Is CFIUS Sharpening Its Knife? Publication of First-Ever CFIUS Enforcement and Penalty Guidelines

October 24, 2022

On October 20, 2022, the U.S. Department of the Treasury, as Chair of the Committee on Foreign Investment in the United States (“CFIUS”), released the first-ever CFIUS Enforcement and Penalty Guidelines (the “Guidelines”).1 The Guidelines set forth the process by which CFIUS will assess penalties for non-compliance with the CFIUS regulations—including for failure to submit mandatory pre-closing filings—and describe aggravating and mitigating factors that the Committee will consider in determining the appropriate administrative response.

The Guidelines closely follow President Biden’s September 15, 2022 Executive Order, which ratified CFIUS’s increasingly expansive interpretation of its national security remit.2 Collectively, these Executive Branch actions signal continued, enhanced scrutiny of foreign investment in U.S. businesses and underscore the importance of adhering to appropriately tailored due diligence protocols.


CFIUS is an interagency committee of the U.S. government with authority to review certain foreign investments in the United States. Historically, the CFIUS regime was entirely voluntary, meaning that the parties to covered transactions were not required to provide notice of the transactions to the Committee. The Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) introduced a mandatory filing for certain investments (1) in critical technology companies; or (2) that involve foreign government-affiliated investors.

Parties to CFIUS filings are required to provide truthful and accurate information on a wide range of subjects, both in the initial filing and in response to questions that CFIUS poses during the review process. CFIUS may impose mitigation measures on the parties to a covered transaction—or recommend that the president block a transaction entirely—if the Committee determines that the foreign investment threatens to impair U.S. national security. Mitigation measures generally are imposed through entry into a National Security Agreement (“NSA”) with the transaction parties, which sets forth restrictions and ongoing obligations related to the target business (e.g., investment standstills or divestment obligations, restrictions on governance rights for the foreign investor, policy and procedure requirements for the U.S. business, compliance monitoring and reporting mechanisms).

CFIUS is empowered to impose civil monetary penalties of up to:

  • $250,000 for false certifications or material misstatements or omissions during the CFIUS review process; and
  • $250,000 or the value of the transaction, whichever is greater, for (1) failure to comply with a mandatory filing requirement; or (2) breach of a mitigation agreement.

The Enforcement and Penalty Guidelines

The Guidelines identify three categories of violations that may be subject to enforcement:

  • Failure to File a mandatory declaration or notice, as applicable, in the required time (i.e., at least 30 days prior to closing);
  • Non-Compliance with CFIUS Mitigation, including breaches of NSAs; and
  • Material Misstatements, Omissions, or False Certifications, which will typically reflect the provision of false information to CFIUS during the review process, or the omission of relevant information in response to questions from the Committee.

The Guidelines explain that CFIUS considers information from a range of sources when determining whether a violation has occurred, including:

  • Requests for Information. The Guidelines note that CFIUS routinely requests information to support its monitoring of compliance with NSAs, in addition to the Committee’s statutory subpoena authority.
  • Self-Disclosures. The Guidelines state that CFIUS strongly encourages timely self-disclosures of violations. Although the self-disclosure program is not yet fully established, the Guidelines preview that the Committee “will consider the timeliness of any self-disclosure” as well as “whether discovery of the conduct at issue by CFIUS or other government officials has already occurred or was imminent prior to the self-disclosure.”
  • Tips. The Guidelines encourage third parties who believe a violation may have occurred “to submit tips, referrals, or other relevant information to the CFIUS tips line” available on the Treasury Department’s website. 

The Guidelines describe the following penalty process upon identification of a suspected violation:

  • CFIUS will send a notice of penalty to an individual or entity who may be liable (a “Subject Person”). The notice will include a written explanation of the conduct to be penalized, the amount of any monetary penalty to be imposed, and the legal basis for concluding the conduct is a violation. The penalty notice also may cite aggravating and mitigating factors (as discussed below).
  • Upon receipt of a penalty notice, the Subject Person will have 15 days to submit a petition for reconsideration to CFIUS, including any defense, mitigating factors, or justification. CFIUS will have discretion to extend the 15-day period for good cause.
  • CFIUS will consider a petition for reconsideration if timely received and render final judgment within 15 days. If no petition is timely received, CFIUS will issue the final penalty determination by way of formal and final notice.

The Guidelines state that the Committee, when determining the appropriate penalty amount, will engage “in a fact-based analysis [that] weighs aggravating and mitigating factors,” consistent with the approach taken by other U.S. regulators. The Guidelines set forth a range of factors that could be deemed to be aggravating or mitigating factors, including:

