New Changes to the United States Foreign Investment Laws: What Foreign Investors Need to Know

By: Torres Law
Date: 08/13/2018

On August 13, 2018, President Trump signed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA) into law. The NDAA contains the Foreign Investment Risk Review Modernization Act (FIRRMA), which makes significant changes to the Committee on Foreign Investment in the United States (CFIUS). This article briefly summarizes a number of changes to the current CFIUS process that will significantly impact foreign companies seeking to invest in U.S.-based businesses. The changes introduced by FIRRMA are the most significant changes made to CFIUS in over a decade.

As discussed in previous articles published by Torres Law,[1] CFIUS is an interagency body with authority to assess the national security implications of investment transactions that could result in control of U.S. businesses by foreign persons. CFIUS is comprised of nine members from the federal executive branch, two ex officio members, and other members as appointed by the president.  Chaired by the U.S. Department of the Treasury, CFIUS reviews for national security concerns transactions in which a foreign entity acquires control of a U.S. business. CFIUS reviews have typically focused on deals involving national security such as defense, transportation infrastructure, telecommunications, technology, and most recently financial services and personally identifiable information.

FIRRMA impacts the CFIUS process in several ways and expands CFIUS applicability to the following types of “Covered Transactions”:

  1. Real estate transactions. Real estate transactions where a foreign person leases or purchases real estate in close proximity to U.S. military or other sensitive U.S. government locations, or where the property is located in or will function as part of an air or maritime port and if such property could reasonably facilitate the collection of intelligence, expose the property to the risk of foreign surveillance, or otherwise expose national security activities at such U.S. government site.
  2.  Non-controlling investments involving “critical infrastructure,” “critical technology,” or “sensitive personal data” of U.S. persons. Transactions where foreign persons invest in critical technology and critical infrastructure will be subject to CFIUS jurisdiction if the foreign person could gain access to material nonpublic technical information possessed by the U.S. business; if the investment could provide the foreign person the right to observe or join the board or nominate board members; or allow the foreign person to be involved in any substantive decision making related to sensitive personal data of U.S. persons, critical technologies, or critical infrastructure.
  3. Change in Rights. Changes to a foreign person’s rights if they result in control of a U.S. business or critical technology and critical infrastructure companies (or any of the other types of investments described above).
  4. Evasion. Any transaction designed or intended to evade or circumvent CFIUS jurisdiction.


Other important changes include modifications to the CFIUS review and investigation process, including the modification of CFIUS timelines to expedite certain reviews while strategically targeting others for more in-depth review (e.g., Chinese transactions); new filing fees up to $300,000 per transaction and potential “fast track” fees to presumably expedite filings for parties who pay an additional fee; additional resources for CFIUS staffing; more authority for CFIUS to investigate transactions for which it was not notified; and the introduction of “light” CFIUS filings,[2] which will streamline the CFIUS notification process and aim to reduce the resources and costs involved in conducting the filing. Further, certain transactions will now be subject to a mandatory CFIUS filing (i.e., transactions where a foreign government obtains a substantial interest (more than 10%) in critical infrastructure or critical technology or a company that maintains sensitive data about U.S. persons). Notably, CFIUS is now instructed to review the foreign person’s history of compliance with U.S. laws and also evaluate whether the proposed transaction could create cybersecurity risks for the United States. FIRRMA will also require CFIUS to establish formal plans to monitor mitigation plans imposed on approved transactions and is now empowered to impose penalties if the parties fail to comply with mitigation plan conditions imposed by the CFIUS clearance process.


FIRRMA will apply to all pending and future transactions on or after August 13, 2018. Although some of the FIRRMA provisions will become effective immediately, others will not go into effect until the implementing regulations are rolled out over the next 18 months. The public will have an opportunity to comment on proposed rulemakings, so it is important to monitor for any new developments.

Torres Law will continue to monitor the CFIUS process and any additional changes over the next 18 months as additional FIRRMA provisions come into effect. If you have any questions regarding the potential impact of FIRRMA to your business, or need assistance with advance planning please do not hesitate to contact us.


[1] See Olga Torres and Jonathan Creek, 2018 Trends for CFIUS Reviews, Torres Law Insights (Feb. 20, 2018),; also see Andrea Fraser-Reid, CFIUS, Foreign Investment and Trade Relations in the New Administration, Torres Law Insights (May 3, 2017),

[2] Whereas the traditional written CFIUS notification is often 30 or more pages, FIRRMA introduces a short form declaration of no more than 5 pages.