notified to CFIUS (often referred to as “non-notified transactions”).
As a result of FIRRMA, there is now a team within CFIUS dedicated to identifying and investigating non-notified transactions. We suspect (because specific information regarding all non-notified transactions is not public) that the team has now identified and investigated hundreds of mergers and acquisitions, joint ventures, corporate restructurings, bankruptcies, real estate deals, early-stage fundraising rounds, investments, and other transactions. In doing so, we understand that the team has focused on non-notified transactions in a number of strategically important industries, including quantum computing, semiconductors, artificial intelligence, telecommunications, biotechnology, defense, aerospace, and additive manufacturing. We also understand that the team has focused its attention on Chinese and Russian investors in particular. 
How the Non-Notified Process Works
From a procedural and administrative perspective, there is a fair amount of work that goes on behind the scenes before CFIUS reaches out in connection with a non-notified transaction. Specifically, dozens of case officers working in the Office of Investment Security (“OIS”) at the U.S. Department of the Treasury (“Treasury”), as well as analysts working at a number of CFIUS member agencies (collectively, the “non-notified team”), review private and public databases, commercial intelligence reports, bankruptcy filings, regulatory disclosures, M&A blogs, social media posts, press releases, public interviews, and other sources for transactions that could fall within the jurisdiction of CFIUS and potentially could raise national security concerns. In addition, Treasury also receives referrals from other government agencies and departments that are not dedicated members of CFIUS, as well as tips from the public. This highlights the fact that parties now more than ever need to consider the extent to which a competitor, disgruntled insider, or other party unhappy with a particular transaction may try to use CFIUS to impact the transaction.
Once a potential non-notified transaction has been flagged, the internal CFIUS due diligence and decision-making process kicks into gear. First, the non-notified team begins collecting and aggregating information regarding the transaction, including the parties involved (e.g., the parties’ recent business dealings, historical relationship, global affiliations, and ties to any foreign governments). Once the non-notified team has a collective understanding of the transaction and the parties, it must then decide if, in fact, the transaction potentially presents risks to U.S. national security. If the team determines that the transaction raises potential national security concerns, senior leaders on the non-notified team must weigh pursuing such concerns against the availability of time and government resources, and prioritize such risks against the potential risks identified in other non-notified transactions. Finally, senior leaders on the non-notified team must decide whether other legal authorities (e.g., U.S. export control laws and regulations, sanctions, Foreign Ownership, Control, or Influence (FOCI) or Team Telecom mitigation) could more effectively address the national security risks arising from the transaction. In such cases, Treasury often will coordinate with other federal agencies (e.g., the U.S. Department of Defense for FOCI-related matters) to ensure that the appropriate regulatory actions are taken.
In parallel with the risk-based analysis above conducted by the non-notified team, attorneys within Treasury’s Office of General Counsel (OGC) conduct a preliminary assessment to determine whether a non-notified transaction may fall within the jurisdiction of CFIUS. If CFIUS appears to have jurisdiction, Treasury must make a formal announcement to the Committee and provide member agencies with an opportunity to object before contacting the target U.S. business and requesting additional information about the transaction. If the Committee fails to object or otherwise acquiesces, the target U.S. business involved in the transaction typically receives email correspondence from OIS requesting a meeting to discuss a “confidential and time sensitive” matter involving the U.S. business.
How to Handle Outreach from CFIUS
Following this initial outreach, the target U.S. business typically receives a series of questions from CFIUS aimed at (1) determining whether CFIUS, in fact, has jurisdiction to review the transaction, (2) understanding the scope, nature, and underlying rationale of the transaction, and (3) uncovering any potential national security risks, including relating to critical technology, critical infrastructure, and sensitive personal data. In addition, CFIUS often asks the U.S. business questions about the foreign investor and, for example, its ultimate owners, beneficiaries, or shareholders, investment strategy or investment portfolio, global operations, subsidiaries, and organizational structure, and governance rights over the target U.S. business. While the question sets typically are sent to or otherwise directed at the target U.S. business, providing responses to such extensive questions often requires participation of the foreign investor.
