Introduction

On April 15, 2024, Treasury’s Office of Investment Security published a Notice of Proposed Rulemaking (“NPRM”) in the Federal Register enhancing’s CFIUS authority to identify and mitigate national security risks for transactions subject to its jurisdiction.  

The rule is intended to enable CFIUS to more effectively deter violations, promote compliance, and swiftly address national security risks in connection with CFIUS reviews, adapt its practices based on lessons learned in recent years, and build on the 2022 CFIUS Enforcement and Penalty Guidelines implemented to standardize procedures for party noncompliance.  If enacted, this rule would be the first substantive update to the mitigation and enforcement provisions of the CFIUS regulations since their overhaul in 2018 and 2020.

CFIUS Background

CFIUS is a U.S. Government interagency committee authorized to review certain transactions involving foreign investments in U.S. businesses and foreign purchases or leases of U.S. real estate in order to determine the effect of such transactions on the national security of the United States.

CFIUS has the authority to review 1) certain transactions that could result in  control of any U.S. business by a foreign person, 2) the acquisitions of a noncontrolling interest by a foreign person in certain types of U.S. businesses, or 3) the purchase or lease of certain sensitive U.S. real estate by a foreign person.

When CFIUS identifies a national security concern that arises as a result of a transaction within its jurisdiction, it is authorized to negotiate and enter into agreements with the transaction parties or impose conditions on the transaction parties to mitigate such a national security concern, as well as to enforce compliance with those agreements and conditions.

Proposed Rule

The proposed rule would make the following changes augmenting CFIUS authorities:

Expanding information gathering authorities

1. For non-notified transactions: The proposed rule seeks to formally expand the types of information CFIUS can solicit on transactions that were not filed with CFIUS, as well as the parties from which CFIUS can seek such information.  Currently, CFIUS has explicit authority to seek information to determine only whether the transaction falls within Committee jurisdiction.  In particular, the proposed rule would expand this authority to allow CFIUS to seek information on whether a transaction may raise national security concerns and whether a transaction meets the criteria for a mandatory CFIUS filing even from persons who are not parties to the transaction in question.  CFIUS has previously solicited such information from transaction parties as part of its non-notified outreach, but the proposed rule would make explicit its authority to request such information and obligate transaction parties and other parties to respond.  
2. For potential violations and noncompliance: The proposed rule expands the types of information CFIUS can request for monitoring transaction party compliance with applicable obligations and determining whether any person has made a material misstatement or omitted material information during the course of a previously concluded review or investigation.  CFIUS already often solicits this type of information, but the changes in the proposed rule would obligate transaction parties and other parties to respond.
3. Via lower threshold for issuing subpoenas: The proposed rule lowers the threshold that CFIUS must meet to issue subpoenas. Currently, CFIUS may issue subpoenas to third parties if the Committee deems it necessary; the proposed rule will allow CFIUS to do so if the Committee deems it appropriate.  In practice, this revision may encourage CFIUS to rely more frequently on subpoena power, a power it has historically rarely invoked.

Increasing scope and magnitude of civil monetary penalties

1. The proposed rule substantially increases the maximum civil monetary penalties that CFIUS can impose for a variety of violations of obligations under its governing statute and regulations, as well as under CFIUS agreements, orders, and conditions.  Key changes to maximum monetary penalties per violation include:
   1. Material misstatements or omissions in CFIUS filings would increase to $5,000,000;
   2. Failure to submit a mandatory filing would increase to the greater of $5,000,000 or the value of the transaction;
   3. Violation of material provisions of mitigation agreements or material conditions imposed by CFIUS would increase to the greater of $5,000,000, the value of the transaction, or the value of the party’s interest in the U.S. business at the time of the violation or the time of the transaction.

Currently, the maximum penalty for these types of violations is either (i) $250,000 or (ii) $250,000 or the value of the transaction, whichever is higher.

2. The proposed rule expands the circumstances in which a civil monetary penalty can be imposed, including situations when a material misstatement or omission is made outside of a review or investigation of a transaction (for example, in the context of the Committee’s monitoring and compliance functions).
3. In consideration of these increased civil monetary penalties, the proposed rule extends from 15 business days to 20 business days the time window in which transaction parties may submit a petition for reconsideration of a penalty to CFIUS, as well as the number of days within which the Committee must respond to such a petition.

Formalizing timelines for negotiating mitigation agreements

1. The proposed rule would institute an extendable, three-day deadline by which transaction parties must substantively respond to CFIUS risk mitigation proposals in matters that are under active review. Failure to meet this deadline could result in CFIUS rejecting the parties’ notice. This provision is similar to CFIUS’s existing deadline for responding to Committee information requests, and CFIUS believes this rule will better enable it to conclude its reviews within the statutorily-mandated timelines. Despite this belief, the proposed rule does not impose a parallel deadline on CFIUS itself.