Treasury Department Launches New CFIUS Enforcement Website

Holland & Knight LLP

[co-author: Ronnie Rosen Zvi]

Highlights

  • The Committee on Foreign Investment in the United States (CFIUS or Committee) recently launched a new section of its website specifically dedicated to enforcement, providing further clarity and transparency regarding CFIUS' approach to compliance with its regulations and related mitigation orders, conditions and agreements.
  • The new website features, for the first time, a list of recent enforcement actions carried out by CFIUS, including a $60 million fine imposed on a major U.S. telecom company in 2024 for alleged national security violations.
  • This action follows the recent publishing of CFIUS' 2023 Annual Report, which showcases significant trends and developments in the Committee's review process and provides valuable insights into its largely confidential operations.
  • The launch of the enforcement website, together with the publishing of specific enforcement actions, signifies CFIUS' ongoing focus on enforcement and accountability of transaction parties, as highlighted in its 2023 Annual Report.

The Committee on Foreign Investment in the United States (CFIUS or Committee) on Aug. 14, 2024, announced its largest-ever enforcement action and launched a new section of its website dedicated to enforcement. In addition to publishing past enforcement actions, the website includes information related to CFIUS Enforcement and Penalty Guidelines and the latest regulatory activities aimed at strengthening compliance.

Notably, the launch of the new website comes shortly after the release of the public version of CFIUS' Annual Report to Congress for Calendar Year 2023 (Annual Report) on July 23, 2024. In the Annual Report, CFIUS emphasizes its increased focus on diligence, compliance and enforcement, while improving efficiencies in its review process. For example, the Annual Report underscores enhanced CFIUS scrutiny over non-notified transactions, as well as the increase in penalties issued by the Committee.

The 2023 CFIUS Annual Report, together with the new enforcement website, highlights CFIUS' ongoing commitment to enhancing its oversight and enforcement of foreign investment transactions. Specifically, the focus on increased enforcement and scrutiny over non-notified transactions underscores that CFIUS is as important a concern to cross-border transactions as ever.

Record CFIUS Fine Made Public to Warn Would-Be Violators

The most prominent enforcement case published on the new website is against one of America's largest telecom companies. This case stands out because it is the first instance where CFIUS has publicly named the violating party, and it carries a record penalty of $60 million.

This recent enforcement action against a well-known mobile communications company is of paramount importance to CFIUS practitioners and companies alike, as it underscores the critical nature of CFIUS compliance, including compliance with national security agreements (NSAs) and the provision of accurate, complete and timely information to CFIUS. The Committee determined that between August 2020 and June 2021, in violation of a material provision of the NSA, the company failed to take appropriate measures to prevent unauthorized access to certain sensitive data and to promptly report incidents of unauthorized access to CFIUS, thereby delaying CFIUS' efforts to investigate and mitigate any potential harm. The company has subsequently worked with CFIUS to enhance its compliance posture and committed to working cooperatively with the U.S. government to ensure future compliance with its CFIUS obligations. Cooperation with the government and implementation of enhanced compliance procedures are mitigation measures that could lead to a reduction of the potential penalty.

The new enforcement website also references seven additional relatively recent enforcement actions, all of which relate to noncompliance with CFIUS mitigation terms, except for one involving material misstatements filed with CFIUS. The website includes details of the violations, such as the nature of the conduct, as well as the mitigating and aggravating factors that informed CFIUS' decisions.

The enforcement website, along with the publication of CFIUS enforcement actions, indicates a substantial increase in enforcement activities and reflects CFIUS' broader effort toward transparency and accountability with a heightened focus on enforcement.

Enforcement Website Content

U.S. Department of the Treasury Assistant Secretary for Investment Security Paul Rosen made the following remarks in connection with the launch of the new website:

"In the last few years, CFIUS has redoubled its resources and focus on enforcement and accountability, and that is by design: if CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences."

Rosen's comments align with recent CFIUS enforcement trends. Notably, in 2023 and 2024, CFIUS issued three times more penalties than it had previously issued in its nearly 50-year history. The publication of these recent enforcement actions is therefore a welcome feature and a step forward toward increased government transparency and improved industry compliance.

One key feature of the new website is its disclosure of all civil monetary penalties imposed by CFIUS since 2018. The majority of the enforcement actions published on the website include the imposition of penalties for failing to comply with an NSA's mitigation terms and provisions. For example, in 2024, one company was fined $8.5 million for willful violations of an NSA. According to CFIUS, the company's major shareholders orchestrated an initiative to remove all of the company's independent directors, which effectively nullified the compliance oversight responsibilities assigned to the security director and the board's government security committee. The company also had potential additional violations of the NSA relating to transfer of certain intellectual property (IP) to third parties.

One 2024 case involved a $1.25 million penalty for submitting a joint voluntary notice and supplemental information containing five material misstatements, including forged documents and signatures. CFIUS not only rejected the filing due to the misstatements, but also levied significant civil penalties because the misstatements impeded CFIUS' ability to assess national security risks and increased the potential harm to national security.

The website also contains other helpful information for the public and investing community about how CFIUS approaches compliance and enforcement. The website clarifies the situations in which violations of relevant laws and regulations, as well as mitigation agreements, would lead to civil monetary penalties (CMPs) or other remedies. In this context, the website references the CFIUS Enforcement and Penalty Guidelines (Guidelines) and lists examples of aggravating and mitigating factors CFIUS may consider in making a case-by-case decision on the appropriate enforcement course of action. (See previous Holland & Knight alerts on the Guidelines and proposed rule to enhance CFIUS enforcement authorities and procedures, "CFIUS Enforcement and Penalty Guidelines Enhance Transparency for Cross-Border Dealmakers," Oct. 24, 2022, and "Treasury Department Issues Proposed Rule to Enhance CFIUS Procedures, Enforcement Authorities," May 10, 2024.)

Moreover, CFIUS lists penalties and remedies that it has the authority to impose in addition to CMPs. These include the revocation of safe harbor, negotiation of remediation plans, imposition of a filing requirement regarding future covered transactions for up to five years, and injunctive relief.

Finally, the enforcement website includes a section on Determination of Noncompliance Transmittal (DONT) Letters, which the Treasury Department may issue in cases where CFIUS has determined that one or more violations occurred. DONT Letters serve as notification to the parties that a violation has occurred in situations where a penalty is not necessarily warranted. DONT Letters have been issued mainly in the context of first-time, inadvertent and limited-scope violations that had little potential to harm national security or when certain mitigating factors apply. Importantly, DONT Letters may serve as an aggravating factor in the event that CFIUS later pursues penalties against the same party for a separate violation. CFIUS also provides examples of circumstances in which DONT Letters have been issued, including failure to timely submit a mandatory declaration for a first-time offense with no harm to national security, transfer of assets to a company controlled by certain foreign persons, and failure to prevent unauthorized access to restricted IP.

Conclusion

The new CFIUS enforcement website reflects the Committee's broader effort to enhance and develop its enforcement processes and authorities in recent years, as reflected in its 2023 Annual Report. Alongside the Enforcement and Penalty Guidelines issued in 2022, the website serves as a tool to better understand CFIUS procedures and considerations in reviewing conduct by parties in cross-border transactions and determining penalties and other remedies. The new website provides concrete examples of the types of violations that may lead to heightened scrutiny and significant penalties for breaching parties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Holland & Knight LLP
