Locke Lord QuickStudy: Recent CFIUS Civil Monetary Penalty Suggests Heightened Enforcement Regime

On April 12, 2019, the Committee on Foreign Investment in the United States (“CFIUS”) posted a notice on its resources website page with little fanfare announcing the imposition of a civil fine on an unnamed party for “repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS”. By citing in the announcement Section 721 (b)(1)(D)(iii) of the Defense Production Act of 1950, as amended, CFIUS also gave notice that it had unilaterally reopened its investigation of the 2016 transaction.

These enforcement steps by CFIUS have been described as “historic” and “unprecedented.” Although CFIUS was vested with the statutory authority to impose such a penalty through its original 2008 regulations (31 C.F.R. Part 800.801(b)), this was the first occasion on which CFIUS publicly announced such a fine. Given the usual reluctance of CFIUS to be in the public eye, this announcement may indicate a new phase of enforcement. A spokesperson for the Department of the Treasury did not provide any particularized information on the announcement, but did highlight the importance of mitigation agreements and the heightened determination of CFIUS to insure compliance.

Two aspects of the announcement are important to bear in mind. First, the penalty regulation for violations of mitigation agreements permits a fine to be imposed by CFIUS “not to exceed $250,000 per violation or the value of the transaction, whichever is greater.” Because this matter apparently involved multiple violations, a fine of $1 million may be understated. Second, the announcement does not identify the fined party. In future situations, it is expected that larger fines will be imposed and the fined party will be identified.

By all accounts this is the first occasion on which CFIUS has fined a party to a mitigation agreement for violations of the agreement. Such agreements are generally entered into between CFIUS and merging parties when CFIUS believes that, although the transaction will be permitted to close, national security risks occasioned by the deal need to be mitigated. Examples of such mitigation scenarios include the segregation of American citizens’ personal data, proximity concerns with land located near high security U.S. Government installations, and direct or indirect sales to U.S. Government agencies. If such concerns arise during a CFIUS transaction review, the parties should be evaluating their own internal cyber and physical security controls to determine their suitability. Such self-evaluation will be critical in negotiations with CFIUS Staff on the scope of a mitigation agreement. As the April 12th announcement underscores, it is critical that once the agreement is executed the parties scrupulously adhere to its requirements, even down to the timeliness of periodic reports.

The second aspect of the April 12th announcement is the exercise by CFIUS of its statutory authority to reopen transaction investigations. This is highly significant because a second CFIUS review will undoubtedly result in appreciably greater detail and expense with no guarantee as to a favorable result.

Affiliating parties whose transaction is subject either to a CFIUS voluntary notice under the 2008 regulations or to a mandatory declaration filing requirement under the 2018 regulations must carefully consider the scope of U.S. national security risks that their transaction presents. While not mandating a referral by CFIUS to the President for possible action, a lesser level of security risk needs to be examined in advance of the filing so that the adequacy of the parties’ internal security controls can be considered and strengthened, as appropriate. Advance consultation with CFIUS Staff on the adequacy of such controls will ensure a mitigation agreement that is both meaningful and manageable. If the mitigation controls proposed by Staff present performance difficulties for the parties, then it is critical to either have alternative controls for consideration or to be realistic about the prospects for going forward.