CFIUS Issues First-Ever Enforcement and Penalty Guidelines

by Ryan Fayhee, Roy Liu, Tyler Grove, Anna Hamati, John Hannon, and Marcus Yu.

On October 20, 2022, the U.S. Department of the Treasury, as chair of the Committee on Foreign Investment in the United States (“CFIUS”), released the first-ever CFIUS Enforcement and Penalty Guidelines. CFIUS’s mandate is to identify and mitigate national security risks while maintaining the U.S.’s open foreign investment environment. Frequently it enters into mitigation agreements with parties to transactions; at other times it imposes mitigation conditions or orders (“CFIUS Mitigation”). These Guidelines provide the public with information on how the Committee assesses violations of the laws and regulations that govern relevant transactions, including violations of CFIUS mitigation agreements.

Specifically, the Guidelines describe three categories of conduct that may constitute a violation of an entity’s CFIUS obligations, the process the Committee generally follows in imposing penalties, and some of the factors it considers in determining whether a penalty is warranted and the scope of any such penalty, as well as the importance of self-disclosure of any conduct that may constitute a violation. The CFIUS authorizing statute, Section 721 of the Defense Production Act of 1950 (Section 721), allows CFIUS to impose monetary penalties and seek other remedies for violations of Section 721, the CFIUS regulations, and any mitigation orders, conditions, or agreements imposed by CFIUS. The Guidelines also highlight that CFIUS may use its subpoena authority to compel information from parties, and that CFIUS may also refer prohibited conduct to other U.S. government authorities, which may result in additional civil and/or criminal enforcement penalties depending on the nature of the misconduct.

The Guidelines

The Guidelines address the following four topics: Types of Conduct That May Constitute a Violation, Sources of Information on Which CFIUS Relies, the Penalty Process, and Aggravating and Mitigating Factors. Below, we summarize each of the four categories:

I. Types of Conduct That May Constitute a Violation – this section outlines three types of acts or omissions that may constitute a violation:

    • Failure to File: failure to timely submit a mandatory declaration or notice;
  •  
    • Non-Compliance with CFIUS Mitigation: conduct that is prohibited or otherwise fails to comply with CFIUS mitigation agreements, conditions, or orders; and
  •  
    • Material Misstatement, Omission, or False Certification: Material misstatements in or omissions from information filed with CFIUS, and false or materially incomplete certifications filed in connection with assessments, reviews, investigations, or CFIUS Mitigation, including information provided during informal consultations or in response to requests for information.

Notably, the Guidelines state that while a violation will not necessarily lead to a penalty or other remedy under Section 721, CFIUS intends to exercise its discretion in determining when a penalty is appropriate, including by considering applicable aggravating and mitigating factors.

II. Sources of Information on which CFIUS Relies – this section outlines the variety of sources CFIUS considers in determining whether a violation has occurred. CFIUS considers information from a wide array of sources, including the U.S. government, publicly available information, third-party providers (such as auditors and monitors), tips, filing parties, and others.

    • Requests for Information: CFIUS frequently requests information to support its monitoring of compliance with CFIUS Mitigation, as well as to investigate potential violations. The Guidelines note that CFIUS will consider the target entity’s cooperation with requests for information to determine its course of action. Parties may also choose to provide exculpatory evidence, defenses, justifications, mitigating factors, or explanations in response to CFIUS requests.
  •  
    • Self-Disclosures: The Guidelines set up, for the first time, a mechanism to self-disclose violations to CFIUS. CFIUS encourages persons who engaged in violative conduct to submit a timely self-disclosure, even if not required by CFIUS regulations. The Guidelines note that they will consider a self-disclosure in determining the appropriate response to a violation. The Guidelines also highlight that if the discovery of conduct that may constitute a violation requires further investigation, the subject person may follow up an initial self-disclosure with a more detailed one.
  •  
    • Tips: CFIUS also encourages the public to submit tips, referrals, or other relevant information related to potential CFIUS reporting violations to CFIUS.tips@treasury.gov.

III. Penalty Process – this section highlights the process for considering and imposing penalties in the regulations, and notes the following three key steps in the penalty process:

    • Notice: CFIUS sends the person a notice of the penalty, which will include a written explanation of the conduct to be penalized, the amount of any monetary penalty, and the legal basis for concluding that the conduct constitutes a violation. The notice may also contain any aggravating and mitigating factors CFIUS considered.
  •  
    • Petition for Reconsideration: The target entity may submit a petition for reconsideration to the CFIUS Staff Chairperson within 15 business days of receipt of the notice of penalty. The petition may include any defense, justification, mitigating factors, or explanation, and the 15-day period may be extended by written agreement if the party demonstrates good cause for delay.
  •  
    • Petition for Reconsideration Consideration: If a petition for reconsideration is timely received, CFIUS will consider it before issuing a final penalty determination within 15 business days of receipt of the petition, which may be extended.
      1. Final Penalty Determination: If no petition for reconsideration is received, CFIUS will typically issue a final penalty determination in the form of a notice to the party.

IV. Aggravating and Mitigating Factors – this section highlights how CFIUS engages in a fact-based analysis in which it weighs aggravating and mitigating factors in determining an appropriate penalty. Some factors that CFIUS may consider in determining an appropriate response to a violation are outlined in the non-exhaustive list below:

    • Accountability and Future Compliance: the impact of the enforcement action on ensuring that the target entity is held accountable and to incentivize future compliance;
  •  
    • Harm: the extent to which the conduct impaired or threatened to impair U.S. national security;
  •  
    • Negligence, Awareness, and Intent: the extent to which the conduct was the result of negligence or willfulness; whether the target entity made an effort to conceal information from CFIUS; and the seniority of personnel that knew or should have known about the conduct;
  •  
    • Persistence and Timing: whether the target entity became aware or had a reason to be aware of the violation; the time it took the company to report such conduct to CFIUS; the frequency and duration of the conduct; and (for certain violations) the date of the transaction at issue and the length of time since CFIUS mitigation was imposed;
  •  
    • Response and Remediation: whether the entity submitted a self-disclosure and cooperated in the investigation; the promptness and adequacy of any remedial steps taken; and whether there was an internal review of the consequences of the conduct to prevent its reoccurrence; and
  •  
    • Sophistication and Record of Compliance: the target entity’s history and familiarity with CFIUS, its prior compliance with CFIUS mitigation requirements, its resources dedicated to compliance with its legal obligations, policies and procedures in place to prevent certain conduct, variation in the consistency of compliance, the compliance culture that exists within the company, the experience of other authorities with knowledge of the target entity’s compliance with legal obligations, and in the case of a violation of CFIUS mitigation, the extent to which the target entity implemented compliance policies or training.

Concurrently with Treasury’s publication of the Guidelines, Assistant Secretary of the Treasury for Investment Security Paul Rosen said in a statement, “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”

Any entities engaging in or planning to engage in any transactions which require compliance with CFIUS regulations – including companies engaging in transactions potentially subject to a mandatory declaration requirement as well as companies with an existing mitigation agreement – should familiarize themselves with the new Guidelines and raise any questions about their obligations under the law. Companies that have previously engaged in transactions subject to CFIUS jurisdiction but did not conduct CFIUS risk assessment also should carefully evaluate the new voluntary disclosure mechanisms. Treasury’s recent actions signal that enforcement actions are likely to come in this space, and the public should take steps to ensure they are in compliance with the relevant laws or, if appropriate, mitigate potential violations in the past.

This article was first published as a Client Advisory by Hughes Hubbard & Reed LLP. Ryan Fayhee and Roy Liu are partners; Tyler Grove is counsel; and Anna Hamati, John Hannon, and Marcus Yu are associates at Hughes Hubbard & Reed LLP.

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.