CFIUS Enforcement and Penalty Guidelines Enhance Transparency for Cross-Border Dealmakers

The Committee on Foreign Investment in the United States (CFIUS) released the first-ever CFIUS Enforcement and Penalty Guidelines (Guidelines) on Oct. 20, 2022, providing the public a roadmap describing three categories of conduct that may constitute a violation of the CFIUS regulations, the process the Committee generally follows in imposing penalties and some of the factors it considers in determining whether a penalty is warranted and the scope of any such penalty. These Guidelines also highlight the importance of prompt and complete self-disclosure of any conduct that may constitute a violation.

The Guidelines align with other regulatory regimes involved with protecting U.S. national security, such as export controls and economic sanctions, that incentivize voluntary self-disclosures of violations and reward parties for enhanced compliance measures, while applying less favorable treatment to repeat offenders and those that ignore or obfuscate prohibited conduct.

Types of Conduct That May Constitute a Violation of CFIUS Regulations

The Guidelines address three categories of acts or omissions that may constitute a violation:

1. Failure to file a mandatory declaration in a timely manner.
2. Conduct that is prohibited by or otherwise fails to comply with CFIUS mitigation agreements, conditions or orders (CFIUS Mitigation).
3. Material misstatements, omissions or false certifications in relation to any information submitted to CFIUS in connection with its review, or CFIUS Mitigation, including information "provided during informal consultations."

Sources of Information on Which CFIUS Relies

The Guidelines outline the primary sources CFIUS utilizes to receive information in connection to evaluating potential violations.

• Requests for Information: CFIUS often requests information from individuals and entities to monitor compliance with CFIUS mitigation, investigate potential violations and determine if any enforcement action is necessary. It is important to remember that compliance with these requests for information is a positive factor when CFIUS is considering appropriate enforcement actions.
• Self-Disclosure: CFIUS strongly encourages any person who engaged in conduct that may constitute a violation to submit a timely self-disclosure, even if not explicitly required by any applicable CFIUS agreement, law or regulation. Self-disclosures should be in written form and provide a complete description of what may constitute a violation, including all parties involved. Timely and complete self-disclosures will also be considered positive factors when CFIUS is determining whether a penalty or other remedial measures are necessary. A key factor in "timeliness" is whether discovery of the conduct at issue by CFIUS or other government officials has already occurred or was imminent prior to the self-disclosure. CFIUS will also consider whether the reporting party or parties complied with any applicable CFIUS mitigation requiring the disclosure of the conduct. If a business is in the process of completing an internal investigation of a potential violation, it should still make an initial self-disclosure to CFIUS and follow up with a complete self-disclosure.
• Tips: CFIUS encourages parties to submit tips, referrals or other relevant information to the CFIUS tips line found on the CFIUS Monitoring and Enforcement Page.

Penalty Process

The Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) and CFIUS regulations provide the maximum penalties that may be assessed based on different violations. Specifically:

• Any person who submits a declaration or notice with a material misstatement or omission or makes a false certification under 31 Section 800.404, Section 800.405 or Section 800.502 may be liable for a civil penalty not to exceed $250,000 per violation.
• Any person who fails to comply with the requirements of Section 800.401 may be liable for a civil penalty not to exceed $250,000 or the value of the transaction, whichever is greater.
• Any person who violates, intentionally or through gross negligence, a material provision of a mitigation agreement under Section 721(l) of the Defense Production Act may be liable for a civil penalty not to exceed $250,000 per violation or the value of the transaction, whichever is greater.

In each case, the penalty is per violation, which suggests that violations can be cumulated, meaning that CFIUS might find more than one violation and assess a penalty higher than the maximum per violation. This determination shall be based on the nature of the violation.¹

The Guidelines provide a roadmap for the penalty process as described in 31 C.F.R. Section 800.901. First, CFIUS sends a notice of penalty, including a written explanation of the conduct to be penalized and the amount of any monetary penalty to be imposed. The notice will state the legal basis for concluding that the conduct constitutes a violation and may set forth any aggravating and mitigating factors that the Committee considered. Second, the recipient may (but is not required to) submit a petition of reconsideration, within 15 business days, including any defense, justification, mitigating factors or explanation (the period may be extended by written agreement upon a showing of good cause). Finally, CFIUS will consider any petition it receives before issuing a final penalty determination within 15 business days of receipt of the petition (the period may be extended by written agreement).

When considering a penalty for a CFIUS violation, CFIUS weighs a number of aggravating and mitigating factors in its fact-based analysis. Below, we highlight a few of the most notable considerations for businesses (a full list is available here):

• Accountability and Future Compliance: the need to impose accountability for conduct and incentivize future compliance
• Harm: the impact of the violation on U.S. national security
• Negligence, Awareness and Intent: the extent to which the conduct was the result of simple negligence, gross negligence, intentional action or willfulness; any effort to conceal or delay the sharing of relevant information with CFIUS; and the seniority of personnel within the entity that knew or should have known about the conduct
• Persistence and Timing: the length of time that elapsed between awareness of the conduct and CFIUS reporting, along with the frequency and duration of the conduct
• Response and Remediation: the existence of self-disclosure, including the timeliness, nature and scope of information reported to CFIUS; whether there was complete cooperation in the CFIUS investigation; and whether there was prompt, complete and appropriate remediation of the conduct
• Sophistication and Record of Compliance: a business's history and familiarity with CFIUS; internal and external resources dedicated to compliance with applicable legal obligations (e.g., legal counsel, consultants, auditors and monitors); policies, training and procedures in place to prevent the conduct and the reason for the failure of such measures; the compliance culture that exists within the company; and the experience of other federal, state, local or foreign authorities with knowledge of the business in the assessment of the quality and sufficiency of compliance with applicable legal obligations

Top 3 Takeaways

The CFIUS Process Is Extremely Complex. The penalty guidelines, in combination with a recent Executive Order on expanded factors in the CFIUS review process, provide flashing signals to the public of CFIUS heightened scrutiny of and commitment to protect industry sectors of particular importance to U.S. national security. An analysis of CFIUS jurisdiction is now a de facto requirement in all cross-border investments or acquisitions.

Any Communication to CFIUS May Be the Basis for a Violation. The Enforcement and Penalty Guidelines make clear that any and all submissions to CFIUS (whether in the context of assessments, reviews, investigations, mitigation or informal consultations) should be complete, transparent and done in a timely manner. CFIUS considers each of these as aggregating or mitigating factors in assessing potential penalties.

Dedicated Resources and Commitment to Compliance Are Mitigating Factors. The Enforcement and Penalty Guidelines expressly call out — as mitigating factors — businesses' internal and external resources dedicated to compliance with applicable CFIUS legal obligations (including legal counsel), along with policies, training and procedures in place to prevent prohibited conduct. These factors clearly underscore the regulatory value of having an expert conduct standard CFIUS-related due diligence for all cross-border transactions and perform a CFIUS risk assessment, as appropriate, to fully vet all CFIUS considerations.

If you have any questions about this alert or seek assistance formulating a CFIUS strategy, reach out to the authors or another member of Holland & Knight's CFIUS and Industrial Security Team. Our attorneys have the knowledge and experience to conduct the necessary due diligence to identify covered transactions, prepare the necessary CFIUS risk assessments to equip business leaders with tools to evaluate regulatory risk and help navigate the evolving CFIUS landscape.

Notes

¹ See 31 Section 800.901.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.