CFIUS Flexes Its Enforcement Authority

On August 14, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) published summaries of six recent enforcement actions, signaling a significant uptick in enforcement activity. CFIUS’s active enforcement signals continued, enhanced scrutiny of foreign investment in U.S. businesses, as well as the need for parties to agreements with the Committee to ensure they are in compliance.

CFIUS’s Enforcement Authority

By statute, CFIUS is empowered to impose civil monetary penalties of up to:

• $250,000 for false certifications or material misstatements or omissions during the CFIUS review process; and
• $250,000 or the value of the transaction, whichever is greater, for (1) failure to comply with a mandatory filing requirement; or (2) breach of a mitigation agreement.¹

Between 1975 and 2022, CFIUS publicly reported only two penalties, both relating to failures to comply with CFIUS mitigation requirements:

• a $1,000,000 penalty in 2018 for “repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS.”
• a $750,000 penalty in 2019 “for violations of a 2018 CFIUS interim order, including failure to restrict and adequately monitor access to protected data, as defined in the order.”

As discussed in our prior Alert, in October 2022, the U.S. Department of the Treasury released the first-ever CFIUS Enforcement and Penalty Guidelines (the “Guidelines”). The Guidelines set forth the process by which CFIUS assesses penalties for non-compliance with the CFIUS regulations. The Guidelines identify three categories of violations that may be subject to enforcement:

• Failure to File a mandatory declaration or notice, as applicable, in the required time (i.e., at least 30 days prior to closing);
• Non-Compliance with CFIUS Mitigation, including breaches of national security agreements (“NSAs”); and
• Material Misstatements, Omissions, or False Certifications, which will typically reflect the provision of false information to CFIUS during the review process, or the omission of relevant information in response to questions from the Committee.

Recent Enforcement Actions

Since publication of the Guidelines in October 2022, CFIUS has completed at least six enforcement actions that resulted in the imposition of monetary penalties, as summarized below:

• a $60 million penalty in 2024 against T-Mobile US, Inc. (“T-Mobile”) for violation of an NSA. The Committee assessed that, between August 2020 and June 2021, T-Mobile failed to prevent unauthorized access to certain sensitive data, and failed to timely report certain incidents to CFIUS, in material breach of the NSA. Despite the substantial penalty, CFIUS credited T-Mobile for its remedial response and ongoing cooperation.
• an $8.5 million penalty in 2024 against a party to an NSA, whereby the majority shareholders orchestrated an initiative to remove all of the company’s independent directors, causing the NSA-mandated Security Officer and Government Security Committee to be vacant. CFIUS’s investigation also identified improper transfers of intellectual property to third parties, in potential violation of the NSA.
• a $1.25 million penalty in 2024—the maximum authorized under the CFIUS regulations—for a party who made five material misstatements in a joint voluntary notice (“JVN”) submitted to the Committee, including with respect to the source of funding for the transaction. In addition to imposing a monetary penalty, CFIUS rejected the JVN, which in turn led to the transaction being abandoned.
• a $990,000 penalty in 2023 for two violations of a CFIUS Letter of Assurance (“LOA”), wherein a U.S. business failed to maintain information on its website regarding its foreign ownership, which the Committee assessed could put U.S. customers’ technology or data at risk.
• a $200,000 penalty in 2023 for failure to divest a foreign acquirer’s interest by the deadline specified in an NSA.
• a $100,000 penalty in 2023 for failure to divest a foreign acquirer’s interest by the deadline specified in an NSA.

DONT Letters

As an alternative (or precursor) to a monetary penalty, a CFIUS Monitoring Agency (“CMA”) may issue a Determination of Noncompliance Transmittal (“DONT”) Letter. A DONT Letter is issued when a CMA has “determined that one or more violations occurred, but [has] . . . decided not to pursue further enforcement remedies or [to] require additional information to assess if a penalty is warranted.”² DONT Letters generally are issued for first-time and inadvertent violations that result in limited or no potential harm to national security.

CFIUS has identified the following examples of conduct that resulted in issuance of a DONT Letter:

• failure to file a mandatory declaration (but, notably, only in cases where there was a first-time offense, and the lack of a filing did not lead to national security harm).
• failing to limit the receipt and distribution of specified information to a segregated network, as required under an LOA.
• transferring assets to a company controlled by foreign persons, in violation of an NSA or other CFIUS mandate.
• failing to prevent unauthorized access to specified intellectual property.

The total number of enforcement actions brought by the Committee may be higher than those publicly reported by CFIUS, because DONT Letters are not published.

Takeaways

The newly published enforcement actions underscore that:

• NSA Compliance is Mandatory: In connection with publication of the Guidelines, Assistant Secretary of the Treasury for Investment Security Paul Rosen stated, “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”³ Parties to NSAs are on notice of the potential consequences of non-compliance. In addition, parties negotiating NSAs should be transparent about any practical challenges that may arise in complying with specific mitigation proposals, in an effort to arrive at a mitigation framework that is attainable.
• Anonymity is Not Guaranteed: Historically, the Committee’s emphasis on confidentiality has extended to publication of enforcement activity. The T-Mobile case marks the first time that the Committee has publicly identified a party to an enforcement action. This unprecedented step suggests the possibility that future enforcement actions will not be kept anonymous.