CFIUS Pulls Back the Curtain (A Little) with New Enforcement and Penalty Guidelines
- On October 20, 2022, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) released a memorandum (the “CFIUS Enforcement Memo”) summarizing enforcement procedures and penalties in 31 C.F.R. Parts 800 and 802 (the “CFIUS Regulations”).
- As CFIUS becomes increasingly active—2021 was the Committee’s busiest year on record and 2022 remains on pace—transaction parties should be alert to increased enforcement with respect to breaches regarding: (i) misstatements to CFIUS, (ii) mandatory filing obligations, and (iii) mitigation agreements.
- As seen in the data contained in the Committee’s recent annual reports (which we cover here and here), CFIUS is increasing both its use of mitigation agreements and its commitment to review “non-notified” transactions. Although increased activity may not correlate directly to increased enforcement, it may foreshadow what is to come.
- The bottom line: the CFIUS Enforcement Memo highlights the importance of not only including CFIUS considerations during the transaction due diligence process, but also ensuring that when mitigation measures are imposed, the parties have an effective compliance program in place to ensure compliance with applicable obligations.
CFIUS is an interagency committee, principally comprising nine members and chaired by the Secretary of the Treasury, which has broad powers to review foreign investments in and acquisitions of U.S. businesses to determine the potential impact on U.S. national security. The Committee has the authority to impose mitigation measures, suspend transactions and, where appropriate, recommend that the President block or unwind transactions.
CFIUS has broad authority (expanded in recent years by the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”)) to review transactions involving U.S. businesses and foreign investors, including:
- Mergers, acquisitions, and takeovers that could result in a non-U.S. person acquiring control (defined broadly) of a U.S. business;
- Certain non-controlling investments by non-U.S. persons in U.S. businesses associated with critical technology, critical infrastructure, and sensitive personal data (with mandatory filing requirements for transactions involving certain U.S. businesses dealing in critical technologies or non-U.S. persons affiliated with foreign governments); and
- Transactions involving the purchase or lease by, or concession to, a non-U.S. person of certain U.S. real estate that might raise national security concerns.
Under the CFIUS Regulations and as described in the CFIUS Enforcement Memo, there are three types of conduct that can result in a penalty being imposed:
- The submission of a declaration or notice containing a material misstatement or omission or making a false certification to the Committee;
- Failing to file a mandatory declaration or notice; and
- Failing to comply with a material provision of a mitigation agreement.
For each violation, CFIUS is authorized to enforce and subsequently impose a civil penalty up to $250,000 or the value of the transaction (whichever is greater).
Historically, CFIUS has revealed little with respect to its enforcement activities other than disclosing a single enforcement action in each of 2018 and 2019. The 2018 enforcement action concerned what was described as a “repeated” breach of a mitigation agreement, including failure to establish the necessary security policies and provide the necessary reports thereunder to CFIUS, and resulted in a $1 million penalty. The 2019 enforcement action involved the violation of the terms of an interim order (i.e., the immediate mitigating measures put in place while a formal mitigation agreement was negotiated) and resulted in a $750,000 penalty.
The Committee’s most recent Annual Report to Congress for FY2021 (the “Annual Report”) provides insights into the current (and increasingly aggressive) climate at CFIUS as well as areas of future enforcement priority. For example, consider the Committee’s use of mitigation measures. In 2021, CFIUS required mitigation measures in 31 cases (or 11% of cases overall). Examples of negotiated mitigation included the following:
- Prohibiting or limiting the transfer or sharing of certain intellectual property, trade secrets, or know-how;
- Establishing guidelines and terms for handling existing or future U.S. Government (“USG”) contracts, USG customer information, and other sensitive information;
- Ensuring that only authorized persons have access to certain technology, that only authorized persons have access to USG, company, or customer information, and that the non-U.S. acquirer not have direct or remote access to systems that hold such information;
- Establishing a Corporate Security Committee and other mechanisms to ensure compliance with all required actions, including the appointment of a USG-approved security officer or member of the board of directors and requirements for security policies, annual reports, and independent audits;
- Ensuring that only U.S. citizens handle certain products and services, and ensuring that certain activities and products are located only in the United States;
- Exclusion of certain sensitive assets from the proposed transaction;
- Prior notification to and approval from relevant U.S. government parties in connection with any increase in ownership or rights by the non-U.S. acquirer; and
- Divestiture of all or part of the U.S. business.
While we do not yet have a complete set of data from 2022, Committee officials have acknowledged in public statements that CFIUS has continued (and even increased) its use of mitigation measures to address perceived national security risks. As the Committee increases the use of this tool, it is possible that there will be greater enforcement with respect to potential breaches.
