Read All About It: CFIUS Publishes Enforcement Information

Darshak Dholakia, Betsy Feuerstein, Hrishikesh Hari, Amy Jicha, Brooklynn Moore, Jeremy Zucker
Dechert LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Dechert LLP

Key Takeaways

  • After over a year of preview, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) has finally published information on its most recent enforcement actions.
  • The actions were announced on CFIUS’ new Enforcement webpage (available here), and they are significant for a number of reasons.
  • The launch of the CFIUS enforcement page is an important step toward enhancing the transparency of the Committee's operations. By publishing details about the actions (and inactions) that led to enforcement, CFIUS has provided key insights for both U.S. companies and non-U.S. investors regarding compliance with filing requirements and mitigation commitments and articulated the cost of non-compliance.
  • CFIUS’ increased focused on compliance and enforcement also highlights the importance of ensuring that if mitigation measures are imposed as a condition of clearing a transaction there is an actionable compliance program in place to ensure compliance with the parties’ obligations. Below, we summarize the published enforcement actions and offer key takeaways for dealmakers.

Background

CFIUS is an interagency committee, chaired by the U.S. Department of the Treasury, which has broad powers to review non-U.S. investments in, and acquisitions of, U.S. businesses to determine the potential impact on U.S. national security. CFIUS has the authority to review matters that are brought before it and to initiate its own transaction reviews. It may impose mitigation measures on transactions that it determines are a risk to U.S. national security, and any failure to comply with such measures may result in the imposition of a penalty by the Committee.

Under the CFIUS regulations (31 C.F.R. Parts 800 and 802) and as described in CFIUS’ October 2022 memorandum summarizing enforcement procedures and penalties (which we discuss here), there are three types of conduct that can result in a penalty being imposed:

  • The submission of a declaration or notice containing a material misstatement or omission or making a false certification to the Committee;
  • Failing to file a mandatory declaration or notice; and
  • Failing to comply with a material provision of a mitigation agreement.

For each violation, CFIUS is authorized to enforce and subsequently impose a civil penalty up to $250,000 or the value of the transaction (whichever is greater).

CFIUS Enforcement Actions

Historically, CFIUS has revealed little with respect to its enforcement activities other than disclosing a single enforcement action in each of 2018 and 2019. The 2018 enforcement action concerned what was described as a “repeated” breach of a mitigation agreement, including failure to establish the necessary security policies and provide required reports to CFIUS, and resulted in a $1 million penalty. The 2019 enforcement action involved the violation of the terms of an interim order (i.e., the immediate mitigating measures put in place while a formal mitigation agreement was negotiated) and resulted in a $750,000 penalty.

In contrast, the recently published enforcement actions tout significant penalties from 2023 (and 2024) that are only now being made public.

  • Unauthorized Access to Protected Data: In 2024, CFIUS imposed a $60 million penalty against T-Mobile for failing to prevent unauthorized access to sensitive data and for failing to promptly report the same, which resulted in the violation of T-Mobile’s National Security Agreement (“NSA”). The T-Mobile action is notable for two reasons: it is the largest monetary penalty disclosed by the Committee, and it is the only enforcement action to date that provides the name of the party in violation.
  • Vacant Security Director: In 2024, CFIUS imposed an $8.5 million penalty against a U.S. business for violating its NSA by removing the board of directors’ independent directors, leaving the Security Director position vacant, and making a required government security committee defunct. This effectively stripped the U.S. government of the oversight mechanisms established to monitor compliance with the company’s NSA. This enforcement action also resolved CFIUS’ investigation of potential additional NSA violations, which related to the transfer of intellectual property to third parties.
  • Material Misstatements in Filing: In 2024, a transaction party was fined $1.25 million for submitting a joint voluntary notice with material misstatements regarding sources of funding and related agreements, as well as for providing the Committee with forged documents and signatures. Although the CFIUS filing was ultimately rejected and the proposed transaction was abandoned, CFIUS still chose to assess a penalty due to the finding that the transaction party’s actions impaired the Committee’s ability to assess the national security risks in connection with the proposed transaction.
  • Failure to Comply with NSA Obligation: In 2023, a U.S. business was fined $990,000 for failing to maintain a statement on its website regarding foreign ownership, which violated the transaction party’s CFIUS mitigation agreement (which was in the form of a Letter of Assurance or “LOA”). CFIUS noted the presence of certain aggravating factors, such as the duration of the violations, managerial involvement in the violations, failure to self-disclose the violations, and the company’s lack of LOA compliance procedures and training. CFIUS also identified mitigating factors, such as the company’s cooperation with CFIUS during its investigation.
  • Failure to Comply with Deadline under NSA: In 2023, a non-U.S. investor was fined $200,000 for failing to divest its interest in a U.S. business by the deadline specified by CFIUS in the parties’ NSA. CFIUS also noted the presence of certain aggravating factors, such as repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and the failure to provide timely notice to CFIUS of the failure to meet the divestment deadline. Mitigating factors included the difficulty of market conditions during the COVID-19 pandemic.
  • Failure to Comply with Deadline under NSA: In 2023, another non-U.S. investor was fined $100,000 for failing to divest its interest in a U.S. business by the deadline specified by CFIUS in the parties’ NSA. CFIUS also noted the presence of certain aggravating factors, such as repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and the failure to provide timely notice to CFIUS of the failure to meet the divestment deadline. Mitigating factors included the difficulty of market conditions during the COVID-19 pandemic, and the non-U.S. investors small size and lack of sophistication.

What Dealmakers Should Know

The trendlines remain clear: CFIUS continues focus on managing the impact of foreign investments on U.S. national security, and it is making greater use of enforcement actions to drive compliance with regulatory requirements and with the commitments that form the basis for clearing certain sensitive transactions.

As we discussed in our recent OnPoint regarding CFIUS’ latest annual report (which you can find here), CFIUS continues to impose mitigation measures on transaction parties. Furthermore, the illustrative list of mitigation measures published in the 2023 CFIUS annual report included several measures that were not included in 2022. Each such new action demonstrates the expanding breadth of restrictions that CFIUS may seek to implement. The increased scope of mitigation measures also aligns with the priorities publicly identified by Paul Rosen, Assistant Secretary of the Treasury for Investment Security, including a greater focus on monitoring and enforcement.

CFIUS officials have emphasized repeatedly the importance of timely development of programs designed to ensure compliance with mitigation agreements. During Treasury’s Second Annual CFIUS Conference in September 2023, CFIUS officials stated that they had identified a number of potential compliance exceptions during the implementation phase (usually the first few months following the date a mitigation agreement becomes effective). These sentiments are supported by the enforcement actions discussed above, two of which involve transaction parties’ failure to comply with agreed deadlines.

The disclosure of T-Mobile’s identity is particularly noteworthy for a Committee that takes such pride in the confidentiality of parties to CFIUS reviews. The Committee likely negotiated the reveal of T-Mobile as the recipient of the largest fine to underscore the seriousness and potential financial implications of non-compliance. By contrast, keeping other parties to violations anonymous may serve to encourage cooperation with mitigation agreements without publicly damaging reputations, while still conveying the message that non-compliance will be met with enforcement actions. This selective disclosure strategy underscores the Committee's commitment to enforcement while balancing the confidentiality concerns inherent in its operations.

The published enforcement actions also highlight the importance of aggravating and mitigating factors, with higher penalties assessed for violations in which aggravating factors were present. While this approach is similar to that of other U.S. government agencies with national security responsibilities (such as the Commerce Department’s Bureau of Industry and Security and the Treasury Department’s Office of Foreign Assets Control) there are also deviations in CFIUS’ approach. Unlike other U.S. government agencies, CFIUS has not provided information in the published enforcement actions about the specific impact of aggravating and mitigating factors on the size of the fines imposed. Such information is also not provided in CFIUS’ Enforcement and Penalty Guidelines, leaving an open question regarding the weight given by CFIUS to aggravating and mitigating factors when determining the appropriate civil monetary penalty.

The issuance of Determination of Noncompliance Transmittal (“DONT”) Letters also underscores the Committee’s enforcement goals (holding parties responsible) while maintaining a balanced approach to assessing penalties. According to the Committee, DONT Letters are issued to notify parties that one or more violations has occurred but, after considering the relevant information and aggravating and mitigating factors, CFIUS has decided either not to pursue enforcement (i.e., assess a penalty) or that more information is required to assess whether a penalty is warranted. DONT Letters have been described as appropriate for first time, inadvertent, and limited-scope violations that do not impair or threaten to impair U.S. national security. However, given that DONT Letters may lead to penalties in certain circumstances, a focused and transparent strategy for engagement with the Committee upon receipt of a DONT Letter will be important.

Conclusion

The introduction of the CFIUS enforcement page is a promising step toward enhancing the Committee's transparency. However, although this move signals progress, it is unlikely that CFIUS will adopt the same level of public disclosure as other U.S. government agencies with enforcement authority. While there may be periodic enforcement updates, we do not expect a dramatic shift in the Committee’s longstanding practices regarding the confidentiality of its deliberations and assessments, which often involve classified information. Nonetheless, the information published about recent enforcement actions reinforces for transaction parties that when agreeing to NSAs or other forms of CFIUS mitigation, the work isn’t done when the agreement is signed. Failure to ensure effective ongoing compliance can have both reputational and financial costs.

A sophisticated CFIUS strategy, at every step of the process, can make a significant difference. Parties contemplating transactions involving foreign investments in U.S. businesses should evaluate CFIUS considerations early in the transaction process and ensure that if mitigation measures are imposed, there is an actionable compliance program developed to oversee compliance with the parties’ obligations.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Dechert LLP

Written by:

Dechert LLP
Dechert LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Dechert LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide