Treasury Department Moves to Enhance CFIUS’s Enforcement Authorities

Treasury Department Moves to Enhance CFIUS's Enforcement Authorities

April 15, 2024, Covington Alert

Executive Summary

On April 11, 2024, the Department of the Treasury, as Chair of the Committee on Foreign Investment in the United States ("CFIUS"), issued a Notice of Proposed Rulemaking ("NPRM") entitled Amendments to Penalty Provision, Provision of Information, Negotiation of Mitigation Agreements, and Other Procedures Pertaining to Certain Investments in the United States by Foreign Persons and Certain Transactions by Foreign Persons Involving Real Estate in the United States.[1] The NPRM proposes revisions to CFIUS's existing authorities in the context of non-notified transactions, mitigation agreement negotiations, and the imposition of civil monetary penalties.

Whether the proposed revisions to the regulations will ultimately be adopted in their totality remains to be seen, and several of them largely codify existing practice-so their practical impact is likely to be modest. Nevertheless, the rulemaking is notable insofar as it reflects a continued evolution of CFIUS, under current leadership, toward emphasizing enforcement and monitoring compliance. This evolution marks a material departure from CFIUS's historical emphasis, which prioritized applying the Committee's authorities surgically to address national security risks that were not addressable through other authorities, promoting open investment, and operating at a speed so as not to disrupt M&A activity unnecessarily. Parties who interact with the Committee-in the context of transactions under review, transactions that were not filed, and compliance with mitigation conditions-would be well advised to track that continued evolution closely.

Background-How did we get here?

Parts 800 and 802 of Title 31 of the Code of Federal Regulations implement the provisions of section 721 of the Defense Production Act, as amended, 50 U.S.C. § 4565 ("Section 721"). Part 800 deals with "covered transactions," while Part 802 deals with "covered real estate transactions." Among many other things, Parts 800 and 802 provide authority for CFIUS to issue questions and requests for information to parties in various circumstances. Parts 800 and 802 also authorize CFIUS to negotiate and enter into mitigation agreements with parties to covered transactions or covered real estate transactions in order to mitigate risks to U.S. national security that arise as a result of those transactions. Further, Parts 800 and 802 authorize CFIUS to impose civil monetary penalties for violations of Section 721, Parts 800 and 802, or mitigation agreements or conditions.

The NPRM proposes amendments to these authorities to address what the Treasury Department perceives to be gaps in CFIUS's existing powers. Specifically, the amendments aim to (1) expand CFIUS's authority to request (and require) information from parties, including outside the context of a transaction that is under review by the Committee; (2) require parties who are negotiating mitigation terms with CFIUS to "substantively respond" to mitigation proposals within three business days; and (3) expand CFIUS's authority to issue larger civil monetary penalties in more contexts for violations of Parts 800 and 802 or mitigation agreements with CFIUS.

Key Elements of the NPRM

As noted above, the updates to Parts 800 and 802 broadly fall into three categories. We set forth each category below and discuss potential impacts (and in some cases, the lack of meaningful practical impact) that the updates may have.

CFIUS's Authority to Request Information and Require Responses

Under Section 721 and Parts 800 and 802, CFIUS is authorized to identify covered transactions and covered real estate transactions that have not been notified or declared to the Committee (commonly referred to as "non-notified transactions").[2] The current regulations also address parties' obligations to respond to those inquiries and certain requests for information.[3] The NPRM proposes to expand these authorities by expressly authorizing CFIUS to request information in order to determine if a non-notified transaction may have triggered the mandatory filing requirement as well as whether the transaction may implicate national security considerations.

The NPRM proposes additional amendments that address two other circumstances. First, the amendments would require parties to provide information to CFIUS when CFIUS seeks information to monitor compliance with or enforce the terms of an existing mitigation agreement, order, or condition. Second, the amendments would require parties to provide information to CFIUS when it seeks that information to determine whether transaction parties have made a material misstatement or omitted material information during the course of a previously concluded review or investigation (including in circumstances where the review ended with CFIUS rejecting the parties' notice).

Notably, each of the foregoing largely reflects CFIUS's existing practices. For example, in practice CFIUS already asks questions to ascertain whether filings may have been mandatory or whether the non-notified transaction may implicate U.S. national security considerations. We believe it is likely that these formalizing updates to the Committee's authorities are a result of a relatively small number of edge cases where parties have declined to respond to questions from CFIUS regarding a non-notified transaction on the basis that the questions did not strictly relate to ascertaining CFIUS's jurisdiction. These revisions would close that perceived gap.

We do not anticipate that those revisions will meaningfully impact the Committee's internal decision-making about those non-notified transactions for which it ultimately requests a filing from the parties. While the NPRM suggests that these revisions will "allow the Committee to prioritize transactions that parties were required to submit . . . or that, in its view, otherwise warrant formal review," this is consistent with existing practice. CFIUS has finite resources to review transactions, including non-notified transactions, and it is already more likely to request a filing for a non-notified transaction about which it has substantive concerns, either because it suspects a filing was mandatory for the transaction or because it views the transaction as implicating U.S. national security interests.

Similarly, the amendments requiring parties to respond to CFIUS's inquiries in the context of monitoring compliance with existing mitigation arrangements or previously concluded reviews or investigations appear merely to formalize what is already a common practice. While it may be possible in some circumstances for parties to decline to respond to CFIUS's inquiries in those types of circumstances, parties do so at their own peril.

Thus, for the most part, the foregoing amendments simply clarify and make explicit how CFIUS has operated in pursuing information, and we do not see them as effecting any material change for transaction parties and their approach to CFIUS.

The NPRM also proposes expanding CFIUS's subpoena power by revising the current language of the regulations-which states that CFIUS can issue subpoenas "[i]f deemed necessary by the Committee"[4]-to allow CFIUS to issue a subpoena when deemed appropriate by the Committee. This proposed change is interesting because it raises the question of whether CFIUS intends to alter its existing practice of seeking information through more informal requests (which nevertheless produce responses) to issuing subpoenas, which other regulators, such as the Securities and Exchange Commission, regularly use to elicit information. We do not believe that necessarily is Treasury's intent; rather, we think that this proposal is intended to make it easier for CFIUS to ratchet up a request by issuing a subpoena in the rare circumstance that parties have not provided sufficient information on a voluntary basis. But if the change in practice were more dramatic-i.e., if CFIUS moved from seeking information through written requests to routinely issuing subpoenas to compel responses-it indeed would be a notable change, and position CFIUS in a more adversarial posture vis-à-vis transaction parties.

Timeframe for Responding to Proposed Mitigation Terms

The current regulations at Parts 800 and 802 do not provide a specific timeline for parties to respond to proposed mitigation terms from CFIUS. In contrast, the regulations do require transaction parties to respond to information requests by the Committee in connection with a notice or declaration within three or two business days of the request, respectfully.[5] The NPRM proposes to implement an analogous timeline for parties to respond to mitigation proposals from the Committee-transaction parties would be obligated to "substantively respond"[6] to mitigation proposals within three business days. If the transaction parties fail to do so, CFIUS could reject the notice under review. The revisions also provide for extensions in certain circumstances, including (but not limited to) initial mitigation proposals and circumstances where the proposed mitigation is complex, and the parties require more than three business days to review it. The NPRM further states that CFIUS may grant "reasonable extension requests," taking into account factors such as the remaining time on the statutory review clock and whether the transaction under review was filed before closing.[7]

The stated reason for these revisions is that the absence of an express time limit "can sometimes result in a protracted process where parties take longer than is reasonable to respond to the Committee's proposed terms."[8] The NPRM notes that these delays by parties "impede the Committee's ability to fulfill its statutory obligation to complete an investigation in 45 days" and can result in the withdrawal and refiling of the notice by the parties in order to facilitate further negotiation on mitigation terms.[9]

To put it plainly, this is a classic example of the pot calling the kettle black. Transaction parties-disciplined by market forces and the often-substantial costs associated with regulatory delays of any kind-nearly always are focused on timing and bringing transactions to a close within the statutory timeline. In fact, it is the transaction parties themselves who are routinely kept waiting for the Committee, as a result of its own processes, to propose mitigation terms or to respond to draft mitigation agreements. While we cannot cite empirical data, we can cite our own long experience that the government takes longer-often much longer-than the transaction parties to respond to draft mitigation terms. Indeed, there have been many cases over the years that have lasted longer-and required withdrawals and refilings-owing to Committee dynamics rather than delay by the parties. In those instances in which the Committee waits longer on transaction parties, it is typically because the proposed mitigation terms create substantial transactional or business impacts, or even constructively-if unintentionally-have the effect of prohibiting a transaction given the crippling commercial impact of the proposed terms. As we have advised clients for decades, the government excels at diagnosing the ailments within a transaction (i.e., the national security impact); on the other hand, it is not nearly as adept at prescribing solutions that are workable for businesses. This is neither new nor an inherent obstacle-it is a natural aspect of the negotiation of CFIUS mitigation terms for the government and transaction parties to have to iterate to identify the right formulation that protects the government's interests while also being commercially feasible.

We note that it was not always the case that parties were waiting on the government to respond to draft mitigation terms, or that the government's inter-agency processes delayed engagement on mitigation terms. Many years ago, parties could engage early and energetically in the review process with the key CFIUS agencies and work together on mitigation terms even before the co-lead agencies had finalized their risk-based assessment. This practice, while efficient, became disfavored out of a concern that it resulted in individual agencies effectively running their own CFIUS processes, contributing to circumstances of over-mitigation. There is, therefore, some benefit to the Committee's more formal rules, which require co-lead agencies for a particular matter to adhere closely to a formal risk-based assessment that is evaluated by the full Committee. In theory, this more formalized process should result in the Committee being more disciplined and mitigation terms being better calibrated-which should inure, overall, to the benefit of transaction parties. Having negotiated mitigation agreements for several decades, however, it is our view that the Committee has over-indexed on internal government process, with the effect of delaying negotiation of mitigation agreements and resolving matters less expeditiously.

