The Committee on Foreign Investment in the United States ("CFIUS" or the "Committee") recently issued its Enforcement and Penalty Guidelines (the "Guidelines"). The Guidelines, the first of their kind for the Committee, provide information on how the Committee assesses violations of U.S. laws, regulations, and orders governing transactions subject to CFIUS jurisdiction. They also discuss Committee expectations for self-disclosures of violations.

Background

CFIUS is an interagency committee that reviews foreign person acquisitions of and investments in U.S. businesses and domestic real estate that implicate national security concerns. Parties to these transactions may, and in certain circumstances are required to, submit detailed information on transactions subject to CFIUS jurisdiction through a declaration or notice to the Committee.

Regardless of whether information on a transaction is submitted, the Committee has the power to investigate transactions subject to its jurisdiction, seek mitigation of national security concerns presented by transactions through agreements, conditions, and orders (collectively, “mitigation measures”), or recommend that the President issue an order to block or unwind a transaction. The Committee can take these actions at any time (before or after a transaction has closed) unless the transaction was previously cleared by the Committee though issuance of a “safe harbor” letter to the transaction parties.

Types of Violations

Pursuant to authority granted under Section 721 of the Defense Production Act of 1950, as amended, CFIUS operates under regulations administered by the U.S. Department of Treasury Office of Investment Security (OIS).[2] Consistent with these regulations, the Guidelines call out three primary types of violations:

1. Failure to timely file a mandatory declaration (or a notice in lieu of a declaration), which can lead to a civil penalty of up to $250,000 or the value of the transaction, whichever is greater.[3]
2. Failure to comply with a CFIUS mitigation measure, which can lead to a civil penalty of up to $250,000 or the value of the transaction, whichever is greater, or liquidated damages, as provided for in an agreement.[4]
3. Providing a material misstatement or omission or a false or materially incomplete certification to the Committee, which can lead to a civil penalty of up to $250,000.[5]

Penalties are assessed on a per violation basis and as noted in the Guidance, the Committee may seek penalties and other remedies without prejudice to civil or criminal penalties that may be applicable under other authorities. CFIUS also may refer conduct to other government enforcement authorities where appropriate.

Focus on Mitigation Compliance

The Treasury Department press release [6] accompanying issuance of the Guidelines includes a statement from Paul Rosen, the Assistant Secretary of the Treasury for Investment Security:

“Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”

This Committee focus on compliance with mitigation agreements is also reflected in recent enforcement actions, which are presently limited to penalties issued for violations of CFIUS mitigation measures.[7]

How violations are discovered

The Guidance explains how information on prospective violations can come to the Committee from a variety of sources, including other government agencies, publicly available information, tips from the public, information provided by filing parties, voluntary disclosures, and third-party service providers, such as auditors and monitors.

In addition, over the last couple of years, the Treasury Department has built a Monitoring & Enforcement (M&E) team within OIS to monitor public records and other sources for non-notified transactions. According to CFIUS’s 2021 Annual Report to Congress, the M&E team identified 135 non-notified transactions in 2021. Of these, the Committee requested parties to file notices for 8 transactions.[8]

Once a potential violation is identified, CFIUS may request further information on potential violations from transaction parties. When necessary and appropriate to gather information, CFIUS may also use its subpoena authority under the Defense Production Act.

Self-Disclosures

The Guidance provides detailed instructions on how to provide tips of violations and strongly encourages any person who engaged in conduct that may constitute a violation to submit a timely self-disclosure, even if not legally obligated to do so.

CFIUS instructs that a self-disclosure should take the form of a written notification describing all of the conduct that may constitute a violation and all of the persons involved. Where discovery of conduct that may constitute a violation requires further investigation, a company may submit an initial self-disclosure and follow up later with a more detailed self-disclosure.

In assessing timeliness of a self-disclosure and the appropriate response to a self-disclosed violation, CFIUS will consider whether the conduct at issue was discovered by CFIUS or other government officials before the self-disclosure or whether such discovery was imminent prior to the self-disclosure. CFIUS may also consider whether the reporting party or parties complied with requirements provided for under any applicable law, regulation, or mitigation measure requiring disclosure of the conduct.

