On October 20, 2022, the U.S. Department of Treasury, acting in its role as Chair of the Committee on Foreign Investment in the United States (CFIUS), published a new set of “Enforcement Penalty and Guidelines” (the guidelines). This marks the first time since CFIUS was established in 1975 that it provided any such guidance material for parties subject to CFIUS’s statutory purview. CFIUS is charged with identifying and mitigating risks to U.S. national security arising from foreign acquisitions of and investments in U.S. businesses.

The publication of these guidelines is intended to provide greater transparency to the public in CFIUS’s decision-making and enforcement paradigm. CFIUS has stated this guidance document is not binding, creates no substantive or procedural rights, and “can and will be updated as circumstances require.” However, while the release of these guidelines does not appear to be directly in response to any recent enforcement actions, it is another signal from the current Administration to heighten its focus on improving the competitiveness of U.S. businesses and reducing U.S. reliance on foreign supply chains. For this reason, the guidelines point to a potentially heightened enforcement environment in CFIUS’s efforts to protect U.S. national security interests.

Guidelines

The guidelines identify the following three types of conduct that may be considered a violation subject to enforcement and penalty:

1. Failure to timely submit either a mandatory declaration or notice;
2. Engaging in conduct prohibited or that fails to comply with CFIUS mitigation agreements, conditions, or orders;
3. Submitting information containing material misstatements or omissions or filing materially incomplete or false certifications.

To identify a violation in the above categories, CFIUS notes that it considers information from sources both within and outside the U.S. government, with emphasis on the following methods:

• Requests for Information: Voluntary information requests submitted to entities for purposes of either monitoring compliance with mitigation measures implemented by CFIUS or investigations of potential violations.
• Self-Disclosures: The guidelines “strongly encourage” parties that may have committed a violation to submit a self-disclosure even when not explicitly required by law or other regulation (e.g., voluntary self-disclosures pursuant to the Office of Foreign Asset Control’s regulations). This marks the first time CFIUS has identified procedures for self-disclosures and the degree to which a timely and complete self-disclosure may mitigate enforcement action.
• Tips: Information from any party that believes a violation may have occurred.
• Subpoena: CFIUS may issue subpoenas for information pursuant to the Defense Production Act (50 U.S.C. § 4555(a)).

In the event that CFIUS considers imposing penalties or other enforcement actions, as provided at 31 C.F.R. §§ 800.901 and 802.901, the guidelines outline three key steps in the process. First, CFIUS will send the potentially penalized part a notice of penalty, which includes a written explanation of the prohibited conduct, a proposed monetary penalty, the legal basis for the violation, and any mitigating/aggravating factors. Second, following receipt of such notice, the party has 15 business days to submit a “petition for reconsideration” to CFIUS, which should include any potential defenses, justifications, explanations, or mitigating factors for the alleged prohibited conduct. If a party submits a petition, CFIUS will consider it before issuing its final penalty determination within 15 days of receipt (CFIUS will issue a similar notice if no petition is received).

During its review and consideration of potential penalties, the guidelines now provide the following (non-exhaustive) aggravating and mitigating factors that CFIUS will consider on a case-by-case basis:

• Accountability and Future Compliance: Whether and how the enforcement action will affect national security, ensure accountability for the alleged actions, and incentivize future compliance.
• Harm: The extent of any harm, actual or threatened, to U.S. national security interests by the alleged conduct.
• Negligence, Awareness, Intent:
• Whether the conduct resulted from negligence (simple or gross), intentional action, or willful conduct;
• Whether there was an effort to conceal or delay sharing information with CFIUS;
• Whether senior personnel knew or should have known about the prohibited conduct.
• Persistence and Timing:
• Time between the alleged action or conduct and when CFIUS became aware of the potential violation;
• The frequency and/or duration of the conduct;
• For mandatory filings, the date of the transaction requiring the filing;
• For CFIUS mitigation measures, how long the measures were in place;
• Response and Remediation:
• Whether a self-disclosure was made and the contents/timing of such disclosure (i.e., timeliness of filing, scope of information submitted)
• Cooperation of the potential violating party;
• Remedial steps taken upon learning of a violation and the promptness of remediation;
• Whether an internal review occurred and any consequences therefrom.
• Sophistication and Record of Compliance:
• Party’s history/familiarity with CFIUS and any prior mitigation measures;
• Resources (internal and external) devoted to compliance with legal obligations;
• Policies, training, and procedures in place to prevent the alleged conduct;
• Consistency of compliance policy and whether a “compliance culture” exists at an entity, as demonstrated both horizontally across the entity and vertically from senior management to supporting staff;
• Other governmental authorities’ experience with the party in regard to compliance measures;
• For CFIUS mitigation issues, whether specific compliance policies or trainings were disseminated and implemented and whether a security officer’s authority, role, access, and independence were sufficient to comply with the CFIUS mitigation measure.

Key Takeaways

The guidelines should ultimately be helpful from a compliance standpoint to foreign parties and U.S. businesses considering mergers, acquisitions, or investments and those that have entered into mitigation agreements with CFIUS. But with increased transparency, parties must also assume that CFIUS is entering a period of increased scrutiny and enforcement of these types of transactions. Therefore, now more than ever, businesses must promptly determine, ideally early in due diligence, whether a contemplated transaction is subject to CFIUS jurisdiction and whether it could present national security concerns.

Cozen O’Connor stands ready to assist our international and domestic clients in addressing national security concerns across a variety of industries, including by evaluating a proposed transaction from a CFIUS perspective, shaping an effective strategy for addressing any likely CFIUS concerns, and establishing policies and trainings for parties already subject to mitigation agreements to enhance compliance in the long-term while mitigating risk in the event of a violation.