Another area to watch is non-notified transactions. One of the overarching changes under FIRRMA was the strengthening and broadening of the Committee’s authority to review so-called “non-notified/non-declared” transactions, meaning transactions that technically fall within CFIUS’ jurisdiction but were not presented by the transaction parties to the Committee for review. According to the Annual Report, CFIUS requested information regarding 135 “non-notified/non-declared” transactions in 2021, resulting in eight formal requests for a filing. As the Committee continues to pursue non-notified transactions, there may be a corresponding increase in enforcement actions if CFIUS takes the view that some non-notified transactions were subject to mandatory filing obligations.
CFIUS Enforcement Memo Highlights
The Penalty Process
As articulated in the CFIUS Enforcement Memo, there are four steps in the Committee’s penalty process. Excluding possible extensions, the entire penalty process spans 30 business days.
- The Committee sends a notice of penalty to the party in violation, including a written explanation of the violating conduct and the proposed amount of any monetary penalty to be imposed. The notice may also set forth any aggravating and/or mitigating factors relevant to the violation at hand (these factors are described below).
- Within 15 business days of receipt of the notice of penalty, the party in violation can submit a petition for reconsideration to CFIUS. The petition can include any defense, justification, mitigating factors, or explanation that the party desires to use in support of the Committee’s reconsideration. The Committee may extend the 15-day petition period upon the showing of good cause.
- If a petition for reconsideration is submitted to the Committee within the statutory timeframe, CFIUS will consider the petition before issuing its final penalty determination. The final penalty determination will be issued within 15 business days of receipt of a petition for reconsideration (unless CFIUS chooses to extend this timeline).
- Once the petition for reconsideration process has run its course, CFIUS will issue a final penalty determination to the party in violation.
Aggravating and Mitigating Factors
The CFIUS Enforcement Memo makes clear that the Committee approaches each penalty determination with a fact-based analysis, including the consideration of multiple aggravating and mitigating factors. The weight given to any factor changes depending on the facts and circumstances giving rise to the violation. It is noteworthy that the Committee gives great weight to a strong compliance culture and a party’s timeliness with respect to self-disclosures. The factors to be considered by the Committee are summarized below.
Scoping Potential Violations
CFIUS will consider a multitude of factors at the outset of any penalty determination. The goal of the Committee is to hold a party accountable for a violation, and institute a penalty that promotes future compliance. In the same vein, the Committee will examine how a violation impaired or threatened to impair U.S. national security, consider the extent of a party’s negligence, the party’s intent to conceal or withhold information, and how long it took for a party to gain knowledge of the violation. For certain instances in which there is a violation of existing mitigation measures or a party failed to file, the Committee will also examine the amount of time that elapsed since the establishment of mitigation measures or the entry into the transaction, as applicable.
Response & Remediation
The CFIUS Enforcement Memo emphasizes the importance of timeliness in several aspects, especially with respect to self-disclosure. From there, the Committee considers a party’s cooperation while it is under investigation. CFIUS will also examine how quickly a party remediated the conduct that caused the violation and what further action a party took to prevent recurrence of the conduct.
Record of Compliance
The Committee will also consider a party’s history with CFIUS and other government authorities (at any level), along with a party’s familiarity with CFIUS, in its approach to penalties. CFIUS analyzes a party’s compliance practices (e.g., trainings, policies, and procedures), resources dedicated to compliance, and the consistency of compliance among all ranks of a party’s employees. In instances in which there is a violation of a mitigation measure, the Committee will review a party’s prior compliance with other mitigation agreements/measures, and what processes a party incorporated into the workplace to prevent the violative conduct. If a security officer is involved, the Committee will also consider the sufficiency of the officer’s authority, role, access, and independence.
Given the continued uptick in the Committee’s review activity, its imposition of mitigation measures, and its outreach to parties of non-notified transactions, a sophisticated CFIUS strategy can make a significant difference. Parties contemplating transactions involving foreign investments in U.S. businesses should evaluate CFIUS considerations early in the transaction process and ensure that if mitigation measures are imposed there is an actionable compliance program developed to oversee compliance with the parties’ obligations. As the Committee has made clear, the cost for not doing so may be more than reputational.
Dechert has represented many clients through CFIUS reviews, including major operators and investors in the industries surrounding high tech, telecommunications, energy, defense, and infrastructure. We regularly advise foreign and domestic entities (“buyers” and “sellers,” as well as other interested third parties) through the CFIUS review process, helping them determine whether or not to bring a transaction before the Committee (and whether or not CFIUS review is required), to assemble the required information and materials for a filing, and then (as necessary) to negotiate national security agreements with CFIUS in a manner that minimizes both delay and the imposition of conditions that might threaten the transaction. We also advise on strategies for identifying and addressing political and policy considerations that may arise.