Treasury Department Issues Final Rule to Enhance CFIUS’ Monitoring Authorities and Sharpen Its Enforcement Powers

On November 26, 2024, the U.S. Department of the Treasury (Treasury) published a final rule (Final Rule) amending certain provisions of the regulations governing proceedings of the Committee on Foreign Investment in the United States (CFIUS or the Committee). The Final Rule, which will go into effect on December 26, 2024, enhances and sharpens CFIUS’ monitoring authorities and enforcement powers. The Final Rule closely (but not entirely) mirrors the proposed rule issued by Treasury on April 15, 2024.

The key elements of the Final Rule are new procedures through which CFIUS may (1) request information from parties to “non-notified transactions,” require a response to such requests, and subpoena the information, if appropriate; (2) prescribe timelines for parties to respond to risk-mitigation proposals, including in as little as three days; and (3) penalize violations and noncompliance, including by imposing penalties more severe than are authorized under the current regulations. We discuss each of these elements in more detail below.

Information Requests and Subpoenas

When parties to what may be a transaction subject to CFIUS’ jurisdiction (a “covered transaction”) decline to notify CFIUS of the transaction but CFIUS learns of it through other sources (often referred to as a “non-notified” transaction), CFIUS may request information from the parties in order to determine whether the transaction is a covered transaction and whether the parties should submit a formal notice to CFIUS. If the parties fail to provide requested information, current rules allow CFIUS to obtain the information by subpoena when such an action is deemed “necessary.”

The Final Rule enhances the Committee’s power to request and receive information pertaining to non-notified transactions in a number of ways. First, the Final Rule sets forth procedures through which CFIUS may request information not only from parties to the transaction, but also from third parties such as banks, underwriters, and service providers. Second, the Final Rule provides that CFIUS may request information to determine not only whether a non-notified transaction may be a covered transaction, but also whether it (1) may raise national security considerations and/or (2) is subject to requirement for a mandatory filing to CFIUS. Third, the Committee may issue subpoenas for information when it deems such action “appropriate,” whereas under the current regulations, subpoenas may be issued only when “necessary.”

In addition, the Final Rule enhances the Committee’s power to request and receive information in other situations as well. Treasury’s current rules provide that CFIUS may request information from parties for reasons other than investigating a non-notified transaction, such as to monitor compliance with a mitigation agreement or order, or to determine whether parties made a material misstatement or omitted information during a previously concluded review. However, the current rules do not explicitly require parties to respond to such requests, and thus CFIUS has lacked a basis for using its subpoena power in such situations (since it is not “necessary” to subpoena information that is not required to be provided). The Final Rule declares that responses in such situations are required and may thus be enforced by subpoena.

Timelines to Respond to Mitigation Proposals

CFIUS frequently works with parties to a covered transaction to reduce national security risks, including by proposing mitigation measures and security agreements. The current rules do not set any timeline, however, for parties to respond to CFIUS’ mitigation proposals. This can hinder CFIUS’ ability to deem certain transactions acceptable and therefore to conclude its investigations within the statutorily prescribed time of 45 days.

The Final Rule equips the Committee with the discretionary power to impose a timeframe of no fewer than three days for parties to respond to the Committee’s proposed mitigation terms. Such a short turnaround is not expected to be the default deadline (as it was to be in the proposed rule). Rather, the Committee will consider the nature of the transaction, the time remaining in the investigation, and the parties’ past responsiveness, among other factors, before imposing a deadline to respond. CFIUS will also have the power to reject a notice as a remedy for parties’ failure to respond in the timeframe specified.

Scope and Amount of Penalties

Under current rules, CFIUS may impose civil monetary penalties in three cases. Penalties may be imposed when a party:

1. Submits a declaration or notice with a material misstatement, omission, or false certification
2. Fails to inform CFIUS of a transaction for which disclosure to CFIUS is mandatory
3. Violates a material provision of a mitigation agreement, a material condition imposed by the Committee, or an order issued by the Committee

If penalized for a material misrepresentation, omission, or falsehood, a party may currently be fined a maximum of $250,000. If penalized for failure to abide by the mandatory disclosure requirement or violation of a material provision, condition, or order, a party may be fined a maximum of the greater of $250,000 or the value of the transaction. According to Treasury, these fixed penalty maximums, which have not been changed since they were first set more than 15 years ago, have been insufficient to deter misconduct.

CFIUS has recently increased substantially its enforcement under the current rules; it imposed four penalties in 2023, representing more than double the total number that CFIUS had previously imposed in its nearly 50-year history. The Final Rule will give CFIUS additional ammunition in pursuing enforcement actions. First, whereas the maximum fixed-dollar penalty CFIUS currently can impose is $250,000, under the Final Rule, it is $5,000,000 — a 20-fold increase. (To note, maximums will not necessarily be imposed in the event of a violation. CFIUS will consider all facts and circumstances, including any aggravating or mitigating factors as described in the Committee’s Enforcement and Penalty Guidelines.) Second, the Final Rule expands the list of circumstances in which a penalty may be imposed for misrepresentation, omission, or falsehood from those associated with declarations, notices, and certifications to those made in other contexts, including when responding to requests for information from the Committee. Third, the Final Rule raises the potential amount of a penalty imposed for violations of a mitigation agreement, material condition, or order, taking into account the value of the violating party’s interest in the U.S. business and the value of the transaction.

The Final Rule also increases the amount of time granted to both parties and the Committee to respond to each other in the case of a penalty notice and assessment. Under current rules, parties have 15 days to petition a penalty notice and CFIUS has 15 days following the parties’ petition submission to assess the submission and issue a final penalty determination. The Final Rule increases the amount of time in each case from 15 to 20 days.

Conclusion

CFIUS’ modernization through the Foreign Investment Risk Review Modernization Act (FIRRMA) in 2018 better positioned the Committee to detect and counter national security risks associated with foreign influence over critical technologies and infrastructure. The new Final Rule serves to fulfill Congress’ objectives for FIRRMA by facilitating CFIUS’ access to pertinent information, encouraging cooperation from relevant stakeholders, and enhancing the Committee’s tools to deter and penalize misconduct.

Going forward, it will be prudent for individuals and businesses transacting with foreign parties, particularly in the critical technology, critical infrastructure, and sensitive personal data sectors, to keep abreast of their disclosure and response obligations, and the deadlines for making such disclosures and providing such responses, to CFIUS. Steep new fines may await those who do not. Please contact any author of this Advisory or your Arnold & Porter relationship attorney if you have any questions or to seek further guidance or advice.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.