CFIUS issues first-ever enforcement and penalty guidelines

The guidelines, published Thursday, lay out three categories of acts or omissions that would constitute a violation: failure to file a mandatory declaration notice; noncompliance with CFIUS mitigation agreements, conditions, or orders; or providing CFIUS with a material misstatement, omission, or false certification.

CFIUS is an interagency body of the U.S. government authorized to review and address national security risks arising from certain transactions involving foreign investment in the United States. According to its annual report to Congress for calendar year 2021, CFIUS issued 272 notices of covered transactions last year. Of that total, 164 were reported voluntarily to the committee and 130 required further investigation.

A total of 26 transactions warranted mitigation measures to resolve national security concerns, the report said.

The guidance indicates CFIUS will begin considering penalties for entities that fail to file a mandatory declaration notice. In 2021, there were 108 transactions CFIUS considered a threat to national security that were not voluntarily reported.

The most common sectors to receive declaration notices in 2021 were financial services (55 percent); manufacturing (28 percent); mining, utilities, and construction (12 percent); and wholesale/retail trade and transportation (4 percent). The most common foreign countries involved in declaration notices were China (44), Canada (28), Japan (26), and the Cayman Islands (18).

If CFIUS decides to issue a notice of penalty for a violation, the entity receiving the notice will have 15 days to respond with “any defense, justification, mitigating factors, or explanation,” the guidance said. CFIUS might consider extending the deadline if warranted.

When attempting to determine an appropriate penalty for a violation, CFIUS will consider mitigating and aggravating factors, including accountability and future compliance; harm to national security; negligence, awareness, and intent; persistence and timing; response and remediation; and an entity’s sophistication and record of compliance.

The committee has previously issued two penalties, both of which involved issues with mitigation agreements, according to CFIUS’s enforcement page on the Treasury Department’s website.

CFIUS issued a $1 million penalty in 2018 and a $750,000 fine in 2019, both to unnamed entities. The 2018 violation involved a “failure to establish requisite security policies and failure to provide adequate reports to CFIUS,” while the 2019 violation related to a failure to “restrict and adequately monitor access to protected data” as required by an interim order the committee handed down a year prior.

CFIUS has also forced foreign companies to divest from acquisitions and majority or minority stakes in American businesses the committee determined could threaten national security, according to a 2019 blog post by law firm Morrison Foerster. These divestiture actions are not listed on CFIUS’s enforcement page.

As of 2021, CFIUS is actively monitoring 187 mitigation agreements and conditions on covered transactions, its report to Congress said.

“The vast majority of those who come before CFIUS abide by their legal obligations and work collaboratively with the committee to mitigate any national security risks arising from the transaction; however, those who fail to comply with CFIUS mitigation agreements or other legal obligations will be held accountable,” said Assistant Secretary of the Treasury for Investment Security Paul Rosen in a press release. “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”