FI Monitor Issue 6, 2023

CFIUS puts investors on notice of increased enforcement efforts with first ever enforcement and penalty guidelines

Historically, the Committee on Foreign Investment in the United States (CFIUS) had limited resources dedicated to monitoring and enforcement of mitigation agreements. The Foreign Investment Risk Review Modernization Act (FIRRMA) of 2018 provided additional resources for CFIUS to build out its monitoring and enforcement capabilities. Following FIRMMA’s passage, however, CFIUS focused first on implementing provisions that had statutory deadlines, such as issuing regulations for a mandatory notification regime. Thus, prior to 2022, CFIUS had issued only two penalty notices, each of which entailed relatively modest monetary fines ($1m or less) for egregious conduct. Looking ahead, things could significantly change.

With the FIRRMA regulations fully in force, CFIUS is working to further develop its monitoring and enforcement framework. On October 20, 2022, the US Department of the Treasury (Treasury), as chair of CFIUS, released the first-ever CFIUS Enforcement and Penalty Guidelines (Guidelines). Internal drafts of the Guidelines were prepared as early as 2017, but CFIUS’s focus was subsequently diverted to passage and then implementation of FIRRMA.

The Guidelines are not revolutionary on their face, insofar as they reflect factors that are common sense and generally consistent with enforcement guidelines under other similar national security regulatory schemes. Instead, the Guidelines are notable in what they portend—that CFIUS is prepared to wield the stick that Congress first gave to CFIUS in 2008 (authority to impose penalties of $250,000 or the value of the transaction, whichever is greater) and sharpened with FIRRMA in 2018 (e.g., penalty authority for failure to make a required filing). Indeed, in the press release that accompanied the Guidelines, Assistant Secretary of the Treasury for Investment Security Paul Rosen, the political head of CFIUS, stated unequivocally that “compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”

Having built out a robust monitoring and enforcement capability as part of the implementation of FIRRMA, and having telegraphed its intentions by issuing the Guidelines, CFIUS has already begun to step up enforcement against transaction parties that fail to make mandatory filings or that violate the terms of the National Security Agreements (NSAs) that form the basis for CFIUS to clear certain transactions that otherwise pose national security risks. Indeed, in April 2023, Rosen announced that CFIUS had imposed the first penalties following the issuance of the Guidelines. He noted that information about such penalties would be published in batches on a periodic basis, and we expect that the penalties may be described in the next CFIUS Annual Report, likely to be published over the summer.

Why might investors be faced with a CFIUS enforcement action?

1.   Failure to file a mandatory declaration or notice. CFIUS’s mandatory filing rules—particularly those related to critical technologies—require a combination of technical and legal analysis that can be complex to apply. However, getting this analysis right is critical because liability for failure to file falls on both buyer and seller. 

2.   Noncompliance with CFIUS mitigation. This might arise in any number of ways:

a.   Willful misconduct or negligence, such as failure to take steps to operationalize the NSA, including agreement to NSA terms that the company reasonably knew it would not be able to abide by.

b.   Changed or unexpected circumstances. Despite parties’ good faith intention of complying with an NSA, even the most meticulously drafted NSA cannot foresee all future circumstances that will arise throughout its life, and it is possible that full compliance may not be feasible in some instances. Notably, however, CFIUS officials have publicly stated that the high cost of compliance, even if material to transaction value or discovered after closing, is not such a circumstance. The obligation falls on transaction parties to make assessments of burden in advance of their entry into mitigation.

c.   Differences of interpretation. If the CFIUS Monitoring Agencies (CMAs) that administer the NSA differ with the parties on a question of interpretation, the CMAs may determine that a company’s actions taken in reliance on its own interpretation, even if formed reasonably and in good faith, may nonetheless constitute noncompliance.

3.   Making a material misstatement, omission, or false certification. Ensuring the accuracy and completeness of all information provided to CFIUS during the course of a filing and in connection with an NSA is obviously essential for compliance. However, the Guidelines note that penalties can be assessed for misstatements or omissions in information provided during informal consultations as well. It is also important to note that, in addition to civil penalties, a material misstatement or omission can serve as the predicate for CFIUS to reverse a grant of safe harbor and reopen a review.

Guidelines: The truth might set you free … or at least reduce the amount of your penalty.

