On April 15, 2024, the U.S. Treasury Department (Treasury), as the Chair of the Committee on Foreign Investment in the United States (CFIUS or the Committee), published a notice of proposed rulemaking (NPRM) “to enhance certain CFIUS procedures and sharpen its penalty and enforcement authorities.”  In particular, the proposed new measures would expand the authority of CFIUS to gather information related to both notified and non-notified transactions, impose more significant civil penalties on transaction parties, and alter procedures related to the negotiation of mitigation agreements.  The proposed changes to CFIUS’s regulations are meant “to more effectively deter violations, promote compliance, and swiftly address national security risks in connection with CFIUS reviews,” Assistant Secretary for Investment Security Paul Rosen said in a statement on Thursday.  This represents the first significant update to the CFIUS regulations since the enactment and implementation of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which significantly expanded the scope of CFIUS’s jurisdiction. 

Key Takeaways

  • It seems clear that based on lessons learned by the Committee in the years since FIRRMA’s implementation, CFIUS has determined that its regulatory and enforcement toolkit is still insufficient, at least with respect to certain transaction parties, to properly incentivize compliance and deter conduct detrimental to its core national security mission. The proposed rules seek to rebalance the cost-benefit calculus for transaction parties, especially those who may only respond to increased enforcement risk and the prospect of significant monetary penalties. 
  • The new rules will likely have a considerable impact on certain transaction parties negotiating mitigation agreements with CFIUS, engaged in contentious or adversarial proceedings with CFIUS, or that have violated a CFIUS rule, mitigation agreement, condition, or order. The rules will also enhance CFIUS’s ability to collect information from parties when evaluating jurisdictional questions and potential national security risks associated with non-notified transactions not previously reviewed by the Committee.  
  • The NPRM may also foreshadow an overall increase in CFIUS enforcement activity, as CFIUS may seek to leverage its enhanced penalty authorities.  It is important to note, however, that just because CFIUS may have the authority to impose more severe civil penalties does not mean that it will do so in every case.  Indeed, the NPRM clarifies that CFIUS will exercise its discretion by taking “into account the specific facts and circumstances of the violation and relevant aggravating and mitigating factors as identified in the Committee’s Enforcement and Penalty Guidelines….”
  • Despite the prospect of more aggressive enforcement and larger monetary penalties, for many transaction parties the proposed rules may have minimal impact on their interactions with CFIUS. The rules do not expand the scope of CFIUS jurisdiction, adjust the timetable for CFIUS review, or alter the national security considerations it assesses when reviewing transactions. In many instances, the regulations appear intended to explicitly authorize conduct that is already relatively common CFIUS practice.
  • The NPRM makes clear that enhancing the Committee’s operational efficiency is a key driving factor behind the proposed rule changes.  CFIUS will look to use the new authorities and processes in the proposed rule to increase the efficiency of its information gathering, reviews and investigations, and negotiation of mitigation agreements.  In particular, certain of the changes appear aimed at helping CFIUS meet the statutory review deadlines more often and cut down on the number of transactions that are withdrawn and refiled, a common and recently increasing practice used to restart the CFIUS review clock. 

Changes Proposed in NPRM

Authority to Request Information

The first major change in the NPRM relates to CFIUS’s authority to request, and if necessary compel, parties to provide information related to certain types of transactions.  The current regulations allow the Committee to request from parties to non-notified transactions information necessary for CFIUS to determine whether a given transaction is a “covered transaction” under the regulations. However, the regulations do not expressly authorize CFIUS to request other information, such as whether a transaction may have been subject to a mandatory pre-closing filing requirement or may raise national security concerns. The proposed rules would make CFIUS’s authority to request such information explicit. Currently, when seeking information about non-notified transactions, CFIUS often requests information that is relevant to whether the transaction was subject to a mandatory filing requirement or may raise national security concerns. Therefore, the changes to make the Committee’s authority to request such information explicit may not significantly alter the type of information it requests from parties to non-notified transactions. With that said, the additional explicit authority may embolden CFIUS to broaden the nature of requests it sends to parties in at least some contexts.

The NPRM makes clear that CFIUS does not intend to use such explicit authority to conduct national security assessments outside of the formal notice or declaration process, but rather to help CFIUS prioritize and assess the non-notified transactions for which it should request a formal filing.

The proposed rule would also make explicit CFIUS’s authority to request information from parties when the Committee seeks information regarding compliance with a mitigation agreement, order, or condition and when the Committee seeks to determine if a transaction party made a material misstatement or omission during a previously reviewed transaction. CFIUS currently requests information in such situations, but the current regulations do not explicitly obligate parties to respond.

Relatedly, the proposed rules would provide CFIUS more latitude to issue subpoenas to compel parties to respond to CFIUS requests by relaxing the standard for issuing subpoenas.  Currently, CFIUS’s regulations only allow the Committee to issue a subpoena if doing so is “necessary” to obtain information from a party to a transaction.  The proposed rule would loosen this criteria by authorizing CFIUS to issues a subpoena if the Committee deems it to be “appropriate.” 

Enhanced Penalties

The second significant change in the NPRM would expand the circumstances in which CFIUS may impose a penalty and allows CFIUS to issue much larger civil penalties in various situations. 

