August 15, 2024
This update highlights the issuance of staggering civil monetary penalties and key takeaways from CFIUS’s most recent annual report and provides our team’s perspectives on foreign direct investment review and enforcement trends moving forward.
On July 24, 2024, the Committee on Foreign Investment in the United States (CFIUS or the Committee) released its annual report covering calendar year 2023 (the Annual Report). Shortly thereafter, on August 14, 2024, CFIUS provided an update on civil monetary penalties issued in 2023 and 2024. The past year and a half was a time of meaningful rulemaking activity for CFIUS—and a banner year for enforcement, with CFIUS assessing a record number of penalties, in amounts ranging up to $60 million dollars. In a statement accompanying the penalty update, Assistant Secretary for Investment Security Paul Rosen warned: “In the last few years, CFIUS has redoubled its resources and focus on enforcement and accountability, and that is by design: if CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences.”
Below, we provide an overview of the decrease in global M&A and CFIUS filings in contrast with the increase in mitigation and enforcement, amidst a backdrop of efforts by the Committee to further expand its jurisdiction. We follow this discussion with our key takeaways for continued CFIUS compliance through the second half of 2024 and beyond.
1. CFIUS Filings Substantially Decreased, in Line with Global Market Slowdown
For the first time since the Foreign Investment Risk Review Modernization Act (FIRRMA) was implemented, the total number of CFIUS filings decreased. The drop was significant compared to the rates of change we have witnessed in recent years, with notices down nearly 19 percent and short-form declarations down over 29 percent.[1]
Year-Over-Year Comparison of the Number of CFIUS Filings
|
|
2021 |
2022 (∆ from 2021) |
2023 (∆ from 2022) |
|
Notices |
272 |
286 (↑5.1%) |
233 (↓18.5%) |
|
Declarations |
164 |
154 (↓6.1%) |
109 (↓29.2%) |
|
Total Filings |
436 |
440 (↑0.9%) |
342 (↓22.3%) |
As noted by CFIUS in the press release accompanying the Annual Report, this decline is ostensibly driven by the downswing in the global M&A market experienced in the latter half of 2022 and in 2023. Global deal volumes decreased for two consecutive years (by 37 percent in 2022 and 26 percent in 2023).[2] Similarly, expenditures by foreign direct investors to acquire, establish, or expand U.S. businesses continued to decrease (by 51 percent in 2022 and 16 percent in 2023).[3]
Another factor potentially driving the decrease in notices is transaction parties’ perception of the CFIUS process and outcomes. In a recent statement made to the United States Committee on Banking, Housing, and Urban Affairs, Assistant Secretary Paul Rosen reiterated the longstanding policy goals of “maintain[ing] an open investment environment” and “the status of the United States as the world’s top destination for foreign direct investment.” However, many transaction parties have been receiving more daunting comments on their draft CFIUS filings and more and longer question sets, incurring a higher cost to parties to participate in the filing process and—in a trend continuing from 2022—continued high rates of mitigation, which we discuss in further detail below. An overly onerous review process across transactions combined with a higher likelihood of mitigation for some minority investments can result in investors shying away from submitting voluntary notices, even if the transactions present heightened risk of a non-notified review and potential mitigation. This trend may continue into 2024 with transaction parties weighing the benefits of a CFIUS safe harbor against the costs of the review process and potential mitigation.
Although there were fewer filings in 2023, more of them were mandatory. While a CFIUS filing is voluntary for most transactions over which CFIUS has jurisdiction, filings are mandatory for certain investments in U.S. businesses that implicate critical technology, critical infrastructure, and/or sensitive personal data. In 2023, there was a slight uptick in the percentage of declarations that were submitted as mandatory filings. CFIUS does not share how many notices were mandatory, but we expect that more notices were mandatory as well.
2. Non-Notified Reviews Are Not Going Anywhere
As in prior years, CFIUS dedicated considerable time and resources to identifying “non-notified transactions” for which CFIUS had jurisdiction and the parties did not file a notice or declaration (whether mandatory or voluntary). CFIUS uses a variety of means to identify such transactions, including, as stated in the Annual Report, “interagency referrals, tips from the public, classified reporting, media reports, voluntary self-disclosures, congressional notifications, and multiple commercial and proprietary databases.”
The Annual Report shares that in 2023 the CFIUS non-notified team reviewed “thousands” of potential non-notified transactions, ultimately putting 60 of them forward for the Committee’s consideration. CFIUS requested notices for 13 such transactions.[4]
The number of non-notified transactions put forward for the Committee’s review has been decreasing for the past two years, due in part to a better resourced non-notified team having “caught up” on old transactions. However, while the total number of non-notified inquiries decreased, the percentage of inquiries resulting in a request for a filing increased—with over 20% of inquiries in 2023 resulting in a request for a filing, up from 13% in 2022.
Non-Notified Inquiries, 2020–2023
|
|
2020 |
2021 |
2022 |
2023 |
|
Number of Inquiries |
117 |
135 |
84 |
60 |
|
Number of Filings requested (%) |
17 (14.5%) |
8 (5.9%) |
11 (13.1%) (plus eight from prior year cases) |
13 (21.7%) |
CFIUS remains committed to identifying and reviewing transactions that parties do not bring forward voluntarily, and non-notified filings remain subject to mitigation and other conditions up to and including divestment. For example, the MineOne transaction, which we discussed in more detail in a prior Gibson Dunn client alert, was initiated by a public tip and then became subject to a non-notified review that ultimately resulted in divestment. CFIUS will continue leveraging its non-notified resources to identify and place conditions on transactions that raise U.S. national security concerns. In April 2024, CFIUS published a proposed rule that would expand the types of information that the Committee can request during the non-notified process, further strengthening CFIUS’s non-notified capabilities.
Last, the Annual Report disclosed that CFIUS filed one “agency notice”, a rare occurrence, after the parties filed a notice that was rejected and then refused to resubmit a corrected notice. Unlike a standard filing or a non-notified review, an agency notice allows CFIUS to conduct a review without cooperation from the transaction parties. There were zero agency notices filed between 2020-2022, and this year’s anomaly serves as a stark reminder of the Committee’s power to initiate a unilateral review even if parties forgo a voluntary filing.
3. Record High Number of CFIUS Mitigation Agreements; Site Visits Continue Apace
CFIUS is authorized to review certain investments in U.S. businesses and, if it identifies a risk to national security, mitigate that risk through a variety of methods, one being entry into a mitigation agreement (e.g., a national security agreement) with the transaction parties. Each national security agreement contains a panoply of restrictions and requirements relating to, for example, corporate governance, protection of certain technology or data, the use of third-party vendors, product quality and supply assurance, various reporting and notification requirements, and day-to-day compliance policies and oversight. For each mitigation agreement, Committee members take on responsibilities to monitor it and enforce compliance—drawing down personnel and resources.
CFIUS is now monitoring a record number of mitigation agreements—246 total agreements, up from 214 in 2022. The Committee reported devoting additional staff and resources to support compliance monitoring, made possible by increased hiring in 2022 and 2023. However, the year-over-year requirements to monitor compliance will continue to increase as CFIUS adds more mitigation agreements (35 in 2023)[5] than it terminates (15 in 2023). As an indicator of the Committee’s commitment to active oversight, CFIUS conducted 43 site visits in 2023, representing just over 20% of the agreements that had been in force since 2022.
4. Enforcement-Bent Committee Issues Record Number of Penalties—Early Glimpse at 2024 Penalties Show Staggering Dollar Values
The Annual Report reflects CFIUS’s more recent shift in emphasis on enforcement. In 2023, the Committee assessed four civil monetary penalties for breaches of material provisions in mitigation agreements—a record number of penalties in one year. Notwithstanding this sharp rise, the level of consensus required to issue a penalty suggests these were the result of more egregious violations, not minor compliance foot-faults.
Year-Over-Year Comparison of Civil Monetary Penalties Through 2023
|
|
2018 |
2019 |
2020-2022 |
2023 |
||
|
Number of Penalties |
One |
One |
None |
One |
One |
Two |
|
Penalty Amount |
$1 M |
$750 K |
– |
$100 K |
$200 K |
$990 K |
|
Type of Violation |
Breach of mitigation agreement |
Breach of interim order |
– |
Breaches of agreements |
||
|
Snapshot of Violation |
Failure to established required security policies and provide adequate reports to CFIUS. |
Failure to restrict and adequately monitor access to protected data. |
–
|
Failure to timely divest foreign acquirer’s interest and repeated violations of other mitigation agreement provisions.
|
Failure to timely divest foreign acquirer’s interest and repeated violations of other mitigation agreement provisions. |
Failure to maintain website statement regarding foreign ownership, as required by CFIUS, possibly putting customers’ data and technology at risk. |
Although noteworthy, the penalties do not come as a surprise. In October 2022, CFIUS released its first-ever guidelines for enforcement actions, focusing on three types of violations: (1) failure to submit a mandatory notice or declaration; (2) failure to comply with a mitigation agreement or other order (including divestiture); and (3) material misstatements or omissions in filings/submissions. The 2022 guidelines did not grant new authorities to CFIUS. Rather, they put transaction parties on notice that CFIUS was focused on enforcement and highlighted what the Committee would consider when issuing penalties. CFIUS resumed assessing penalties in 2023 and 2024, including an eye-popping $60 million penalty for breach of a mitigation agreement. More penalties are likely on the way in the last months of 2024.
|
|
|||
|
|||
|
Penalty Amount |
$8.5 Million |
$1.25 Million |
$60 Million |
|
Type of Violation |
Breach of mitigation agreement |
Material misstatements |
Breach of mitigation agreement |
|
Snapshot of Violation |
Majority shareholders caused removal of independent directors, leading to vacancy of CFIUS-mandated Security Director position, and causing government security committee to be defunct, resulting in failure to perform required compliance oversight. |
Forged documents and signatures, as well as material misstatements in the joint voluntary notice and supplemental information submitted to CFIUS during their review, impairing CFIUS’s ability to assess transaction risk. |
Failure to take appropriate measures to prevent unauthorized access to sensitive data and report incidents promptly, resulting in harm to U.S. national security equities. |
Notably, neither the Annual Report—nor the update for 2024—included any penalties for failures to make a mandatory filing. Instead, CFIUS noted, in the Annual Report, that it issued its “first ever formal determinations of noncompliance” in several cases. One reason for forgoing penalties for certain failures to make mandatory filings is the more recent change in how parties have structured minority investments, particularly in U.S. businesses that produce critical technologies. In prior years, businesses used “springing rights” whereby U.S. businesses would accept funding from foreign investors while deferring the investor’s acquisition of control, governance, or information access rights until after CFIUS review. In 2023, CFIUS issued a frequently asked question (FAQ) clarifying that the “completion date” for a transaction is the earliest date upon which the foreign person acquired any equity interest.[6] In practice, the FAQ means that parties cannot use a springing rights strategy to permit funding before filing because CFIUS does not view the issuance of initial passive equity and the subsequent grant of rights as distinct transactions. Now, transaction parties must submit a mandatory filing no later than 30 days prior to the transfer of the initial passive equity interest. As with the 2022 enforcement guidelines, the FAQ put parties on notice that CFIUS would take a more aggressive enforcement posture moving forward, and we could see the first monetary penalties for a failure to make a mandatory filing in 2024.
We fully expect this enforcement focus to continue through 2024 and beyond. In April 2024, CFIUS published a proposed rule to substantially increase the maximum civil monetary penalty for certain violations. As CFIUS expands its enforcement toolkit, U.S. businesses and their investors must update their compliance tools to match. In 2023, CFIUS received one voluntary self-disclosure (VSD) from a party for failure to submit a mandatory filing. CFIUS does not provide a well-established form or process for submitting VSDs, and this has never been an established practice for CFIUS practitioners in the past. However, it may become more commonplace as parties look to receive the benefit of mitigating a potential violation through self-disclosure and cooperation with the Committee.
