• On December 26, 2024, Treasury’s final regulations strengthening and expanding CFIUS’s existing compliance and enforcement functions will become effective.
• These final regulations will enhance CFIUS’s authority to gather information about transactions, mitigate national security risks of transactions, and penalize those that violate CFIUS’s rules or otherwise fail to comply with their obligations to CFIUS. In particular, CFIUS will be able to request information about non-notified transactions, have the discretion to require parties to a CFIUS filing to respond to proposed mitigation terms on a fixed time frame, and issue increased civil monetary penalties for a wider scope of behavior.
• These final regulations cap off a banner year for CFIUS’s compliance and enforcement capabilities, illustrating the U.S. government’s commitment to address national security concerns arising from foreign investment and use CFIUS to do so.

Happy Holidays from CFIUS: Final Regulations Enhancing CFIUS Review & Enforcement Effective on December 26th

Last month, the U.S. Department of the Treasury (“Treasury”) issued its final rule to amend the Committee on Foreign Investment in the United States (“CFIUS”) regulations to meaningfully strengthen and expand CFIUS’s existing compliance and enforcement functions. These final regulations will become effective on December 26, 2024—right on and around the major dates of this holiday season.

We previously discussed the proposed version of these regulations and their significance to the CFIUS process when Treasury initially released a notice of proposed rulemaking (the “NPRM”) on its compliance and enforcement capabilities earlier this year. The final rule generally finalizes the regulations as proposed in the NPRM, although there are some changes.

In finalizing regulations on CFIUS’s compliance and enforcement functions, Treasury is continuing its steady march toward enhanced monitoring and investigation of foreign investment in the United States. These regulations are merely the latest sign that CFIUS is focusing on this area, with Treasury having previously released its CFIUS Enforcement and Penalty Guidelines in 2022, and earlier this year, Treasury establishing a CFIUS Enforcement webpage that lists enforcement actions taken by CFIUS.

To briefly summarize the importance of these final regulations, Treasury chairs the interagency CFIUS, which is authorized to review certain transactions by or with any foreign person. Such transactions include those that could (1) directly or indirectly result in foreign control of a U.S. business, (2) involve a foreign person gaining certain noncontrolling rights in a subset of particularly sensitive U.S. businesses, and (3) involve certain particularly sensitive real estate. For transactions involving certain sensitive U.S. business technology—known as “critical technology”—or certain levels of foreign government ownership, parties may be required to make a mandatory filing with CFIUS regarding the transaction. Otherwise, CFIUS will review transactions on its own accord or based on transaction parties’ voluntary filings. If CFIUS identifies a national security risk during its review of a transaction, it may negotiate and enter into and enforce agreements with the transaction parties or impose conditions on the transaction parties to mitigate the risk.

Key Takeaways

CFIUS Will Have Expanded Authority to Request Information About Transactions from Transaction Parties and Other Persons

The final regulations expand CFIUS’s authority regarding information requests in a few meaningful ways, including the substance covered by the information requests and what parties will be obligated to respond to such requests. In some ways, these final regulations seem to codify CFIUS’s current practices regarding its information requests, but by having formal regulations supporting these practices, CFIUS has the necessary legal backing to promote more efficient cooperation from parties in responding to information requests.

For transactions for which parties have not submitted a CFIUS filing (known as “non-notified transactions”), the final regulations expand the substance potentially covered by CFIUS information requests into such transactions. Such CFIUS information requests will now be able to address both national security considerations and mandatory filing issues, which is an expansion from its prior authority to only request information necessary to determine whether it can review such a transaction, i.e., whether the transaction is a “covered transaction” or a “covered real estate transaction.”

Aside from non-notified transactions, the final regulations will also grant CFIUS the authority to ask questions and require responses when: (1) seeking information to monitor compliance with or enforce the terms of a mitigation agreement, order, or condition, and (2) seeking information to determine whether any person has made a material misstatement or omitted material information during the course of a previously concluded review or investigation.

Along with these new substantive focuses for information requests, CFIUS will be able to issue information requests to “other persons” as well as parties to a transaction. Historically, CFIUS’s investigatory authority has been limited to requesting information from transaction parties. The expanded authority of obligating “other persons,” a term that is not defined in the final regulations, to respond to information requests represents a meaningful expansion of potential sources that CFIUS can probe for transaction information. Commenters on the proposed rule noted the expansiveness of the undefined “other persons” term, but Treasury responded to such comments by stating that the Defense Production Act (the “DPA”)—the underlying law setting forth the CFIUS review process—allows it to obtain information from “any person as may be necessary or appropriate.” Accordingly, CFIUS looks ready to issue information requests to entities and persons indirectly or tangentially related to a transaction.

To practically enforce these information requests, the final regulations alter how CFIUS can issue subpoenas. To issue a subpoena, CFIUS will need to deem a subpoena “appropriate” to compel responses to its information requests if parties do not voluntarily respond. This is a change from CFIUS’s historic subpoena power, which required that CFIUS deem a subpoena “necessary” to obtain the sought-after information.

Parties to a CFIUS Filing May Be Required to Respond to Proposed Mitigation Terms on a Fixed Time Frame

In a change from the NPRM, the final regulations will provide CFIUS the authority to impose a minimum three-business-day time period for transaction parties to respond to proposed mitigation terms. Notably, this minimum response time will only be imposed if CFIUS finds it appropriate to do so. Timely responding to mitigation terms is important because CFIUS must resolve national security concerns by proposing mitigation terms to transaction parties, and CFIUS has the 45-day investigation time frame to do so under the DPA. Failing to do so may result in transactions being withdrawn and refiled with CFIUS, which makes the CFIUS process look less efficient.

The NPRM had initially proposed a three-business-day time period to respond to mitigation terms in all circumstances, which resulted in several commenters stating that three business days would not be enough time to substantively respond to mitigation proposals. In considering these comments, Treasury softened its stance on timeframes for tight deadlines to respond to mitigation proposals. Instead of creating a three-business-day default to respond to proposed mitigation terms, CFIUS will have the ability to impose response time frames at its discretion, with three business days being the minimum. In imposing a response deadline, CFIUS will consider factors enumerated in the final regulations, including the statutory deadline to complete an investigation, the transaction’s national security risk, the party’s or parties’ responsiveness to the CFIUS process, the nature of the transaction, the appropriateness of suspending or mitigating the transaction, and other such factors that may be appropriate. The final regulations additionally grant CFIUS the ability to reject a filing as a remedy for a party failing to respond to proposed mitigation terms in the time frame specified, giving parties incentive to meet any such deadline imposed by CFIUS.

CFIUS Will Have Expanded Authority to Issue Civil Monetary Penalties

Under the final regulations, CFIUS will not only be able to impose higher civil monetary penalties, but will be able to impose penalties for a wider range of situations than it has in the past. These maximum penalties align with what was proposed in the NPRM:

• For the submission of a declaration or notice with a material misstatement or omission, the NPRM would increase the maximum penalty amount to $5,000,000 per violation, from the current $250,000 per violation.

• For the failure to submit a mandatory declaration, the NPRM would increase the maximum penalty per violation to $5,000,000 or the value of the transaction, whichever is greater. Currently, this penalty per violation is $250,000 or the value of the transaction, whichever is greater.

• For violations of material provisions of mitigation agreements, material conditions imposed by CFIUS, or orders issued by CFIUS, the NPRM would increase the maximum penalty amount per violation to the greater of $5,000,000, the value of the transaction, or the value of the party’s interest in the U.S. business at the time of the violation or time of the transaction. Currently, this penalty per violation is a maximum of $250,000 or the value of the transaction, whichever is greater.

Regarding the expanded scope of CFIUS’s penalty authority, CFIUS will be able to impose penalties for material misstatements and omissions made outside of an active CFIUS review, such as when CFIUS is monitoring compliance with mitigation agreements or when parties are responding to information requests from CFIUS. The final regulations additionally grant parties additional time to request reconsideration of a penalty notice from CFIUS, setting out a specific timeline for doing so. Specifically, the final regulations increase the time for a party to submit a petition for reconsideration of a penalty from 15 business days to 20 business days, and similarly increase the time for CFIUS to assess a petition and issue a final determination from 15 business days to 20 business days.

This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.