CFIUS Announces Enforcement Updates, Including Details on Large Penalty Assessments
7 min read
The Committee on Foreign Investment in the United States (CFIUS or the Committee) has launched a new CFIUS Enforcement webpage, highlighting the Committee's heightened focus on "increasingly exercising its enforcement remedies, including civil monetary penalties, while also honing and refining its enforcement regulations and tools." For the first time, CFIUS has disclosed details regarding its enforcement actions resulting in the imposition of monetary penalties, including identifying the sanctioned party in one case. These developments are consistent with the Committee continuing to expand its resources and focus on enforcement and accountability in recent years, which appears to continue unabated. Given the increasingly high stakes, transaction parties should conduct careful due diligence when assessing CFIUS considerations for deals and should establish robust protocols for compliance with any CFIUS mitigation measures.
CFIUS penalties are increasing in amount and frequency.
While CFIUS has long been authorized to impose civil monetary penalties for violations, it has used this power sparingly until recently. The announced penalties on the new CFIUS Enforcement webpage show that, following the February 2020 implementation of the updated CFIUS regulations under the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), CFIUS did not issue any monetary penalties until 2023—notably after issuance of the Enforcement and Penalty Guidelines in 2022. Since 2023, however, CFIUS has announced the issuance of six monetary penalties.
Significantly, the amount of penalties appears to be increasing substantially. Post-FIRRMA, the initial monetary penalties started out relatively modest—with fines of $100,000, $200,000, and $990,000 in 2023. Though the penalty amounts reflect the facts and circumstances of the given violations, there was a notable jump in the value of penalties announced so far for 2024, with amounts of $8.5 million, $1.25 million (noted as the highest possible penalty in that case), and $60 million. This also tracks with the recent proposed CFIUS rule seeking to significantly increase available penalty amounts. For example, if the penalties in the $1.25 million case were maximized under the proposed rule, the penalty would instead have been $25 million.
The increasing number and size of penalties, combined with consistent messaging from CFIUS officials and efforts to expand the Committee's penalty authorities, sends a clear message that CFIUS intends to impose larger penalties more frequently when it determines a violation warrants penalties.
View full image (PDF)
CFIUS may impose penalties for a variety of violations, though it has not yet issued a monetary penalty for failure to submit a mandatory filing.
CFIUS has the authority to impose monetary penalties and other remedies for various statutory and regulatory violations, including failure to submit mandatory filings; violating CFIUS mitigation requirements (e.g., National Security Agreements and Letters of Assurance); and making material misstatements, omissions, or false certifications to the Committee.
The vast majority of the penalties issued to date have been for violations of mitigation requirements, including in connection with mitigation agreements to address national security risks to clear transactions and divestiture requirements for transactions that were effectively blocked. In one case, CFIUS penalized a party under its false statements authorities. Though CFIUS has identified violations for failure to timely make mandatory filings—including pursuant to the previously widely accepted "springing rights" construct—the Committee has not yet issued a monetary penalty for failure to submit a mandatory filing. Aside from the penalties themselves, it is also notable that in addition to imposing a $60 million penalty on T-Mobile—by far the Committee's largest penalty amount issued to date—CFIUS also disclosed the identity of the party subject to the penalty. Although CFIUS generally is a confidential process, the new enforcement website specifies that in certain instances, such as where a party publicly discloses the existence of a CFIUS review or related compliance obligations, CFIUS may disclose more information.
The announced penalties are summarized below.
| Year | Penalty Amount | Violation | Summary |
| 2024 | $60 million | Breach of material provisions of a National Security Agreement | CFIUS determined that “[T-Mobile US, Inc.] failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS” in violation of a National Security Agreement. |
| 2024 | $1.25 million | Submission of material misstatements in a joint voluntary notice | CFIUS determined that a party made “five material misstatements, including forged documents and signatures” in its submission of a notice to CFIUS. In addition to rejecting the filing, CFIUS imposed “the maximum authorized” penalty of $1.25 million given that the penalty for such violations is limited to $250,000 per violation. |
| 2024 | $8.5 million | Breach of material provisions of a National Security Agreement | CFIUS determined that a “company’s majority shareholder orchestrated an initiative to remove all of the company’s independent directors” in violation of a National Security Agreement. |
| 2023 | $990,000 | Breach of material provisions of a Letter of Assurance | CFIUS determined “that on two occasions, the U.S. business failed to maintain a statement on its website regarding its foreign ownership, as required by [a Letter of Assurance].” |
| 2023 | $200,000 | Breach of material provisions of a National Security Agreement | CFIUS determined that a party failed to “effect divestment of the foreign acquirer’s interest in the U.S. business by the deadline specified in the National Security Agreement.” |
| 2023 | $100,000 | Breach of material provisions of a National Security Agreement | CFIUS determined that a party failed to “effect divestment of the foreign acquirer’s interest in the U.S. business by the deadline specified in the National Security Agreement.” |
| 2019 | $750,000 | Breach of material provisions of an interim order. | CFIUS determined that a party failed “to restrict and adequately monitor access to protected data” in violation of a CFIUS interim order. |
| 2018 | $1 million | Breach of material provisions of a National Security Agreement | CFIUS determined that a party failed “to establish required security policies” and failed to “provide adequate reports to CFIUS” in violation of a National Security Agreement. |
CFIUS may issue “DONT Letters” rather than penalties depending on certain aggravating and mitigating factors.
CFIUS may issue a Determination of Noncompliance Transmittal ("DONT") Letter when it has "determined that one or more violations occurred, but that, after considering the relevant information . . . as well as the relevant aggravating and mitigating factors", CFIUS has decided "not to pursue further enforcement remedies[.]" As explained on the CFIUS Enforcement webpage, CFIUS generally issues DONT Letters instead of monetary penalties "in the context of first-time, inadvertent, and limited-scope violations that did not harm national security and had little potential to do so." While CFIUS has not provided statistics regarding its issued DONT letters, it has provided examples of circumstances under which it has issued DONT letters, including failure to submit a mandatory declaration and failure to comply with certain mitigation terms. Notably, the prior issuance of a DONT Letter may be a relevant aggravating factor if CFIUS later pursues penalties against the same party for a separate violation.
Best practices for avoiding CFIUS enforcement action.
While CFIUS has broad discretion to take enforcement action when parties violate the CFIUS regulations or mitigation requirements, the following best practices could reduce the chances of such action:
- Conduct a thorough assessment of CFIUS jurisdiction with respect to a contemplated transaction. The rules regarding mandatory CFIUS filings require a comprehensive understanding of the CFIUS regulations, and in many cases, of US export-control laws and regulations. Engagement of experienced counsel is highly advisable to assist with the jurisdictional assessment.
- Ensure that all CFIUS filings—including any related information transmitted to the Committee, such as Q&A responses and exhibits—are complete and accurate. Where doubt exists as to the accuracy of data or factual representations, provide an explanation of any ambiguity or limitations on the ability to provide the requested information.
- Engage experienced counsel or consultants to understand and comply with the obligations of any CFIUS mitigation measures. CFIUS considers an effective compliance program to be a mitigating factor in its consideration of enforcement actions.
- Where doubt exists regarding the permissibility of a given action under a mitigation agreement, preview the contemplated course with experienced counsel and, as appropriate, the CFIUS monitoring agencies.
- If the parties to a covered transaction or a mitigation agreement identify a potential violation, consider a voluntary self disclosure, which CFIUS considers a mitigating factor.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP
