United States: CFIUS Issues Its First-ever Enforcement and Penalty Guidelines

On October 20, 2022, the Committee on Foreign Investment in the United States (CFIUS), which is chaired by US Department of the Treasury, issued its first-ever Enforcement and Penalty Guidelines (the Guidelines) for entities that violate mitigation agreements with CFIUS or otherwise run afoul of Section 721 of the Defense Production Act of 1950 and the regulations promulgated thereunder. The Guidelines are intended to provide some clarity on CFIUS enforcement and penalty matters for inbound investors, including with respect to: (1) the types of conduct that may constitute a violation; (2) the sources of information CFIUS uses to determine if a violation occurred; (3) what aggravating and mitigating factors CFIUS may consider; and (4) CFIUS’ penalty processes and procedures.

Types of conduct that may constitute a violation

The Guidelines address three categories of acts or omissions that may constitute a violation. These include: failure to timely submit a mandatory declaration or notice; conduct that is prohibited or otherwise fails to comply with CFIUS mitigations agreements, conditions or orders; and material misrepresentations or omissions in information filed with CFIUS. The latter category also encompasses incomplete certifications filed in connection with CFIUS’ investigations or mitigation measures, including information provided during informal consultations or in response to requests for information.

The Guidelines also note that, even if CFIUS finds a violation, such finding will not necessarily lead to a penalty. CFIUS exercises broad discretion in determining when a penalty is appropriate and, as discussed in more detail below, it considers many factors (both aggravating and mitigating) when making such a determination.

Sources of information CFIUS may use to find a violation

CFIUS relies on a wide variety of sources of information when investigating a potential violation. Those sources include, for example, information from other US agencies, publicly available information, information from transaction parties, or tips. In addition, the Guidelines highlight the importance of the information provided by the transaction parties at CFIUS’ request, which forms an integral part of CFIUS’ monitoring and compliance mechanisms. The Guidelines emphasize that the parties’ compliance with CFIUS’ request for information might be considered as a mitigating factor if a violation is found. In addition, when providing the requested information, the parties are encouraged to attach any exculpatory evidence, as well as any defense, justification, mitigating factors, or explanation for the conduct at issue.

Similarly, CFIUS relies on self-disclosed information. In this vein, CFIUS strongly encourages timely self-disclosure, even if such disclosure is not explicitly required by a CFIUS mitigation agreement, condition, or order, or by any law or regulation. The Guidelines instruct the transaction parties to submit self-disclosure in a written form, describing all of the conduct that may constitute a violation and all of the persons involved.

In addition, CFIUS may communicate with a transaction party prior to initiating a formal penalty process. It is important to note that these initial communications are for informational purposes and do not constitute waiver of any penalty, remedy or other authorities by the government or any defense or excuse for the party.

Aggravating and mitigating factors CFIUS may consider when imposing a penalty

Although CFIUS’ determination of the appropriate penalty is fact-specific, the Guidelines provide some factors that could be aggravating or mitigating (depending on the circumstances) and that CFIUS may consider in determining an appropriate response to a violation.

Those factors include, among others: (i) the extent of a violation and the impact of the enforcement action on protecting US national security; (ii) the party’s negligence, awareness or intent; (iii) the frequency and duration of a violation; (iv) self-disclosures, including timeliness, nature and scope of information reported to CFIUS; (v) cooperation with the investigation (e.g., providing timely and detailed responses); (vi) prompt and complete remedial measures; and (vii) the availability of robust internal compliance measures.

Notably, CFIUS emphasizes a transaction party’s sophistication and record of compliance as an important factor when evaluating a potential penalty. According to the Guidelines, CFIUS will typically look at:

  • The party’s history and familiarity with CFIUS and, if applicable, past compliance with CFIUS’ mitigation agreements, conditions or orders.
  • Internal and external resources dedicated to compliance with applicable legal obligations (e.g., legal counsel, consultants, auditors, and monitors).
  • Policies, training and procedures in place to prevent the conduct and the reason for the failure of such measures.
  • Variation in the consistency of compliance, both horizontally across the entity and vertically from directors and officers to supporting staff.
  • The compliance culture that exists within the company (e.g., demonstrated commitment to compliance with applicable legal obligations).
  • The experience of other federal, state, local, or foreign authorities with knowledge of the party in the assessment of the quality and sufficiency of compliance with applicable legal obligations.
  • In the case of a violation of CFIUS’ mitigation agreements, conditions or orders, the extent to which written compliance policies or training were communicated and implemented across the entity.
  • In the case of a violation of CFIUS’ mitigation agreements, conditions or orders, the extent to which the authority, role, access, and independence of any security officer were sufficient and in compliance with the terms of the CFIUS mitigation.

Thus, companies should strive to have robust compliance measures in place, as the availability, sophistication and history of those measures would be considered as a potential mitigating factor in CFIUS’ determination of a penalty.

Penalty process

Consistent with the processes set out in CFIUS’ regulations, including 31 CFR §§ 800.901 and 802.901, the Guidelines summarize key steps in the penalty determination process:

First, CFIUS issues a notice of penalty to the party, including a written explanation of the conduct and the amount of any monetary penalty to be imposed, as well as the legal basis for concluding that the conduct constitutes a violation. The initial notice may also set forth any aggravating and mitigating factors CFIUS has considered in connection with the notice.

Second, the party may, within 15 business days of receipt of a notice of penalty, submit a petition for reconsideration to the CFIUS Staff Chairperson, which may include any applicable defense, justification, mitigating factors, or explanation. This response period may be extended by written agreement between the Staff Chairperson and the party.

Third, if a petition for reconsideration is timely received, CFIUS will consider it before issuing a final penalty determination within 15 business days of receipt of the petition, which may be extended by written agreement between the Staff Chairperson and the party. Otherwise, CFIUS will typically issue a final penalty determination in the form of a notice to the party.

* * *

As the Foreign Investment Risk Review Modernization Act of 2018 greatly broadened CFIUS’ jurisdiction, the Guidelines mark another step CFIUS has taken to assert its expanded authority and provide more transparency as to how CFIUS may respond to potential violations in the future. Assistant Secretary of the Treasury for Investment Security Paul Rosen noted that the Guidelines were meant to send “a clear message” that “[c]ompliance with CFIUS mitigation agreements is not optional.” He further emphasized that CFIUS “will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.” The issuance of the Guidelines, coupled with the Biden Administration’s Executive Order of September 2022, should serve as a signal to interested parties that CFIUS is expected to increase its enforcement activities. Thus, companies contemplating foreign investments in US businesses should carefully review the Executive Order and the Guidelines in relation to their formal and informal dealings with CFIUS.

* Junghyun Baek contributed to this Advisory. Mr. Baek is a graduate of Harvard Law School and is employed at Arnold & Porter’s Foreign Legal Consultant Office as a Law Clerk.