The U.S. Department of Treasury recently released Enforcement and Penalty Guidelines (Guidelines) that outline conduct violating the Committee on Foreign Investment in the United States (CFIUS or Committee) regulations. Specifically, these Guidelines, the first of their kind, outline CFIUS’ process and practical considerations when deciding whether to impose penalties and how severely to enforce a violation.
These Guidelines come several weeks after the Administration’s release of Executive Order (EO) 14083 “Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States.” EO 14083 is notable as it is the first presidential directive defining CFIUS security considerations. That said, the order outlines many of the factors that the Committee already considers when reviewing transactions under its purview. EO 14083, defines five key national security factors for CFIUS to consider when analyzing transactions for potential violations:
- Effect on U.S. supply chain resilience, including those outside the defense industrial base.
- Effect on U.S. technological leadership in national security sectors, including microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies
- Industry investment trends and possible national security reverberations from the transaction
- Cybersecurity risks threatening national security
- Risks to U.S. persons’ sensitive data
Central to both the Guidelines and EO 14083 are the importance of voluntary self-disclosures and the consequence for failing to make mandatory filings to the Committee. These two recent actions highlight the significance the Biden Administration places on CFIUS as a tool to combat national security threats.
CFIUS Enforcement and Penalty Guidelines
Under its mandate to review foreign investments in the United States, CFIUS is tasked with determining whether and to what degree a flagged transaction might jeopardize national security. These new guidelines outline the process the Committee follows when making those decisions. Specifically, it lays out the type of conduct the Committee considers a violation, the review process for imposing penalties, and the different factors that impact how severe of a penalty is appropriate.
Under the Guidelines, there are three categories of conduct that result in a violation:
- Failure to File applicable mandatory declarations or notices
- Noncompliance with CFIUS Mitigation
- Material Misstatements, Omissions or False Certifications
While the Guidelines list several tools at the Committee’s disposal to uncover one of the above violations—for example, submitted tips and referrals, and information requests to support mitigation efforts—voluntary self-disclosures by companies are critical. The guidelines introduce a voluntary disclosure process for self-reporting potential CFIUS violations similar to what has historically been more common with export controls and sanctions violations. The timeliness, nature and scope of a disclosure are only a few of the mitigating factors CFIUS will consider when calculating a violation penalty.
Timeliness will be assessed on two primary considerations: 1) was the conduct already discovered or about to be discovered prior to the self-disclosure, and 2) has the reporting party complied with any applicable CFIUS mitigation (Mitigation) measures that would require disclosing the conduct. The Guidelines do not replace or modify any reporting or notification requirements tied to Mitigation efforts.
Other aggravating and mitigating factors include:
- Accountability and Future Compliance, including through self-disclosures
- Degree of harm to U.S. national security caused or threatened to cause
- Negligence, Awareness, and Intent – degree of negligence, efforts to interfere with information sharing, and seniority of personnel who knew or should have known
- Persistence and Timing – duration of conduct prior to CFIUS awareness, date of transactions (Failure to File), and the amount of time elapsed since Mitigation was issued or became effective
- Response and Remediation – self-disclosures (timeliness, nature, and scope), cooperation with Committee investigations, promptness and completeness of remediation measures, and whether an internal review was conducted to prevent reoccurrence
- Sophistication and Compliance Record – history of dealings with CFIUS and other federal, local, or foreign authorities, internal and external compliance resources, training and procedures in place to prevent the conduct and stem the source of the failure, consistency of compliance and internal compliance culture