11/21/2022 | Press release | Distributed by Public on 11/22/2022 11:29
November 21, 2022, Covington Alert
Much attention has been drawn recently to the first-ever CFIUS Enforcement and Penalty Guidelines (the "Guidelines"), which the Treasury Department, as chair of CFIUS, released on October 20, 2022. The Guidelines are notable as a marker for CFIUS's approach to penalty enforcement, and are intended to signal a more active approach to enforcement of CFIUS mitigation agreements and non-notified transactions. Issuance of the Guidelines provides an opportunity to reflect on an aspect of the CFIUS law and regulations that is underdeveloped and, frequently, haphazard in its application: monitoring and enforcement of mitigation agreements. In this analysis, we summarize the Guidelines, but also place them in a broader context of gaps, challenges, and trends in CFIUS mitigation monitoring.
In issuing the Guidelines, Assistant Secretary of the Treasury for Investment Security Paul Rosen explained that the "announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies." While the statement expresses a clear intent-and may sound ominous to investors-we view the issuance of the Guidelines as a welcome development, as it provides a clear administrative marker for how the Committee will approach enforcement of CFIUS mitigation agreements, including potential imposition of civil money penalties, and provides more structure to a process that has often been approached in an ad hoc manner.
The Guidelines describe three categories of conduct that may constitute a violation, the process the Committee follows in imposing penalties, the factors it considers in determining whether a penalty is warranted, and the scope of any such penalty. The three categories of acts or omissions that may constitute a violation include:
As the Guidelines point out, violations do not automatically result in penalties or other remedies available to CFIUS under Section 721 of the Defense Production Act of 1950, as amended, 50 U.S.C. § 4565, which instead are within the Committee's discretion.
According to the Guidelines, CFIUS primarily relies on three sources of information in determining whether a violation has occurred:
The Guidelines describe the Committee's process for considering and imposing penalties once it concludes that a violation has occurred. These processes, however, already are prescribed by the CFIUS regulations, 31 C.F.R. § 800.901, and thus the Guidelines do not chart new territory in this regard.
The regulations provide that if CFIUS identifies a violation that merits a penalty, CFIUS first sends a notice of penalty, which includes a written explanation of the alleged violation and the amount of any monetary penalty that CFIUS intends to impose. This notice should include a statement of the legal basis for CFIUS's determination that a violation has occurred and may also explain the factors (described more fully below) that the Committee considered in reaching its decision.
Second, the recipient of the notice of penalty is provided an opportunity to submit a petition for reconsideration that may include defenses, mitigating factors, explanations, or other information the party believes is relevant to CFIUS's decision.
Third, the Committee will consider any timely petition for reconsideration before issuing a final penalty determination within 15 days of the petition's receipt. If no petition for rehearing is received, CFIUS generally issues a final penalty determination in the form of an additional notice to the violating party.
Given the foregoing has been codified in regulations for several years, the most novel aspect of the Guidelines is the list of mitigating or aggravating factors that CFIUS will consider in its assessments of violations and potential penalties. At a high level, these factors can include:
The Guidelines are expressly non-binding, and will be updated as needed going forward.
The issuance of the Guidelines and the attention that they have drawn also provides an opportunity to consider the broader context of CFIUS mitigation and enforcement at this mid-term moment in the Biden Administration. While the issuance of the Guidelines is a step in the right direction, we still see gaps in this aspect of CFIUS's exercise of its authorities, and we offer our thoughts on potential trends and expectations for CFIUS in the near term and the impact on transaction parties and the broader investment community.
The same, however, cannot be said for mitigation monitoring-i.e., the practice of the Committee between approval and penalty enforcement. As a legal matter-and in application by the Committee-mitigation monitoring has developed as the Wild West. There are no clear rules that guide the entire Committee on mitigation monitoring, nor is there the same level of oversight or accountability within and among the agencies as applies when CFIUS reviews a transaction or when it pursues a civil money penalty. Most CFIUS mitigation matters do not run into challenges because the parties most often are compliant, and, importantly, because the CFIUS Monitoring Agencies ("CMAs")-meaning the agencies that are signatories to the mitigation agreement and responsible for monitoring and enforcement-most often act in a reasonable fashion, but that is entirely dependent on the personalities and individualized approaches of the CMAs. Indeed, it is a credit to transaction parties and the professionalism of the governmental officials and contractors who conduct mitigation monitoring on behalf of the government that, by and large, mitigation monitoring has worked adequately over the last several decades. But dependency on the personality and capabilities of individuals creates unnecessary risk both for CFIUS and for transaction parties.
