For years, investing in technology start-ups in the United States was easy from a U.S. law perspective. As long as an investor was not from a small list of countries (like North Korea, Iraq, and the Sudan), there were generally no issues except potentially some post-investment information reporting.
That changed completely as of August 13, 2018 when the Foreign Investment Risk Review Modernization Act of 2018 became U.S. law; true to the American predilection for designating legal acts with snappy acronyms, it is widely referred to as FIRRMA.
As it turns out, a prospective investor looking to put her money in Silicon Valley or another new technology hotspot in the United States now may face a significant regulatory hurdle. This presents something of a paradox, at least to those of us reared on the vision of the United States as a promised land of unfettered possibilities and unbounded freedom. Please read on for details.
Pre-FIRRMA. Before FIRRMA, the U.S. Department of Treasury administered an inter-agency known as “CFIUS” to monitor certain investments by foreign parties and foreign governments into U.S. companies with “critical technologies” vital to U.S. national security where the result of the investment was that the foreign party had “control” over the U.S. business.
There was never a precise definition of these “critical technologies” or what constituted “control”; but, over time, CFIUS practitioners focused on technologies that directly related to national defense or those that could put critical U.S. infrastructure at risk. CFIUS routinely took the position that “control,” at a minimum, was having board representation that could steer major decisions. The bottom-line was that a “typical” VC investment into things like data analytics, therapeutics, SaaS, mobile, etc. probably would have never triggered CFIUS review. Because of this, CFIUS compliance was never on the radar screen for non-U.S. VCs.
Post-FIRRMA Expansion. Under FIRRMA, interpretations of “control” and “critical technologies” have been greatly expanded, meaning the number and types of transactions requiring CFIUS compliance have grown exponentially and likely cover a significant percentage of U.S. start-up investment opportunities. Now, if you are a foreign investor that makes a “non-passive” investment into a U.S. entity with “critical technologies”, you are deemed to have sufficient control and CFIUS compliance is required.
Non-Passive Investments. A non-passive investment is any non-acquisition investment that gives a foreign investor any of the following rights:
This list is almost impossible to avoid in most VC-style equity investments. Most VCs can at least “nominate” an individual to the board of directors and receive information from the target post-closing.
Emerging and Foundational Technologies. Importantly, the definition of “critical technologies” triggering CFIUS compliance has been expanded to now include “emerging and foundational technologies”, a new, yet-to-be-defined concept. However, the words alone seem to indicate almost any US emerging growth technology company would be covered.
In fact, the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce (Commerce), an agency tasked with helping define what “emerging and foundational technologies” published a notice on November 19, 2018 identifying currently fourteen (14) categories of technologies that Commerce is evaluating whether or not to include in the final definition of “emerging technologies”:
If these types of technologies are adopted within the final “emerging technologies” definition, given the new breadth of what constitutes “control”, a non-US investor will need to investigate whether CFIUS compliance is necessary to make an investment in a U.S. start-up.
A separate alert will be published soon on how CFIUS compliance works, in general, including an overview of a new “pilot program” implemented by CFIUS to govern target companies that fall within 27 specifically identified industries.