The ensuing back and forth that occurs between the parties to a non-notified transaction and CFIUS is incredibly important because this is when the parties, often with the assistance of seasoned CFIUS legal counsel, can advocate, including by describing or otherwise navigating the nuanced facts, timing, governance rights, and realities and practicalities that are not always apparent when reading a press release about a transaction or reviewing a corporate M&A database. This is also the time when the parties to a non-notified transaction might explain to CFIUS why they did not originally notify CFIUS of the transaction (this, of course, assumes that the parties considered CFIUS issues before closing the deal). If parties did not consider CFIUS issues before closing, parties contacted by CFIUS should begin with evaluating whether, pursuant to the actual facts and circumstances of the transaction (and not facts from public sources on which the non-notified team relied to make certain conclusions), CFIUS potentially could have jurisdiction over the transaction.
For example, perhaps there is an argument that the transaction does not involve a U.S. business (e.g., no tangible or intangible U.S. assets, no U.S. offices or operations, no employees in the United States, and a U.S. nexus limited to sales from outside the United States). In addition, perhaps there’s an argument that a foreign person did not obtain control by virtue of the transaction. This requires a detailed review and understanding of the nature and extent of any governance rights (including, but not limited to, veto rights) a foreign investor received and the extent to which, in connection with transactions involving multiple foreign person investors, there are no formal or informal agreements or arrangements between the investors to act in concert or to assert control or leverage over the target U.S. business. CFIUS has broad discretion to interpret the scope of its jurisdiction. As such, even solid arguments against a finding of jurisdiction may not be enough to avoid a request from CFIUS to review the transaction if it’s a transaction of particular interest to CFIUS (e.g., a transaction involving a high risk investor or high risk U.S. business). In addition to jurisdictional-focused arguments, parties facing outreach from CFIUS should consider whether the transaction raises potential national security issues or whether the transaction or the U.S. business may not be as sensitive as they appear to be based on publicly available information. For example, perhaps a foreign person that invested into a company that collects and maintains sensitive personal data or develops critical technologies does not have the ability to access such information or technology. Similarly, if the U.S. business operates in U.S. critical infrastructure, perhaps the minority investment by a foreign investor does not provide the investor with physical, virtual, or otherwise remote access to the critical infrastructure assets. Also, perhaps public reports regarding the scope of the U.S. business’s operations are incorrect or misleading. This requires a deep dive into the information on which CFIUS likely relied in connection with deciding to reach out to the parties. The above-described back and forth between CFIUS and the parties can be, and often is, undertaken and accomplished in a non-adversarial manner and, in our experience, senior leaders at Treasury welcome transparency and open dialogue.
Following the question and answer period (which can last weeks or even months), CFIUS will review the parties’ responses to determine whether it has jurisdiction to review the transaction and internally discuss whether the risks arising from the transaction are enough to warrant requesting a filing. It is not uncommon for the non‑notified team to reach out to parties regarding a transaction and, after conducting further due diligence, confirm that CFIUS does not have jurisdiction or that the transaction does not actually present substantive national security risks. According to the most recent CFIUS annual report, 117 transactions were presented to the Committee for formal consideration by the non-notified team during 2020 (we suspect that these 117 transactions represent a relatively small subset of transactions that were identified by the non-notified team, but ultimately were not put forth to the Committee for formal consideration). Of the 117 transactions, only 17 transactions (approximately 15 percent) ultimately resulted in a request for filing.
Unfortunately, CFIUS does not always notify the parties that it has decided not to further pursue a particular transaction. Instead, CFIUS will simply stop engaging with the parties. This, of course, leaves parties with uncertainty regarding if and when CFIUS will reinvigorate its review of the transaction when, for example, it has additional time or resources. That being said, if CFIUS remains “radio silent” for, say, six months, it likely is reasonable to assume that the inquiry is over.
A Request for a Filing — Going Through the CFIUS Review Process
If CFIUS believes that it has jurisdiction, there are potential unresolved national security risks associated with a particular transaction, and no member agency objects to CFIUS’s intent to request a filing, CFIUS will request that the parties submit a notice. Parties typically comply with such a request. Once the notice is prepared and submitted and CFIUS begins its official review, CFIUS typically has up to 90 calendar days to conduct its review (which begins with an initial 45-day review period that can be followed by an additional 45-day investigation period). During that time period, CFIUS can, and often does, ask the parties additional questions regarding, for example, the U.S. business’ products and services, customer base, information and cyber security policies and procedures, research and development activities, government contracts, manufacturing operations, facility access controls, supply chain security, export control, and risk management programs. CFIUS, which has the authority to impose interim mitigation measures on the parties while CFIUS conducts its review (e.g., suspending integration of the businesses), also has the authority to impose mitigation measures if it determines that such measures are necessary to mitigate U.S. national security concerns associated with the transaction. This really is a risk for the foreign investor given that it is, at that point, required to accept such mitigation measures (i.e., the investor does not have the ability to walk away from the transaction if CFIUS sought to impose mitigation measures that, for example, impact the value proposition for the transaction pre-closing).
