Observations on CFIUS Mitigation and Enforcement
November 21, 2022, Covington Alert
Much attention has been drawn recently to the first-ever CFIUS Enforcement and Penalty Guidelines (the “Guidelines”), which the Treasury Department, as chair of CFIUS, released on October 20, 2022. The Guidelines are notable as a marker for CFIUS’s approach to penalty enforcement, and are intended to signal a more active approach to enforcement of CFIUS mitigation agreements and non-notified transactions. Issuance of the Guidelines provides an opportunity to reflect on an aspect of the CFIUS law and regulations that is underdeveloped and, frequently, haphazard in its application: monitoring and enforcement of mitigation agreements. In this analysis, we summarize the Guidelines, but also place them in a broader context of gaps, challenges, and trends in CFIUS mitigation monitoring.
Summary of Guidelines
In issuing the Guidelines, Assistant Secretary of the Treasury for Investment Security Paul Rosen explained that the “announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.” While the statement expresses a clear intent—and may sound ominous to investors—we view the issuance of the Guidelines as a welcome development, as it provides a clear administrative marker for how the Committee will approach enforcement of CFIUS mitigation agreements, including potential imposition of civil money penalties, and provides more structure to a process that has often been approached in an ad hoc manner.
The Guidelines describe three categories of conduct that may constitute a violation, the process the Committee follows in imposing penalties, the factors it considers in determining whether a penalty is warranted, and the scope of any such penalty. The three categories of acts or omissions that may constitute a violation include:
- The failure to timely submit a declaration or notice if a filing is required;
- Non-compliance with CFIUS mitigation agreements; and
- Material misstatements, omissions, or false certifications made to CFIUS.
As the Guidelines point out, violations do not automatically result in penalties or other remedies available to CFIUS under Section 721 of the Defense Production Act of 1950, as amended, 50 U.S.C. § 4565, which instead are within the Committee’s discretion.
According to the Guidelines, CFIUS primarily relies on three sources of information in determining whether a violation has occurred:
- Requests for information by CFIUS in the context of overseeing compliance with mitigation agreements or investigation into potential violations;
- Self-disclosures from parties engaged in conduct that may constitute violations; and
- Tips from the public. (The Guidelines also note the appropriate avenues for reporting potential violations, including the public CFIUS tips line found on the Treasury Department’s website.)
The Guidelines describe the Committee’s process for considering and imposing penalties once it concludes that a violation has occurred. These processes, however, already are prescribed by the CFIUS regulations, 31 C.F.R. § 800.901, and thus the Guidelines do not chart new territory in this regard.
The regulations provide that if CFIUS identifies a violation that merits a penalty, CFIUS first sends a notice of penalty, which includes a written explanation of the alleged violation and the amount of any monetary penalty that CFIUS intends to impose. This notice should include a statement of the legal basis for CFIUS’s determination that a violation has occurred and may also explain the factors (described more fully below) that the Committee considered in reaching its decision.
Second, the recipient of the notice of penalty is provided an opportunity to submit a petition for reconsideration that may include defenses, mitigating factors, explanations, or other information the party believes is relevant to CFIUS’s decision.
Third, the Committee will consider any timely petition for reconsideration before issuing a final penalty determination within 15 days of the petition’s receipt. If no petition for rehearing is received, CFIUS generally issues a final penalty determination in the form of an additional notice to the violating party.
Given the foregoing has been codified in regulations for several years, the most novel aspect of the Guidelines is the list of mitigating or aggravating factors that CFIUS will consider in its assessments of violations and potential penalties. At a high level, these factors can include:
- The expected impact of the penalty on accountability and future compliance;
- The underlying harm (or threat of harm) to national security;
- The associated efforts of the relevant party (whether negligence, gross negligence, intentional action, or willfulness), also taking into account any efforts to conceal or delay sharing relevant information as well as the seniority of the person who knew or should have known about the relevant conduct;
- The frequency and timing of violation(s), including the time elapsed from the time of the violation to the point at which CFIUS becomes aware of the violation;
- The party's response and remediation efforts related to any violation; and
- The party's overall sophistication and record of compliance.
The Guidelines are expressly non-binding, and will be updated as needed going forward.
