Proposed Regulations and Recent GAO Report Signal Increased CFIUS Enforcement and Reliance on Mitigation Agreements

May 10, 2024

A recent proposed rule from the U.S. Department of the Treasury aims to enhance CFIUS’s ability to request information from parties, increase potential penalty amounts, and expedite mitigation agreement negotiations. Similarly, a new GAO study reveals CFIUS’s enforcement priorities and increasing reliance on mitigation agreements to address national security concerns.

On April 11, 2024, the U.S. Department of the Treasury (“Treasury”), as Chair of the Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”) issued a Notice of Proposed Rulemaking (the “Proposed Rule”) that proposes to expand the types of information CFIUS may request in the course of non-notified reviews, add a time limit for parties to respond to mitigation agreement drafts, and raise the maximum penalty amount that Committee may impose for CFIUS violations (including violations of mitigation agreements), among other changes.

Shortly thereafter, the U.S. Government Accountability Office (“GAO”) publicly released a report outlining its findings concerning the Committee’s use of mitigation agreements, coordination of enforcement decisions, and staffing resources, along with recommendations for certain enhancements.

Together, the Proposed Rule and the GAO report underscore the increasing prominence of CFIUS and signal an expansion of the Committee’s monitoring and enforcement capabilities. We summarize key aspects of both below.

Proposed Rule to Expand CFIUS’s Monitoring and Enforcement Capabilities

Expanded Scope of Information Requested in Non-Notified Reviews

The Proposed Rule would expand the types of information that CFIUS can require transaction parties and other persons to submit. Current regulations permit CFIUS to request parties provide information necessary for the Committee to determine if a non-notified transaction constitutes a “covered transaction” under Part 800 or a “covered real estate transaction” under Part 802 of the CFIUS regulations. The Proposed Rule would authorize the Committee to issue requests more broadly to transaction parties and other persons for information to determine if a transaction (i) meets the criteria for a mandatory declaration and/or (ii) raises national security concerns. This expanded scope of information requests would, according to CFIUS, enhance the Committee’s ability to engage in preliminary fact-finding and further help determine whether to request transaction parties submit a declaration or notice for review.

Increased Obligations to Provide Additional Information Related to Compliance Monitoring

The Proposed Rule also expands CFIUS’s ability to require parties to provide information to the Committee in two situations post-CFIUS review:

Monitoring Compliance: Situations in which the Committee requires information to monitor compliance with or enforce the terms of a mitigation agreement, order, or condition; and
Material Misstatements or Omissions: Situations in which the Committee seeks information to ascertain whether the transaction parties have made a material misstatement or omitted crucial information during the CFIUS’s review or investigation.

While such information is already routinely requested by the Committee, the Proposed Rule formalizes the current practice and explicitly obligates parties to respond. Additionally, the Proposed Rule changes the condition for the Committee to request such information from “[i]f deemed necessary by the Committee” to “[i]f deemed appropriate by the Committee,” thereby lowering the threshold for such information requests. As with the current rule, a subpoena may be issued to non-compliant parties, but the Proposed Rule specifically assigns this power to the Staff Chairperson (as opposed to the Committee as a whole) to increase operational efficiency.

Specific Timelines for Risk Mitigation Negotiations

As discussed at greater length below, in recent years, CFIUS has increasingly imposed mitigation agreements on transaction parties in order to address alleged national security concerns. While the current regulations require parties to respond to follow-up information requests from CFIUS within three business days during the course of a transaction review, the regulations are silent on the timeframe within which parties must respond to mitigation proposals or revisions, including in the context of non-notified reviews. The Proposed Rule recognizes that in some cases, particularly in situations where transactions have already closed, parties are less motivated to respond in a timely manner without a clear obligation. Accordingly, the Proposed Rule creates a similar deadline of three business days for parties to provide substantive responses to proposed mitigation terms, though, as with responses to follow-up information requests, the CFIUS Staff Chairperson may grant reasonable extensions on a case-by-case basis. Substantive responses include acceptance of terms as proposed, counterproposals, or a detailed statement of reasons explaining why a party or parties cannot comply with the terms as proposed (which may also include a counterproposal). If parties fail to respond within the prescribed timeframe, the Committee may reject the notice or declaration.