  • Accountability and Future Compliance, defined as the impact of the enforcement action on protecting national security, including by ensuring Subject Persons are held accountable and that compliance is incentivized.
  • Harm, defined as the extent to which the conduct at issue impaired national security.
  • Negligence, Awareness, and Intent, defined to include the level of culpability (e.g., simple negligence, gross negligence, intentional action, or willfulness), whether there were efforts to conceal the misconduct, and the seniority of personnel involved.
  • Persistence and Timing, defined to include the frequency and duration of the conduct and the length of time between the misconduct and CFIUS becoming aware. For violations of NSAs, the Guidelines note that the length of time since mitigation became effective is a key consideration; for failure-to-file violations, the date of the transaction at issue is a key timing issue.
  • Response and Remediation, defined to include whether the Subject Person submitted a self-disclosure, cooperated with CFIUS, remediated the violation, and whether the Subject Person conducted an internal review to identify the cause of the issue and ensure no future violation occurs.
  • Sophistication and Record of Compliance, defined to include the Subject Person’s history and familiarity with CFIUS (including any prior NSAs), the internal and external resources dedicated by the Subject Person to compliance (e.g., legal counsel, consultants), whether the Subject Person has policies and training in place to prevent violations, variation in the consistency of compliance across the organization, the organization’s compliance culture, the Subject Person’s compliance history with other regulators, and the extent to which any violation of an NSA resulted from inadequate NSA compliance procedures or implementation.

Key Takeaways

A Potential New Age of CFIUS Enforcement

CFIUS’s authority to impose monetary penalties is not new; however, to date, the Committee has exercised this authority sparingly. Over its nearly 50-year existence, CFIUS has publicly reported only two penalties, both relating to failures to comply with CFIUS mitigation requirements: 

  • a $1,000,000 penalty in 2018 for “repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS”; and 
  • a $750,000 penalty “for violations of a 2018 CFIUS interim order, including failure to restrict and adequately monitor access to protected data, as defined in the order.”

Notably, although failure-to-file penalties were introduced in 2018, CFIUS has not yet penalized any party for failure to comply with a mandatory filing obligation. 

The Guidelines suggest that CFIUS’s enforcement posture is likely to change. Regarding the Guidelines, Assistant Secretary of the Treasury for Investment Security Paul Rosen stated, “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”3

A Call to Investors to Implement (or Refresh) Their CFIUS Strategy

For repeat investors, the Guidelines underscore the importance of developing and adhering to a CFIUS strategy. Specifically, the aggravating and mitigating factors described in the Guidelines—which are not exhaustive—imply an expectation that investors and U.S. businesses will dedicate appropriate resources to assessing national security risk presented by prospective investment opportunities.

Factors set forth in the Guidelines include (1) level of culpability (e.g., negligence versus willfulness); (2) the extent to which internal and external compliance resources are dedicated to address CFIUS issues; and (3) whether policies, procedures, and trainings are in effect. Extrapolating from these points, investors—and particularly active investors—should consider:

  • Establishing template CFIUS representations and warranties, and seeking these provisions in connection with investment activity, including to rebut a presumption of negligence. For example, investors may seek representations that a target business does not qualify as a “TID U.S. business,” and U.S. businesses may seek representations regarding investors’ foreign government affiliation, each to assess whether the transaction may be subject to a mandatory filing requirement. 
  • Establishing a regular and thorough CFIUS diligence process for assessing investment opportunities (and, for U.S. businesses, assessing potential CFIUS risk in connection with foreign investment).
  • Engaging external CFIUS resources in appropriate cases (e.g., outside counsel, CFIUS consultants) and developing internal compliance expertise.

Importantly, these considerations are not limited to foreign investors or U.S.-headquartered businesses. 

  • U.S. sellers would be well served to consider the national security risks presented by prospective acquiring parties. Given CFIUS’s practice—recently ratified by Executive Order—of considering risks that do not specifically arise as a result of the transaction before the Committee, this assessment can require more than simple determination of an acquiring party’s nationality or principal place of operations. For example, an otherwise non-threatening foreign party may be perceived to present risk due to its relationships with countries or parties (e.g., customers; joint venture partners) of concern.
  • Similarly, the CFIUS regulations’ definition of “U.S. business” is not limited to U.S.-organized or headquartered businesses. Rather, the term encompasses “any entity, irrespective of the nationality of the persons that control it, engaged in interstate commerce in the United States.” As a result, CFIUS risk assessments may be relevant to “foreign-to-foreign” transactions.

Large, Sophisticated, and/or Active Investors May be Held to a Higher Standard

The Guidelines identify “Sophistication” as a relevant enforcement factor and, in this regard, are consistent with virtually all U.S. regulatory enforcement guidelines. U.S. regulators have a history of pursuing enforcement actions against market-leading firms across industries. Access to resources, commercial sophistication, and experience make for an attractive enforcement target, including due to (1) ability to pay penalties imposed; and (2) the opportunity to “send a message” to other industry participants.

While smaller investors and U.S. businesses are not immune from enforcement—and CFIUS has demonstrated a willingness to initiate non-notified reviews of transactions in situations where the review would impose a disproportionate financial burden on the parties—experienced, well-resourced, and/or active investors may be the subject of increased scrutiny.


The Guidelines appear to signal that CFIUS intends to revamp its enforcement approach and more aggressively penalize parties for non-compliance with their obligations. If they didn’t already, investors and U.S. businesses should consider themselves on notice. 

  1. U.S. Department of the Treasury, Treasury Releases CFIUS Enforcement and Penalty Guidelines (October 20, 2022), [hereinafter “Guidelines Press Release”].
  2. New Executive Order Formalizes Expanded CFIUS Purview, Ropes & Gray Alert (September 20, 2022).
  3. Guidelines Press Release.