On October 20, 2022, the U.S. Department of the Treasury released its first-ever Committee on Foreign Investment in the United States (CFIUS) Enforcement and Penalty Guidelines (the Guidelines). The Guidelines provide background and context regarding (1) the types of conduct that can result in CFIUS-related violations, (2) how CFIUS gathers information regarding potential CFIUS-related violations, and (3) the enforcement process CFIUS follows with respect to CFIUS-related violations, including the factors that CFIUS considers in determining whether a penalty is warranted and the calculation of any such penalty.
CFIUS Enforcement and Penalty Authority and the Types of Conduct that Can Result in CFIUS-Related Violations
Section 721 of the Defense Production Act of 1950, as amended, and its implementing regulations (the CFIUS Regulations) authorize CFIUS to impose penalties and seek other remedies against parties that violate Section 721. Specifically, the CFIUS regulations authorize CFIUS to impose penalties (typically a civil monetary penalty not to exceed $250,000 or the value of the relevant transaction, whichever is greater) on parties that (1) fail to comply with mandatory CFIUS filing obligations, (2) engage in conduct that is prohibited by or otherwise fails to comply with a CFIUS mitigation agreement, condition, or order (CFIUS Mitigation), or (3) make material misstatements in, or omissions from, information submitted to CFIUS, or make false or materially incomplete certifications in connection with CFIUS assessments, reviews, investigations, or Mitigation, including information provided during informal consultations or in response to requests for information.
Importantly, the Guidelines confirm that a CFIUS-related violation will not necessarily result in the imposition of a penalty or other remedies under Section 721, but rather that CFIUS will exercise its discretion in determining what penalty, if any, is appropriate, including by considering relevant aggravating and mitigating factors (discussed in further detail below).
CFIUS’s Enforcement and Penalty-Related Information Gathering
The Guidelines confirm that CFIUS will consider information from various sources in connection with determining whether a CFIUS-related violation occurred, including sources from across the U.S. government, publicly available information, third-party service providers, tips, parties that submit filings to CFIUS, and parties to transactions reviewed by CFIUS.
In particular, the Guidelines confirm that CFIUS often requests information – and may use its subpoena authority as necessary – to support both its efforts to ensure parties’ ongoing compliance with CFIUS Mitigation and to investigate potential CFIUS-related violations to determine what appropriate enforcement action and penalties may be warranted, if any.
In addition, the Guidelines strongly encourage parties that may have engaged in a CFIUS-related violation to submit a self-disclosure even if not explicitly required to do so under, for example, applicable CFIUS Mitigation. According to the Guidelines (and as is discussed further below), CFIUS will consider the submission of a self-disclosure as a mitigating factor in its enforcement and penalty review.
The CFIUS Enforcement and Penalty Process
The Guidelines describe the following key steps in the CFIUS enforcement and penalty process as set forth in the CFIUS Regulations. First, CFIUS will issue a notice of penalty, which includes a written explanation of the underlying conduct and the penalty amount to be imposed, to the relevant party. Then, the relevant party has 15 business days (which can be extended) to submit a petition for reconsideration to the CFIUS Staff Chairperson. In the petition, the relevant party can describe any defenses, justifications, mitigating factors, or explanation it wishes CFIUS to consider. If the relevant party submits a petition for reconsideration, CFIUS will consider the petition and issue a final penalty determination within 15 business days (which can be extended). If no petition for reconsideration is received, CFIUS ordinarily will issue a final penalty notice determination to the relevant party.
The Guidelines also include the following non-exhaustive list of aggravating and mitigating factors that CFIUS will, as applicable, consider when determining the appropriate penalty for a CFIUS-related violation, if any:
- Accountability and Future Compliance. The impact of the enforcement action on protecting national security and ensuring that parties are held accountable for their conduct and incentivized to ensure compliance, including compliance with Section 721.
- Harm. The extent to which the conduct impaired or threatened U.S. national security.
- Negligence, Awareness, and Intent. The culpability of the relevant party, including whether the CFIUS-related violation was the result of simple negligence, gross negligence, intentional action, or willful conduct; whether the relevant party made any effort to conceal or delay the sharing of relevant information with CFIUS; and the seniority of personnel of the relevant party who knew or should have known about the conduct giving rise to the CFIUS-related violation.
