CFIUS Issues New Enforcement and Penalty Guidelines

7 min read

On October 20, 2022, the US Department of the Treasury, as Chair of the Committee on Foreign Investment in the United States (CFIUS), released the first-ever CFIUS Enforcement and Penalty Guidelines (Guidelines). The Guidelines describe how CFIUS identifies, processes, and assesses violations, including failure to make a mandatory filing, material misstatements or omissions, and breaches of CFIUS mitigation requirements. Although, to date, CFIUS has only announced the issuance of two penalties, the release of the Guidelines is consistent with the US Government's increasingly robust efforts to protect US national security. We anticipate that CFIUS will use its substantially increased monitoring and enforcement resources more aggressively going forward.


The CFIUS statute authorizes CFIUS to impose monetary penalties and seek other remedies for violations of the CFIUS statute or regulations, namely failure to submit mandatory filings, violating CFIUS mitigation, and making material misstatements, omissions, or false certifications to the CFIUS. Pursuant to the CFIUS regulations, any person that fails to submit a mandatory filing or that violates CFIUS mitigation requirements may be liable for a civil penalty up to $250,000 or the value of the transaction, whichever is greater. Additionally, any person that makes a material misstatement, omission, or false certification to CFIUS may be liable for a civil penalty up to $250,000 per violation. 

Historically, CFIUS has only announced two penalty actions: one in 2018 for $1 million for repeated violations of a mitigation agreement and another in 2019 for $750,000 for violation of an interim mitigation order. Thus, although the imposition of penalties for violations has so far been rare, when penalties are issued they can be costly. 

The Guidelines

The Guidelines describe the three categories of conduct that may constitute a violation, the process CFIUS generally follows in imposing penalties, and some of the aggravating and mitigating factors it considers in determining whether a penalty is warranted and the extent of any such penalty. 

Conduct That May Constitute a Violation 

The Guidelines identify three categories of acts or omissions that may constitute a violation: 

  1. Failure to timely notify CFIUS of a transaction triggering a mandatory filing;
  2. Conduct that is prohibited by or otherwise fails to comply with CFIUS mitigation requirements; and
  3. Material misstatements or omissions in information filed with CFIUS (including in informal consultations), as well as false or materially incomplete certifications submitted in connection with CFIUS filings or mitigation.

Consistent with past CFIUS practice, the Guidelines note that a violation will not necessarily lead to a penalty or other remedy, since CFIUS will exercise discretion in determining when a penalty is appropriate. For example, in calendar year 2020, CFIUS did not assess or impose any penalties despite instituting remediation activities for three mitigation agreements in response to minor violations. 

Violations come to the attention of CFIUS in a myriad of ways, including from, but not limited to: the parties themselves (via voluntary disclosures or in response to CFIUS inquiries), monitors and auditors for CFIUS mitigation agreements, the result of CFIUS site visits, public tips, other government agencies, and publicly available information. 

The Penalty Process

The Guidelines also address the steps taken when penalties are issued, which track with the CFIUS regulations. First, CFIUS sends the person (whether an individual or entity) that may be liable for a penalty (a Subject Person) a notice stating the basis for the penalty and the penalty amount. The Subject Person then has 15 business days to submit a petition for reconsideration to CFIUS. If a petition is timely received, CFIUS will consider it before issuing a final penalty determination within 15 business days of receipt of the petition for reconsideration. Otherwise, CFIUS will issue a final penalty determination to the Subject Person. These timelines may be extended by agreement between the Subject Person and CFIUS. The regulations also specify that the Subject Person and CFIUS may reach an agreement on a remedy any time before a final penalty determination is issued.

Aggravating and Mitigating Factors

The Guidelines highlight six categories of aggravating and mitigating factors the Committee will use to determine the appropriateness of any penalty (including the amount for a monetary penalty) in response to a violation:

  • Accountability and future compliance, which considers protection of national security, ensuring responsible parties are held accountable, and incentivizing future compliance  
  • Harm, i.e., the extent to which the violation impaired or threatened to impair US national security
  • Negligence, awareness, and intent, including any efforts to conceal or delay sharing information about a violation with CFIUS and the seniority of individuals who knew or should of known about the relevant conduct within the company
  • Persistence and timing, including how long it took the Subject Person to become aware of the conduct and notify CFIUS, the frequency and duration of the conduct, and the length of time since the mitigation agreement was established or a transaction subject to a mandatory notification requirement closed
  • Response and remediation, including whether a voluntary self-disclosure was made to CFIUS (and its related details and timing), the level of cooperation with CFIUS, any remediation steps and how quickly and effectively they were taken once a violation was known, and whether there was an internal review within the company to prevent a reoccurrence of violations
  • Sophistication and record of compliance, including the person's history and familiarity with CFIUS (including any prior CFIUS mitigation), a range of factors relating to the company's compliance policies, training and culture, the experience of other US and foreign governmental authorities’ assessment of the company’s compliance (as applicable), and the extent to which compliance measures specific to the CFIUS mitigation requirements had been appropriately implemented 

These factors are not surprising and are generally consistent with other US regulatory bodies' approaches to assessing potential actions in relation to violations of their regulations. These include giving positive weight to self-disclosure and a parties' own remedial action, while, in contrast, giving negative weight to consistent violations, the absence of a robust compliance posture, and lack of transparency. 

We do note that the Guidelines are consistent with the long-standing messaging of CFIUS monitoring and enforcement authorities about the importance of treating CFIUS mitigation as a collaborative engagement between CFIUS and the parties. If any party becomes aware of a breach of a mitigation agreement, CFIUS expects prompt notification and transparency, and to work together to address any issues in a constructive way that ensures mitigation measures are prompt and effective. 

Why This Matters

The new Enforcement and Penalty Guidelines provide the first public insight in CFIUS history on the Committee's calculus when determining the appropriateness and amount of penalties for violations. Of these, timing and transparency in reporting violations are key elements in reducing the likelihood of a substantial penalty. Additionally, the release of the these Guidelines several months after the first-ever Presidential Directive defining national security factors for CFIUS to consider in evaluating transactions underscores the US Government's increasingly robust approach to protecting US national security. By highlighting the penalties involved for violations, the Committee likely hopes to incentivize compliance with CFIUS mitigation agreements, increase the number of mandatory filings, and ensure maximum transparency in communications with CFIUS during the Committee's evaluation of transactions.   

We also note that since the passage of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), CFIUS officials have consistently stated that CFIUS intends to ramp up its monitoring and enforcement activities. FIRRMA provided substantial additional resources, which enable greater oversight by CFIUS of mitigation agreements as well as improved abilities to identify and call in non-notified transactions of interest (including those that may have been subject to mandatory filing requirements). Although there has not been a significant number of announced penalty actions since FIRRMA was enacted, we anticipate that CFIUS intends to start using these authorities more going forward, particularly as parties are now on notice about criteria CFIUS will utilize to assess whether penalties should apply. 

It is also noteworthy that as CFIUS's monitoring and enforcement resources have increased in recent years, CFIUS now has a range of tools to more effectively monitor compliance and identify violations. In addition to internal capabilities, CFIUS can leverage external sources, from tips from the public—which can include competitors and whistleblowers—to public information and information from other agencies, all of which increase the possibility that a violation will more directly result in CFIUS actions. In light of this enhanced monitoring and enforcement environment, it is now more important than ever for parties to carefully consider whether contemplated transactions might trigger a mandatory CFIUS filing as well as for companies operating under mitigation requirements to prioritize compliance. Mitigated companies should implement robust compliance mechanisms, develop a strong and collaborative relationship with CFIUS monitoring agencies, and disclose violations or suspected violations promptly (which is often itself a specific requirement in mitigation agreements).

1 See The Committee on Foreign Investment in the United States Annual Report to Congress, Report Period: Calendar Year 2020, p. 47, available at

Michael Crowley (White & Case, Law Clerk, Washington, DC) contributed to the development of this publication.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2022 White & Case LLP