Increased Maximum Civil Monetary Penalties

The Proposed Rule notes a significant drop in the median value of covered transactions filed with CFIUS pursuant to a joint voluntary notice following the implementation of the Foreign Investment Risk Review Modernization Act of 2018 and the introduction of mandatory declarations. According to the Committee, the relatively low value of many transactions undermines the current penalty framework of imposing fines of up to greater of $250,000 or the value of the transaction. For example, for certain transactions with reported low values (or even a valuation of zero dollars), the maximum penalty de facto becomes $250,000, which the Committee considers an insufficient deterrent in many instances. Consequently, the Proposed Rule would, for the first time in 15 years, increase and expand the maximum civil penalties as follows:

Material Misstatements and Omissions in Submissions. The maximum civil monetary penalty for a declaration or notice with a material misstatement or omission, or a false certification, would be increased from $250,000 to $5,000,000 per violation.
Expansion of Material Misstatements and Omissions Penalty to Information Request Responses. Currently, the above penalty only applies to material misstatements or omissions in the context of a declaration or notice filed with CFIUS, or a false certification. The Proposed Rule would expand penalty coverage to (1) requests for information related to non-notified transactions, (2) certain responses to the Committee’s requests for information related to monitoring or enforcing compliance, and (3) other responses to the Committee’s requests for information, such as for agency notices. While this expanded coverage is significant, CFIUS makes clear that the penalty provisions would not apply to the majority of communications with the Committee; rather, only with respect to responses to requests that were made in writing by the Committee, specified a time frame for response, and indicated the applicability of penalty provisions.
Failure to Submit Mandatory Declarations. The maximum civil monetary penalty for failure to submit a mandatory declaration would be increased from the greater of $250,000 or the value of the transaction to the greater of $5,000,000 or the value of the transaction.
Material Mitigation Agreement Violations. The maximum civil monetary penalty for the violation of a mitigation agreement, intentionally or through gross diligence, would be increased from the greater of $250,000 per violation or the value of the transaction to the greater of $5,000,000 per violation or the value of the transaction. Further, the transaction value would be revised to include the greater of (i) the value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the transaction; (ii) the value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the violation in question or the most proximate time to the violation for which assessing such value is practicable; or (ii) the value of the transaction filed with the Committee. This expanded approach to transaction value would allow CFIUS greater latitude in imposing penalties, though CFIUS makes clear it would only apply to mitigation agreements entered into, conditions imposed, or orders issued on or after the effective date of the final rule.
Extension of Penalty Petition Timeframe from 15 to 20 Days. Currently, parties have up to 15 business days to submit a petition to the Committee in response to a penalty notice, and the Committee similarly has 15 business days to respond. Under the Proposed Rule, both timeframes would be extended to 20 business days to account for the Committee’s routine practice of granting extensions for such petitions.

Written comments to the Proposed Rule must be received by Wednesday, May 15, 2024, by mail or submitted electronically at Regulations.gov. After such comments are received and reviewed, Treasury is expected to issue a final rule in short order.

GAO Report Provides Insight into CFIUS Mitigation Agreements and Makes Related Recommendations to Standardize Certain Processes

On April 18, 2024, GAO publicly released a report evaluating issues related to CFIUS mitigation agreements and staffing and offered targeted recommendations for improvement.

First, GAO recommended two changes related to CFIUS’s process for handling mitigation agreements:

The Secretary of the Treasury, as CFIUS’s chair, should work with member agencies to document a committee-wide process for considering and making timely decisions on enforcement actions related to mitigation agreements.
The Secretary of the Treasury, as CFIUS’s chair, should work with member agencies to document a committee-wide process for periodically assessing the relevance of mitigation agreements and amending, phasing out, or terminating them when appropriate.

Second, GAO recommends CFIUS take three actions to evaluate the level of staffing devoted to mitigation agreements:

The Secretary of the Treasury should document Treasury’s objectives for increasing its staff for monitoring and enforcing compliance with CFIUS mitigation agreements.
The Secretary of the Treasury should, once the targeted staffing increase is completed, analyze its CFIUS monitoring and enforcement staffing in accordance with federal workforce planning guidance, to determine the extent to which the targeted increase enables Treasury to achieve its documented objectives.
The Secretary of the Treasury, as CFIUS’s chair, should work with member agencies to establish a committee-wide process to regularly discuss and coordinate the staffing levels needed to address the projected increase in workload associated with monitoring and enforcing CFIUS mitigation agreements.

