CFIUS Issues Enforcement and Penalty Guidelines
By Keith R. Fisher
On October 20, 2022, the Committee on Foreign Investment in the United States (“CFIUS”), for the first time during its approximately 50-year existence, issued Enforcement and Penalty Guidelines (the “Guidelines”). CFIUS is an interagency body created in the 1970s responsible for reviewing and making recommendations to the president on the national security implications of foreign investments in U.S. companies. (The CFIUS review process, in fact, focuses solely on national security concerns). CFIUS operates pursuant to authority conferred by section 721 of the Defense Production Act of 1950, as amended (“Section 721”), as implemented by Executive Order 11858, as amended. The U.S. Treasury Department has promulgated regulations to implement the CFIUS regime, and Treasury’s Office of Investment Security (“OIS”) administers those regulations.
Section 721 authorizes CFIUS to impose monetary penalties and seek other remedies (e.g., directed notices, action plans) for violations of Section 721, the regulations promulgated thereunder, or any mitigation orders, conditions, or agreements pursuant thereto. The new Guidelines focus on three categories of potentially unlawful conduct: (1) failure to make mandatory CFIUS filings, (2) noncompliance with CFIUS mitigation agreements, conditions, or orders, and (3) material misstatements in or omissions from information filed with CFIUS, including during informal consultations or in response to agency requests for information, and false or materially incomplete certifications provided to CFIUS.
Violations falling within categories (1) or (2) can result in a civil money penalty of up to $250,000 or 100% of the value of the transaction, whichever is greater. Violations falling within category (3) carry only a maximum civil penalty of $250,000, except that agreements entered into with CFIUS that contain mitigation conditions can specify additional amounts as liquidated damages.
Historically, CFIUS’s enforcement activities have not been extensive. Since enactment of the Foreign Risk Review Modernization Act as part of the National Defense Authorization Act of 2018, however, the focus on compliance has significantly increased.
In describing the process by which CFIUS learns of violations, the Guidelines identify various sources of information, including tips from informants, self-reporting (the importance of which as a mitigating factor is underscored in the Guidelines), requests by the agency for information from parties to a transaction or to mitigation agreements, as well as the potential exercise of the agency’s subpoena power. Violations will not invariably lead to imposition of a penalty, but the Guidelines describe the agency’s evaluation process as consisting of two phases. First, the agency will issue to a party alleged to have committed a violation a notice describing the factual predicate, the amount of the proposed penalty, and, where appropriate, a description of any aggravating or mitigating circumstances CFIUS has considered. Second, the recipient of the notice will have 15 business days to file a petition for reconsideration, which can include a discussion of any defenses, justifications, mitigating factors, or other explanatory material. If no such petition is submitted within the requisite timeframe, CFIUS will issue a final determination of the penalty; if such a petition is timely submitted, CFIUS then has 15 business days (which can be enlarged, if necessary) within which to consider the submission and issue a final penalty determination.
The Guidelines identify a non-exhaustive list of aggravating and mitigating factors CFIUS may consider:
- Accountability and Future Compliance: how the enforcement action will promote national security, ensure that parties are held accountable for their conduct, and incentivize future compliance with Section 721 and the CFIUS regulatory regime.
- Harm: the extent to which the conduct harmed or threatened U.S. national security.
- Negligence, Awareness, and Intent: assessing the level of fault in terms of simple negligence, gross negligence, intentional action, or willful misconduct, including an assessment of whether the party attempted to conceal pertinent information or delay sharing it with CFIUS.
- Persistence and Timing: how long a violating party knew or should have known of the violation prior to CFIUS becoming aware of it, and the frequency and duration of the conduct underlying the violation.
- Response and Remediation: the violating party’s mitigation and remediation efforts, including whether there was self-disclosure of the violation (and the timeliness, nature, and scope of any such disclosure), as well as the party’s cooperation with CFIUS.
- Sophistication and Record of Compliance: relevant factors include (i) the violating party’s history and familiarity with CFIUS (including past compliance with CFIUS mitigation measures); (ii) the party’s compliance policies, procedures, and resources; (iii) the experience of other federal, state, local, and foreign authorities with the party’s compliance efforts; and (iv) in the case of compliance with CFIUS mitigation measures, the adequacy of the authority, access, and role of the appropriate security or compliance officers.