On January 12, 2016, Grindr announced it had sold a 60% controlling stake in the company to Beijing Kunlun Tech, a Chinese gaming firm, valuing the company at $155 million. Champagne bottles were surely popped at the small-ish firm.
Though not at a unicorn-level valuation, the 9-figure exit was still respectable and signaled a bright future for the gay hookup app. Indeed, two years later, Kunlun bought the rest of the firm at more than double the valuation and was planning a public offering for Grindr.
On March 27, 2019, it all fell apart. Kunlun was putting Grindr up for sale instead.
What went wrong? It wasn’t that Grindr’s business ground to a halt. By all accounts, its business seems to actually be growing. The problem was that Kunlun owning Grindr was viewed as a threat to national security. Consequently, CFIUS, or the Committee for Foreign Investment in the United States, stepped in to block the transaction.
So what changed? CFIUS was expanded by FIRRMA, or the Foreign Risk Review Modernization Act, in late 2018, which gave it massive new power and scale. Unlike before, FIRRMA gave CFIUS a technology focus. So now CFIUS isn’t just an American problem—it’s an American tech problem. And in the coming years, it will transform venture capital, Chinese involvement in US tech, and maybe even startups as we know it.
Here’s a closer look at how it all fits together.
What is CFIUS?
Image via Getty Images / Busà Photography
CFIUS is the most important agency you’ve never heard of, and until recently it wasn’t even more than a committee. In essence, CFIUS has the ability to stop foreign entities, called “covered entities,” from acquiring companies when it could adversely affect national security—a “covered transaction.”
Once a filing is made, CFIUS investigates the transaction and both parties, which can take over a month in its first pass. From there, the company and CFIUS enter a negotiation to see if they can resolve any issues.
The way this usually ends is a mitigation agreement. A mitigation agreement is a contract between the acquirer and the government that is intended to address the national security issues at hand. It might involve selling some assets, surrendering some control, agreeing to government monitoring, or any number of remedies.
In practice, the government acts with a lot of secrecy to avoid giving away its national security intelligence; sometimes, you might not fully understand why the government wants some mitigation term. While CFIUS almost never blocks deals, sometimes the deal just falls apart, either because the mitigation agreement is too onerous to be worth it or the press is too negative.
The President also has the power to block the transaction, which almost never happens, or the deal can just get the green light, which does from time to time occur. The penalties for violating a mitigation agreement can be quite severe.
While there might be fines, CFIUS has the power to reopen an investigation if a mitigation agreement is breached, or even if CFIUS just thinks the agreement has been breached. That means that, even years after the fact, CFIUS can undo a transaction, or require a new mitigation agreement so onerous that the acquirer is forced to sell.
You might be wondering, what does it mean to be a covered entity that has introduced a risk to national security? The answer is pretty frustratingly vague. Congress intentionally never defined national security, but it’s understood to be different than economic security and related to things like nuclear power and semiconductor manufacturing.
This is keeping in line with the Washington free trade consensus, where national security exceptions to things like NAFTA and the WTO are understood to be quite narrow. This is in contrast with, say, the Beijing theory of national interest, where economics and national strength are linked.
CFIUS is headed by the US Treasury Department, with representation by over a dozen permanent member agencies, including Commerce, Defense, and State.
On top of a workforce whose size is not public, until recently, the actual secretaries of those departments sat on CFIUS—so imagine Steve Mnuchin, Jim Mattis, and Wilbur Ross sitting together with half a dozen other secretaries trying to decide whether a transaction impacts national security. Every covered transaction has a “lead” agency that handles the review, and a covered transaction must have unanimous consent to go forward.
CFIUS was created by executive order in 1975 to study foreign acquisitions and to mollify Congress. This worked for a little while, but foreign companies kept on trying to buy American firms while CFIUS did essentially nothing. Eventually, in 1986, Fujitsu tried to buy Fairchild Semiconductors, bringing Congress’s anger to a boil.