The existing regulations allow for the imposition of civil penalties for material misstatements or omissions in a declaration or notice or false certifications.  The proposed rule would authorize CFIUS to also impose civil penalties for material misstatements or omissions in other contexts, such as “requests for information related to non-notified transactions, certain responses to the Committee’s requests for information related to monitoring or enforcing compliance, and other responses to the Committee’s requests for information, such as for agency notices….”  However, the NPRM clarifies that such civil penalties “are not intended to apply to every material misstatement or omission in a communication between parties and the Committee related to monitoring compliance with an agreement, condition, or order” and that “the Committee will notify parties in writing when parties’ response to a particular communication may be subject to a penalty…due to a material misstatement or omission.”

The proposed rule would authorize penalties of up to $5 million per violation for (1) declarations or notices with material misstatements or omissions or false certifications regarding such filings and (2) any response to a request from CFIUS that contains a material misstatement or omission.

With respect to violations of mitigation agreements, conditions, or orders the proposed rule would provide for the maximum penalty for a violation to be the greatest of: (1) $5 million, (2) the value of the violating party’s interest in the U.S. business (or covered real estate) at the time of the transaction, (3) the value of the violating party’s interest in the U.S. business (or covered real estate) at the time of the violation or the most proximate time to the violation for which assessing such value is practicable, or (4) the value of the transaction.

The NPRM states that the increased civil penalties are necessary because the current penalty maximum of $250,000 (or the greater of $250,000 or the value of the transaction for certain violations) “may not sufficiently deter or penalize certain violations….” Moreover, CFIUS notes in the proposed rule that some transactions are valued at zero even if they involve companies worth billions of dollars. “[C]overed transactions involving businesses with valuations in the billions of dollars or with substantial liquidity might still be purported to be valued at zero dollars” given the “various forms” that a transaction may take under CFIUS rules.

Mitigation Negotiations

The final substantial change in the NPRM would alter CFIUS’s procedures for negotiating mitigation agreements by imposing deadlines for parties to respond to draft mitigation agreements.  The proposed rule explains that “[t]he current regulations contain no provision establishing a time frame within which parties must respond to a Committee proposal or revision of terms to mitigate identified national security risks, and the Committee often exchanges multiple drafts with transaction parties during negotiation of a mitigation agreement…” Consequently, according to CFIUS, the current arrangement makes it challenging for the Committee to comply with its statutory obligation to complete its investigation phase within 45 days (following a 45-day review phase).  The NPRM would “amend the regulations to specify a three business day period for substantive party responses to proposed mitigation terms (both initial and subsequent proposals or revisions), unless the parties request a longer time frame and the Staff Chairperson grants that request in writing.”  The proposed rule further clarifies that “[t]he Staff Chairperson may grant reasonable extension requests on a case-by-case basis, as appropriate and taking into account views of the Committee and factors such as the statutory time remaining for the case and whether the transaction has been filed before closing.” 

Notably, the NPRM does not provide a timetable in which CFIUS must initiate negotiations over mitigation agreements, which can often occur with just a couple of weeks left in the investigation phase, leaving companies with little time to assess the impact of significant measures they may need to live with for years to come. The NPRM also does not include timetables in which CFIUS must respond to mitigation counterproposals or substantive suggestions from the parties.

Parties that have negotiated mitigation agreements in the past will likely recall scrambling to respond to CFIUS mitigation proposals as quickly as possible to maximize the negotiating time available, which may raise the question of why such a regulatory change is necessary.  The NPRM notes that it is particularly needed for post-closing transactions in which the parties have less incentive to move quickly.  There have been a number of recent high-profile post-closing transactions in which mitigation discussions have reportedly dragged on for months or even years.  CFIUS may also be trying to cut down on the number of filings that are withdrawn and refiled, a tactic commonly used to restart the CFIUS review clock when parties run out of time to negotiate mitigation agreements within the time allotted by the statute and regulations.  In 2022, the most recent year for which data is available, 68 transactions were withdrawn and refiled, a significant increase from years past.

Business Impact

For many transaction parties the proposed rules are likely to have little impact on their dealings with CFIUS. The rules do not alter the scope of CFIUS jurisdiction, the timeline of reviews, or the national security considerations it uses in assessing transactions. Indeed, a number of the changes seem aimed at making more explicit certain powers and practices that CFIUS has already been exercising. With that said, the proposed rules may have a significant impact on parties with complex deals requiring mitigation or engaged in more contentious or adversarial proceedings with CFIUS. In such instances, the proposed rules could result in parties having less leverage in mitigation negotiations, less ability to negotiate with CFIUS over the production of sensitive or burdensome information, and more risk if they make a mistake resulting in a violation of CFIUS rules.

The proposed rules may also portend an uptick in CFIUS enforcement action and follow CFIUS’s recent issuance of its Enforcement and Penalty Guidelines.

The deadline for comments on the NPRM is Wednesday, May 15, 2024, 30 days from its publication in the Federal Register.

For additional information regarding the NPRM or advice with respect to a particular transaction please contact a member of our National Security and CFIUS Practice.