5. CFIUS Continues Efforts to Expand its Jurisdiction, Particularly in Real Estate
One of the most important parts of the Committee’s work, while less clearly captured in the Annual Report statistics, is its work drafting new legislation, rules, and clarifications. In the press release accompanying the Annual Report, Assistant Secretary Paul Rosen noted that “2023 was a busy year for CFIUS in reviewing transactions for national security risk, monitoring compliance with mitigation agreements, expanding the reach of its jurisdiction, and enforcing against violations of CFIUS legal authorities” (emphasis added). Noteworthy policy initiatives in 2023 included:
Separate from CFIUS, Treasury’s Office of Investment Security has also taken the lead on drafting regulations to implement President Biden’s August 2023 Executive Order “Addressing United States Investments in Certain National Security Technologies and Products in Countries of Concern”, the so-called “Outbound Investment” regime for which Treasury requested over $16 million dollars in the FY25 budget (and which we discussed in more detail in a prior Gibson Dunn client alert). Moreover, Treasury is not alone in focusing on the national security threat posed by certain types of foreign investment. The Office of the Director of National Intelligence and partner agencies recently issued a joint bulletin outlining a variety of threats posed by investment from certain foreign actors, including the theft of intellectual property, personal data, and technology by means of a variety of investment schemes. This joint bulletin is indicative of a wider U.S. government attempt to target and address investments by foreign actors with nefarious intents.
This year’s Annual Report included some striking but expected highlights, such as the downturn in filings and the substantial number of penalties assessed for breaches of mitigation agreements, as well as some unexpected news, such as the filing of an agency notice. Our top three takeaways follow.
Top Takeaways to Guide 2024 and Beyond:
[1] The total number of distinct transactions reviewed by the Committee is even lower than the sum of filings. The 233 notices include 34 that were withdrawn and refiled the same year and the 109 declarations include 20 that resulted in a request from the Committee to file a full written notice. After accounting for these duplicate filings, the Committee would have reviewed approximately 288 distinct transactions, down nearly 15 percent from the 337 distinct transactions reviewed in 2022.
[2] S&P Global, Global M&A by the Numbers: Q4 2023 (Feb. 22, 2024), available here.
[3] U.S. Bureau of Economic Analysis, New Foreign Direct Investment in the United States (July 12, 2024), available here.
[4] Per the Annual Report, three of the parties that received non-notified questions proactively filed a declaration or notice and are not counted among the 13.
[5] CFIUS also imposed mitigation requirements under one interim order and six withdrawal and abandonment letters.
[6] See the Frequently Asked Question “How does CFIUS determine the “completion date,” in assessing when a mandatory filing should be submitted, where the foreign person first acquires equity interest but will not receive control or covered investment rights until after CFIUS’s review?” found at CFIUS, CFIUS Frequently Asked Questions, available here (last accessed Aug. 15, 2024).
Gibson Dunn lawyers are monitoring the proposed changes to U.S. export control laws closely and are available to counsel clients regarding potential or ongoing transactions and other compliance or public policy concerns.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade practice group:
United States:
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, [email protected])
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, [email protected])
David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, [email protected])
Samantha Sewall – Washington, D.C. (+1 202.887.3509, [email protected])
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, [email protected])
Mason Gauch – Houston (+1 346.718.6723, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, [email protected])
Sarah L. Pongrace – New York (+1 212.351.3972, [email protected])
Anna Searcey – Washington, D.C. (+1 202.887.3655, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202.955.8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202.887.3588, [email protected])
Claire Yi – New York (+1 212.351.2603, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202.955.8270, [email protected])
Asia:
Kelly Austin – Hong Kong/Denver (+1 303.298.5980, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing (+86 10 6502 8534, [email protected])
Dharak Bhavsar – Hong Kong (+852 2214 3755, [email protected])
Felicia Chen – Hong Kong (+852 2214 3728, [email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])
Europe:
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Patrick Doris – London (+44 207 071 4276, [email protected])
Michelle M. Kirschner – London (+44 20 7071 4212, [email protected])
Penny Madden KC – London (+44 20 7071 4226, [email protected])
Irene Polieri – London (+44 20 7071 4199, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Nikita Malevanny – Munich (+49 89 189 33 224, [email protected])
Melina Kronester – Munich (+49 89 189 33 225, [email protected])
Vanessa Ludwig – Frankfurt (+49 69 247 411 531, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.