On October 20, 2022, the US Department of the Treasury (Treasury) issued, for the first time, Enforcement and Penalty Guidelines (Guidelines) for the Committee on Foreign Investment in the United States (CFIUS or the Committee). The Guidelines describe three categories of conduct that may constitute a violation, the process CFIUS generally follows in imposing penalties, and some of the factors the Committee considers in determining whether a penalty is warranted and the scope of any such penalty. The Guidelines also encourage prompt and complete self-disclosure of any conduct that may constitute a violation.
While the Guidelines are novel in the CFIUS context, they track many of the key features included in penalty and enforcement guidance from other agencies with national security responsibilities such as the Office of Foreign Assets Control (OFAC) within Treasury and the Bureau of Industry and Security (BIS) within the Department of Commerce.
Before summarizing the substance of the Guidelines below, we offer a few key takeaways:
- Although CFIUS has always had authority to impose penalties on parties subject to its jurisdiction, the Guidelines signal the likelihood that such penalties, seldom used in the past, may be deployed more aggressively against those who fail to submit mandatory filings, violate mitigation obligations, or make false or misleading statements to CFIUS.
- Citing CFIUS’s subpoena authority under the Defense Production Act (DPA), the Guidelines signal the Committee is prepared to force recalcitrant parties to provide information when violations are suspected. The Guidelines highlight that CFIUS may refer violations to other Executive Branch agencies for investigation, including the Department of Justice (DOJ), further underscoring the heightened stakes. While the DPA and CFIUS’s implementing regulations provide only for civil penalties, criminal penalties could be imposed under other laws, such as knowingly making a false statement to a US government agency (18 USC § 1001).
- While the CFIUS website has had a tip line and email address for a number of years, it has been seldom utilized. The Guidelines further encourage CFIUS tips, which could have interesting consequences for parties subject to jurisdiction of the Committee, especially those that could be subject to mandatory filing requirements who are either unaware or unwilling to comply with such requirements. As in any other investigative context, companies potentially subject to such requirements would be well-served to take seriously any internal or external indications that an employee, competitor, or other third-party may contact the CFIUS tip line, and take appropriate steps to assess the merits of their position to mitigate the risk that CFIUS could act on its own by sending a request for information or otherwise initiating an investigation.
- The aggravating and mitigating factors that will ultimately weigh for and against imposition of a penalty should be very familiar to attorneys and compliance professionals that focus on economic sanctions matters. The factors cited by CFIUS closely resemble those used by OFAC in assessing whether a penalty should be imposed in the face of an apparent violation of OFAC regulations. Likewise, the factors also echo many of the key elements of DOJ’s recently released guidance on Corporate Criminal Enforcement Policies. These similarities are no accident and make clear that parties engaging with CFIUS on penalty and enforcement matters should proceed with the same caution and care they would use in these closely related contexts.
The Guidelines highlight three types of acts or omissions which may constitute a violation:
- Failure to File: Failure to timely submit a mandatory declaration or notice, as applicable.
- Non-Compliance with CFIUS Mitigation: Conduct that is prohibited by or otherwise fails to comply with CFIUS mitigation agreements, conditions, or orders.
- Material Misstatement, Omission, or False Certification: Material misstatements in or omissions from information filed with CFIUS, and false or materially incomplete certifications filed in connection with assessments, reviews, investigations, or CFIUS Mitigation, including information provided during informal consultations or in response to requests for information.
The announcement notes that a violation will not necessarily lead to a penalty or other remedy, and that CFIUS will exercise its discretion in determining when a penalty is appropriate, including by considering the applicable aggravating and mitigating factors described below.
In determining whether a violation has occurred, CFIUS will rely on information from a variety of sources, including from across the US government, publicly available information, third-party service providers (e.g., auditors and monitors), tips, transaction parties, and filing parties. When deemed necessary, CFIUS may also use its subpoena authority.
The Guidelines outline four key steps in the penalty process. These include:
- CFIUS sends the Subject Person a notice of penalty, including a written explanation of the conduct to be penalized and the amount of any monetary penalty to be imposed. The notice will state the legal basis for concluding that the conduct constitutes a Violation and may set forth any aggravating and mitigating factors that the Committee considered.
- The Subject Person may, within 15 business days of receipt of a notice of penalty, submit a petition for reconsideration to the CFIUS Staff Chairperson, including any defense, justification, mitigating factors, or explanation. Upon a showing of good cause, this period may be extended by written agreement between the Staff Chairperson and the Subject Person.
- If a petition for reconsideration is timely received, CFIUS will consider it before issuing a final penalty determination within 15 business days of receipt of the petition, which may be extended by written agreement between the Staff Chairperson and the Subject Person.
- If no petition for reconsideration is timely received, CFIUS ordinarily will issue a final penalty determination in the form of a notice to the Subject Person.
As mentioned above, CFIUS will consider aggravating and mitigating factors when formulating an appropriate penalty following a violation. While non-exhaustive, the Guidelines list several such factors that CFIUS may consider which include:
- Accountability and Future Compliance
- The impact of the enforcement action on protecting national security and ensuring that Subject Persons are held accountable for their conduct and incentivized to ensure compliance.
- The extent to which the conduct impaired or threatened to impair U.S. national security.
- Negligence, Awareness, and Intent
- The extent to which the conduct was the result of simple negligence, gross negligence, intentional action, or willfulness.
- Effort to conceal or delay the sharing of relevant information with CFIUS.
- The seniority of personnel within the entity that knew or should have known about the conduct.
- Persistence and Timing
- The length of time that elapsed after the Subject Person became aware, or had reason to become aware, of the conduct, and before CFIUS became aware of the conduct and/or its remediation.
- The frequency and duration of the conduct.
- In the case of a Violation of CFIUS Mitigation, the length of time since the CFIUS Mitigation was issued or became effective.
- In the case of a Failure to File, the date of the transaction at issue.
- Response and Remediation
- Whether the Subject Person submitted a self-disclosure, including the timeliness, nature, and scope of information reported to CFIUS.
- Whether the Subject Person cooperated completely in the investigation of the matter.
- The promptness of complete and appropriate remediation of the conduct, including the remedial steps taken upon learning of a Violation.
- Whether there was an internal review of the nature, extent, origins, and consequences of the conduct to prevent its reoccurrence.
- Sophistication and Record of Compliance
- The Subject Person’s history and familiarity with CFIUS and, if applicable, past compliance with CFIUS mitigation.
- Internal and external resources dedicated to compliance with applicable legal obligations.
- Policies, training, and procedures in place to prevent the conduct and the reason for the failure of such measures.
- Variation in the consistency of compliance, both horizontally across the entity, and vertically from directors and officers to supporting staff.
- The compliance culture that exists within the company.
- The experience of other federal, state, local, or foreign authorities with knowledge of the Subject Person in the assessment of the quality and sufficiency of compliance with applicable legal obligations.
- In the case of a Violation of CFIUS Mitigation, the extent to which written compliance policies or training on the terms of the relevant CFIUS mitigation were communicated and implemented across the entity.
- In the case of a Violation of CFIUS Mitigation, the extent to which the authority, role, access and independence of any security officer were sufficient and in compliance with the terms of the CFIUS Mitigation.
Consistent with its stated goal of promoting compliance and cooperation, CFIUS will continue its practice of publishing on its website information related to specific enforcement actions. This will shed further light on the actual implementation of these Guidelines. Those potentially within the scope of CFIUS’s jurisdiction would be well-advised to monitor any future enforcement actions to assist in their own compliance with CFIUS regulations and related authorities.