CFIUS Increases the Stakes with New Enforcement and Penalty Guidelines

The Committee on Foreign Investment in the United States ("CFIUS" or "the Committee") has done it again: It has given parties reviewing their CFIUS compliance obligations another tool to assist their evaluation process by issuing the first-ever CFIUS Enforcement and Penalty Guidelines ("Guidelines").[1] Like the 2021 Annual Report to Congress ("Annual Report"), released in August 2022, and Executive Order 14083, issued in September 2022 (both of which we discussed here), the Guidelines issued in late October 2022 are not groundbreaking. They are nevertheless informative and may be helpful to those who discover filing failures and errors, entities subject to CFIUS mitigation, and anyone assessing whether to submit Declarations or Notices (particularly when facts do not clearly exclude them from filing mandates) to help anticipate how the Committee might react to a given scenario.

Violations

CFIUS Violations generally fall within one of three categories: (1) failure to submit a mandatory Declaration; (2) failure to comply with mitigation or other requirements imposed on a transaction; and (3) material misstatements, omissions, or false certifications in a transaction or mitigation filing.

Section 721 of the Defense Production Act of 1950, as amended ("Section 721") (50 U.S.C. § 4565) authorizes the Committee to impose civil penalties for any violation of the statute or implementing regulations. Under those regulations, civil penalties for failure to submit a mandatory Declaration in compliance with the regulations can result in fines of up to $250,000 or the value of the transaction, whichever is greater. Civil penalties for violations of material provisions of mitigation agreements, material conditions, or any order issued under Section 721(l) can also result in fines of up to $250,000 or the value of the transaction, whichever is greater. (Penalties might be different or pre-determined where parties stipulated to liquidated and actual damages provisions as part of a mitigation agreement.) Civil penalties for material misstatements, omissions, or false certifications in transaction and mitigation filings can result in fines of up to $250,000. For any of these, CFIUS must base the penalty imposed on the nature of the violation. (In contrast, comparable violations of foreign investment review laws in other countries, like the United Kingdom's National Security and Investment Act 2021 ("NSI Act"), can be subject to criminal penalties including prison terms and individual liability for company officers. Civil penalties for businesses under the U.K.'s NSI Act can result in fines of up to five percent of worldwide turnover, or £10 million, whichever is greater.)

The Guidelines describe the Committee's review of violations and its application of the regulatory penalty provisions but do not create new categories of violations or require CFIUS to reach specific results for any type of violation. In fact, the Committee was careful to emphasize that these Guidelines are no more than general guidelines, that they are non-binding on the Committee, and that "they can and will be updated as circumstances require." That said, the mere issuance of the Guidelines signals the Committee's increasing focus on enforcement. Their release also likely foreshadows that the Committee's public docket of past enforcement cases—currently limited to one instance of civil monetary penalties imposed in 2018 for repeated violations of a 2016 mitigation agreement, and one instance of civil monetary penalties imposed in 2019 for violations of a 2018 interim order—will soon expand.

With this in mind, parties to proposed transactions and to mitigation agreements should take care to understand when and how violations might arise, how the Committee learns about violations and its general response process, and what factors the Committee might consider during its penalty deliberations.

Timing and Types of Violations

Failure to submit a mandatory Declaration is an obvious way to violate CFIUS regulations; this type of violation has been subject to the possibility of civil penalties equaling the value of the transaction since creation of the mandatory Declaration pilot program in 2018. Other violations that might incur enforcement measures can arise throughout the transaction process, including while a transaction is under CFIUS review. In addition to misstatements, omissions, and false certifications, mid-review violations can include missed deadlines, failure to abide by interim mitigation measures CFIUS has imposed, and failure to comply with the withdrawal procedures when withdrawing a notice. Violations can also include closing transactions subject to mandatory Declaration requirements before the Committee completes action on the submission or, in the event of a resubmission, closing less than 30 days after the resubmission date.

The range of possible violations of mitigation agreements or other transaction conditions will vary in accordance with the measures agreed to by the parties. Regardless of the terms, possible violations can include failure to implement required measures or failure to abide by them after initial implementation. They can also include lack of cooperation with the pertinent agencies monitoring the mitigation (known as CFIUS Monitoring Agencies or "CMAs") and failure to cooperate with required third-party auditors.

How CFIUS Learns about Violations

The Committee learns of violations in a variety of ways, including directly from a party involved, through the mitigation monitoring process, and from tips and referrals received through its tip line. The Committee can also learn of non-notified transactions through its own research (which encompasses reviewing public information in press releases and databases like Refinitiv) and referrals from other agencies. The Committee's subsequent outreach, or invocation of its subpoena authority under 50 U.S.C. § 4555(a), might reveal parties' failure to file a mandatory Declaration or some other violation. Audits and CMA site visits conducted as part of agreed mitigation can also reveal violations.

CFIUS regulations do not spell out a voluntary or self-disclosure process for parties who discover their own violations. Mitigation agreements may include disclosure expectations, and the Guidelines confirm that voluntary disclosures are encouraged even where not required. The Guidelines do not spell out specific content or format requirements for disclosures other than specifying that they should be timely, in writing, and describe all of the conduct and persons involved. A disclosing party is free to present the facts, anticipate the Committee's possible penalty response, and address any aggravating or mitigating factors in the manner it deems most amenable to its cause. A party can also submit an initial disclosure of a suspected violation, conduct further investigation, then submit a more detailed disclosure at the close of its investigation. The timing and nature of the violation determines to whom a party will submit a disclosure: Submissions related to mitigation agreements should be directed to the applicable CMAs, disclosures tied to transactions currently under CFIUS review should be directed to the review points-of-contact, and disclosures outside of those scenarios should be submitted through the tip line.

Imposition of Penalties

After receiving a voluntary disclosure or otherwise learning of a suspected violation, the Committee might engage in further communication with the relevant party prior to commencing the formal penalty process. The Guidelines articulate that the Committee's initial communications never constitute a waiver by the government of its enforcement authority and are not a defense or excuse for the receiving party.

The Committee's process for imposing penalties is determined by the regulations (31 C.F.R. §§ 800.901 and 802.901), though the Guidelines provide a few additional details. After the Committee learns of a suspected violation and concludes that a violation warranting imposition of a penalty has indeed occurred, it will send the party at issue a notice of penalty via email as well as in hard copy. The notice will explain the basis for finding a violation, aggravating and mitigating factors considered, and the amount of the penalty to be imposed. The party has 15 business days from receipt of the notice—determined by the earlier of the date the notice email was sent or the date of receipt of the hard copy notice—to submit a petition for reconsideration; the time period can be extended upon a showing of good cause. A petition can include exculpatory evidence, defenses, justifications, mitigating factors, or other explanations. CFIUS will respond to a timely received petition within 15 business days, again with allowance for an extension. If the party does not submit a petition, the Committee will ordinarily proceed to issue a final penalty notice.

Aggravating and Mitigating Factors

Because penalties must be based on the nature of the violation, CFIUS weighs both aggravating and mitigating factors when determining the size of a penalty. The Guidelines contain a non-exhaustive list of considerations, which are not all relevant to every violation scenario. When parties submit voluntary disclosures of violations or respond to a penalty notice, they should review the list to help them craft thorough and effective arguments.

Factors CFIUS considers include:

• The actual or threatened impairment to national security posed by the conduct at issue;
• Whether the violation was the result of negligence, intentional action, or willfulness;
• The frequency or duration of the conduct;
• Efforts to delay or conceal sharing information with CFIUS;
• The seniority of personnel who knew or should have known about the conduct;
• The length of time that elapsed between the party's awareness of the conduct at issue compared to when CFIUS learned of the conduct or remediation;
• Whether the party submitted a voluntary disclosure, the scope of the disclosure, and cooperation with the Committee during its review of the disclosure;
• Remedial actions taken, resources dedicated to compliance, and general compliance culture; and
• The party's history of violations.

Several additional considerations are addressed in the Guidelines.

Notably, the Guidelines hint that the Committee's review of a party's compliance culture is not limited to surveying compliance with CFIUS requirements but also legal requirements generally. Presumably, CFIUS might first turn to its constituent agencies, like the Departments of Commerce and State, to inquire about the party's compliance in relevant areas like export controls. While not so qualified in the Guidelines, this inquiry could be more likely in scenarios where CFIUS chose not to impose mitigation on a specific transaction, or tailored its mitigation, because the party at issue was subject to regulations CFIUS had deemed adequate to address the risk posed by the transaction. (We discussed CFIUS mitigation in more detail here.)

Additional Considerations

Particularly in light of this last point, a party submitting a disclosure to CFIUS might determine it needs to coordinate submission of disclosures to additional agencies. This could help avoid the danger that a disclosure to CFIUS and the Committee's disclosure review process might lead another agency to inquire about the conduct at issue and direct a disclosure, which might in turn cause the party to lose any benefits that might be associated with voluntary disclosures under the other agency's processes. The reverse is also true: a party submitting a disclosure to another agency, particularly a CFIUS constituent agency, might determine the scenario also warrants a coordinated submission to CFIUS.

Adding to these coordinated disclosure considerations, the Guidelines note that CFIUS "may refer conduct to other government enforcement authorities where appropriate," which could lead to additional civil or criminal enforcement measures outside of the civil penalties addressed above. This further argues for conducting a thorough internal review that extends to related legal requirements (such as foreign ownership rules under the jurisdiction of the Federal Communications Commission, or export controls) when a party discovers a potential CFIUS violation.

As noted above, publication of the Guidelines signals CFIUS is stepping up enforcement efforts pertaining to all transactions over which it has jurisdiction. Parties to transactions where the requirement to file a Declaration is not clear as applied to their specific facts might, therefore, choose to file rather than risk later review by the Committee, the possibility that CFIUS will determine the filing was indeed mandatory, and subsequent imposition of both penalties and mitigation. A party who discovers a potential violation might also want to engage with CFIUS as early as possible to mitigate whatever penalties CFIUS may impose and to maintain credibility with the Committee for future transactions.