- Persistence and Timing. The nature of the relevant CFIUS-related violation, including the length of time between when the relevant party became aware, or had reason to become aware, of the conduct, and when CFIUS became aware of the conduct; the frequency and duration of the conduct; with respect to CFIUS Mitigation, the length of time since the CFIUS Mitigation was issued or became effective; and, with respect to failure to file a mandatory CFIUS filing, the date of the transaction.
- Response and Remediation. The relevant party’s mitigation and remediation efforts, including whether the relevant party submitted a self-disclosure (and the timeliness, nature, and scope of any such disclosure); the relevant party’s cooperation with CFIUS; the promptness of the relevant party’s complete and appropriate remediation of the conduct; and whether the relevant party undertook an internal review of the nature, extent, origins, and consequences of the conduct to prevent similar CFIUS-related violations.
- Sophistication and Record of Compliance. The characteristics of the relevant party, including the relevant party’s history and familiarity with CFIUS; the nature and extent of the relevant party’s compliance resources, policies and procedures, training, and culture; the experience of other federal, state, local, or foreign authorities regarding the relevant party’s compliance efforts; and with respect to CFIUS Mitigation, the extent to which the relevant party had written compliance policies or trainings regarding the terms of the relevant CFIUS Mitigation that were communicated and implemented across the relevant party and the extent to which the authority, role, access, and independence of any security officer was sufficient and in compliance with the CFIUS Mitigation.
We do not expect the mechanics of CFIUS’s enforcement and penalty process to materially change as a result of the Guidelines. Instead, the Guidelines codify what CFIUS’s practice has been and lay a foundation for future developments. With that said, the Guidelines do provide a clearer picture of how CFIUS is thinking about its enforcement and penalty authority, and what parties should expect if CFIUS decides to pursue a CFIUS-related violation.
Historically, CFIUS’s enforcement activity has been limited. The data that has been publicly released by CFIUS, which covers only 2018 and 2019, discloses only two enforcement actions: a $1 million penalty in 2018 and a $750,000 penalty in 2019, both for breaches of CFIUS Mitigation. The release of the Guidelines may suggest that CFIUS plans to be more aggressive in policing and penalizing CFIUS-related violations, including with respect to issues that may not have previously been areas of CFIUS enforcement focus. With that in mind, parties should ensure that they are taking their CFIUS filing, representation, and compliance obligations seriously.
To avoid potential CFIUS pitfalls:
- parties to transactions that fall within CFIUS’s jurisdiction (so-called “covered transactions”) should ensure that they are conducting appropriate due diligence and analysis to confirm whether a transaction triggers a mandatory CFIUS filing;
- if the decision is made to submit a CFIUS filing, parties should work closely with their CFIUS legal counsel to ensure that all information included in the filing is accurate and complete in all material respects;
- when negotiating CFIUS Mitigation, parties should ensure that they do not agree to any terms that they are unable or unwilling to comply with — such concerns should be communicated to CFIUS early in the CFIUS Mitigation negotiation process and addressed with CFIUS before any CFIUS Mitigation is finalized;
- parties to CFIUS Mitigation should consider incorporating their relevant personnel (including, for example, legal, information technology, compliance, and management personnel, any CFIUS-approved security officers, and any CFIUS-related third-party monitors and auditors) into their CFIUS compliance programs and training, and have senior management emphasize the importance of CFIUS-related compliance; and
- when parties become aware of a potential or actual CFIUS-related violation, they should investigate the matter thoroughly, strongly consider the benefits and costs of self-disclosure, and promptly notify CFIUS if self-disclosure is appropriate.
 U.S. Department of the Treasury, “CFIUS Enforcement and Penalty Guidelines,” available at https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-enforcement-and-penalty-guidelines.
 See 50 U.S.C. § 4565; 31 C.F.R. Parts 800 and 802.
 31 C.F.R. §§ 800.901, 800.902, 801.409, 802.901, and 802.902.
 Such third-party service providers may include, for example, cyber security auditors, compliance monitors, and escrow agents.
 Such tips may originate from, for example, corporate insiders, shareholders, and creditors. The CFIUS tip line information can be found on CFIUS’s Monitoring & Enforcement webpage available at https://home.treasury.gov/policy-issues/international/the-committee-on-foreign-investment-in-the-united-states-cfius/cfius-monitoring-and-enforcement.
 31 C.F.R. §§ 800.901; 802.901.