The CFIUS Colossus: CFIUS’s Expanding Authority Changes the Risk Calculus for M&A Transactions

by Stephenie Gosnell Handler, Michelle Weinbaum, Mason Gauch, and Chris Mullen

Photos of the authors

Left to right: Stephenie Gosnell Handler, Mason Gauch, and Chris Mullen. (Photos courtesy of Gibson Dunn & Crutcher LLP)

A new final rule from the U.S. Department of the Treasury will expand CFIUS’s authority to request information from parties related to a transaction, increases potential penalty amounts, and expedites mitigation agreement negotiations in certain situations. With the exception of modifying the time frame within which parties are required to respond to mitigation agreement proposals, CFIUS largely adopted the language of its April 2024 proposed rule.

On November 18, 2024, the U.S. Department of the Treasury (“Treasury”), as Chair of the Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”) issued a final rule largely codifying a rule proposed in April 2024, with only a handful of small, yet meaningful, changes. As noted in the accompanying press release, the final rule:

  1. Expands the types of information CFIUS can require transaction parties and other persons to submit in the process of reviewing non-notified transactions;
  2. Allows the CFIUS Staff Chairperson to set, as appropriate, a timeline for transaction parties to respond to risk mitigation proposals for matters under active review to assist CFIUS in concluding its reviews and investigations within the time frame required;
  3. Expands the circumstances in which a civil monetary penalty may be imposed due to a party’s material misstatement and omission, including when the material misstatement or omission occurs outside a review or investigation of a transaction and when it occurs in the context of CFIUS’s monitoring and compliance functions;
  4. Substantially increases the maximum civil monetary penalty available for violations of obligations under the CFIUS statute and regulations, as well as agreements, orders, and conditions authorized by the statute and regulations, and introduces a new method for determining the maximum possible penalty for a breach of a mitigation agreement, condition, or order imposed;
  5. Expands the instances in which CFIUS may use its subpoena authority, including in connection with assessing national security risk associated with non-notified reviews; and
  6. Extends the time frame for submission of a petition for reconsideration of a penalty to CFIUS and the number of days for CFIUS to respond to such a petition.

The final rule, which modifies CFIUS’s current regulations implementing Section 721 of the Defense Production Act (“DPA”), will go into effect 30 days after publication in the Federal Register.

In light of the expanded scope of CFIUS’s enforcement and monitoring powers and the sharp increase in the maximum penalty associated with violations of the CFIUS regulations, transaction parties should carefully evaluate the CFIUS risks when considering potential investments and acquisitions and ensure adherence to any time frames for responding to CFIUS requests.

Finalizing the Proposed Rule: CFIUS’s Expanded Monitoring and Enforcement Capabilities

The final rule largely adopts the provisions set forth in the proposed rule discussed in detail in our previous analysis. We set forth a refresher on these changes below:

1. Expanded Scope of Information Requested in Non-Notified Reviews

The final rule expands the types of information that CFIUS can require transaction parties and other persons to submit, including by issuing subpoenas. In determining whether to issue an information request or subpoena, as appropriate, the Committee will consider a party’s relationship to the relevant transaction. Current regulations permit CFIUS to request transaction parties provide information necessary for the Committee to determine if a non-notified transaction constitutes a “covered transaction” under Part 800 or a “covered real estate transaction” under Part 802 of the CFIUS regulations. The final rule authorizes the Committee to issue requests more broadly to transaction parties and other persons for information to determine if a transaction (i) meets the criteria for a mandatory declaration and/or (ii) raises national security concerns. This expanded scope of information requests will, according to CFIUS, enhance the Committee’s ability to engage in preliminary fact-finding and further help determine whether to request transaction parties submit a declaration or notice for review.

2. Increased Obligations to Provide Information Related to Compliance Monitoring

The final rule also expands CFIUS’s ability to require parties to provide information to the Committee in two situations post-CFIUS review:

  • Monitoring Compliance: Situations in which the Committee requires information to monitor compliance with or enforce the terms of a mitigation agreement, order, or condition; and
  • Material Misstatements or Omissions: Situations in which the Committee seeks information to ascertain whether the transaction parties have made a material misstatement or omitted crucial information during the CFIUS’s review or investigation.

While such information is already routinely requested by the Committee, the final rule formalizes the current practice and explicitly obligates parties to respond. Additionally, the final rule changes the condition for the Committee to request such information from “[i]f deemed necessary by the Committee” to “[i]f deemed appropriate by the Committee,” thereby lowering the threshold for such requests. Consistent with current regulations, a subpoena may be issued to non-compliant parties, but the final rule specifically assigns this power to the Staff Chairperson (as opposed to the Committee as a whole) to increase operational efficiency.

CFIUS makes clear that even parties currently subject to a pre-existing mitigation agreement, condition, or order will be subject to such information requests to enable the Committee to fulfill its monitoring and enforcement responsibilities.

3. Increased Maximum Civil Monetary Penalties

The proposed rule noted a significant drop in the median value of covered transactions filed with CFIUS pursuant to a joint voluntary notice following the implementation of the Foreign Investment Risk Review Modernization Act of 2018 and the introduction of mandatory declarations. The Committee noted that the relatively low value of many transactions undermines the current penalty framework of imposing fines of up to greater of $250,000 or the value of the transaction. For example, for certain transactions with reported low values (or even a valuation of zero dollars), the maximum penalty de facto becomes $250,000, which the Committee considered an insufficient deterrent in many instances. Consequently, the final rule adopts the language of the proposed rule and, for the first time in 15 years, increases and expands the maximum civil penalties as of the effective date as follows:

  • Material Misstatements and Omissions in Submissions. The maximum civil monetary penalty for a declaration or notice with a material misstatement or omission, or a false certification, will increase from $250,000 to $5,000,000 per violation for material misstatements and omissions that occur as of the effective date, even if the underlying transaction was entered into or consummated prior to the effective date.
  • Expansion of Material Misstatements and Omissions Penalty to Information Request Responses. Under the current regulations, the above penalty only applies to material misstatements or omissions in the context of a declaration or notice filed with CFIUS, or a false certification. The final rule expands penalty coverage to (1) requests for information related to non-notified transactions, (2) certain responses to the Committee’s requests for information related to monitoring or enforcing compliance, and (3) other responses to the Committee’s requests for information, such as for agency notices. While this expanded coverage is significant, the final rule makes clear that the penalty provisions will not apply to all communications with the Committee; rather, only with respect to responses to requests that were made in writing by the Committee, specified a time frame for response, and indicated the applicability of penalty provisions. As with the above, such penalties will only be imposed for responses that are provided as of the effective date.
  • Failure to Submit Mandatory Declarations. The maximum civil monetary penalty for failure to submit a mandatory declaration will increase from the greater of $250,000 or the value of the transaction to the greater of $5,000,000 or the value of the transaction, including for transactions that were entered into or consummated prior to the effective date.
  • Material Mitigation Agreement Violations. The maximum civil monetary penalty for the violation of a mitigation agreement, intentionally or through gross diligence, will increase from the greater of $250,000 per violation or the value of the transaction to the greater of
    $5,000,000 per violation or the value of the transaction. Further, the concept of “transaction value” is revised to include the greater of:

    • the value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the transaction;
    • the value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the violation in question or the most proximate time to the violation for which assessing such value is practicable; or
    • the value of the transaction filed with the Committee.

This expanded approach to transaction value will allow CFIUS greater latitude in imposing penalties, though CFIUS clarifies that the new penalties will only apply to mitigation agreements entered into, conditions imposed, or orders issued on or after the effective date of the final rule.

  • Extension of Penalty Petition Time frame from 15 to 20 Days. Under the current regulations, parties have up to 15 business days to submit a petition to the Committee in response to a penalty notice, and the Committee similarly has 15 business days to respond. Under the final rule, both time frames will be extended to 20 business days to account for the Committee’s routine practice of granting extensions for such petitions.

Parties subject to a mitigation agreement, condition, or order as of the effective date of the final rule will not be subject to the enhanced penalties for past violative conduct; however, the enhanced penalties will apply to any conduct by such parties that is outside the bounds of any such agreement, condition, or order—such as a material misstatement or omission made to the Committee on or after the effective date.

The Final Rule Alters the Time Frame for Parties to Respond to Mitigation Agreement Proposals

CFIUS has increasingly imposed mitigation agreements on transaction parties in order to address national security concerns. While the current regulations require parties to respond to follow-up information requests from CFIUS within three business days during the course of a transaction review, the regulations to date have been silent on the time frame within which parties must respond to mitigation proposals or revisions, including in the context of non-notified reviews. The proposed rule would have established a similar deadline of three business days for parties to provide substantive responses to proposed mitigation agreements to address current delays in the negotiation process. However, after receiving over 700 comments in response to the proposed rule—many of which raised concerns over this proposal—CFIUS adopted a more nuanced approach in the final rule.

In the final rule, the CFIUS Staff Chairperson may impose a time frame of no fewer than three business days for parties to a mitigation agreement to provide a substantive response to its terms, including revisions. Substantive responses include acceptance of terms as proposed, counterproposals, or a detailed statement of reasons explaining why a party or parties cannot comply with the terms as proposed (which may also include a counterproposal).

The final rule explicitly establishes factors for the CFIUS Staff Chairperson to consider when setting response deadlines as follows:

  1. The statutory deadline for completing an investigation under Section 721 of the DPA, e., a 45-day investigation period, which follows an initial 45-day review period;
  2. The risk to the national security of the United States arising from the transaction;
  3. The party’s or parties’ responsiveness to the Committee;
  4. The nature of the transaction;
  5. The appropriateness of suspending, or imposing conditions on, the transaction as stipulated in the DPA; and
  6. Other such factors the CFIUS Staff Chairperson may determine to be appropriate in connection with a specific transaction.

Importantly, if the parties fail to respond to mitigation proposals within the time frame prescribed by the CFIUS Staff Chairperson, the Committee may, at its discretion, reject the notice in its entirety. Further, under the current regulations, CFIUS may also act to unilaterally impose mitigation proposals to address national security risks.

CFIUS makes clear that the new time frame requirements will not apply to transactions already under review or investigation by the Committee as of the final’s rules effective date (i.e., 30 days after publication in the Federal Register), but the CFIUS Staff Chairperson may impose such response deadlines on any notice accepted by the Committee after the effective date. Because there is often a delay between the date a party submits a filing and when CFIUS officially accepts the filing, certain notices submitted close in time to the effective date may still be subject to the new requirements.

The final rule exemplifies the increasingly robust role CFIUS plays in aggressively monitoring and shaping foreign direct investment in the United States. In light of these efforts and the rising costs and consequences of non-compliance, transaction parties should carefully evaluate transactions involving foreign person investors, directly or indirectly, for CFIUS risks even in the early stages of deal discussions. We also recommend transaction parties take the following steps beginning now:

  • Consider the interested parties that CFIUS may request information from. While CFIUS declined to provide an enumerated list of the types of third parties it might request information from while reviewing a transaction and/or compliance with a mitigation agreement, CFIUS highlighted the possibility of requesting information from banks, underwriters, or service providers. Parties should consider their communications with these parties while engaging with CFIUS. For example, CFIUS may look to bankers to provide further insight into parties’ reasons for pursuing a transaction—a topic of great interest to CFIUS—and something the parties should consider when drafting a notice.
  • More carefully consider the rationale for forgoing a voluntary filing. CFIUS’s expanded authority to request more types of information earlier in the non-notified process may decrease the number of full notices requested but increase the number of transactions called in for preliminary questioning. In light of the potential to be questioned more often, transaction parties should be prepared to articulate their reasoning for forgoing a filing, including by, in some cases, formalizing the process for who makes and memorializes such decisions.
  • Plan proactively for mitigation. While CFIUS, in its comments to the final rules, suggests that a three-business day deadline to respond to a mitigation agreement would be appropriate for parties that have established a pattern of delayed responses, the fact of the matter is that many practitioners find that CFIUS identifies a threat and proposes mitigation very late in the statutory review period—without allowing time for otherwise attentive parties to meaningfully consider and negotiate a commercially workable agreement. On the other hand, CFIUS consistently cautions parties that they expect full compliance on the precise day that a mitigation agreement goes into effect, and that the parties are responsible to ensure full compliance is feasible. Given the increasing likelihood of being squeezed on both ends by tight timing to negotiate and high expectations for immediate compliance, parties need to have a plan in advance to immediately brief and involve all relevant U.S. business stakeholders in mitigation negotiations.

Stephenie Gosnell Handler is a Partner, Michelle Weinbaum is Of Counsel, and Mason Gauch and Chris Mullen are Associates at Gibson Dunn & Crutcher LLP. This post first appeared as a client alert for the firm.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).