The Committee on Foreign Investment in the United States (CFIUS or the Committee) is a federal interagency group that assesses whether a foreign acquirer’s transaction by purchasing certain U.S. assets presents a national security risk. CFIUS is reposed in the Department of the Treasury, but several other federal agencies are also CFIUS stakeholders and decision-makers.

At the end of the day, the ball lies with the U.S. president. The president may block the transaction in question — regulated parties (sometimes known as “subject persons”) have limited substantive recourse¹ — though usually at most mitigation agreements are imposed to minimize an otherwise questionable transaction’s national security risk. That way, the transaction can go through. The Committee’s recent actions reinforce that it remains a robust tool for the Executive Branch to police investment inflow carrying national security implications. And CFIUS emphasizes time and again that it prizes transparency from foreign acquirers.

In one form or another, CFIUS has been around since 1975. But in the past few years, certain critical CFIUS innovations have taken place. Among the most prominent innovations was the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). Since FIRRMA and its related regulations came into effect, CFIUS has gained the authority to regulate: (1) certain non-controlling investments in some U.S. businesses involved with critical technology, critical infrastructure, or sensitive personal data — known as “TID US businesses” — and (2) certain real estate transactions.

2022 was an eventful year for CFIUS. Interestingly, on Oct. 22, 2022, the Committee issued the Enforcement and Penalty Guidelines (Guidelines). The Guidelines are supposed to “provide the public with information about how [CFIUS] assesses violations of the laws and regulations that govern transaction parties, including potential breaches of CFIUS mitigation agreements.”

For the first time ever, these Guidelines articulate how CFIUS will continue to address certain CFIUS-related violations by subject persons, as well as the aggravating and mitigating factors CFIUS will consider when arriving at the appropriate penalties.

Violations Covered by the Guidelines

To be precise, these Guidelines come into play when: (1) a subject person has failed to “timely submit a mandatory declaration or notice;” (2) the conduct in question “is prohibited by or otherwise fails to comply with CFIUS mitigation agreements, conditions, or orders;” or (3) a subject person has made “[m]aterial misstatements in or omissions from information filed with CFIUS, and false or materially incomplete certifications filed in connection with assessments, reviews, investigations, or CFIUS Mitigation, including information provided during informal consultations or in response to requests for information.”

CFIUS tends to emphasize, including in these Guidelines, the value of “prompt and complete self-disclosure of any conduct that may constitute a [v]iolation” — a factor that may lead the Committee to take a more charitable view of a subject person’s conduct in question than it otherwise might have. “The Committee” has announced in the Guidelines that it “strongly encourages any person who engaged in conduct that may constitute a [v]iolation to submit a timely self-disclosure,” no matter what. To be clear, “[a] self-disclosure should take the form of a written notification describing all of the conduct that may constitute a Violation and all of the persons involved.” Self-disclosure is just one way that the Committee obtains the information to determine whether a violation has taken place. Tips received by CFIUS are another.

The Guidelines also state that “CFIUS often requests information to support its monitoring of compliance with CFIUS [m]itigation [agreements], as well as to investigate whether a [v]iolation has occurred and what enforcement action, if any, should be taken.” And once a violation is found, CFIUS considers the extent to which the subject person has cooperated with the government “in response to requests for information in determining what action, if any, to take.” Notably, regulated parties are permitted to supply the Committee with “exculpatory evidence,” along with “defense[s], justification[s], mitigating factors, or explanation[s].”

CFIUS Process and Procedure

When assessing the mitigation agreements that CFIUS will impose, the Guidelines say that CFIUS will take these “key steps in the penalty process”:

• Notice of Penalty: CFIUS will send “a written explanation of the conduct to be penalized and the amount of any monetary penalty to be imposed” to the subject person. Moreover, “[t]he notice will state the legal basis for concluding that the conduct constitutes a [v]iolation and may set forth any aggravating and mitigating factors that the Committee considered.”
• Petition for Reconsideration: The subject person has up to 15 business days after receiving the penalty notice — extensions are permitted only if the subject person can show “good cause” — to “submit a petition for reconsideration to the CFIUS Staff Chairperson, including any defense, justification, mitigating factors, or explanation.”
• Final Decision: CFIUS will issue a final penalty determination within 15 business days of receipt of the petition. And should no petition for reconsideration be timely received, then the Committee “ordinarily will issue a final penalty determination in the form of a notice to the [s]ubject [p]erson.”

Aggravating and Mitigating Factors Laid Out by the Guidelines

The Guidelines furnish a non-exhaustive list of aggravating and mitigating factors that CFIUS will consider when reaching its final decision. According to the Guidelines, “[t]he weight CFIUS gives to any factor will necessarily vary depending on the particular facts and circumstances surrounding the conduct giving rise to the [v]iolation.” CFIUS makes very clear that these protean factors are “non-binding and are not intended to, do not, and may not be relied upon to create any right or benefit, substantive or procedural, enforceable at law by any party in any administrative, civil, or criminal matter.” How a subject person behaves before and throughout the course of the CFIUS engagement might make a dispositive difference.

Among the most important factors published by CFIUS are:

• Accountability and Future Compliance: Consequences “on protecting national security and ensuring that [s]ubject [p]ersons are held accountable for their conduct and incentivized to ensure compliance, including promoting compliance and cooperation with [the operative CFIUS statute], such as through self-disclosures, where appropriate.”
• Harm: The degree to which “the conduct [in question] impaired or threatened to impair U.S. national security.”
• Sophistication of the Regulated Party and Their Record of Compliance:
  • The regulated party’s “history and familiarity with CFIUS and, if applicable, past compliance with CFIUS [m]itigation agreements.]”
  • Compliance policies, procedures, and training put in place by; resources dedicated by; and culture of the regulated party.
• Persistence and Timing: The “frequency and duration of the conduct” as well as the time delta between when the regulated party became aware — or should have become aware — of the problem and when CFIUS became aware of the problem and/or its remediation.
• Response and Remediation:
  • Whether the regulated party (1) “submitted a self-disclosure, including the timeliness, nature, and scope of information reported to CFIUS;” or (2) “cooperated completely in the investigation of the matter.”
  • “[P]romptness of complete and appropriate remediation of the conduct.”
  • Internal review of the conduct in question.
• Negligence, Awareness, and Intent:
  • Whether and to what extent the conduct in question was “the result of simple negligence, gross negligence, intentional action, or willfulness.”
  • Any “[e]ffort to conceal or delay the sharing of relevant information with CFIUS.”
  • Whether and to what extent senior “personnel within the entity that knew or should have known about the conduct.”

---

¹It suffices to note that under current D.C. Circuit precedent, the president’s or CFIUS’ “failure to provide [subject persons with] notice of, and access to, the unclassified information used to prohibit the transaction” violates the Due Process Clause of the Fifth Amendment to the U.S. Constitution — even if the regulated parties is given “the opportunity to present evidence to CFIUS and to interact with it.” Ralls Corp. v. Committee on Foreign Inv. in U.S., 758 F.3d 296, 320 (2014) (emphasis added and cleaned up). Beyond that, it is not clear that the regulated parties can do very much if a transaction is blocked.