US Treasury Department proposes regulations to "refine and enhance" CFIUS investigation and enforcement authorities

The US Treasury Department has issued a Notice of Proposed Rulemaking (NPRM) that would amend current regulations to enable the Committee on Foreign Investment in the United States (CFIUS) to:

• Identify more efficiently potential national security risks of foreign investment into the US, by expanding the information that CFIUS can request from deal parties as well as third parties to a transaction (which includes an expansion of CFIUS subpoena authority).
• Impose a three-business day deadline for parties to respond to proposed terms for a mitigation agreement.
• Bolster CFIUS enforcement authorities by significantly increasing civil monetary penalties and the circumstances when such penalties may be imposed. 

Overall, the NPRM generally signals a more aggressive approach to CFIUS enforcement. 

As the US foreign direct investment regulator, CFIUS (an interagency body) reviews “covered transactions,” namely foreign (non-US) acquisitions of, and certain non-controlling foreign investments in, US businesses for their potential impact on US national security.  Where CFIUS identifies national security risks, it is empowered to condition potential clearance of such transactions on the entry of a mitigation agreement (undertakings) designed to address those risks. CFIUS also has authority to investigate and call in for review any covered transaction not filed with CFIUS (known as “non-notified” transactions). 

The NPRM (available here), issued by the Treasury Department in its role as CFIUS Chair, are subject to a public consultation period through 15 May, 2024, after which CFIUS would promulgate final regulations, which may revise the NPRM following consideration of stakeholder inputs. There is no deadline for final regulations to issue.

Assistant Secretary for Investment Security Paul Rosen stated that the NPRM reflects “lessons learned” by CFIUS during its recent monitoring, compliance, and enforcement work.  According to Mr. Rosen, the NPRM is intended to build upon and enhance CFIUS’s Enforcement and Penalty Guidelines issued in October 2022.  However, unlike the Guidelines, the proposed amendments will be binding once they are issued as a final rule.  In current form, the NPRM is designed to, in the words of an accompanying Treasury press release, “refine and enhance CFIUS’s authorities” via, among other items, the following amendments:

• Empowering CFIUS to request information from transaction parties, and third parties, as to whether a non-notified transaction meets the criteria for a mandatory CFIUS filing, and as well as information that would enable CFIUS to determine whether a transaction may raise national security considerations. For example, CFIUS would be expressly empowered to inquire into a non-notified transaction’s overall security risk profile, and not just whether CFIUS has jurisdiction to review the transaction.
• Expanding regulations to expressly require parties to provide responses where CFIUS seeks (i) information to monitor compliance with a mitigation agreement; and (ii) information deemed relevant to whether the transaction parties made a material misstatement or omitted material information during a previously concluded CFIUS review or investigation.
• Enabling CFIUS to issue subpoenas in connection with a notified, or non-notified, transaction to non-parties or third parties to the transaction if CFIUS deems such subpoenas “appropriate,” a more expansive standard than the current “if necessary” threshold for such subpoenas. 
• Increasing the maximum civil monetary penalty amount (i) for material misstatements or omissions made to CFIUS, to $5 million (from $250,000); (ii) for failing to file for CFIUS review in a mandatory filing scenario, the greater of $5 million (from $250,000) or the total value of the transaction; and (iii) for violations of material terms in mitigation agreements to the greater of either $5 million, the value of the US business, or the total transaction value. 
• Requiring deal parties to provide substantive responses to proposed mitigation terms within three (US) business days, in cases where CFIUS requires a mitigation agreement to address national security risks to clear a transaction under review. For example, CFIUS is looking to address instances, particularly in non-notified transactions that have closed, where deal parties have appeared, in CFIUS’s words, “less motivated” to respond promptly.

The proposed regulations highlight that any penalties imposed or enforcement action undertaken by CFIUS will depend on the facts and circumstances in each case, including any aggravating or mitigating factors as described in CFIUS’s Enforcement and Penalty Guidelines, on which we reported here. 

The foregoing marks the first substantive update to CFIUS regulations since the suite of 2020 regulations implementing the CFIUS-related reforms in the Foreign Investment Risk Review Modernization Act of 2018, and CFIUS undoubtedly will continue to propose “additional regulatory enhancements” to its national security review mechanisms.  Non-US persons engaging in transactions with a US nexus would thus be well-served to carefully assess potential CFIUS risk in those transactions.