On October 20, 2022, the Department of the Treasury (Treasury), which chairs the Committee on Foreign Investment in the United States (CFIUS), released the first-ever CFIUS Enforcement and Penalty Guidelines (the Guidelines). The Guidelines, issued during CFIUS’s review of TikTok and its relationship with Chinese parent ByteDance, provide further guidance on CFIUS’s evaluation of whether to pursue penalties or other enforcement actions for violations of a party’s CFIUS obligations. CFIUS publishes its enforcement actions on Treasury’s website.
Section 721 of the Defense Production Act of 1950 (Section 721), the CFIUS authorizing statute, allows CFIUS to impose monetary penalties and seek other remedies for violations of Section 721, the CFIUS regulations, and any mitigation orders, conditions, or agreements imposed by CFIUS. For instance, failure to submit a mandatory CFIUS filing and certain violations of mitigation agreements may result in civil penalties of up to $250,000 per violation or the value of the transaction, whichever is greater. Further, previously cleared transactions in which a party submitted false or misleading information to CFIUS as well as material breaches of mitigation agreements can result in unilateral or compelled initiations of reviews by CFIUS, including reopening closed cases.
The new Guidelines describe three categories of conduct that may constitute a violation, the process CFIUS generally follows when imposing penalties, and specific factors that CFIUS considers when determining whether a penalty is warranted. The Guidelines note that CFIUS may use its subpoena authority when necessary to compel information from parties, and that CFIUS may also refer prohibited conduct to other U.S. government authorities, which may result in additional civil and/or criminal enforcement penalties depending on the nature of the misconduct.
Categories of Conduct That May Constitute a Violation. The Guidelines identify three categories of acts or omissions that may constitute a violation:
- Failure to file. Failure to timely submit a mandatory declaration or notice.
- Non-compliance. Conduct that is prohibited or otherwise fails to comply with CFIUS mitigation agreements, conditions, or orders.
- Material misstatements, omissions, or false certifications. Material misstatements in or omissions from information filed with CFIUS and false or materially incomplete certifications filed in connection with CFIUS proceedings or mitigation. This includes information provided during informal consultations or in response to requests for information.
Sources of Information. To determine whether a violation has occurred, CFIUS considers information from a wide variety of sources, including the U.S. government, publicly available information, third-party providers such as auditors and monitors, tips, self-disclosures, transaction parties, and filing parties. CFIUS will also review a party’s responses to any requests for information that are issued in support of CFIUS’s monitoring of compliance with its mitigation agreements. In determining whether to take action, CFIUS will consider a party’s cooperation in providing such requested information, which may also include any exculpatory evidence, defenses, justifications, mitigating factors, or explanations that a party may choose to provide.
The Guidelines encourage parties engaged in conduct that may be prohibited to submit voluntary self-disclosures to CFIUS, which should take the form of a written notification describing the conduct and persons involved. CFIUS will consider the timeliness of any self-disclosure in determining the appropriate response to a violation, including whether discovery of the conduct by CFIUS or other government officials has already occurred or was imminent prior to the self-disclosure and whether the reporting party or parties complied with any applicable CFIUS mitigation requirements mandating disclosure of the conduct. In cases where a party believes that a violation may have occurred but has not yet fully investigated the conduct at issue, a party may submit an initial self-disclosure and subsequently submit a more detailed disclosure.
Penalty Process. The Guidelines explain the key steps in the penalty process, which largely follow CFIUS’s regulations:
- Notice. CFIUS will send the party notice of the penalty, including a written explanation of the conduct to be penalized and the amount of any monetary penalty to be imposed. The notice will state the legal basis for concluding that a violation has occurred. The notice may also describe any aggravating and mitigating factors that CFIUS considered.
- Petition for reconsideration. The party may submit a petition for reconsideration to CFIUS within 15 business days of receiving the penalty notice. The petition may include any defense, justification, mitigating factors, or explanation. The 15-day period may be extended by written agreement if the party demonstrates good cause for delay.
- Consideration of petition for reconsideration. If a petition for reconsideration is timely received, CFIUS will consider the petition before issuing a final penalty determination within 15 business days of receiving the petition.
- Final penalty determination. If no petition for reconsideration is received, CFIUS will typically issue a final penalty determination in the form of a notice to the party.
Aggravating and Mitigating Factors. The Guidelines explain that CFIUS engages in a fact-based analysis when determining the appropriate penalty in response to a violation. The weight CFIUS affords to any given factor depends on the particular facts and circumstances giving rise to the violation.
The following illustrates some of the aggravating or mitigating factors that CFIUS may consider when determining the appropriate response to a violation:
- Accountability and future compliance. The impact of the enforcement action on protecting national security and ensuring that the violating party is held accountable, as a means to incentivize and ensure future compliance.
- National security. The extent to which the conduct impaired or threatened to impair U.S. national security.
- Negligence, awareness, and intent. Whether the conduct was the result of negligence, intentional action, or willfulness; whether a party made efforts to conceal or delay the sharing of information with CFIUS; and the seniority of personnel within the entity who knew or should have known about the conduct.
- Persistence and timing. Whether the party became aware or had reason to be aware of the violation; the frequency and duration of the conduct; and (for certain violations) the date of the transaction at issue and the length of time since CFIUS mitigation was imposed.
- Response and remediation. Whether the party submitted a self-disclosure, cooperated in the investigation of the violation, remediated the conduct, and conducted an internal review to prevent the conduct from recurring.
- Sophistication and record of compliance. The party’s history and familiarity with CFIUS; its prior compliance with CFIUS mitigation requirements; and the scope of any internal and external resources dedicated to compliance with CFIUS obligations – including a company’s general compliance culture and the existence of written compliance policies, training, and other procedures to ensure compliance with CFIUS obligations.
Kelly Laughlin, a Law Clerk at Wiley Rein LLP, contributed to this alert.