News & Insights

Client Alert

November 1, 2022

Treasury Publishes First-Ever CFIUS Enforcement and Penalty Guidance

Publication indicates a more robust enforcement posture

On October 20, 2022, the U.S. Department of the Treasury (“Treasury”) released the first-ever Enforcement and Penalty Guidelines (the “Guidelines”) for the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”).  The Guidelines, which were previewed in a fireside chat at the Inaugural CFIUS Conference in June 2022, provide more transparency into the enforcement process and help the public understand the Committee’s priorities and considerations in ensuring compliance with CFIUS statutes and regulations, including filing requirements, factual accuracy, and mitigation obligations.  The public release of the Guidelines is the culmination of an effort begun under Assistant Secretary Thomas Feddo following the issuance of CFIUS penalties in 2018 and 2019 and signals that new Assistant Secretary Paul Rosen intends to ramp up CFIUS enforcement action to reinforce that compliance is not optional.

The Bottom Line

The Guidelines change neither the legal authority nor the formal process that CFIUS follows in enforcement actions.  They do, however, provide a narrow window into how CFIUS thinks about compliance and enforcement, which impacts when the Committee may initiate a particular enforcement action and the remedies it may seek.  Specifically, when it learns of an apparent violation, CFIUS conducts a holistic analysis of the facts and circumstances to determine (1) whether there was indeed a violation and (2) what the appropriate remedy is for that violation in light of any aggravating and mitigating factors.  Such insight provides a valuable roadmap to parties as they conduct their own internal analyses and determine how best to comply with CFIUS requirements.

Overview of the Guidelines

Types of Conduct.  The Guidelines reiterate the types of conduct that may constitute a violation, all of which already exist in statute and regulations.1See 50 U.S.C. § 4565 and 31 C.F.R. §§ 800.901, 800.902, 801.409, 802.901, and 802.902.  Specifically, the Guidelines address the following categories of acts or omissions that may constitute a violation:

  • Failure to File. Parties need to be aware when they are required to file a mandatory declaration or notice and ensure that they do so within the required timelines.231 C.F.R. § 800.401(f).  While CFIUS may consider the circumstances surrounding a failure to file, it is not obligated to take mitigating facts into account.  For example, while CFIUS may consider whether the parties engaged in a good faith effort to determine whether a filing was mandatory, it also may simply determine that uncertain parties should have erred on the side of filing.  Because there is strict liability for mandatory filings, parties who fail to file as required risk civil monetary penalties up to the value of the transaction.

  • Non-Compliance with CFIUS Mitigation. Parties must comply with CFIUS mitigation, whether agreed upon or unilaterally imposed by the Committee.  Engaging in prohibited conduct or failing to act in accordance with mitigation provisions in a national security agreement, condition, or order may result in the Committee determining that there was a violation, which could result in a range of enforcement actions, including a civil monetary penalty up to the value of the transaction.  CFIUS could also decide to reopen the transaction for review.331 C.F.R. §§ 800.902, 802.902; 50 U.S.C. § 4565(b)(19(D)(iii).  It is imperative that parties understand their mitigation obligations and discuss any concerns with the Committee early and often to best position themselves for full compliance.

  • Material Misstatement, Omission, or False Certification. Parties must be forthcoming and honest in all communications with the Committee.  Should CFIUS determine that it received false or misleading information, or that information was omitted, and that such information was material (e., has a bearing on national security), parties may be liable for a civil monetary penalty up to $250,000 per violation, and CFIUS may reopen the transaction for review.  Moreover, knowingly and willfully making a materially false statement could result in criminal liability, including fines and imprisonment.431 C.F.R. §§ 800.901(h), 802.901(g); 18 U.S.C. § 1001.

Sources of Information.  The Guidelines also explain how CFIUS gathers compliance-related information.  In short, the Committee considers information from a variety of sources, including from across the U.S. government, publicly available information, third-party service providers (e.g., auditors and monitors), tips, transaction parties, and filing parties.  The Guidelines pointedly highlight a few important aspects of this information gathering, including the following:

  • Requests for Information. CFIUS may ask questions related to an apparent violation, which gives the subject person5The Guidelines refer to the person (whether an individual or entity) who may be liable to the United States for a monetary penalty or otherwise be subject to one of the other remedies provided for in the CFIUS regulations as the “Subject Person.” an opportunity to explain the situation to the Committee.  To the extent possible, parties should take a collaborative rather than adversarial approach to these discussions with CFIUS, particularly since CFIUS will consider cooperation in determining whether to pursue enforcement, as well as the type and scope of the action if it does decide to pursue enforcement.

  • Self-Disclosures. Like the enforcement regimes of other agencies, CFIUS places a very heavy emphasis on whether a violation was disclosed by the subject person.  In considering such a self-disclosure, the Committee also considers whether the disclosure was truly voluntary, its timeliness, and the fulsomeness of the information provided.  The Guidelines note that a self-disclosure should not be delayed so that the subject person can collect more information, however.  Timeliness is important not only because it demonstrates the cooperative nature of the disclosing person, but also because it allows the Committee to assist in quickly remediating any effects of the violation, which may be crucial to preventing further national security harm.

  • Tips. The Treasury tips email was created shortly after the establishment of the Monitoring & Enforcement office and has been a very successful means for that office to gather information, particularly related to non-notified transactions and possible violations of mitigation provisions.  While a tip can be made by anyone, anonymously or otherwise, it is particularly important for parties to note that tips may come from within their own organizations.  That means parties must ensure that there is a broad and deep culture of compliance so that all members of their organizations fully understand any CFIUS requirements, that violations will not be tolerated, and that there will be no retaliation for notifications to CFIUS.  The Committee will consider each of these aspects in weighing any aggravating and mitigating factors.

  • Subpoenas. While CFIUS historically has preferred to obtain information without issuing subpoenas, the Guidelines’ inclusion of this option signals a likely change in approach, particularly as CFIUS enforcement grows more formalized.  It also is noteworthy that CFIUS has authority to compel information from parties and non-parties alike.6The regulations allow information to be “obtained from parties to a transaction or other persons through a subpoena or otherwise.”  31 C.F.R. §§ 800.801, 802.801.  The statute is even broader, allowing the taking of sworn testimony as well as subpoenas.  See 50 U.S.C. § 4555(a).   Parties should bear this in mind in all aspects of communications with the Committee, including non-notified transactions, filed declarations and notices, mitigation compliance, and enforcement actions. 

The Penalty Process.  The Guidelines summarize the penalty process, which already is detailed in the CFIUS regulations.7See 31 C.F.R. §§ 800.901 and 802.901, or, for certain older transactions, in earlier regulations, as applicable.  In short, CFIUS will provide the subject person with notice of the proposed penalty and an opportunity to respond substantively before issuing a final penalty determination.  The subject person also may agree with CFIUS to suspend the process and enter settlement negotiations before a final penalty determination is issued.  Finally, the Guidelines note that if a penalty is indeed issued, CFIUS will publish a description on the Treasury website, subject to statutory confidentiality provisions.8CFIUS historically has interpreted the 50 U.S.C. § 4565(c)) confidentiality provisions broadly and thus withheld any identifying information from the penalty publication.

Aggravating and Mitigating Factors.  The Guidelines then lay out some of the aggravating and mitigating factors that CFIUS considers in determining an appropriate penalty, including the amount.  As a threshold matter, however, it is important to note that CFIUS also will consider these factors in determining whether to even issue a penalty or to pursue a lesser enforcement action instead.9For example, CFIUS has previously required a variety of remediation measures, or issued Determination of Noncompliance Transmittal (DONT) Letters in lieu of or as an interim measure to immediately pursuing a civil monetary penalty.  CFIUS may also determine that referral to another enforcement authority is the appropriate response instead of or in addition to taking enforcement action itself.  It is equally important to recognize that these factors in the Guidelines are holistically considered, may be unique to the facts and circumstances of each matter, and are representative, meaning that they and other unenumerated factors may be considered by the Committee in part or not at all.  Finally, CFIUS may consider each factor as either aggravating or mitigating, depending on the nature and severity of the factual impact.  

The Guidelines list six factors and multiple sub-factors, which may be summarized as follows:

  • Accountability and Future Compliance: How well would enforcement protect national security and incentivize compliance?

  • Harm: How bad was the impact on national security?

  • Negligence, Awareness, and Intent: What did the subject person do to prevent or cause the violation, and what happened when the violation was discovered?

  • Persistence and Timing: Was the violation isolated or systemic, did it occur early in the compliance period, and how long did the subject person take to report it?

  • Response and Remediation: Was the violation voluntarily disclosed in a full and timely manner, was the violation promptly remediated, and how much did the subject person cooperate in the investigation?

  • Sophistication and Record of Compliance: Should the subject person have known better, and was there sufficient dedication to establishing a culture of compliance?

Led by Treasury’s Monitoring & Enforcement team, CFIUS has been steadily building its ability to ensure compliance following the passage of the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”).  As the most recent Annual Report shows, CFIUS has leveraged these increased capabilities to accelerate its monitoring efforts, particularly in the area of non-notified transactions.  Publication of the Guidelines indicates that CFIUS now intends to accelerate its enforcement efforts as well, and parties should be very careful to heed mandatory filing requirements and take their mitigation obligations seriously. 

Parties should be proactive and forthcoming in all communications with the Committee.  Parties also should do a deeper dive into the substance of the factors and sub-factors listed in the Guidelines and use them as a roadmap for their compliance planning, as well as for their responses to violations and potential violations.  Knowing how CFIUS thinks about compliance may help parties avoid enforcement in the first instance.  Finally, when parties are subject to mitigation, they should expect to dedicate appropriate resources to compliance.

Increased enforcement makes it crucial that foreign investors and U.S. businesses engage experienced CFIUS counsel early in the planning process to guide their assessment of the transaction’s CFIUS risk profile and determine whether a filing is mandatory before closing, thereby avoiding potential liability up to the value of the transaction.  Even where a filing is not required, counsel can help parties determine whether a voluntary filing is advisable, particularly where the transaction involves the national security factors specified in the recently issued CFIUS Executive Order.  Being pulled into the non-notified process can be costly and operationally disruptive, particularly if it has been several years since closing and the CFIUS review results in a divestment order or heavy mitigation.

If parties do file, experienced CFIUS counsel can help structure the transaction and address any potential national security risks to expedite the Committee’s review of that filing.  Moreover, if CFIUS requires mitigation, counsel can negotiate with the Committee to achieve a feasible agreement with which the parties can comply, thereby reducing the threat of massive penalties being levied for lack of compliance.  Finally, experienced CFIUS counsel can engage the Committee to resolve any alleged violations on behalf of the parties, negotiating for the most favorable outcome. 

King & Spalding has a global footprint, substantial industry experience, and deep bench of former trade and national security government officials, including the former U.S. Department of Treasury official who recently helped lead the office that chairs CFIUS and drafted the Guidelines, and is uniquely positioned to guide companies through all aspects of CFIUS.