In our experience, a CFIUS review associated with a non-notified transactions is more likely to result in some degree of mitigation than a transaction proactively notified to CFIUS pre-closing, particularly given that a request for a filing in connection with a non-notified transaction signals that CFIUS has identified national security concerns associated with the transaction. Mitigation measures may include, for example, implementation of measures to protect sensitive personal information or technology, government supply-related assurances, and routine or periodic use of a third-party monitor, compliance auditor, or cybersecurity auditor who are required to report directly to CFIUS.
What to Expect Moving Forward
We understand that the number of non-notified transactions for which CFIUS requested a notice doubled in 2020 compared to 2018 and 2019 combined, with an expected further increase of 50 percent in 2021. With that in mind, as the non-notified team hires additional personnel and receives additional funding and resources, we expect that many more parties to non-notified transactions will hear from CFIUS and potentially receive a request to go through the CFIUS review process. Accordingly, it is important that parties proactively engage expert CFIUS counsel in the early stages of a transaction to potentially avoid receiving an email with a “confidential and time sensitive” subject line and a Treasury official signature block one month, six months, or even a year or more post-closing.
 In mid-2021, for example, CFIUS identified and investigated the Chinese private equity firm Wise Road Capital’s acquisition of Magnachip Semiconductor Corporation, a South Korean-based semiconductor company with business activities in the United States. In mid-2020, CFIUS also identified and investigated Tik Tok’s 2017 acquisition of Musical.ly apparently due to the sensitive end user data that was collected and maintained on U.S. citizens. In early 2020, CFIUS identified, investigated, and forced the unwinding of a joint venture involving Ekso Bionics Holdings, Inc., a U.S. manufacturer of robotic mechanical suits (“exoskeletons”), and multiple Chinese venture capital firms. In early 2020, CFIUS identified and investigated China-based Beijing Kunlun Tech’s 2016 acquisition of Grindr, a U.S. social media and technology company that collected and maintained sensitive personal data on U.S. citizens, including U.S. government officials and military personnel. In early 2020, CFIUS identified and investigated the Chinese company Beijing Shiji Information Technology Co., Ltd.’s 2018 acquisition of StayNTouch, Inc., a U.S. developer of hotel property and hospitality management software-as-a-service products. In mid-2019, CFIUS identified and investigated a Russian oligarch-backed company Pamplona Capital Management’s minority stake in Cofense, a U.S. based cybersecurity firm with extensive access to sensitive data and U.S Government contracts. In mid-2019, CFIUS identified and investigated a majority stake acquired by China-based iCarbonX in PatientsLikeMe, a U.S. healthcare startup company that collected and maintained Protected Health Information and other types of sensitive personal data on U.S. citizens.
 We also understand that the non-notified team has requested filings for transactions involving non-Chinese and non-Russian investors as well.
 Members of the public may provide relevant information to the non-notified team by calling (202) 622-1860 or emailing CFIUS.firstname.lastname@example.org. We understand that the tip hotline has already provided dozens of legitimate leads on non-notified transactions. See https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-monitoring-and-enforcement.
 When conducting a risk-based analysis or assessing national security risk, CFIUS not only analyzes whether the foreign acquirer is a threat (with intent and capability) but also considers the type, extent, and magnitude of any potential vulnerabilities and potential consequences associated with each transaction.
 If the parties are not cooperative, CFIUS can subpoena information and unilaterally initiate a review of a non-notified transaction.
 Treasury typically seeks buy-in from certain member agencies that have a direct interest or subject matter expertise in particular types of transactions (e.g., Department of Homeland Security typically is involved in transactions involving U.S. critical infrastructure) and asks them to co-lead or co-manage the review of such transactions before formally requesting that the parties submit a notice.
 In addition, if CFIUS determines that the parties to a non-notified transaction failed to satisfy mandatory filing obligations, CFIUS has the discretion to impose monetary fines or penalties up to the value of the transaction and force a divestiture.
 See https://home.treasury.gov/system/files/206/CFIUS-Public-Annual-Report-CY-2020.pdf.