Further Comments and Observations on Mitigation and Enforcement
The issuance of the Guidelines and the attention that they have drawn also provides an opportunity to consider the broader context of CFIUS mitigation and enforcement at this mid-term moment in the Biden Administration. While the issuance of the Guidelines is a step in the right direction, we still see gaps in this aspect of CFIUS’s exercise of its authorities, and we offer our thoughts on potential trends and expectations for CFIUS in the near term and the impact on transaction parties and the broader investment community.
- The Guidelines reflect a clear intent to pursue enforcement actions for violations of mitigation agreements more aggressively. There is no doubt that the public comments of Assistant Secretary Rosen in connection with the issuance of the Guidelines also reflect direction that the Treasury Department has provided to the Committee. There is a strong history in Washington of policy officials staking out ground on priorities for their offices through enforcement actions, and we believe the issuance of the Guidelines, coupled with the public remarks, are intended to lay a marker for the pursuit of future civil money penalties. Staking a claim to a more aggressive enforcement posture may also be intended to help protect against political critiques of a Biden Administration-led CFIUS process that almost certainly will increase with a GOP-led House of Representatives.
- At the same time, the Guidelines should not portend an open hunting season for violations. Imposition of a civil money penalty requires consensus among all nine CFIUS member agencies, and as the Guidelines and regulations make clear, there is administrative law and potential judicial process available to parties on whom CFIUS seeks to impose penalties. There also is fairly well developed case law in the United States regarding administrative enforcement actions by regulators. In combination, these administrative checks and balances and legal protections against over-reach should instill discipline on CFIUS, with the result that penalties should be reserved for cases where there is a clear factual basis for a violation, and the pursuit of a civil penalty action consequently should not come as a surprise to the parties.
- There remains a significant legal gap in the CFIUS process related to mitigation monitoring. While the Guidelines provide some greater illumination and guidance in an important area of CFIUS authorities—namely, penalty enforcement—they do not address the area in most glaring need for clear rules and processes: CFIUS monitoring of mitigation agreements. To place this in context, the CFIUS regulations and administrative law already provide legal boundaries on penalty enforcement. Likewise, while the CFIUS review process is often perceived as a Star Chamber of sorts, the reality is that there are clear rules and a well-developed risk-based framework that the Committee applies in its review of transactions. The statute also articulates the standard that CFIUS must apply in its review and investigation of a transaction—i.e., CFIUS must determine the effects of the transaction on national security; if there is an impact on national security, it must consider whether that impact can be mitigated; and it can only approve a transaction if there are no unresolved concerns. While not free from dysfunction—and not always the most pleasant process for transaction parties—the interagency nature of the review process itself instills a degree of discipline and provides opportunities for transaction parties to engage with the Committee and address concerns. Ultimately, in this context, there are laws, regulations, and well-established processes, even if thin in comparison with other regulatory systems, that can be challenged and to which the Committee must adhere.
The same, however, cannot be said for mitigation monitoring—i.e., the practice of the Committee between approval and penalty enforcement. As a legal matter—and in application by the Committee—mitigation monitoring has developed as the Wild West. There are no clear rules that guide the entire Committee on mitigation monitoring, nor is there the same level of oversight or accountability within and among the agencies as applies when CFIUS reviews a transaction or when it pursues a civil money penalty. Most CFIUS mitigation matters do not run into challenges because the parties most often are compliant, and, importantly, because the CFIUS Monitoring Agencies (“CMAs”)—meaning the agencies that are signatories to the mitigation agreement and responsible for monitoring and enforcement—most often act in a reasonable fashion, but that is entirely dependent on the personalities and individualized approaches of the CMAs. Indeed, it is a credit to transaction parties and the professionalism of the governmental officials and contractors who conduct mitigation monitoring on behalf of the government that, by and large, mitigation monitoring has worked adequately over the last several decades. But dependency on the personality and capabilities of individuals creates unnecessary risk both for CFIUS and for transaction parties.
