On August 14, 2024, the Committee on Foreign Investment in the United States ("CFIUS" or "Committee") announced a $60 million penalty, "the largest penalty CFIUS has ever issued," following its finding of material violations relating to a National Security Agreement (NSA). At the same time, CFIUS unveiled a new enforcement website that is intended to "provide further clarity and transparency regarding CFIUS penalties and other enforcement actions." Both provide important insights into CFIUS's rapidly developing enforcement program.
The new website details information about all of the civil monetary penalties imposed by CFIUS since 2018. For each penalty action, CFIUS describes the nature of the conduct, as identified by CFIUS, that gave rise to the penalty and mitigating and aggravating factors. As reflected in these summaries, CFIUS has issued three times more penalties in the past 20 months than it did in its prior nearly 50-year history. Underscoring CFIUS's increased focus on enforcement and its intent to be a "critical national security tool" for the United States, Assistant Treasury Secretary for Investment Security, Paul Rosen, emphasized that "if CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences . . . . Today's penalty updates underscore CFIUS's commitment to accountability and the protection of national security." This follows Treasury's issuance in 2022 of the first-ever Penalty and Enforcement Guidelines.
Enforcement Actions
As to the newly revealed enforcement actions, CFIUS announced that in 2024, following an initial Notice of Penalty issued in 2023, CFIUS resolved an enforcement action against a foreign-controlled US telecommunications company, resulting in the $60 million penalty highlighted above. The company entered into an NSA with CFIUS in 2018 in connection with a merger transaction. CFIUS determined that between August 2020 and June 2021, "in violation of a material provision of the NSA," the company failed "to take appropriate measures to prevent unauthorized access to certain sensitive data [i.e., data breaches] and failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee's efforts to investigate and mitigate any potential harm." CFIUS further concluded that these violations "resulted in harm to the national security equities of the United States," leading to a $60 million penalty. CFIUS further reported that the company has worked with CFIUS to "enhance its compliance posture and obligations" and has committed to working cooperatively with the US government "to ensure compliance with its obligations going forward."
CFIUS's enforcement page outlines five other penalties from 2023 and 2024. These include:
- An $8.5 million penalty imposed in 2024 following CFIUS's determination that a company's majority shareholders "orchestrated an initiative to remove all of the company's independent directors, thereby causing the Security Director position to be vacant and the board of directors' government security committee to be defunct," which resulted in a breach of the company's NSA.
- A $1.25 million penalty imposed in 2024 against a transaction party after finding a joint voluntary notice and supplemental information contained five material misstatements, including forged documents and signatures.
- A $990,000 penalty issued in 2023 against a transaction party for two violations of a material provision of a CFIUS Letter of Assurance (LOA). CFIUS determined that on two occasions the US business failed to maintain a statement on its website regarding its foreign ownership, as required by the LOA. As a result, customers of the US business may have lacked knowledge of its ownership by a foreign entity, possibly putting customers' data and technology at risk. Aggravating factors included the duration of the violations, managerial involvement in the violations, failure to self-disclose the violations, and the US business's lack of compliance procedures and training. The US business's cooperation with CFIUS during its investigation was a mitigating factor.
- A $200,000 penalty assessed in 2023, resolving an enforcement action against a transaction party for its failure to effect divestment of the foreign acquirer's interest in the US business by the deadline specified in the NSA. Aggravating factors included repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and the transaction party's failure to provide timely notice to CFIUS of the party's failure to meet the divestment deadline. Mitigating factors included particularly difficult market conditions during the COVID pandemic, among other factors.
- A $100,000 penalty imposed in 2023 against a transaction party for its failure to effect divestment of the foreign acquirer's interest in the US business by the deadline specified in the NSA. Aggravating factors included repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and failure to timely notify CFIUS that it would be unable to meet the divestment deadline. Mitigating factors included the transaction party's small size and lack of sophistication and particularly difficult market conditions during the COVID pandemic.
Takeaways
Companies may wish to take stock of whether any prior or contemplated changes may be in tension with existing national security agreements with CFIUS or other agencies and consider reforms or voluntary self-disclosures in an effort to mitigate potential penalties.
Interested parties should also continue to monitor CFIUS's Enforcement Page for updates and review CFIUS's Penalty and Enforcement Guidelines. These guidelines include information about how CFIUS assesses violations of its laws and regulations that govern transaction parties, what types of conduct may result in an enforcement action, and the key steps of the penalty process that CFIUS generally follows. The guidelines also describe aggravating and mitigating factors that CFIUS may consider in determining the appropriate response to a violation.
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.