Yesterday, the Committee on Foreign Investment in the United States (CFIUS or the Committee) released its first-ever enforcement and penalty guidelines. The new guidelines reinforce the Committee’s continued focus on increased enforcement and more transparently identify the factors CFIUS will consider when exercising its enforcement authority and assessing penalties.
Under CFIUS’s regulatory authority, the Committee can impose civil penalties of up to $250,000 per violation or the transaction value, whichever is greater. Violations include (1) failure to file a mandatory declaration or notice; (2) non-compliance with CFIUS mitigation agreements, conditions, or orders (CFIUS Mitigation); or (3) material misstatements in or omissions from information filed with CFIUS, as well as false or materially incomplete certifications filed with the Committee. CFIUS exercises its discretion in determining whether a violation will lead to a penalty, including considering the newly announced penalty factors, publicly available information, self-disclosures, tips, and insight from third-party service providers and the U.S. Government, among others.
Penalty factors
Like other agencies operating in the international trade and national security space, CFIUS has outlined in its guidance a non-exhaustive list of aggravating and mitigating factors it will consider when determining an appropriate penalty in response to a violation. CFIUS will weigh the factors on a case-by-case basis using a fact-based analysis.
CFIUS’s penalty factors include:
- The enforcement action’s impact on protecting national security, holding the company accountable for its violations, and incentivizing future compliance and self-disclosure.
- The harm to U.S. national security caused by the conduct.
- The company’s degree of culpability: simple negligence, gross negligence, intentional action, or willfulness. This includes assessing the company’s efforts to conceal or delay sharing relevant information with CFIUS and the seniority of the personnel who knew or should have known about the conduct.
- The persistence and timing of the conduct, considering the conduct’s frequency and duration and the timeliness of the company’s disclosure. In the case of a failure to file, timeliness will be measured from the date of the transaction. In the case of non-compliance with CFIUS Mitigation, timeliness will be measured from the date the CFIUS Mitigation was issued or became effective.
- The company’s response and remediation. This includes timely and complete self-disclosure or initial self-disclosure followed by an investigation and a more detailed self-disclosure; complete cooperation with the Committee’s investigation; prompt and appropriate remediation; and an internal review of the nature, extent, origins, and consequences of the conduct, aimed at preventing reoccurrence.
- The company’s sophistication and existing compliance program, including the company’s history and familiarity with CFIUS; compliance culture; internal and external compliance resources (e.g., legal counsel, consultants, auditors, and monitors); policies, procedures, and training ‒ and the reason they did not prevent the conduct; and consistency of compliance across the organization and within the corporate hierarchy (i.e., from the board down to support staff). In the case of a violation of CFIUS Mitigation, the Committee will also assess the extent to which the relevant CFIUS Mitigation terms were communicated and implemented across the company, as well as the extent to which the authority, role, access, and independence of any security officer was sufficient and complied with the CFIUS Mitigation terms.
- The company’s record of compliance, including any past compliance with CFIUS Mitigation and the experience of other federal, state, local, or foreign authorities with knowledge of the quality and sufficiency of the company’s compliance with other legal obligations.