août 19 2024

CFIUS Announces $60 Million Penalty and Debuts New Enforcement Website

Share

On August 14, 2024, the Committee on Foreign Investment in the United States (“CFIUS” or “Committee”) announced a $60 million penalty, “the largest penalty CFIUS has ever issued,” following its finding of material violations relating to a National Security Agreement (NSA). At the same time, CFIUS unveiled a new enforcement website that is intended to “provide further clarity and transparency regarding CFIUS penalties and other enforcement actions.” Both provide important insights into CFIUS’s rapidly developing enforcement program.

The new website details information about all of the civil monetary penalties imposed by CFIUS since 2018. For each penalty action, CFIUS describes the nature of the conduct, as identified by CFIUS, that gave rise to the penalty and mitigating and aggravating factors. As reflected in these summaries, CFIUS has issued three times more penalties in the past 20 months than it did in its prior nearly 50-year history. Underscoring CFIUS’s increased focus on enforcement and its intent to be a “critical national security tool” for the United States, Assistant Treasury Secretary for Investment Security, Paul Rosen, emphasized that “if CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences . . . . Today’s penalty updates underscore CFIUS’s commitment to accountability and the protection of national security.” This follows Treasury’s issuance in 2022 of the first-ever Penalty and Enforcement Guidelines.

Enforcement Actions

As to the newly revealed enforcement actions, CFIUS announced that in 2024, following an initial Notice of Penalty issued in 2023, CFIUS resolved an enforcement action against a foreign-controlled US telecommunications company, resulting in the $60 million penalty highlighted above. The company entered into an NSA with CFIUS in 2018 in connection with a merger transaction. CFIUS determined that between August 2020 and June 2021, “in violation of a material provision of the NSA,” the company failed “to take appropriate measures to prevent unauthorized access to certain sensitive data [i.e., data breaches] and failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.” CFIUS further concluded that these violations “resulted in harm to the national security equities of the United States,” leading to a $60 million penalty. CFIUS further reported that the company has worked with CFIUS to “enhance its compliance posture and obligations” and has committed to working cooperatively with the US government “to ensure compliance with its obligations going forward.”

CFIUS’s enforcement page outlines five other penalties from 2023 and 2024. These include:

  • An $8.5 million penalty imposed in 2024 following CFIUS’s determination that a company’s majority shareholders “orchestrated an initiative to remove all of the company’s independent directors, thereby causing the Security Director position to be vacant and the board of directors’ government security committee to be defunct,” which resulted in a breach of the company’s NSA.
  • A $1.25 million penalty imposed in 2024 against a transaction party after finding a joint voluntary notice and supplemental information contained five material misstatements, including forged documents and signatures.
  • A $990,000 penalty issued in 2023 against a transaction party for two violations of a material provision of a CFIUS Letter of Assurance (LOA). CFIUS determined that on two occasions the US business failed to maintain a statement on its website regarding its foreign ownership, as required by the LOA. As a result, customers of the US business may have lacked knowledge of its ownership by a foreign entity, possibly putting customers’ data and technology at risk. Aggravating factors included the duration of the violations, managerial involvement in the violations, failure to self-disclose the violations, and the US business’s lack of compliance procedures and training. The US business’s cooperation with CFIUS during its investigation was a mitigating factor.
  • A $200,000 penalty assessed in 2023, resolving an enforcement action against a transaction party for its failure to effect divestment of the foreign acquirer’s interest in the US business by the deadline specified in the NSA. Aggravating factors included repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and the transaction party’s failure to provide timely notice to CFIUS of the party’s failure to meet the divestment deadline. Mitigating factors included particularly difficult market conditions during the COVID pandemic, among other factors. 
  • A $100,000 penalty imposed in 2023 against a transaction party for its failure to effect divestment of the foreign acquirer’s interest in the US business by the deadline specified in the NSA. Aggravating factors included repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and failure to timely notify CFIUS that it would be unable to meet the divestment deadline. Mitigating factors included the transaction party’s small size and lack of sophistication and particularly difficult market conditions during the COVID pandemic. 

Takeaways

Companies may wish to take stock of whether any prior or contemplated changes may be in tension with existing national security agreements with CFIUS or other agencies and consider reforms or voluntary self-disclosures in an effort to mitigate potential penalties.

Interested parties should also continue to monitor CFIUS’s Enforcement Page for updates and review CFIUS’s Penalty and Enforcement Guidelines. These guidelines include information about how CFIUS assesses violations of its laws and regulations that govern transaction parties, what types of conduct may result in an enforcement action, and the key steps of the penalty process that CFIUS generally follows. The guidelines also describe aggravating and mitigating factors that CFIUS may consider in determining the appropriate response to a violation.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe