New CFIUS Enforcement Guidelines Signal Expanded Compliance Focus - Inward/ Foreign Investment

In what likely portends enforcement actions in the near future, the U.S. Department of the Treasury published its first ever CFIUS Enforcement and Penalty Guidelines (the “Guidelines”). The Committee on Foreign Investment in the United States (“CFIUS”) has long been authorized to impose penalties for noncompliance with mitigation agreements and orders, and more recently, for failure to make mandatory filings. Although the guidelines do not change these authorities, they represent the first time CFIUS has provided the public with a framework for how it thinks about potential violations and the process for assessing penalties.

The Guidelines are the latest addition to a mosaic of increased visibility, attention to, and resources for CFIUS monitoring and enforcement since the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), including, among other things, CFIUS's enhanced efforts to identify and pursue non-notified transactions.

I. Enforcement History

In its 47-year history, CFIUS has publicly disclosed only two penalties:

In 2018, CFIUS issued a civil monetary penalty of $1,000,000 for repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS.
In 2019, CFIUS issued a civil monetary penalty of $750,000 for violations of a 2018 CFIUS interim order, including failure to restrict and adequately monitor access to data protected by the interim order.

Notably, the conduct underlying both of these actions and the penalties imposed predate many of the updates to CFIUS's regulations and its monitoring and enforcement organization. With these new guidelines and increased resources, we expect CFIUS's enforcement record to grow.

II. Guidelines Summary

The Guidelines identify three categories of acts that may constitute a violation:

The failure to submit a mandatory CFIUS filing (a declaration or notice);
The failure to comply with the terms of a mitigation agreement or order; and
The provision of material misstatements in or omissions from information filed with CFIUS, including information provided during informal consultations or in response to questions, and the provision of false or materially incomplete certifications regarding information provided to CFIUS.

Importantly, the Guidelines note that a violation will not automatically lead to a penalty, and CFIUS considers the circumstances surrounding the violation when determining what action is appropriate. To that end, the guidelines provide an extensive list of aggravating and mitigating factors, which include:

Harm: The extent to which the conduct impaired or threatened to impair U.S. national security.
Intent: The extent to which the conduct was the result of simple negligence, gross negligence, intentional action, or willfulness, or any effort to conceal or delay the sharing of relevant information with CFIUS.
Persistence: The frequency and duration of the conduct.
Remediation: Whether the violation was self-disclosed, the promptness of remediation of the conduct, including the remedial steps taken, and whether there was an internal review of the nature, extent, origins, and consequences of the conduct to prevent its reoccurrence.
Record of Compliance: Resources dedicated to compliance with applicable legal obligations, policies, training, and procedures in place to prevent the conduct and the reason for the failure of such measures; familiarity with CFIUS (e.g., through multiple filings) and past compliance.
Effect: The impact of the enforcement action in protecting national security, ensuring accountability, and incentivizing compliance.

Just like a CFIUS assessment, review, or investigation, a mitigation agreement will be bespoke, and CFIUS's analysis of a violation will be based on the specific facts and circumstances surrounding the conduct. But the publication of these factors provides helpful insight into the factors CFIUS will consider in analyzing a violation.

One particularly sensitive area will be compliance with mitigation agreements and orders. CFIUS establishes terms to mitigation agreements often under intense timelines and by engaging with the parties, often through business leads who may or may not be best positioned to understand the full scope of the agreement's implications. These agreements, however, survive in perpetuity and the impracticability of some terms often arise as parties seek to operationalize the agreements after the fact. With an increased focus on strict compliance, it is imperative that the business teams and personnel that will be actually implementing the mitigation agreement be “in the room where it happened” before the ink is dry on a mitigation agreement.

III. The Enforcement Process

In addition to articulating the types of conduct that may constitute a violation, and what factors CFIUS will consider when assessing a violation, the Guidelines articulate the process for considering and imposing penalties—the first time CFIUS has provided a clear structure and timeline for adjudicating penalties. These steps are:

CFIUS will send a notice, which will include an explanation of the conduct at issue and the amount of the monetary penalty.
Within 15 business days, the recipient may submit a petition for reconsideration.
CFIUS will consider the petition for reconsideration before issuing a final penalty determination, which will be made within 15 business days of receipt of the petition.
If no petition for reconsideration is received, CFIUS will issue and send a notice of a final penalty determination.

With the publication of the Guidelines, we expect that CFIUS is not only providing useful guidance on its compliance framework and process but notice of a more aggressive posture towards non-compliance.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.