CFIUS Updates: New Rules to Sharpen Process and Enforcement Authorities
CFIUS Updates: New Rules to Sharpen Process and Enforcement Authorities
On April 11, 2024, the Committee on Foreign Investment in the United States (CFIUS) unveiled updates to its regulations that sharpen CFIUS’s processes and enforcement authorities. Together with remarks by U.S. government officials speaking at a recent industry event, these updates underscore that the demands on and risks to transacting parties in the U.S. have never been greater.
The U.S. Department of the Treasury (“Treasury”) issued a Notice of Proposed Rulemaking (NPRM) to update certain CFIUS regulations, procedures, and authorities. These changes reflect CFIUS’s growing appetite to identify more violations, issue more and greater penalties, and to improve its internal processes.
The proposed changes include:
Expanding the types of information CFIUS can require persons to submit when engaging on transactions that were not initially filed with CFIUS (i.e., non-notified transactions) to explicitly include information to determine whether the transaction (i) may raise national security concerns, (ii) would be subject to a mandatory filing requirement, and (iii) is a covered transaction;
Instituting an extendable timeline (i.e., three business days) for transaction parties to substantively respond to mitigation agreement proposals from CFIUS;
Expanding the circumstances in which a civil monetary penalty may be imposed for material misstatements and omissions;
Increasing the amount of civil monetary penalties available for violations of CFIUS’s regulations, mitigation agreements, and orders, as well as for material misstatements, from $250,000 per violation to $5,000,000 per violation, or the value of the transaction;
Clarifying the use of CFIUS’s purported subpoena authority to obtain information when the Committee determines it is appropriate (as opposed to necessary in the current regulations); and
Extending the timeframe for submission of a petition for reconsideration of a penalty to the Committee and the number of days for the Committee to respond to such a petition.
Based on comments from CFIUS officials, the proposed changes are reactions to prior incidents and frustrations within CFIUS about its processes and procedures. Although most of the proposed regulations reinforce or enhance authorities CFIUS already has or reflect realities of how CFIUS has long operated, some are more material changes.
First, the extendable three-day response time for parties to respond to CFIUS-proposed mitigation agreement will likely create an unpredictable, costly, and hasty negotiation process by compelling parties to respond substantively to mitigation agreement proposals. If parties don’t, or can’t, substantively respond, CFIUS will be authorized to reject the filing. As a practical matter, it will be difficult for many transactions parties to respond to the initial draft of a CFIUS mitigation agreement within three business days.
CFIUS can take weeks to prepare mitigation terms and, although the draft mitigation agreements will reflect thoughtful consideration by CFIUS, they do not include direct input from the parties. The drafts may pose operational changes that will have a profound and burdensome impact on the U.S. business’s efficiency and competitiveness (e.g., vendor approvals or controls on specific types of information). Proposals can also include changes to existing processes that will require reallocating limited resources to operationalize redundant or inapposite requirements (e.g., CFIUS-preferred cybersecurity standards) or the proposals can have complex and conflicting impacts on new and existing shareholders. A CFIUS-generated draft mitigation agreement can also reflect an imperfect understanding of the U.S. business, its technology, and operations—and these imperfections will be difficult to understand in three business days, much less ascertain whether the terms are agreeable or require an alternative approach.
Second, the updates to CFIUS’s subpoena powers authorize CFIUS to obtain information when the Committee determines it is appropriate (as opposed to necessary in the current regulations). This language will also lower the threshold for contacting “other persons” (i.e., third parties) for information regarding whether a transaction is a covered transaction, may raise national security considerations, or trigger mandatory CFIUS filing obligations.
This update could have significant practical impacts. If CFIUS engages with third parties in this manner more regularly, it will raise novel issues of confidentiality and privilege. For example, outreach to third parties in a manner that discloses information provided to CFIUS by transaction parties may be inconsistent with statutory confidentiality protections. This authority also extends to subpoenas for non-privileged information from transaction-adjacent parties, such as financial and strategic advisors. And because the subpoena authorization extends to risk-related information, which includes aggregate investment trends as a potential risk factor, it is possible CFIUS may seek information regarding multiple transactions from a single source in the future.
Comments on the Proposed Rule are due by May 15, 2024. After considering the public’s comments, Treasury will issue a Final Rule, which will become effective one month after it is announced.
In addition to the new rulemaking, speakers at the industry event highlighted other topics, including:
These updates, combined with CFIUS’s proposed enhanced enforcement authorities, demonstrate the holistic approach the U.S. government is taking to try to mitigate national security risks, ranging from case-by-case inbound investment reviews to categorical restrictions on certain outbound investments and data transactions.