Treasury releases proposed rule expanding CFIUS monitoring and enforcement authorities

On April 11, 2024, the Treasury Department issued a proposed rule (the Proposed Rule) that would expand and sharpen the investigative, enforcement, and monitoring authorities of the Committee for Foreign Investment in the United States (CFIUS or the Committee). The Proposed Rule would, among other things:

• Expand the information that the Committee may require from parties that do not voluntarily file with CFIUS, including any information that is relevant to “national security considerations,” as well as information concerning CFIUS’s jurisdiction or the applicability of mandatory filing requirements;[1]
• Substantially increase the penalties that may be imposed for violations of CFIUS rules or mitigation agreements and expand the bases for which CFIUS may impose penalties; and
• Impose a three business day deadline for parties to respond to terms proposed by CFIUS when negotiating mitigation agreements (which may be extended at the Committee’s discretion).

Although the Proposed Rule would not expand the universe of transactions that are subject to filing requirements, it would expand the Committee’s investigative authorities for transactions that are not filed and the penalties for breaching filing requirements, mitigation agreements, and CFIUS orders. The Proposed Rule continues and reinforces the Committee’s recent emphasis on investigation of non-notified transactions and enforcement of mitigation agreements, which includes a significant expansion of the monitoring and enforcement staff (funded by filing fees introduced in the 2018 revision of CFIUS’s statute), new enforcement and penalty guidelines (discussed in a previous client update), the imposition of civil penalties in a number of cases, and a repeated public emphasis on monitoring and enforcement by senior Treasury officials.[2]

The Proposed Rule also establishes a narrow, three business day timeframe for transaction parties to respond to proposed mitigating conditions from CFIUS (although CFIUS acknowledged that it expects parties to request an extension in complex cases). In practice, this new deadline would require parties to evaluate the operational and commercial implications of proposed mitigation, reach an agreement among stakeholders, and provide a detailed response within 72 hours, which transaction parties may find challenging or unworkable in many cases. Notably, CFIUS itself typically does not meet this timeframe (and is subject to no requirements under the proposed rules). Ultimately, though, the practical consequences of failing to meet the deadline (rejection of the CFIUS filing and extension of the review process) may not differ much from current practice.

We provide below a summary of the Proposed Rule and its implications. The public will have 30 days to submit comments to the Proposed Rule after it is published in the Federal Register and we would expect a final rule to be issued later this year.

What does the Proposed Rule do?

Investigations and subpoenas

Currently, when parties do not file a notice or declaration, CFIUS’s regulations authorize the Committee to request information from the transaction parties “to determine whether the transaction is a covered transaction” (i.e., whether the transaction is subject to CFIUS jurisdiction).[3] CFIUS staff charged with investigating non-notified transactions send out questionnaires seeking information on transactions of interest (which may be identified from press reports, industry sources, other government agencies, or tips), following which CFIUS may request a filing from the parties (or, if the parties do not cooperate, open an investigation).

The Proposed Rule would expand the scope of information that CFIUS may request about non-notified transactions to include any information necessary to determine: (a) “whether the transaction may raise national security considerations” and (b) whether the transaction would trigger mandatory filing requirements under CFIUS regulations (which apply to certain transactions involving a U.S. business involved in critical technologies, critical infrastructure or sensitive personal data).  These proposed updates to the CFIUS regulations are consistent, in many respects, with the Committee’s existing practices, as it is common for CFIUS to request a range of information about non-notified transactions, including details that may overlap with national security considerations (e.g., the nature of a party’s operations in the United States or the rights that a foreign person would acquire post-closing). On its face, however, the Proposed Rule would meaningfully expand the scope of information that CFIUS is likely to request, as information relevant to “national security considerations” could in theory include virtually any details about the transaction or the business, operations, and commercial activities of the transaction parties. For example, CFIUS may request granular technical details about a company’s software and technologies, the plans of the parties post-closing, or details regarding a U.S. business’s government contracts.

In effect, under the Proposed Rule, CFIUS may request substantially the same information from parties that choose not to file as it would for parties that submit a filing—whether or not CFIUS in fact has jurisdiction over the transaction. The Proposed Rule states, however, that the “Committee does not intend to use its authority to obtain information related to risk as a substitute for a review or an investigation, but rather for the purpose of preventing unnecessary filings” and more efficiently identifying transactions that “may present an extant risk.” While this would be a reasonable approach as a matter of policy, there is no such requirement in the plain language of the Proposed Rule.  There also does not appear to be a facial basis to resist CFIUS’s demand for substantive information on the grounds that the Committee lacks jurisdiction over a transaction.  The Proposed Rule would also require parties to provide information to CFIUS relating to the parties’ compliance with mitigation agreements or to determine the accuracy of information previously provided to CFIUS (although CFIUS already requests this information as a matter of practice).

Responses to the Committee’s requests are mandatory under the CFIUS regulations, and CFIUS also has subpoena authority under the Defense Production Act.  Requests and subpoenas may be directed either to transaction parties or to third parties.