Penalty Determinations

CFIUS performs a fact-based analysis to determine when a penalty is appropriate. This includes consideration of certain aggravating and mitigating factors. The Guidance provides a non-exhaustive list of some of these factors, which include the following:

• The impact of the violation on U.S. national security
• Whether the violation was negligent, intentional, or willful
• Whether senior personnel knew or should have known about the violation
• Efforts to conceal or delay sharing information with the Committee
• The need to ensure that responsible persons are held accountable
• The time it took to discover and remediate the violation
• The completeness and appropriateness of remediation efforts
• The timing, frequency, and duration of the conduct
• Whether a timely and complete self-disclosure was submitted
• The level of cooperation with the Committee’s investigation of the matter
• Compliance history, culture, and commitment to compliance
• Internal and external resources dedicated to compliance
• Policies, training, and procedures in place to prevent the conduct
• Whether there was an internal review of the conduct to prevent its reoccurrence

The Penalty Process

The process used by the Committee to issue penalties is set forth in the regulations.[9] As detailed in the Guidelines, key steps to this process consist of the following:

• CFIUS sends the person subject to enforcement (the “Subject Person”) a notice of penalty, including a written explanation of the conduct subject to penalty and the amount of any monetary penalty to be imposed. The notice will state the legal basis for concluding that the conduct constitutes a violation and may set forth any aggravating and mitigating factors that the Committee considered.
• The Subject Person may, within 15 business days of receipt of a notice of penalty, submit a petition for reconsideration to the CFIUS Staff Chairperson, including any defense, justification, mitigating factors, or explanation. Upon a showing of good cause, this period may be extended by written agreement between the Staff Chairperson and the Subject Person.
• If a petition for reconsideration is timely received, CFIUS will consider it before issuing a final penalty determination within 15 business days of receipt of the petition, which may be extended by written agreement between the Staff Chairperson and the Subject Person.
• If no petition for reconsideration is timely received, CFIUS ordinarily will issue a final penalty determination in the form of a notice to the Subject Person.

Conclusion

The recent Guidelines go beyond previously limited information available on the Committee’s enforcement practices. Many of the practices, particularly those pertaining to self-disclosures and penalty determinations, mirror those of other agencies that enforce related national security laws. Similar to the guidelines issued by the other agencies, the Committee’s recent Guidance signals an intent to pursue well-defined enforcement objectives. Parties subject to mitigation measures or involved in transactions subject to CFIUS jurisdiction should therefore take heed of the Guidelines, ensure familiarity with respective legal obligations, and implement appropriate compliance policies, processes, and training.

[1] CFIUS Enforcement and Penalty Guidelines (October 20, 2022), available at https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-enforcement-and-penalty-guidelines

[2] 31 C.F.R. parts 800 and 802.

[3] 31 C.F.R. § 800.901(b).

[4] 31 C.F.R. §§ 800.901(c) and (d).

[5] 31 C.F.R. § 800.901(a).

[6] Treasury Releases CFIUS Enforcement and Penalty Guidelines (October 20, 2022), available at https://home.treasury.gov/news/press-releases/jy1037

[7] CFIUS assessed a civil penalty of $750,000 in 2019 for violations of a 2018 CFIUS interim order, including a failure to restrict and adequately monitor access to protected data, as defined in the order; and imposed a $1,000,000 civil penalty in 2018 for repeated breaches of a 2016 CFIUS mitigation agreement, including a failure to establish requisite security policies and failure to provide adequate reports to CFIUS.

[8] CFIUS – Annual Report to Congress – CY 2021 (August 2, 2022), available at https://home.treasury.gov/system/files/206/CFIUS-Public-AnnualReporttoCongressCY2021.pdf

31 C.F.R. §§ 800.901 and 802.901.

[9] 31 C.F.R. §§ 800.901 and 802.901.