Treasury Department Issues First-Ever CFIUS Enforcement and Penalty Guidelines

November 2, 2022

On October 20, 2022, the U.S. Department of the Treasury (“Treasury”), in its position as Chair of the Committee on Foreign Investment in the United States (“CFIUS”), the interagency committee authorized to review certain transactions involving non-U.S. investment into the United States, issued its first-ever enforcement and penalty guidelines (the “Guidelines”) for a violation of the CFIUS regulations (31 C.F.R. Parts 800-802). The Guidelines provide background and context with respect to the CFIUS enforcement process and a non-exhaustive list of aggravating and mitigating factors that CFIUS will consider in any enforcement action. [i]

In issuing the Guidelines, Treasury noted the importance of prompt and complete self-disclosure of any conduct that may constitute a violation of the CFIUS regulations and established a self-disclosure mechanism. The Guidelines do not, however, include penalty mitigation or other concrete incentives that appear in other Treasury regulatory regimes (e.g., economic sanctions regulations). The issuance of the Guidelines may reflect a decision by CFIUS to increase its use of the enhanced enforcement authorities provided to it under the Foreign Investment Risk Review Modernization Act (“FIRRMA”), particularly in the context of violations of CFIUS mitigation agreements, failures to make mandatory filings, and material factual misstatements or omissions. The Guidelines also offer more transparency with respect to the CFIUS enforcement and penalty process, which has historically been opaque.

Three Categories of Conduct that may Constitute a Violation

The Guidelines identify three types of conduct subject to CFIUS enforcement and penalties. The Guidelines specifically note, however, that not all violations will necessarily result in an enforcement action or penalties, and that CFIUS will exercise its enforcement discretion in light of certain aggravating and mitigating factors.

The types of conduct that constitute a violation of the CFIUS regulations that may result in enforcement are:

  1. The failure to submit a mandatory declaration or notice;
  2. Engaging in conduct that is prohibited by or otherwise fails to comply with CFIUS mitigation agreements, conditions, or orders (collectively, “CFIUS Mitigation”); and
  3. Material misstatements or omissions in information filed with CFIUS, and false or materially incomplete certifications filed in connection with assessments, reviews, investigations, or CFIUS Mitigation, including information provided during informal consultations or in response to requests for information.

Sources of Information on which CFIUS Relies

The Guidelines note that, in determining whether a violation of the CFIUS regulations has occurred, CFIUS considers information from a variety of sources, including from across the U.S. government, publicly available information, third-party service providers (e.g., auditors or monitors), tips, transaction parties, and filing parties.

The Guidelines highlight information that may come from the parties to a transaction or filings themselves as a particular focus of CFIUS, including:

  1. Responses to Requests for Information. CFIUS often requests information from relevant parties and may consider a party’s cooperation with such requests to be a mitigating factor in an enforcement action related to the information sought.
  2. Self-Disclosures. The Guidelines include the first-ever discussion of voluntary self-disclosures regarding potential violations of the CFIUS regulations and note that the timely self-disclosure of potential violations of the CFIUS regulations (including CFIUS Mitigation) would generally be considered to be a mitigating factor.
  3. Tips. The Guidelines actively encourage the reporting of any tips regarding potential violations of the CFIUS regulations to CFIUS and provide email and phone contacts to report such tips to CFIUS.

Penalty Process

The Guidelines note that, as required by the CFIUS regulations, prior to taking an enforcement action, CFIUS will send the target of the action a notice of penalty, which must include a written explanation of the violation, the amount of the proposed monetary penalty, and any aggravating and mitigating factors that CFIUS has considered. The Guidelines note that the recipient of a notice of penalty may, within 15 business days of receiving the notice, submit a petition for reconsideration to the CFIUS Staff Chairperson, including any defense, mitigating factors, or explanation. CFIUS must then consider the issues raised and issue a final penalty determination within 15 business days following the receipt of a petition for reconsideration.

Aggravating and Mitigating Factors

The Guidelines state that, when determining any appropriate penalty in response to an identified violation, CFIUS will engage in a “fact-based analysis in which it weighs aggravating and mitigating factors” and that the weight CFIUS may give to any factor will “necessarily vary depending upon the particular facts and circumstances” surrounding the conduct at issue. 

The Guidelines include a non-exhaustive list of potential aggravating and mitigating factors that CFIUS may consider, depending upon the facts and circumstances of a given violation, including:

  1. Accountability for the violative conduct (the impact of the enforcement action on protecting national security and/or holding violative parties accountable for their actions and incentivizing future compliance with the CFIUS regulations);
  2. Harm (whether and the extent to which the violative conduct impacted U.S. national security);
  3. Negligence, awareness, and intent (the extent to which the conduct was the result of simple negligence, gross negligence, intentional action, or willfulness as well as whether there were any efforts to conceal the violation or delay the sharing of relevant information regarding the violation with CFIUS);
  4. Persistence and timing (the length of time that a violative party had been aware, or had reason to be aware, of a potential violation prior to CFIUS becoming aware of the violation);
  5. Response and remediation (whether the violative party self-disclosed the violation, whether the violative party cooperated fully in the CFIUS investigation, and whether the violative party performed a root cause analysis regarding the violation and took appropriate remedial actions to prevent future violations); and
  6. Sophistication and past record of compliance (including the violative party’s history and familiarity with CFIUS, its past compliance with CFIUS Mitigation, and its internal and external resources dedicated to compliance).


Although the Guidelines state that they are not binding and may be updated in the future, their issuance suggests that CFIUS intends to make use of the enhanced enforcement authorities conferred on it by FIRRMA to strengthen enforcement of the CFIUS regulations, particularly with regard to compliance with CFIUS Mitigation. To date, CFIUS has announced only two penalty actions: (1) a $1 million civil penalty imposed in 2018 for repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS; and (2) a $750,000 civil penalty imposed in 2019 for violations of a 2018 CFIUS interim order, including failure to restrict and adequately monitor access to protected data. CFIUS has authority under FIRRMA to impose substantially higher penalties, including civil fines up to the value of a given transaction for failure to make a mandatory CFIUS filing and for violating a CFIUS mitigation agreement or order. With such potential penalties in the background, the Guidelines highlight the importance of non-U.S. investors and their U.S. targets performing appropriate CFIUS diligence in transactions, particularly to determine whether a mandatory filing is triggered, and for all parties subject to CFIUS Mitigation to devote appropriate resources to ensure compliance with such CFIUS Mitigation. 

We will continue to monitor enforcement actions taken and guidance issued by CFIUS and provide further updates as appropriate.

* * *


[i] U.S. Dep’t of the Treasury, “CFIUS Enforcement and Penalty Guidelines,” (Oct. 20, 2022), available here.

© 2024 Paul, Weiss, Rifkind, Wharton & Garrison LLP
