On September 14th, the Committee on Foreign Investment in the United States ("CFIUS" or the "Committee") held its second annual conference. The major theme of the conference, the speakers of which were exclusively US Government employees, was that CFIUS is aggressively ramping up monitoring, compliance, and enforcement activities—both for mitigation agreements and non-notified transactions. CFIUS also intends to issue updates to its regulations within the next year to "refine" certain of its authorities and processes. The following are our key takeaways from the conference.
- CFIUS is highly focused on compliance and enforcement. In published remarks, Assistant Secretary for Investment Security Paul Rosen detailed the Committee's compliance and enforcement priorities and underscored CFIUS's commitment to impose penalties for violations both to hold parties accountable and deter future violations. Notably, he stated that two civil monetary penalties have already been issued in 2023 and several more are pending at various stages, in addition to other enforcement actions such as warning letters. For context, prior to this year, only two CFIUS penalties had ever been announced. Other panelists at the conference similarly emphasized increased enforcement efforts. Mr. Rosen and various panelists also highlighted the value of voluntary disclosures (which can be a significant mitigating factor when assessing potential enforcement actions) and advised that CFIUS has started receiving them for both mitigation violations and failures to make mandatory filings. CFIUS telegraphed its intention to start issuing more penalties with the release of its first-ever CFIUS Enforcement and Penalty Guidelines last October, but CFIUS's focus on enforcement remains a major shift in long-term Committee policy and practice.
- There will be updates to the CFIUS regulations within the next year. Nearly four years after new CFIUS regulations implementing the Foreign Investment Risk Review Modernization Act (FIRRMA) took effect, Mr. Rosen announced it is now time to "refine" some of them. Within the next year CFIUS will issue one or more notices of proposed rulemaking, which are expected to include regulatory changes to (1) improve the efficiency and effectiveness of reviews, (2) update CFIUS's penalty and enforcement authorities, (3) sharpen and enhance CFIUS’s tools relating to non-notified transactions, and (4) "broadly ensure the Committee’s tools and processes are best aligned to the current landscape."
- CFIUS is expanding its efforts to identify and review non-notified transactions, with critical technologies being a particular focus. Mr. Rosen announced that CFIUS is adding resources to detect and call in non-notified transactions that may present national security concerns. As we previously reported, in its Annual Report to Congress for FY 2022, CFIUS advised that it has largely worked through its backlog of older deals and is now more focused on identifying recent transactions. Mr. Rosen said that of the 19 filings CFIUS requested in 2022, "many ended up in mitigation or voluntary divestment." A separate CFIUS panelist commented that a lot of the non-notified transactions CFIUS calls in relate to critical technologies, which has been a particular focus for CFIUS. Though parties typically cooperate with CFIUS requests, Mr. Rosen noted CFIUS's willingness to unilaterally review transactions when parties refuse to file or cooperate with the Committee. He similarly stated that CFIUS has imposed—and is enforcing—mitigation where parties would not negotiate or cooperate.
- Companies under mitigation agreements should expect more active CFIUS oversight. Mr. Rosen said that CFIUS is ramping up its oversight activities, site visits, and questions to ensure compliance. This is particularly noteworthy given that CFIUS appears to be requiring mitigation measures in more transactions (e.g., in 2022, 23% of distinct transactions filed via notice resulted in CFIUS requiring mitigation to clear the transaction). Overall, parties should anticipate increasingly robust monitoring by CFIUS, including more involved scrutiny during site visits (e.g., employee interviews at all levels, spot checks of records). Panelists also emphasized the importance of site visits and a CFIUS representative noted that approximately 75% of mitigation violations have related to access restrictions and were almost all unintentional. Mr. Rosen also advised that CFIUS will be leaning more on third-party monitors and auditors regarding compliance oversight and actively engaging with them—and that CFIUS will not be shy in replacing third-party monitors that are not meeting CFIUS's expectations.
- CFIUS noted the importance of highlighting other legal authorities relevant to the notified transaction, such as export controls. The long-term standard has been that CFIUS should only mitigate national security risks when there are not other legal authorities sufficient to address them. During the conference, CFIUS panelists suggested that parties emphasize in their filings where other authorities are relevant, such as export controls to protect sensitive technology and the Health Insurance Portability and Accountability Act (HIPAA) to protect health data. An audience member asked whether state laws (e.g., regarding real estate transactions) could provide adequate authorities, and a CFIUS representative responded that CFIUS would not likely defer to state law and would want federal law to cover its concerns, but noted it would depend on the case.