They responded by passing Exon-Florio in 1986 and the Byrd Amendment in 1993, both of which gave CFIUS formal powers and mandated review when a state-owned enterprise tries to buy a US company. Ironically, although both bills were passed in frustration with CFIUS’s complacency neither actually mentions CFIUS by name. CFIUS’s name wouldn’t appear in any law until 2007, when Congress passed FINSA, which expanded and formalized the review process.
The infamous Uranium One controversy involving then-Secretary of State Hillary Clinton was specifically about a CFIUS decision to allow the sale of a uranium company to a Russian-based acquirer. In 2017, the United States successfully blocked Broadcom from purchasing Qualcomm. The lever was threatening to block the acquisition through CFIUS.
What is FIRRMA?
Image via Getty Images / boonchai wedmakawand
FIRRMA is the most important piece of legislation affecting CFIUS since its inception. It’ll take this whole section to explain what it does, but suffice to say that despite the occasional update CFIUS’s mandate and scope hadn’t changed much since its inception.
Sure, the process had changed with the times, but there were still several gaps, including bankruptcy proceedings, real estate acquisitions, minority investments, fund positions, and shell companies, that were exploited by foreign actors to acquire American technical know-how. The result was a law that was passed nearly unanimously. You can read a detailed legal analysis of it here.
FIRRMA is also all about China. Congress was worried about Ralls Corporation buying sensitive land overlooking a military site in Oregon; acquisitions of semiconductor firms, from Xcerra to Lattice, by Chinese SOEs; companies like Genworth and Moneygram selling personal financial data to Chinese firms; companies like A123 and Fisker helping Wanxiang establish an electric automaker powerhouse; and dozens more. Congressmen couldn’t mention CFIUS and FIRRMA without also mentioning China, and it’s the only country whose name appears anywhere in the legislation.
Why is this important? CFIUS just put out a pilot program, which means that the law is now implemented through regulations—that is, in effect right now.
Here are the major changes.
This is the biggest change by far. CFIUS used to have a somewhat narrow definition of its focus: it only intervened in an outright acquisition by a foreign entity. FIRRMA accomplishes this in two ways: by expanding the definition of a covered transaction and by expanding the definition of a covered entity.
The biggest change is in covered transactions. Now, a covered transaction includes an investment. That means that if Sequoia China or Ant Financial wants to invest in your round their participation might be held up by CFIUS. Other kinds of transactions, like bankruptcy asset acquisitions, also may be covered transactions.
The expansion of covered transactions is deeply tied to the expansion of a covered entity. No longer must they purely be state-owned or -controlled entities. It is merely enough for there to be sufficient influence by state actors. Similarly, the transaction becomes covered if a covered entity is given too much influence. What’s “too much influence” in practice? CFIUS hasn’t been forthcoming on this yet.
2. National security now has a technology focus
National security used to have a relatively secure physical nexus, but in recent years Congress became fed up with the limited scope of national security used by CFIUS. The two main ways this affects technologies is the expansion of CFIUS’s mission to protect technical knowledge, or “material nonpublic technical information,” and the protection of “personal data.”
Nonpublic technical information is anything related to a company’s technology that isn’t already publicly known, like in a patent filing or revealed in a blog post. CFIUS has a broad notion of access to nonpublic information, and its view of which technologies matter is getting broader and broader. FIRRMA’s notion of data is extremely expansive. It includes personally identifiable information, financial data, and genetic data.
CFIUS also got plugged into the broader technology regulation apparatus. It now has the power to recommend technologies be included in export control schedules and emerging technologies lists used for sundry purposes. It is supposed to consider technologies not only in isolation but also in a broader strategic context.
3. CFIUS has a bunch of new powers and a more expansive review process
In the past few years, CFIUS got overwhelmed with the increasing volume and complexity of its investigations. As a result, FIRRMA made CFIUS bigger than ever and made the CFIUS process more comprehensive than ever.
The review process is now way more extensive. Rather than the old 30 days, CFIUS now has up to 45 days to review an application, with the ability to ask for an extension. CFIUS can undertake unilateral reviews and vastly expanded the scope of covered transactions that have to put in a mandatory filing—most applications used to be voluntary while now it is the reverse. Mercifully, CFIUS now has a “light filing” that is no more than 5 pages, which hopefully will lead to faster turnaround times.