In sum, sophisticated transaction parties who are repeat players with CFIUS will rightly be incredulous at the notion that the delays in mitigation are more attributable to the parties than to the government. These parties will recognize that imposing a three-day requirement to respond to mitigation is not a cause of concern (because they generally will want to bring CFIUS to a close sooner than later), and, at the same time, will accomplish nothing in terms of expediting the process as long as the dynamics described above remain unchanged. What would be more likely to have a salutary impact on timing-as well as to build confidence and relationships that will help with monitoring agreements once they become effective-is to restore more of an equilibrium between the formality of the Committee's process and the prior art of direct engagement with transaction parties on potential solutions to the government's concerns. And if CFIUS really wishes to instill confidence in the mitigation process, it would impose a concomitant deadline on the government to respond to successive turns of a mitigation agreement by the transaction parties.

Civil Monetary Penalties

Parts 800 and 802 set forth the amounts for civil monetary penalties that the Committee may impose for various situations, including (1) the submission of a declaration or notice with a material misstatement or omission, or the making of a false certification;[10] (2) the failure to comply with the requirements for mandatory CFIUS filings;[11] and (3) violations of orders issued by the Committee, material provisions of mitigation agreements, or material conditions imposed by the Committee.[12]

The NPRM proposes significant modifications to these provisions. Specifically, the proposed revisions would increase the amount of potential civil monetary penalties under the three scenarios above as follows:

• the maximum penalty under situation (1) above would increase from $250,000 to $5,000,000 (per violation);
• the maximum penalty under situation (2) above would increase from the greater of $250,000 or the value of the transaction (per violation) to the greater of $5,000,000 or the value of the transaction (per violation); and
• the maximum penalty under situation (3) above would increase from the greater of $250,000 or the value of the transaction (per violation) to the greater of $5,000,000, the value of the transaction, or the value of the party's interest in the U.S. business at the time of the violation or the time of the transaction (per violation).

Additionally, the revisions would expand CFIUS's authority to issue civil monetary penalties for material misstatements and omissions to additional contexts outside of declarations and notices. The Committee would have authority to issue such penalties to material misstatements and omissions in connection to requests for information related to non-notified transactions, responses to certain information requests from CFIUS in the context of monitoring or enforcing compliance with mitigation terms, and also for information requests from the Committee in other contexts such as agency notices.

Finally, the revisions would update the timeline for parties to submit a petition for reconsideration of a penalty by the Committee. Under the proposal, the parties would have 20 business days to submit such a petition, and the Committee would have 20 business days to assess the petition and issue a final penalty determination.

These are major changes to CFIUS's penalty powers. The NPRM explains that CFIUS has determined that the $250,000 limit under existing regulations-which it notes is not specified by Section 721 and was put in place over 15 years ago-does not create sufficient deterrent effect in certain contexts. For example, the NPRM notes that under the broad definition of "transaction," certain transactions may have a low value (or in some cases, a valuation of zero dollars). In that situation, CFIUS could only impose $250,000 per violation, which may not be-in the Committee's view-sufficiently punitive to deter violations. (Though we note, as does the NPRM, that criminal penalties may attach under 18 U.S.C. § 1001 to making false statements to the government.)

We see this focus on increasing monetary penalties to incentivize compliance as misplaced. We have yet to experience a matter where the size of the potential civil money penalty would likely have had any impact on the particular compliance weakness; such weaknesses or issues most typically arise not because parties are actively seeking to avoid their obligations under a mitigation agreement but rather due to such factors as human error or misunderstandings as to the meaning of mitigation terms that often have been negotiated in great haste. To the extent that there are weaknesses, it more often relates to other organizational controls or the capabilities of security officers (i.e., the individuals charged with day-to-day compliance of the mitigation agreements). Moreover, one significant historical challenge has been the unevenness of the government's approach to monitoring and compliance, with the result that the substantive focus on any given mitigation agreement could vary from year to year, agency to agency, or even among successive officials from the same agency. Another challenge that remains is ensuring consistency in understanding and analysis in the "hand-off" between the teams within agencies who negotiate the mitigation terms and the teams responsible for monitoring compliance. To the credit of the current leadership of CFIUS, we have seen meaningful improvement on these fronts over the last 12 to 24 months, though there is still more room for maturity and consistency-especially consistency in the agencies' understanding of terms as negotiated and how those same terms are implemented and monitored.

Considering this history, we respectfully suggest that the government is more likely to incentivize enhanced compliance by engaging more collaboratively during the mitigation negotiations, continuing its efforts to mature its monitoring framework, and setting clear expectations as part of its oversight responsibilities.

* * *