The Guidelines Reflect CFIUS’s Awkward Positioning Between the National Security World of Executive Branch Discretion and the Corporate Rule-of-Law World

On October 20, 2022, the Committee on Foreign Investment in the United States (CFIUS or the Committee) issued its first-ever set of “Enforcement and Penalty Guidelines.” The Guidelines introduce for CFIUS participants a new dose of rule-of-law ingredients, suggesting more predictability with regard to the process for assessing potential violations of Committee rules and agreements, as well as the consequences of such violations. However, the Committee historically has overridden rule-of-law principles when it believes circumstances warrant, which suggests that the Guidelines may well be more interesting for their signaling and conceptual features than in the actual details thereof:

• The Guidelines might best be understood as a signal of CFIUS’s aggressive new approach to monitoring foreign investment—specifically indicating an intent to impose more frequent monetary penalties. What they should not be understood to do is cabin CFIUS’s immense discretion, in part because as guidelines they lack the force of regulation. That discretion remains the signature feature of CFIUS—regarding penalties and virtually every other aspect of its operations.
  • Further, while CFIUS has been focused primarily on policing investments from parties linked to China or Russia, the Guidelines may be relevant particularly to transactions without Chinese or Russian parties. That is so because the Guidelines likely will be relevant most frequently when there are alleged violations of CFIUS mitigation agreements—i.e., violations of Committee-imposed conditions on company governance and/or operations. Most mitigation agreements are with parties that are not Chinese or Russian but, rather, from Europe, the Middle East, and elsewhere.
• CFIUS presumably views the Guidelines as limiting its own discretion in certain enforcement proceedings. By extension, that suggests the Committee wants to convey to CFIUS advisers and transaction parties a sense that CFIUS weighs heavily rule-of-law values, particularly predictability.
  • However, given the fragmented nature of CFIUS decision-making-by-committee and the absence of meaningful oversight, there is reason to doubt whether the Committee will be successful in adhering to its own limitations. Regardless, other areas of CFIUS enforcement activity likely will remain unrestrained. For example, CFIUS “requests” that companies take measures to demonstrate compliance likely will remain subject to virtually unfettered discretion, and CFIUS timeframes for making decisions on enforcement and compliance matters seemingly are unlimited.
• The vacillation between rule-of-law and discretion reflects CFIUS’ unusual posture, sitting between two worlds: i) the world of national security, in which executive branch discretion generally is unfettered; and ii) the rule-of-law world, in which predictability is the coin of the realm and is obtained through adherence to written rules and visible, regularized practices.
  • For examples of illustrative actions in the two different worlds: Seal Team Six’s raid on Osama bin Laden was in the first, while corporate transactions generally depend on the rules and practices in the second.
  • CFIUS is a creature of the national security world that by virtue of its role is constantly engaging with the rule-of-law world. This clash of worlds is often awkward. For example, the Committee issued dozens of pages of rules to implement the last CFIUS reform legislation but simultaneously asserted that much of that lawyerly stuff was not actually required—specifically, CFIUS maintains that it is not subject to rulemaking under the Administrative Procedures Act (APA) because the CFIUS rules regulate conduct that “could harm the strategic national security interests of the United States vis-à-vis other nations.” In litigation, CFIUS has maintained that it might not be constrained by the APA at all. So, CFIUS will indulge rule-of-law values . . . to a point. The Guidelines should be read with this tension in mind.
• The dose of rule-of-law ingredients that the Guidelines represent have been appropriately welcomed by CFIUS advisers and others who value the predictability that is essential for ordering private sector affairs (e.g., foreign acquisitions and investments). But there should be no mistake: while CFIUS may be lawyerly to a point, rule-of-law values will be quickly overwhelmed if/when CFIUS officials deem a setting more appropriate for Seal Team Six.

Categories of Violations

Zooming in on the details of the Guidelines, they describe three categories of potential violations:

• Failure to make a timely declaration or notice;
• Non-compliance with an existing mitigation agreement, condition, or order; and
• Material misstatement, omission, or false certification.

The Committee has not publicly reported any enforcement actions for the first or third categories, and, since 2018, there have been only two penalties for non-compliance with mitigation agreements. CFIUS officials, however, have said that additional penalties—particularly for non-compliance with mitigation agreements—are highly likely in the near future. This suggests that the Guidelines may be signaling such future enforcement activity at least as much as a commitment to rule-of-law values.  

Sources of Information

The Guidelines also address the sources of information CFIUS considers in assessing a violation, “including from across the U.S. government, publicly available information, third-party service providers (e.g., auditors and monitors), tips, transaction parties, and filing parties.” The Guidelines specifically highlight as important i) requests for information by the Committee, ii) company self-disclosures, and iii) tips provided to the CFIUS tip line. Note that the last of those three is commonly used by companies seeking to draw CFIUS attention to competitors.
 
The Guidelines do not focus much on the information that CFIUS may glean from third-party auditors and monitors, but such third parties are increasingly frequent features of CFIUS mitigation agreements. Our recent experience suggests that CFIUS is urging auditors and monitors to be very stringent in their reviews.

The Guidelines also emphasize the timeliness of self-disclosure as a factor in determining the Committee’s response to a potential violation. Timeliness factors include whether the conduct was discovered by the Committee or other government officials, and whether such discovery was imminent prior to self-disclosure. This self-disclosure factor presumably will incentivize parties to consider disclosure of potential violations sooner rather than later (all else being equal). As in other regulatory regimes that urge self-disclosures, though, the incentives to disclose might or might not outweigh other factors.

The Guidelines also note that information provided during informal consultations will be held to the material misrepresentation standard— i.e., a party might be penalized based on a misrepresentation in the context of a seemingly informal discussion with CFIUS—suggesting that there is no longer such a thing as an “informal” inquiry.

The Penalty Process

The Guidelines next address the penalty process. The penalty process begins with the Committee sending a written notice of penalty to the subject, which notice will include an explanation of the violation and any monetary penalty being imposed. CFIUS sometimes signals an intent to begin enforcement proceedings even before issuing the penalty notice, but that penalty notice officially starts the enforcement proceeding.

The subject then has 15 days (extendable by a showing of good cause) to submit a petition for reconsideration, including any defense, justification, mitigating factors, or explanation. Upon receipt, CFIUS then has 15 days (extendable by mutual agreement) to consider the petition and issue a final penalty determination.

Aggravating/Mitigating Factors

Finally, the Guidelines set forth six categories of factors that the Committee may weigh in determining an appropriate penalty:

• whether and how a penalty will hold violators accountable and incentivize compliance in the future;
• the harm to U.S. national security caused or threatened by the violation;
• the extent to which the violation was the result of negligence, intentional action, or willfulness;
• the frequency, duration, and timing of the violation;
• the actions taken to respond to, report, and remediate the violation; and
• the subject’s record of compliance, both with respect to existing CFIUS mitigation measures and generally.

Some of these factors are quite broad. The Guidelines state that “variation in the consistency of compliance” and the “compliance culture” within the company are relevant to the Committee’s evaluation of the company’s record of compliance, as is “experience of other federal, state, local or foreign authorities” with respect to the company. The discretion the Committee affords itself is manifest, unsurprising, and perhaps appropriate.

In the Legal World, but Not of It

The Guidelines provide at least a simulacrum of a legal process, and that may be welcome news for those in the rule-of-law world. In the event CFIUS officials see a need for Seal Team Six, though, observers should be aware that the Guidelines are merely, well, guidelines.