Enforcement got beefed up too. CFIUS can now demand a retroactive mitigation agreement, can require a mitigation agreement to abandon a transaction, and can go to court to enforce a mitigation agreement. These retroactive agreements can even apply to pre-FIRRMA transactions. CFIUS also now has dedicated funding and can charge a fee for its reviews. It is charged with rapidly increasing its staff and appointing Senate-approved high-level staff members.
Who Does This Affect?
Image via Getty Images / domin_domin
Venture Capital
There is probably no group in tech FIRRMA affects more than venture capital. Venture capital firms do not acquire companies (mostly due to the Advisors Act), and venture capital was not disproportionately affected by CFIUS when portfolio companies were acquired before.
This is all turned upside down because CFIUS now monitors investments too. The key matter is making sure that no one foreign gets access to material nonpublic technical information. That’ll be tougher than it sounds.
CFIUS has already made its name heard—CFIUS was even the reason Softbank didn’t appoint any Uber directors. Venture capital firms will have to be careful when hiring partners who aren’t US citizens, and it’s unclear whether dual citizenship will complicate this.
If it does, those foreign partners might not be able to get board representation without scaring CFIUS, or they could even reject the firm’s investment. This will be especially challenging for firms with lots of former operators, many of whom are immigrants, and highly international firms, which may receive input on domestic investment from partners in foreign offices.
This also creates a lot of complexity around limited partners. Limited partner agreements are usually structured to give LPs as little access to portfolio companies as possible. Expect this part to get tighter. You probably will even see the term “material nonpublic technical information” appear in LPAs, and you also might see the right to exclude particular LPs from certain briefings for CFIUS purposes.
Venture capital firms will also be careful in deciding who to put on their limited partner advisory committee, as anything that looks like it gives a foreigner control or influence over someone who does see any material nonpublic technical information could also be suspect even though the CFIUS guidance seems lax.
LP selection therefore is now more of a quandary. Good funds are already discerning with their LPs, so at first blush it might not seem like a great sacrifice to further filter for foreign exposure. But some of the biggest checks come from foreign institutions and foreign billionaires.
While they may have some of the most complicated taxes, they also sometimes have some of the fewest strings otherwise attached. And as the startup scene becomes more and more global, having a more international investor base also becomes more attractive.
That also creates a downstream effect in the legal domicile for the fund. Essentially any fund with significant foreign LP money or with a significant international presence has a Cayman master management company. This is done for a mix of tax and flexibility purposes (Cayman is essentially the Delaware of the world, and in recent years it has greatly cleaned up its image).
CFIUS has made a point to allow itself the flexibility to reject an investment on the pure basis of legal domicile, and it previously wouldn’t comment on whether it would allow foreign-based shell companies to get by scot-free even when every other company in the mix was US-based!
One does wonder whether certain VC firms will become known to CFIUS and get special treatment. The natural question is whether this will become a competitive advantage for those firms. Obviously, their lawyers will make a lot of money.
Startups
Image via Getty Images / Morsa Images
Startups will also be deeply affected. More broadly, companies—especially software startups—that are used to a diligence process of at most 2 weeks, often with only a light technical dive, might have to get used to a new third-party interloper called CFIUS prolonging the process and adding uncertainty to fundraising, which is already too long and extremely painful.
The top companies are always selective when it comes to their investors, and speed is a factor—this will add to it. Some more desperate companies that need to turn to international funding will find the process is now more painful thanks to Uncle Sam. Due to the increasing importance of foreign strategics for tech development joint ventures or international expansion, this will probably hurt the ability of US companies to grow abroad.
The US government has made quite clear that it’s taking data extremely seriously, even when it seemingly tenuous consumer drone applications. As a result, one of the only things we can say for sure is that we’ll see more CFIUS activity where there is more data.
CFIUS is explicitly tasked with caring about consumer data, whether it’s personal data, financial data, or even genetic data. However, it’s not clear what the metes and bounds are of this mandate.
