CFIUS Announces Recent Enforcement Actions and Fines

The Committee on Foreign Investment in the United States (CFIUS) - the US Government’s foreign direct investment (FDI) regulator – has announced updates to its public website which describe CFIUS’s recent, and aggressive, enforcement actions against companies that CFIUS found violated US regulations as well as certain mitigation agreements (undertakings) made with CFIUS. These updates are intended to publicly “underscore CFIUS’s commitment to accountability and the protection of national security.”  

In an accompanying press release, Paul Rosen, who leads CFIUS operations in his role as Assistant Secretary of the Treasury for Investment Security, stated that over the past few years, “CFIUS has redoubled its resources and focus on enforcement and accountability, and that is by design:  if CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences.”  This has resulted in CFIUS issuing three times more penalties in 2023 and to date in 2024, than it has imposed since it was established in 1975.  This more vigorous approach was foreshadowed in 2022, when CFIUS issued its first-ever Enforcement and Penalty Guidelines, outlining how it would assess potential penalties for violations of regulations governing CFIUS reviews of proposed acquisitions of and/or certain investments in US businesses by non-US parties, on which we reported here.  

Generally, CFIUS may impose civil monetary penalties for (i) non-compliance with agreed mitigation undertakings; (ii) failure to submit (at least 30 days prior to completion) a CFIUS filing in a mandatory filing scenario; and (iii) making a material misstatement or omission to CFIUS.  As reflected on the revamped CFIUS Enforcement website, recent enforcement actions and penalties include the following:  

• In 2024, CFIUS resolved an enforcement action against a telecommunications company, and imposed a $60 million penalty for violations of a mitigation agreement, known as a National Security Agreement (NSA), entered into in connection with a 2018 merger involving foreign (non-US) ownership of the merged entity.  CFIUS determined that the company did not take appropriate measures to prevent unauthorized access to certain sensitive data and did not report certain of these incidents promptly.  
• CFIUS imposed a $1.25 million penalty in 2024 against a transaction party which made several material misstatements in its notice submitted to CFIUS seeking approval of a transaction.  The amount of the fine (the maximum penalty available for such misstatements) was likely influenced by the party’s submission, per CFIUS, of certain forged documents and signatures. 
• Also this year, CFIUS imposed an $8.5 million penalty on a party for “orchestrat[ing] an initiative to remove all of the company’s independent directors, thereby causing the Security Director position to be vacant and the board of directors’ government security committee . . .  to be defunct,” in violation of an existing NSA.  
• In 2023, CFIUS determined that a transaction party violated a CFIUS Letter of Assurance (essentially, an undertaking in which a party agrees to certain post-closing steps as a condition for CFIUS clearance) by failing to maintain a foreign ownership disclosure on the website of the US business, and assessed a $990,000 penalty.
• In response to a foreign transaction party’s failure to divest its interest in a US business by an NSA-imposed deadline, which delay CFIUS determined presented a risk to US national security, CFIUS imposed a $200,000 penalty in 2023. Per CFIUS, “aggravating factors” warranting a penalty included among other things a “prolonged failure to make serious efforts to divest, and the transaction party’s failure to provide timely notice to CFIUS of its failure to meet the divestment deadline.”  A lower fine was likely imposed due to “mitigating factors” which included “particularly difficult market conditions” due to the COVID pandemic.  
• CFIUS issued, also in 2023, a $100,000 penalty against another transaction party that similarly failed to complete its divestment of the foreign interest in the US business by the deadline agreed in the NSA.  While the transaction party’s small size and COVID impacts were recognized mitigating factors, CFIUS again found that the prolonged delay coupled with a failure to timely notify CFIUS of that delay warranted a financial penalty.

In addition, CFIUS has issued Determination of Noncompliance Transmittal (DONT) Letters, instead of monetary penalties, for “ first-time, inadvertent, and limited-scope violations that did not harm national security and had little potential to do so.”  Per CFIUS, violations that have resulted in DONT Letters include (i) failing to file a transaction for CFIUS review where CFIUS mandatory filing obligations were triggered (though no harm to US national security was found to have occurred); (ii) failing to limit “receipt and distribution of certain protected information to a segregated network” per prior undertakings with CFIUS; (iii) transferring assets to a foreign-controlled company in violation of a CFIUS order; and (iv) failing to prevent “unauthorized access to restricted intellectual property.”  

More details can be found at the CFIUS website.  But the clear message from its recent announcement is, CFIUS is looking for, and not hesitating to penalize, violations of CFIUS regulations and related undertakings, and has prioritized this as part of its mandate to protect US national security and deter conduct that in its view may compromise that security.