CFIUS has discretion when determining the amount of a penalty or whether to assess a penalty at all. Moreover, it does not view all violations as being equally severe, and it will generally attempt to calibrate the penalty to the facts and circumstances surrounding a violation. The Guidelines identify six high-level aggravating and mitigating factors that CFIUS considers when deciding whether to assess a penalty and the amount of the penalty. Transaction parties can use these factors as a guide for taking proactive steps both before and after a violation occurs to limit the amount of any corresponding penalty. Below are the factors identified in the Guidelines along with key takeaways from each: 

1.   Accountability and future compliance. Is the enforcement action sufficient to deter bad behavior and incentivize future compliance? For example, a penalty that is large enough to get the attention of a small company might be a rounding error for a multibillion-dollar company.   

2.   Harm. To what extent did the violation impair US national security? A violation of a provision that is core to the agreement, or a violation that actually results in the harm that the agreement was intended to protect against, is more likely to draw stiffer enforcement action.

3.   Negligence, awareness, and intent: There are two components to this factor. First, was the violation the result of simple negligence, gross negligence, intentional action, or willfulness?

Second, who knew about the violation, who should have known about it, and was there any attempt to conceal it? Ignorance is no excuse if, in CFIUS’s estimation, the person claiming ignorance should have known about the requirement. Worse still, there is no quicker or surer way to transform an act of simple negligence into an act of willfulness than to try to hide it from CFIUS.

4.   Persistence and timing. How long before the violation was reported and/or remediated and how many times did it occur? Generally speaking, one-off violations will be granted more leniency than repeated violations of the same magnitude. In the case of an NSA violation, failure to report a known or suspected violation (once discovered) within the time period stipulated in the NSA will almost always be an aggravating factor (and, indeed, could also be considered a separate violation of the terms of the NSA). In the case of a failure to make a mandatory filing, CFIUS will consider the date of the transaction and the date it was self-reported or discovered by CFIUS.

5.   Response and remediation. Did the transaction parties self-disclose, provide required information, cooperate fully, and take prompt and effective remedial action? Self-disclosure is the most important component of this factor; if CFIUS comes knocking, they are probably bringing a penalty with them. The content of the self-disclosure also matters. CFIUS wants as much information as possible about the violation, as soon as possible, including when supplemental information becomes available or when CFIUS asks questions. Stonewalling will not be viewed favorably.

Taking proactive, immediate remedial action is a mitigating factor, especially if it can be shown that the remediation was effective. Standardized forms and processes used to report and investigate violations, performing root cause analyses, assessing consequences, and document remediation efforts can be very useful for demonstrating effective response and remediation. That said, transaction parties should not wait to self-disclose a violation until after remediation efforts are complete on the belief that the CMAs will be pleased to be presented with a problem that has already been solved. If remediation and mandatory reporting timelines conflict, parties to an NSA should timely report the violation, describe the ongoing remediation efforts, and continually update the CMAs until the remediation efforts have concluded.   

6.   Sophistication and record of compliance. Do the transaction parties have strong track record with the Committee and/or a general culture of compliance? The cornerstone of any successful CFIUS mitigation agreement is trust between the CMAs and the transaction parties. The most common basis for this trust is a long and successful track record of filing with the Committee and/or implementing one or more NSAs. Companies without this kind of history with CFIUS can begin building trust through candor in interactions with the Committee, demonstrating buy-in from senior leadership, and devoting sufficient resources to compliance and training.

Aside from the mitigating and aggravating factors themselves are two takeaways for investors:

CFIUS is willing to listen to your side of the story when determining how to respond to a violation. If CFIUS finds a violation, it will first send a notice of a determination of non-compliance. If it determines that a penalty is warranted, it will also send a notice of a penalty, including the amount, a description of the conduct being penalized, and the legal basis for the penalty. The recipient then has an opportunity to submit a petition for reconsideration that includes any defense, justification, explanation, or mitigating factors. If no petition is submitted (or the petition is not timely), CFIUS will issue a final penalty determination. If a petition is timely submitted, CFIUS will consider the petition before issuing its final penalty determination. Even if the recipient of a penalty notice believes it is unlikely that CFIUS will ultimately reconsider the penalty, it may nonetheless be worthwhile to submit a petition to correct any erroneous facts in the notice, ensure that CFIUS has all relevant facts, and generally try to manage the relationship with the Committee. 

It might not always seem like it, but the CMAs generally view themselves as your partners in success, not your enemy. CFIUS’s mission is to protect national security in the context of the open investment policy of the United States. If CFIUS has cleared a transaction pursuant to an NSA, it wants both the mitigation to succeed in protecting national security and the transaction to succeed in delivering the anticipated value to the parties. As such, it generally views the relationship between the CMAs and the parties to an NSA as more cooperative than adversarial, and it encourages the parties to take the same view.

With thanks to Freshfields’ Aimen Mir, Christine Laciak, Colin Costello and Tim Swartz for contributing this update.