CFIUS Updates: New Rules to Sharpen Process and Enforcement Authorities

Morrison & Foerster LLP

On April 11, 2024, the Committee on Foreign Investment in the United States (CFIUS) unveiled updates to its regulations that sharpen CFIUS’s processes and enforcement authorities. Together with remarks by U.S. government officials speaking at a recent industry event, these updates underscore that the demands on and risks to transacting parties in the U.S. have never been greater.

New Rulemaking Bolstering CFIUS Enforcement Authorities and Updating Processes

The U.S. Department of the Treasury (“Treasury”) issued a Notice of Proposed Rulemaking (NPRM) to update certain CFIUS regulations, procedures, and authorities. These changes reflect CFIUS’s growing appetite to identify more violations, issue more and greater penalties, and improve its internal processes.

The proposed changes include:

  • Expanding the types of information CFIUS can require persons to submit when engaging on transactions that were not initially filed with CFIUS (i.e., non-notified transactions) to explicitly include information to determine whether the transaction (i) may raise national security concerns, (ii) would be subject to a mandatory filing requirement, and (iii) is a covered transaction;

  • Instituting an extendable timeline (i.e., three business days) for transaction parties to substantively respond to mitigation agreement proposals from CFIUS;

  • Expanding the circumstances in which a civil monetary penalty may be imposed for material misstatements and omissions;

  • Increasing the amount of civil monetary penalties available for violations of CFIUS’s regulations, mitigation agreements, and orders, as well as for material misstatements, from $250,000 per violation to $5,000,000 per violation, or the value of the transaction;

  • Clarifying the use of CFIUS’s purported subpoena authority to obtain information when the Committee determines it is appropriate (as opposed to necessary in the current regulations); and

  • Extending the timeframe for submission of a petition for reconsideration of a penalty to the Committee and the number of days for the Committee to respond to such a petition.

Material Changes

Based on comments from CFIUS officials, the proposed changes are reactions to prior incidents and frustrations within CFIUS about its processes and procedures. Although most of the proposed regulations reinforce or enhance authorities CFIUS already has or reflect realities of how CFIUS has long operated, some are more material changes.

First, the extendable three-day response time for parties to respond to a CFIUS-proposed mitigation agreement will likely create an unpredictable, costly, and hasty negotiation process by compelling parties to respond substantively to mitigation agreement proposals. If parties don’t, or can’t, substantively respond, CFIUS will be authorized to reject the filing. As a practical matter, it will be difficult for many transaction parties to respond to the initial draft of a CFIUS mitigation agreement within three business days.

CFIUS can take weeks to prepare mitigation terms and, although the draft mitigation agreements will reflect thoughtful consideration by CFIUS, they do not include direct input from the parties. The drafts may pose operational changes that will have a profound and burdensome impact on the U.S. business’s efficiency and competitiveness (e.g., vendor approvals or controls on specific types of information). Proposals can also include changes to existing processes that will require reallocating limited resources to operationalize redundant or inapposite requirements (e.g., CFIUS-preferred cybersecurity standards) or the proposals can have complex and conflicting impacts on new and existing shareholders. A CFIUS-generated draft mitigation agreement can also reflect an imperfect understanding of the U.S. business, its technology, and operations—and these imperfections will be difficult to understand in three business days, much less ascertain whether the terms are agreeable or require an alternative approach.

Second, the updates to CFIUS’s subpoena powers authorize CFIUS to obtain information when the Committee determines it is appropriate (as opposed to necessary in the current regulations). This language will also lower the threshold for contacting “other persons” (i.e., third parties) for information regarding whether a transaction is a covered transaction, may raise national security considerations, or trigger mandatory CFIUS filing obligations.

This update could have significant practical impacts. If CFIUS engages with third parties in this manner more regularly, it will raise novel issues of confidentiality and privilege. For example, outreach to third parties in a manner that discloses information provided to CFIUS by transaction parties may be inconsistent with statutory confidentiality protections. This authority also extends to subpoenas for non-privileged information from transaction-adjacent parties, such as financial and strategic advisors. And because the subpoena authorization extends to risk-related information, which includes aggregate investment trends as a potential risk factor, it is possible CFIUS may seek information regarding multiple transactions from a single source in the future.

Comments on the Proposed Rule are due by May 15, 2024. After considering the public’s comments, Treasury will issue a Final Rule, which will become effective one month after it is announced.

Other Updates

In addition to the new rulemaking, speakers at the industry event highlighted other topics, including:

  • Strategic competition between the United States and China and its effect on investment flows: Concerns were raised with China’s revised counterespionage law, which speakers cautioned potentially gives Chinese authorities unfettered access to the data and documents of any company operating in China. According to some, this makes it difficult, if not impossible, in certain circumstances to mitigate the risks of Chinese investment into U.S. companies.
  • Outbound investment restrictions: As previously discussed, in August 2023, President Biden issued a long-anticipated Executive Order (E.O.) restricting U.S. investments in Chinese companies developing certain sensitive technologies. There were no updates on when to expect the next stage of rulemaking and overall little new light shed on the proposed regime.
  • Data transfer restrictions: As previously discussed, in February 2024, President Biden issued an E.O. announcing a new regulatory regime to restrict the transfer of certain sensitive data to what are described as six “countries of concern,” including China. The Department of Justice (DOJ), which will implement and oversee the regime, issued an ANPRM contemporaneous with the E.O. It seems DOJ’s focus in implementing the regime will be to cover categories of transactions not already covered by other authorities—some referring to this as an “export regime for data.”

    The regime is not necessarily aimed at protecting privacy, as existing regimes on privacy are individual-focused and best left to other regulatory authorities. Rather, the regulations are intended to protect U.S. national security and the collective risk of Americans’ data being misused by perceived adversaries. DOJ expects to move to an NPRM “quickly” after consideration of the comments provided to the ANPRM.

These updates, combined with CFIUS’s proposed enhanced enforcement authorities, demonstrate the holistic approach the U.S. government is taking to try to mitigate national security risks, ranging from case-by-case inbound investment reviews to categorical restrictions on certain outbound investments and data transactions.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP | Attorney Advertising
