A federal agency that tries to shut out hostile foreign investors now can review more life and insurance deals.
New regulations give the Committee on Foreign Investments in the United States (CFIUS) jurisdiction over any proposed deal that could give a foreign entity influence over a sensitive U.S. business, even if the foreign entity would not end up with control over the sensitive U.S. business.
CFIUS now can review an insurance deal if it thinks a hostile foreign entity will end up with ”any involvement, other than through voting of shares,” in decisions about “sensitive personal data of U.S. citizens maintained or collected by the U.S. business.”
- A link to new foreign person’s investment regulation is available here.
- Links to more resources concerning the regulations, including a fact sheet, are available here.
- An article about Genworth Financial Inc.’s CFIUS process experience is available here.
In the past, CFIUS had jurisdiction only if a foreign investor would be getting control over a sensitive U.S. business.
The Office of Investment Security, an arm of the U.S. Treasury Department, published the new regulations in the Federal Register Friday. The regulations are set to take effect Feb. 13.
The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA)
CFIUS was formed in 1975, when Gerald Ford was president.
The chair of CFIUS is the U.S. Treasury secretary. The Treasury secretary presides over 15 other voting and non-voting committee members.
CFIUS has jurisdiction over deals that could affect control over critical technology or critical infrastructure as well as control over personally sensitive information.
The Office of Investment Security developed the new regulations to implement the Foreign Investment Risk Review Modernization Act of 2018 (2018). Members of Congress developed FIRRMA in response to concerns that hostile foreign entities could use loopholes in the current CFIUS review rules to hurt U.S. national security.
FIRRMA amends rules given in Section 721 of the Defense Production Act of 1950. Former President George W. Bush issued an executive order asking the U.S. Treasury Department to develop Section 721 regulations in January 2008, according to the introduction to the regulations. The department has been using interim regulations. It released draft final regulations this past fall.
In the text of the regulations, which come with the title, “Provisions Pertaining to Certain Investments in the United States by Foreign Persons,” officials give a definition of “sensitive personal data” that includes “the set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance.”
The definition also includes the results of genetic tests, “data relating to the physical, mental, or psychological health condition of an individual,” and “financial data that could be used to analyze or determine an individual’s financial distress or hardship.”
Officials do not use the terms “annuity,” “pension” or “retirement” in the new regulation, but the sensitive data definition appears to include the kind of information that might be collected through a client needs analysis process.
But the expanded CFIUS deal review authority applies only to a deal involving a U.S. business that collects sensitive personal data, and has collected sensitive person data for 1 million or more individuals in the preceding 12 months.
The regulations would apply to a company that held health data for 1.1 million people sometime in the previous 12 months, even if it now holds health data on about 900,000 people, and even if it held health data on 900,000 people when it agreed to be acquired by a foreign buyer, according to an example given in the new regulations.
The regulations would also apply to a company that held sensitive financial data for 400,000 people and sensitive health data for 700,000.
The regulations could increase the acquisition value of life and health insurers that serve fewer than 1 million people relative to the acquisition value of bigger insurers, because foreign entities would not have to go through the CFIUS review process when acquiring an insurer with sensitive records for fewer than 1 million people.
The regulations could also increase the appeal of smaller insurers to any foreign intelligence agencies or other parties that want to buy access to U.S. residents’ personal information.
In most cases, CFIUS says, the CFIUS deal review process is a voluntary process. The seller asks CFIUS for a “safe harbor” letter verifying that the deal looks good. If the parties complete a deal without getting a CFIUS safe harbor letter, CFIUS could end up reviewing the deal.
CFIUS can recommend that the president of the United States block a proposed deal. The president can then suspend or block the deal.
Genworth Financial Inc. ran into delays in the CFIUS review process when it first began the process of selling itself to a company based in China.
Early on, Genworth did not discuss anything about the delay, other than it involved CFIUS concerns. Genworth executives later said the CFIUS concerns related to the security of customers’ personal data. Genworth addressed the data security concerns by arranging to have an outside company handle the sensitive customer data.
The new regulations include a confidentiality that provision that exempts most documents sent to CFIUS from Freedom of Information Act disclosure rules, and providing that “no such information or documentary material may be made public” by CFIUS.
The confidentiality provision allows CFIUS to disclose information relevant to administrative or judicial actions, information requested by Congress, and information that the parties have consented to be disclosed to third parties.
CFIUS can also disclose information to any domestic governmental entity or any foreign governmental entity of a U.S. ally or partner, if that disclosure is necessary for national security purposes, according to the regulation text.
Nothing in the CFIUS confidentiality provision “shall be interpreted to prohibit the public disclosure by a party of documentary material or information that it has submitted or filed with the committee,” according to the regulation text. “Any such documentary material or information so disclosed may subsequently be reflected in the public statements of the chairperson, who is authorized to communicate with the public and the Congress on behalf of the committee, or of the chairperson’s designee.”
The provision appears to provide that an insurer involved in a deal under CFIUS review could disclose the information sent to CFIUS, if the insurer wanted to do so.
— Read Hacked in the U.S.A.: China’s Not-So-Hidden Infiltration Op, on ThinkAdvisor.