Deadlines for responding to proposed mitigation terms

When CFIUS determines that a transaction may present national security risks, the Committee may require various commitments and conditions from the transaction parties to mitigate those risks, which are typically formalized in a National Security Agreement (NSA). CFIUS can and does impose a wide range of requirements under an NSA and there is no statutory limitation on what the Committee may require.  

An NSA is negotiated during the CFIUS review and investigation periods, meaning it is subject to the same statutory timelines (i.e., 45 days for the review period, plus a further 45 days for the investigation period) for concluding the review. Given the potential commercial and practical ramifications of the conditions CFIUS proposes – which may entirely alter the economics of the deal or prove unworkable as a technical or operational matter – the negotiation of an NSA may consume many weeks. CFIUS itself is often very slow to propose mitigation terms and to respond to the parties’ comments and counterproposals. If the statutory review period expires before an NSA under negotiation can be finalized, CFIUS typically will refuse to clear the transaction, leaving the parties little alternative but to withdraw and resubmit the CFIUS notification to start a new review period.

The Proposed Rule would attempt to speed the process by imposing a three business day deadline for transaction parties to submit a “substantive response” to the Committee’s proposed mitigating terms, which may be extended at the discretion of the Committee.[4] For purposes of the Proposed Rule, a “substantive response” would mean “acceptance of the terms, a counterproposal, or a detailed statement of reasons that the party or parties cannot comply with the proposed terms, which may also include a counterproposal.” CFIUS believes a fixed deadline is necessary because in certain cases “parties may take longer than is reasonable to respond to the Committee’s proposed terms,” particularly when a deal has already closed and the transaction parties “may be less motivated to respond promptly given the absence of an impending closing date.” However, there is no deadline for CFIUS to provide an initial proposed mitigation agreement, nor any deadline for the Committee to respond to the parties’ proposals.

The Committee would have discretion to extend the deadline and noted that it “anticipates that parties will seek extensions in certain instances including but not limited to initial mitigation proposals and in instances where the proposed risk mitigation is complex.” The Committee has the discretion to grant an extension and the Proposed Rule states that CFIUS will consider factors, “such as the statutory time remaining for the case and whether the transaction has been filed before closing.”

CFIUS’s expectation that parties will often request an extension is well-founded as, in some cases, the terms proposed under an NSA may require material changes to a party’s operations, management and governance, or technology infrastructure. In such cases, the Proposed Rule would require parties to evaluate whether the proposed changes are practicable from a technical, operational or economic perspective; reach an agreement both among internal stakeholders and with their transaction counterparty or counterparties; and agree on a proposed response, all within a matter of three business days. Even in less complex cases, the process of obtaining approval from all stakeholders can be a time-consuming process. Although CFIUS will allow the parties to respond with “a detailed statement of reasons” why the parties cannot comply, it may take substantially longer than three days for the parties to make a complete and good faith determination in that regard.

That said, the potential consequence of failing to meet the deadline is rejection of the notice by CFIUS. The practical implication of rejection is that the parties would refile the notice, re-starting the statutory review period.  This outcome is not necessarily very different from the status quo in which parties withdraw and refile CFIUS notices, sometimes repeatedly, to provide the time required to negotiate a workable NSA. Thus, while the rule change will doubtless increase pressure on transaction parties to respond quickly to mitigation proposals, the practical risks appear modest.

Increased monetary penalties

Finally, the Proposed Rule would increase the maximum civil monetary penalty amount for violations of Section 721 of the Defense Production Act (the statutory authority for CFIUS), CFIUS regulations or the terms of an NSA. Currently, both the failure to make a mandatory filing or an intentional or grossly negligent violation of a material provision of a mitigation agreement or condition imposed by CFIUS are subject to a civil penalty of up to the greater of $250,000 or the value of the transaction.  The Proposed Rule raises the $250,000 alternative to $5 million and, in the case of a violation of a mitigation agreement, adds the value of the violator’s interest in the US business as an alternative (so that the maximum penalty is the largest of $5 million, the original value of the notified transaction, and the current value of the interest in the U.S. business). The maximum civil penalty for material misstatements or omissions (or false certifications) to CFIUS would likewise be raised from $250,000 to $5 million; those penalties are also extended to responses to information requests from CFIUS to third parties or parties to non-notified transactions. The new maximum penalties would not be retroactive to existing transactions or agreements and the actual penalties would be determined in accordance with CFIUS’s Enforcement and Penalty Guidelines.[5]

Implications for the market

As Treasury noted in its press release (and as we have observed), the Proposed Rule reflects the Committee’s increased focus on compliance and enforcement.[6] While the CFIUS process remains formally voluntary in most cases, CFIUS is increasingly active in investigating cases that are not voluntarily filed, as well as in enforcing mandatory filing requirements where applicable. CFIUS has also engaged in a years-long process to improve its monitoring and enforcement of mitigation agreements and conditions. We expect proactive investigation of transactions and enforcement of filing requirements and NSAs, backed by the significantly greater staffing and resources provided by CFIUS filing fees, to be a long-term trend.