To amplify the point: there is no established and published practice for how the CMAs will approach monitoring; there is no articulated path for appeal if there is a disagreement between a party and a CMA short of a penalty enforcement action; there is no standard for terminating agreements when they are clearly obsolete, absent a clear timeline in a mitigation agreement (and often even when there are such clear timelines); and there is no requirement for the CMAs to respond to parties on waiver requests, clarifications, or even required submissions under CFIUS mitigation agreements. Moreover, it frequently is the case that the government officials responsible for monitoring were not part of the negotiation of the mitigation agreement; that subject matter experts that are engaged as contractors to support the CMAs do not receive the full history of the matter; and that during the life of a mitigation agreement, the CMA officials may change multiple times. Results and tendencies in mitigation monitoring, as a result, can vary wildly. For example, one agency may decide that a particular requirement of a mitigation agreement, or even the entire agreement, is obsolete, but other agencies may disagree, and the result is that the transaction parties live with, and are held to compliance with, outdated requirements that live on for years. Even when the foreign owner whose acquisition resulted in a mitigation agreement has divested its interest, it can take many months for CFIUS to confirm termination of the mitigation agreement.
To be sure, there are best practices for parties to govern compliance with CFIUS mitigation agreements—well developed over decades of compliance with CFIUS mitigation—and if parties follow those practices, they are very unlikely to have any compliance issues or disagreements with the CMAs. That fact and the largely successful history of most parties in navigating this compliance area, however, does not compensate for the lack of clear rules, guidelines, and practices to help ground the CFIUS monitoring and compliance area and ensure greater consistency.
The stress on the system in the absence of clear and consistent rules applying to mitigation monitoring will grow, particularly given other trends in CFIUS mitigation terms. One reason that CFIUS mitigation monitoring and compliance has not had (too many) trains derail previously is that there were a relatively modest number of CFIUS mitigation agreements historically, and most were not terribly complex. But just as the world has grown more complex—and CFIUS has increasingly grappled with an increasingly complicated set of national security risks in the context of transactions—so too has the volume and complexity of mitigation agreements. This trend is almost certain to continue, as the government reviews more transactions (consistent with the objectives and funding to CFIUS following FIRRMA) and takes a longer term and broader industry-based perspective on risk.
Several trends resulting from the volume and complexity of mitigation agreements exacerbate the concerns over mitigation monitoring for transaction parties. First, CFIUS is adding internal resources and contractors, but these resources—precisely because they are new—are often not well steeped in CFIUS practice, and as noted, they very seldom have a grounding in the transaction or the CFIUS review process that gave rise to the mitigation agreement.
Second, CFIUS is increasingly insisting on third-party monitoring mechanisms, including auditors and full-time monitors who report to the government, to be required terms under mitigation agreements. These requirements increase the costs for transaction parties, and, at best, create a tension in incentives as the third parties are directed to report to the government.
Third, CFIUS also is becoming more insistent on “standard” access and inspection rights for the CFIUS agencies, which on their face provide the government with broad access to personnel, records, systems, and facilities for purposes of verifying compliance with the mitigation agreement. While this latter requirement is not necessarily new, the breadth of the provision can be particularly difficult for parties who have global operations or that are publicly traded to accept, especially where the transaction relates to a small part of the party’s business. And, when the broad access and inspection term is presented (a) in the context of an “enforcement” environment; (b) where agreements also require a third-party audit or third-party monitor; and (c) where global businesses must be careful about not ceding similar rights to other governments, it can become particularly difficult for transaction parties to accept.
Given this, the next step for CFIUS should be to develop a more coherent—and transparent—mitigation monitoring program to complement the enforcement Guidelines. Such a monitoring program should include express guidance on how CFIUS will exercise its access and inspection rights, in part to give transaction parties greater confidence that those rights will not be misused.
In this context, the absence of well-developed, accepted, and understood rules, practices, and procedures for monitoring and compliance is untenable. Unless it is remedied, this dynamic very likely will lead to transaction parties walking away from transactions that, with appropriate mitigation, would benefit the United States. Perhaps more significant, it will erode confidence in the CFIUS process itself, and in the United States as a trusted destination for investment—one that is governed by the rule of law and can serve as a beacon for other countries. We also would predict potential consequences to CFIUS’s own authorities: just as when CFIUS’s review authorities were challenged because the Committee refused to provide an unclassified justification for its position—a practice that the DC Circuit effectively overruled in the Ralls decision—CFIUS’s actions on the mitigation monitoring front will likely lead to a challenge.
To end on a positive note, we do believe that the issues on mitigation monitoring are widely recognized within the Committee and among its senior leaders, and we are hopeful that within the next year, the Committee will undertake to develop a more coherent, transparent, and rule-bound mitigation monitoring process.
If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice.