Treasury Proposes a “Sharper Scalpel” for CFIUS Enforcement

On April 11, 2024, the U.S. Department of the Treasury (“Treasury”) issued a Notice of Proposed Rulemaking (the “NPRM” or the “proposed rule”) to augment the penalty and enforcement authority of the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”).[1]  The NPRM marks Treasury’s first substantive update to its mitigation and enforcement toolkit since Congress passed the Foreign Investment Risk Review Modernization Act of 2018.[2]

Assistant Secretary for Investment Security Paul Rosen said, “these updates to our enforcement toolkit provide CFIUS with a sharper scalpel to carefully and methodically address violations and protect U.S. national security.”[3]  As discussed below, the proposed rule signals that CFIUS is increasing its focus on monitoring and enforcement, especially with respect to “non-notified” transactions.[4]  Notably, the NPRM also considers implementing an extendable, three-day period for parties to submit substantive responses to proposed mitigation terms.

Information Collection Authorities
Although CFIUS has statutory authority to issue subpoenas, it historically has not exercised this authority.[5]  In the 2022 Enforcement and Penalty Guidelines (the “2022 Guidelines”), CFIUS signaled that it intended to utilize that authority more regularly, highlighting that “[w]hen necessary and appropriate to gather information, CFIUS may use the subpoena authority[.]”[6] The NPRM builds on the 2022 Guidelines by expanding the circumstances where CFIUS could utilize its subpoena authority.

First, the NPRM proposes to expand the types of information CFIUS can require parties to submit related to “non-notified transactions.”  While the current regulations permit CFIUS to make requests to determine whether a non-notified transaction is covered (i.e., subject to the jurisdiction of CFIUS), “they do not expressly address requests for information that would enable the Committee to determine whether a transaction meets the criteria for a mandatory declaration under section 800.401, nor do they expressly address requests for information that would enable the Committee to determine whether a transaction may raise national security considerations.”[7]  The NPRM would permit CFIUS to “request information from transaction parties and other persons related to whether a transaction may raise national security considerations and . . . information as to whether a transaction meets the criteria for a mandatory declaration[.]”[8]  The proposed rule would similarly “require[] transaction parties and other persons to respond to such requests for information.”[9]  The NPRM contemplates that this would enable CFIUS to engage in “preliminary fact-finding relevant to potential national security considerations prior to receiving a formal notice” and that “the information it receives can inform the decision of whether and when to request the submission of a notice.”[10]

Second, the proposed rule would grant CFIUS expanded authority to require parties to provide the Committee with information where (i) “the Committee seeks information to monitor compliance with or enforce the terms of a mitigation agreement, order, or condition,” and (ii) “when it seeks information to determine whether the transaction parties had made a material misstatement or omitted material information.”[11]  While CFIUS “currently requests information in both circumstances, . . . the regulations do not expressly obligate parties to respond.”[12]

Third, while the current regulations permit the use of subpoena authority when it is “deemed necessary by the Committee,” the proposed rule would permit the utilization of a subpoena when it is “deemed appropriate by the Committee.”[13]  The proposed rule contemplates that this “will enhance operational efficiency.”[14]

Increasing Penalties
The NPRM would also expand the circumstances in which a civil monetary penalty may be imposed due to a party’s material misstatement and omission.  This would include circumstances “when the material misstatement or omission occurs outside a review or investigation of a transaction and when it occurs in the context of the Committee’s monitoring and compliance functions.”[15]

In addition, the NPRM would increase the maximum civil penalty amount from $250,000 per violation to:

• $5,000,000 per violation under sections 800.901(a) and 802.901(a);
• the greater of $5,000,000 or the value of the transaction per violation under section 800.901(b); and
• the greater of $5,000,000 or the value of the transaction (or the value of the party’s interest in the U.S. business at the time of the violation or time of the transaction) per violation under sections 800.901(c) and 802.901(b).[16]

CFIUS will calculate the value of transactions “through, for example, audited financial statements or other industry standard methods of valuation.”[17]  For violations of mitigation agreements or conditions (800.901(c) and 802.901(b)), “the proposed rule would further allow for the maximum penalty to be determined by reference to a person’s interest in a U.S. business at the time of the violation or the transaction.”[18]  The maximum penalty could, therefore, be greater than the value of the transaction.  According to the NPRM, this methodology “would provide an additional deterrent or penalty in the case of certain transactions valued at less than $5,000,000.”[19] 

Under the proposed rule, the Committee would retain discretion to “determine the appropriate penalty in individual cases, similar to other Federal enforcement regimes.”[20]  In doing so, the Committee “will continue to take into account the specific facts and circumstances of the violation and relevant aggravating and mitigating factors as identified in the Committee’s Enforcement and Penalty Guidelines.”[21]

CFIUS reasons that the current regulations only apply to material misstatements or omissions in declarations and notices.  The NPRM builds on these penalties by putting teeth in enforcement penalties relating to material misstatements and omissions for CFIUS requests for information related to non-notified transactions, certain responses to CFIUS requests for information related to monitoring and enforcement, and other responses to CFIUS requests for information (e.g., agency notices).

CFIUS assesses that its current penalty matrix (up to $250,000 or the value of the transaction) “may not sufficiently deter or penalize certain violations.”[22]  For example, according to CFIUS, if a transaction has a relatively low valuation (or even no valuation) then “the value of the transaction” becomes inappropriate from an enforcement perspective, and the ceiling of $250,000 per violation is in many instances an insufficient deterrent or penalty.[23]

Penalty Process
Finally, the proposed rule would extend the time for parties to petition for reconsideration after a penalty is imposed.  Under the current regulations, the subject person has 15 days to petition after receiving notice of a penalty.  The Committee then has 15 business days to assess the petition and issue a final penalty determination.  The proposed rule would extend both time frames to 20 business days.[24]

Transaction Review
According to the NPRM, “for the Committee to complete an investigation of a transaction within the time prescribed by statute (i.e., 45 days), it is incumbent upon parties to respond to Committee proposals of terms to mitigate identified national security risks in a timely manner.”[25]  The current regulatory framework does not require transaction parties to respond to CFIUS comments in the context of mitigation agreements within a specific time frame.[26]  The NPRM seeks to address this by implementing an extendable three-day period for parties to submit substantive responses to proposed mitigation terms.  The Committee would expect a response to “consist of acceptance of the terms, a counterproposal, or a detailed statement of reasons that the party or parties cannot comply with the proposed terms, which may also include a counterproposal.”[27]

This expedited timeline further emphasizes the need for parties to proactively think about and place a premium on potential mitigation before making a filing, as the NPRM will make CFIUS comments in the context of mitigation agreements particularly challenging to respond to.  This is because responses to mitigation agreements require considerably more strategic planning with respect to a company’s corporate structure and costs, among other considerations.

*       *       *

[1]        Amendments to Penalty Provisions, Provision of Information, Negotiation of Mitigation Agreements, and Other Procedures Pertaining to Certain Investments in the United States by Foreign Persons and Certain Transactions by Foreign Persons Involving Real Estate in the United States (the “NPRM” or the “proposed rule”), available here.

[2]        Once the NPRM is officially published, interested parties will have 30 days to submit comments.  See NPRM, at 1.

[3]        Hans Nichols, Scoop: Treasury wants “sharper scalpel” to dissect foreign investment, Axios (Apr. 11, 2024), available here.

[4]        A “non-notified transaction” is defined in the NPRM as a covered transaction for which no notice or declaration has been submitted to the Committee.  

[5]        50 U.S.C. § 4555(a); 31 CFR § 800.801.

[6]        U.S. Dep’t of Treasury, CFIUS Enforcement and Penalty Guidelines, available here.

[7]        NPRM at 6.

[8]        Id.

[9]        Id.

[10]       Id. at 7.

[11]       Id.

[12]       Id. at 8.

[13]       Id.

[14]       Id.

[15]       U.S. Dep’t of Treasury, Treasury Proposes Regulatory Update to Sharpen and Enhance CFIUS Procedures and Enforcement Authorities to Protect National Security (Apr. 11, 2024), available here.

[16]       According to the NPRM, “[t]hese changes would apply to violations that occur on or after the effective date of the final rule making the amendments with respect to sections 800.901(a) and (b) and 802.901(a). With respect to sections 800.901(c) and 802.901(b), the changes would apply to mitigation agreements entered into, conditions imposed, and orders issued on or after the effective date of the final rule making the amendments.”  See NPRM, at 11.

[17]       NPRM at 11.

[18]       Id. at 12.

[19]       Id.

[20]       Id. at 13.

[21]       Id.

[22]       Id. at 11.

[23]       Id.

[24]       Id. at 14.

[25]       Id. at 8.

[26]       Parts 800 and 802 do, however, require parties to respond to follow-up information requested by the Staff Chairperson generally within two or three business days of the request.  The NPRM is focused on addressing the absence of a similar requirement in the context of proposed mitigation terms.

[27]       NPRM at 9.