Is sufficiently large billing information enough? Does social media count as personal information? The answer will unfortunately be hashed out behind closed doors on a case-by-case basis, and at great time cost to the startup world.
Plus, we’ve all seen companies that made the case that they would be acquired for their data—those startups’ lives just got harder, and some of them will fail as their expected exits are no longer viable.
Let’s take the case study of Grindr. There’s the obvious reality of its potential as a source of blackmail. There’s also the issue of location and sensitive military assets. Grindr is no stranger to location service controversies, and has has been an issue with online services before, like Strava revealing troop movements and Fitbit showing the location of a secret military base.
Should companies take away from this episode that location service companies will face more scrutiny from CFIUS? It’s somewhat hard to say given the secrecy of the process, and it will make the ability to take learnings away from CFIUS actions difficult, though we do have a sense as to some of the technologies CFIUS and the broader export control regime are thinking about thanks to an advance notice of proposed rulemaking.
One other subtlety: the actions regarding Grindr (as well as PatientsLikeMe) were both ex-post rescissions of pre-FIRRMA transactions. So startups might have to be cautious when looking at M&A and investment from companies associated with certain governments or countries, even if they are confident that the deal would pass muster today.
China
Image via Getty Images / Michael Macdonald / EyeEm
FIRRMA was clearly a bill about China, and so it shouldn’t be surprising that China will get un-special treatment. The US government has often failed to provide clear definitions to important terms, like influence or access, instead opting for a sliding-scale approach reflecting the perceived risk of the foreign partner.
This has been a particular problem for Chinese firms, which were already forced to withdraw more often and had a harder time reaching mitigation agreements. This also means that everything mentioned above will be harder for Chinese entities.
For example, regardless of LPAC structure, a Chinese pension fund will have a harder time getting representation on it, and Chinese companies will have a harder time getting CFIUS approval to invest as strategic partners.
This will be particularly detrimental to the current Chinese expansion strategy. Unlike American firms, which tend to overtly acquire companies and then unite them under one flag, Chinese companies have taken a more Romanesque approach where they prefer to invest in or even acquire many startups without making them surrender their identity.
The result is a string of pearls investment across dozens of startups with the general public, but not the startup world, largely unaware of the expanding influence of the Chinese over their world. It is also a strategy that, to put it delicately, is made much more difficult when CFIUS must approve every such investment with an eye towards a different set of strategic objectives—oftentimes, in fact, with the express goal of thwarting the Chinese partner’s interests.
That will mean that the absolute cratering of Chinese investment will likely continue. Chinese companies used to be some of the most prolific investors in US startups, including the majors (BAT more than TMD). The viability of Chinese investment more generally, whether through the significant exposure of Chinese money to venture capital funds or through Chinese investment vehicles like Danhua or LYFE Capital, is somewhat in question.
Chinese exits will continue to be rejected, and as a result Chinese companies will just try to acquire US companies less often to avoid a costly rejection process, or at least the risk of it. They should certainly expect to see more CFIUS resistance, delays, and rejections.
In an increasingly global world where corporate strategics are essential, this will create challenges for American startups, especially when it comes to entering the Chinese market. This will exacerbate the coming balkanization of the internet and become just another lever for the technology great power war taking place across the globe.
Wrap-up
Here are the key takeaways.
- CFIUS is a government body that now has the ability to block an acquisition or even investment by a company that’s “too” foreign if it gives the company access to nonpublic technical information or personal data.
- The review process can be up to 45 days, with the possibility of extensions, and with no formal cap on the mitigation agreement negotiation process.
- Many more companies now have to file a CFIUS filing, which will probably result in a mitigation agreement limiting data transmission, selling assets, or just outright rejecting the ability of a certain foreign investor to participate or have board representation.
- This creates a huge quandary for venture capital, which will have to reject certain LPs, partners, and co-investors to avoid falling afoul of the US government.
- The effect on startups will be significant, as many startups, especially startups with the personal data of US citizens, will now have to deal with a new regulatory agency.
- While regulation is still a thing, when dealing with China, startups will need to be particularly careful when it comes to equity partners, whether that partnership is in the form of a strategic investment or outright acquisition.