When Chinese tech giant ByteDance acquired LA-based Musical.ly in 2019 to create TikTok, they didn't think the U.S. federal government would even note the transaction.

Then, an obscure group of Treasury Department regulators wrote a report.

Fast-forward to today: TikTok is sitting in legal purgatory, under pressure from the White House, as companies like Oracle and Microsoft attempt to carve off pieces of it from ByteDance. Should the sale fall apart, there's a real possibility the Department of Justice will sue ByteDance to force a divestment.

The TikTok saga is the tip of the iceberg. As recently as 2017, Chinese venture investors were breaking records, putting in billions of dollars across hundreds of deals in U.S. based startups. By 2019, those numbers had fallen by about half, as this graph from Preqin shows.

Simultaneously, regulators forced the divestment of Grindr and StayNTouch, and blocked a $1.2B deal between Moneygram and Ant Financial.

What happened? FIRRMA happened.

This law, passed in August 2018, gave significant new powers to a traditionally toothless Treasury agency, and turned it into one of the most important players in the tech world. We're talking about the Committee on Foreign Investment in the U.S., or CFIUS.

Almost immediately after Congress beefed up CFIUS, there were reports of previously solid deals that began falling apart as VCs and entrepreneurs became cold on working with foreign sources of capital.

Their new reluctance was well-founded. CFIUS 2.0 has created a lot of risk for entrepreneurs and investors that work with foreign-based capital. This post is a guide on when CFIUS comes into play, and a breakdown of how this Treasury agency has changed venture investing in the last two years.

It's the Critical Technology

The Foreign Investment Risk Review Modernization Act (FIRRMA) didn't get a lot of press coverage when President Trump signed it into law in August 2018, but it made CFIUS powerful.

It expanded their jurisdiction to cover a much larger spread of investments made by foreigners — defined as people who aren't citizens or legal residents of the U.S. — compared to before. Previously, CFIUS review was almost always voluntary, and the agency only reviewed deals where a foreign investor would take a majority stake in a company. FIRRMA gave CFIUS the ability to evaluate any investment in a private company, even a minority stake, so long as all one or more of these triggers apply:

• The business receiving investment "owns, operates, manufactures, fabricates, or services critical infrastructure"
• If the company works with a "critical technology" (this includes 27 broad categories, like artificial intelligence, autonomous mobility, battery technology, Fintech, VR, and cybersecurity)
• If the company maintains or collects exploitable, sensitive personal data of U.S. citizens.
  • Grindr's sale to a Chinese company in 2016 prompted this, and in March 2019, CFIUS ordered Kunlun Tech to divest Grindr over expected concerns about access to personal data. That's right - CFIUS can launch an investigation and force divestment any time.

If CFIUS identifies a security risk, the White House can block a deal or force a divestment. This article from the law firm Holland and Knight gives a deeper dive on the regulations and covers some of the nuances, like the exempted countries.

CFIUS has had a significant impact in early-stage investing, because lot of VC deals fall the agency's broad definition of critical technology.

If you're an entrepreneur working in their critical technology space, and you try to take on foreign funding, what happens?

Before 2018, nothing. Now, both parties (the company and the investors) are legally obligated to apply for review by CFIUS. They give out big fines for failing to apply, and they work with the FBI to monitor for deals that tried to sneak through without review. They reject any applications where the investment would pose a "national security risk" - which puts Chinese-based investments under high scrutiny given geopolitical tensions.

This might not sound too onerous, and CFIUS reportedly approves a fair percentage of applicants. The issue is time - CFIUS reviews can take up to 90 days. Entrepreneurs that are raising need a fast yes/no from investors, and many haven't been willing to submit to the delays and scrutiny that come with taking foreign capital. Investors are also advising their companies to hunt for capital elsewhere, instead of from a foreign source that might lead to a CFIUS review or a block.

Now, there is a caveat here. CFIUS only comes into play in a non-controlling investment if the foreign investor gains access to "material nonpublic technical information", or "has substantive involvement in the U.S. business's decision-making with respect to the technology, infrastructure, or data."

This leaves room for a lot of exemptions. For example, a VC firm with American general partners could have all foreign-based LPs, and as long as those LPs were kept in the dark on their portfolio companies (and you can bet the FBI will monitor that) the firm would be in the clear. A "silent money" investor, who gives capital but has no real involvement in the business, would also be safe. But, most founders want more from their investors than capital, and most investors aren't going to make a deal where a single update email could lead to regulatory scrutiny.

So while there are potential workarounds, the broad definition of "critical technology" and the long review process is chilling certain foreign investment in U.S. startups.

CFIUS Makes Their Mark

Let's not overstate it. Despite CFIUS, billions in foreign capital is still flowing through the U.S. startup ecosystem. They try to approve most applications within a month, and the committee has reviewed then approved hundreds, if not thousands, of deals.

At the same time, a lot less deals are being made by Chinese-based investors compared to before. U.S. investors and entrepreneurs aren't accepting their money with such ease, and prospective Chinese investors are deciding the headache just isn't worth it. Given how broad the "critical technology" category is, too many of their deals are required to file the application. For example, Alibaba, which has invested billions in U.S. based startups since 2013, made no publicly disclosed investments in the U.S. in 2019. In fact, publicly disclosed investments in US start-ups by Baidu, Alibaba and Tencent fell 84 per cent from 2018, according to an analysis by PitchBook. A number of Chinese VC firms, like Sinovation Ventures, have completely stopped making U.S. investments.

Why have Chinese investors been especially hard hit? It's because CFIUS makes a final decision on whether or not to approve a deal based on national security risk. Current political tensions, the Chinese Communist Party's deep involvement in "private" Chinese companies/investors, and the Communist Party's publicly-admitted habit of IP theft, puts investments stemming from China in a high risk category, according to the federal government.

Post-FIRRMA, the environment has changed so much that Chinese investors are willingly opting out of the U.S. market. Their logic is that successful entrepreneurs running hot startups have plenty of options for financing that won't trigger a review by the U.S. government, so a China-based VC firm is unlikely to get in to the best deals, anyway.

Theodore Schleifer has a solid piece in Recode on foreign cash in Silicon Valley, and collected some interesting words from VCs on how they are cautioning their portfolio companies:

One venture capitalist active in financing companies in frontier technologies said he now assumed that his portfolio companies could never raise money from foreign investors from now on. A second said his firm recommended to a CEO that going through CFIUS review in order to take Chinese capital was not worth the headache. Schleifer writes that "Some in Silicon Valley have even undertaken projects to identify all venture firms primarily backed by the Chinese government — crafting their own private investor blacklists."

These investors are playing it safe for good reason. Ultimately, the new CFIUS, combined with rising U.S.-China tension, has made it riskier and much more burdensome for entrepreneurs to work with foreign investors. It's also made it riskier for VCs to take on foreign LPs, unless said LPs are truly passive and kept almost completely in the dark on how their portfolio companies are performing. The years of CFIUS flying under the radar have come to an end, and they're going to be a big player in the tech world for decades to come.