Apart from these recommendations, the GAO report provides key insights into CFIUS’s use of mitigation agreements and the Committee’s enforcement priorities, including the following:

Increasing Use of Mitigation Agreements and Focus on Agreement Monitoring
- From December 2000 through December 2022, the GAO reports that the cumulative total number of active mitigation agreements increased significantly, from about five to almost 230, with the number almost quadrupling from December 2012 to December 2022.
- The U.S. Department of Defense (“DOD”) has played an increasing role in supervising mitigation agreements, including an increased focus on risks related to supply assurance (which were addressed in almost half of the mitigation agreements DOD was monitoring at the end of 2022).
Increased Coordination Among CFIUS Agencies and Departments Needed, Especially with Respect to Mitigation Agreement Procedures
- The lack of clear standards to justify terminating mitigation agreements has led to long delays in the process, and GAO recommends CFIUS implement clearer responsibilities and written guidance for termination decisions.
- Treasury is working with other CFIUS agencies and departments to harmonize monitoring compliance with mitigation agreements, standardize tracking and reporting violations, and bolster enforcement resources.
Focus Is on Enforcement and Imposing Penalties When Determined Necessary
- As of October 2023, CFIUS had publicly reported only two penalties, though additional non-public penalties were imposed in 2023 and others were not yet finalized at the time the GAO report was published. The two public penalties were as follows:
  - In 2018, CFIUS imposed a $1 million penalty for repeated breaches of a 2016 mitigation agreement, including failure to establish required security policies and failure to provide adequate reports to the committee.
  - In 2019, CFIUS imposed a $750,000 penalty for violations of a 2018 interim order, including failure to restrict and adequately monitor access to protected data.
- The majority of violations identified by CFIUS have been minor or technical in nature, though CFIUS intends to increase its focus on enforcement in the coming months.
- Treasury intends to roughly double the number of Treasury staff dedicated to CFIUS monitoring and enforcement by the end of fiscal year 2024.
Site Visits to Monitor Mitigation Efforts May Become More Common
- While site visits currently occur about once every 3 years for many mitigation agreements—due primarily to the lack of resources and large number of active mitigation agreements—several CFIUS officials recognized such site visits as a critical tool for monitoring compliance, signaling their frequency may increase in the near future.

Both the Proposed Rule and the findings in the GAO report exemplify the increasingly robust role CFIUS plays in aggressively monitoring and shaping foreign direct investment in the United States. In light of these efforts and the increasing costs of non-compliance, transaction parties should carefully evaluate transactions involving foreign person investors, directly or indirectly, for CFIUS risks even in the early stages of deal discussions. CFIUS’s role and impact are poised only to increase as Treasury finalizes the Proposed Rule and the Committee ramps up its enforcement efforts.

The following Gibson Dunn lawyers prepared this update: Stephenie Gosnell Handler, Mason Gauch, and Chris Mullen.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade practice group:

United States:
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, [email protected])
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, [email protected])
David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, [email protected])
Sarah L. Pongrace – New York (+1 212.351.3972, [email protected])
Anna Searcey – Washington, D.C. (+1 202.887.3655, [email protected])
Samantha Sewall – Washington, D.C. (+1 202.887.3509, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202.955.8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202.887.3588, [email protected])
Claire Yi – New York (+1 212.351.2603, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202.955.8270, [email protected])

Asia:
Kelly Austin – Hong Kong/Denver (+1 303.298.5980, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing (+86 10 6502 8534, [email protected])
Dharak Bhavsar – Hong Kong (+852 2214 3755, [email protected])
Felicia Chen – Hong Kong (+852 2214 3728, [email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])

Europe:
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Susy Bullock – London (+44 20 7071 4283, [email protected])
Patrick Doris – London (+44 207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 20 7071 4205, [email protected])
Michelle M. Kirschner – London (+44 20 7071 4212, [email protected])
Penny Madden KC – London (+44 20 7071 4226, [email protected])
Irene Polieri – London (+44 20 7071 4199, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Nikita Malevanny – Munich (+49 89 189 33 160, [email protected])

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.