To amplify the point: there is no established and published practice for how the CMAs will approach monitoring; there is no articulated path for appeal if there is a disagreement between a party and a CMA short of a penalty enforcement action; there is no standard for terminating agreements when they are clearly obsolete, absent a clear timeline in a mitigation agreement (and often even when there are such clear timelines); and there is no requirement for the CMAs to respond to parties on waiver requests, clarifications, or even required submissions under CFIUS mitigation agreements. Moreover, it frequently is the case that the government officials responsible for monitoring were not part of the negotiation of the mitigation agreement; that subject matter experts that are engaged as contractors to support the CMAs do not receive the full history of the matter; and that during the life of a mitigation agreement, the CMA officials may change multiple times. Results and tendencies in mitigation monitoring, as a result, can vary wildly. For example, one agency may decide that a particular requirement of a mitigation agreement, or even the entire agreement, is obsolete, but other agencies may disagree, and the result is that the transaction parties live with, and are held to compliance with, outdated requirements that live on for years. Even when the foreign owner whose acquisition resulted in a mitigation agreement has divested its interest, it can take many months for CFIUS to confirm termination of the mitigation agreement.
To be sure, there are best practices for parties to govern compliance with CFIUS mitigation agreements-well developed over decades of compliance with CFIUS mitigation-and if parties follow those practices, they are very unlikely to have any compliance issues or disagreements with the CMAs. That fact and the largely successful history of most parties in navigating this compliance area, however, does not compensate for the lack of clear rules, guidelines, and practices to help ground the CFIUS monitoring and compliance area and ensure greater consistency.
The stress on the system in the absence of clear and consistent rules applying to mitigation monitoring will grow, particularly given other trends in CFIUS mitigation terms. One reason that CFIUS mitigation monitoring and compliance has not had (too many) trains derail previously is that there were a relatively modest number of CFIUS mitigation agreements historically, and most were not terribly complex. But just as the world has grown more complex-and CFIUS has increasingly grappled with an increasingly complicated set of national security risks in the context of transactions-so too has the volume and complexity of mitigation agreements. This trend is almost certain to continue, as the government reviews more transactions (consistent with the objectives and funding to CFIUS following FIRRMA) and takes a longer term and broader industry-based perspective on risk.
Several trends resulting from the volume and complexity of mitigation agreements exacerbate the concerns over mitigation monitoring for transaction parties. First, CFIUS is adding internal resources and contractors, but these resources-precisely because they are new-are often not well steeped in CFIUS practice, and as noted, they very seldom have a grounding in the transaction or the CFIUS review process that gave rise to the mitigation agreement.
Second, CFIUS is increasingly insisting on third-party monitoring mechanisms, including auditors and full-time monitors who report to the government, to be required terms under mitigation agreements. These requirements increase the costs for transaction parties, and, at best, create a tension in incentives as the third parties are directed to report to the government.
Third, CFIUS also is becoming more insistent on "standard" access and inspection rights for the CFIUS agencies, which on their face provide the government with broad access to personnel, records, systems, and facilities for purposes of verifying compliance with the mitigation agreement. While this latter requirement is not necessarily new, the breadth of the provision can be particularly difficult for parties who have global operations or that are publicly traded to accept, especially where the transaction relates to a small part of the party's business. And, when the broad access and inspection term is presented (a) in the context of an "enforcement" environment; (b) where agreements also require a third-party audit or third-party monitor; and (c) where global businesses must be careful about not ceding similar rights to other governments, it can become particularly difficult for transaction parties to accept.
Given this, the next step for CFIUS should be to develop a more coherent-and transparent-mitigation monitoring program to complement the enforcement Guidelines. Such a monitoring program should include express guidance on how CFIUS will exercise its access and inspection rights, in part to give transaction parties greater confidence that those rights will not be misused.
In this context, the absence of well-developed, accepted, and understood rules, practices, and procedures for monitoring and compliance is untenable. Unless it is remedied, this dynamic very likely will lead to transaction parties walking away from transactions that, with appropriate mitigation, would benefit the United States. Perhaps more significant, it will erode confidence in the CFIUS process itself, and in the United States as a trusted destination for investment-one that is governed by the rule of law and can serve as a beacon for other countries. We also would predict potential consequences to CFIUS's own authorities: just as when CFIUS's review authorities were challenged because the Committee refused to provide an unclassified justification for its position-a practice that the DC Circuit effectively overruled in the Ralls decision-CFIUS's actions on the mitigation monitoring front will likely lead to a challenge.
To end on a positive note, we do believe that the issues on mitigation monitoring are widely recognized within the Committee and among its senior leaders, and we are hopeful that within the next year, the Committee will undertake to develop a more coherent, transparent, and rule-bound mitigation monitoring process.
If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice.