On 11 April 2024, the U.S. Department of the Treasury (“Treasury”), in its capacity as chair of the Committee on Foreign Investment in the United States (“CFIUS”), published a Notice of Proposed Rulemaking (“NPRM”, “the Proposed Rule(s)”) that, in Treasury’s words, is intended to “sharpen and enhance CFIUS procedures and enforcement authorities to protect national security.” Treasury is accepting public comments for 30 days.
The main elements: The NPRM (1) expands CFIUS's authority (or arguably merely codifies existing CFIUS practice) to request information from transaction parties in specific circumstances, (2) establishes a 3-business day timeframe for transaction parties to respond to CFIUS mitigation proposals, and (3) increases both the dollar amount of CFIUS penalties and the types of infractions that can be penalized.
The expected impact: The requirement that parties provide a substantive response to mitigation terms within 3 business days or risk rejection of their filing, could materially change the dynamic between the parties and the Committee during mitigation negotiations involving complex terms. CFIUS may face less pressure to reach accommodations with parties if CFIUS has a discretionary mechanism to reset the process and avoid the case ending up before the President (as would otherwise be the case if the parties do not seek to withdraw their notice at the end of the investigation period). Furthermore, while parties should be more carefully assessing feasibility of proposed mitigation in light of CFIUS’s more aggressive mitigation enforcement posture, a 3-business day response rule may create pressure on parties to rush their analysis and accept compliance risk to avoid the commercial cost of rejection and resetting of the CFIUS clock. The expansion of CFIUS’s authority to request information and the increased per-violation penalty, while having some potentially concerning implications, appear to have a reasonable basis generally and are not likely to affect the vast majority of parties that go before CFIUS.
The big picture: CFIUS wants to make it crystal clear to the investment community that it is focused on enforcement and compliance, and it is quite explicit in this regard in the associated press release. It is very notable that CFIUS chose not to include within this NPRM any changes to streamline the process and reduce unnecessary burdens on parties, changes that have been foreshadowed by Treasury officials for nearly a year. The net result is that those long-standing aspects of the CFIUS process that were intended to ensure that it operated in a manner that was consistent with the historical open investment policy of the United States are being overtaken. As CFIUS starts to look at investment more through an enforcement lens, parties will likely view the process as potentially more adversarial than they have in the past.
The takeaway: CFIUS’s continued emphasis on mitigation and enforcement underscores the critical importance for parties to carefully consider whether a filing is required or warranted; engage with CFIUS to make sure that its review is grounded in an accurate understanding of the transaction, businesses, technology, and industry; actively manage mitigation discussions to achieve a result that will preserve the value of the transaction and be capable of effective implementation; and then meticulously comply with any mitigation agreement that is agreed.
Our analysis of the specific proposals in the NPRM follows.
1. Expanded authority to require transaction parties to provide information
Change: Treasury appears to believe that CFIUS’s existing information gathering power could be construed as being limited to only information related to a transaction’s potential status as a “covered” transaction (i.e., subject to jurisdiction). The NPRM clarifies that the Committee is not limited just to collecting information to assess whether a transaction is covered, but can also request information to determine whether it may raise national security considerations or trigger a mandatory filing requirement. Further, the rule expressly gives CFIUS the authority to require information to assess mitigation compliance and accuracy of information submitted to CFIUS.
Impact: Parties who already assumed that CFIUS had more-or-less unlimited authority to request information probably will not view this Proposed Rule as having much of an impact, and the general ability of CFIUS to require information to assess compliance with law seems not to be particularly problematic. However, with respect to transactions not filed with CFIUS, the existing regulations intentionally required CFIUS to confirm jurisdiction before seeking information to assess substantive national security risks. This served as a limitation on use of the CFIUS process to gather information without a well-founded belief that the transaction was within CFIUS’s jurisdiction, and that limitation will no longer be in place.
2. Time frame for responding to proposed mitigation terms
Change: To prevent transaction parties from taking “longer than is reasonable to respond to the Committee’s proposed [mitigation] terms”—and with no statutory authority to simply pause the clock—the Proposed Rule would impose a 3-business day period for transaction parties to provide substantive responses to proposed mitigation terms, unless an extension is granted by the Staff Chairperson. This mirrors the time frame for responding to requests for information submitted in connection with a Notice, and parties who fail to timely respond face the same potential sanction: the Committee can reject the filing, and parties would then have to refile, which would restart the clock.
Impact: A bedrock principle of CFIUS’s posture of operating in a manner consistent with the historical U.S. open investment policy had been that CFIUS operated according to fixed timeframes. In practice, parties almost invariably ultimately agree to withdraw and refile if CFIUS needs more time than the statutory period allows or the parties need more time to respond to a CFIUS mitigation proposal. However, the principle remained that CFIUS does not have the authority to force parties to withdraw and refile if CFIUS would like more time on any particular transaction. The only exceptions are if the parties submit false or misleading information, materially change their transaction, or if they fail to respond to timely requests for information (which are usually requests for factual information). These circumstances arise rarely.
Mitigation, however, has become very common, and in our experience, CFIUS often does not disclose its concerns or propose mitigation until very late in the process, not as a strategy, but because of the challenges in developing consensus within the Committee. The real risk we see with the proposed change is that CFIUS will continue to share proposed mitigation terms only very late in the process and then will have substantial discretion in rejecting any explanation from the parties as to why they cannot provide a response to a mitigation proposal that CFIUS deems adequate within 3 business days. Responding to a mitigation proposal is not like responding to a request for factual information.
If the effect of the change is to force parties to accept mitigation proposals without fully doing their diligence, this raises increased risk of post-closing compliance challenges, which is in the interests of neither CFIUS nor of the parties (especially where CFIUS is refashioning itself as an enforcement body). If the effect of the requirement is to divert party attention away from engaging in diligence on the CFIUS proposal and to preparation of a justification for a request for additional time (which may or may not be granted), that too seems to be counter to the interests of either CFIUS or the parties.
There may be circumstances where parties are not sufficiently incentivized to negotiate the mitigation agreement, such as in the context of a review of a transaction that the parties have already closed, but CFIUS is not without remedies in those circumstances (e.g., threatening to exercise its authority to impose terms on unwilling parties). The NPRM does not explain why those limited circumstances justify this extraordinary, proposed change. We look forward to CFIUS reconsidering this proposal or adding additional qualifications that ensure that it would only apply in those circumstances where the parties are not exercising appropriate efforts to respond to a CFIUS proposal.
3. Increased civil monetary penalties
Change: To increase the deterrent effect of its penalty authority, the Proposed Rule would increase the maximum penalty for various violations from the greater of $250,000 per violation or the value of the transaction, to the greater of $5,000,000 or the value of the transaction. This will apply to material misstatements/omissions, failure to file a mandatory declaration, or violation of material provisions of mitigation terms. Separately, the Proposed Rule also included penalties to cover certain requests for information related to monitoring or enforcement or other Committee requests for information.
Impact: The impact of this change ultimately is fairly limited. The vast majority of all transactions have a value greater than $5,000,000, so the potential maximum penalty for such transactions already exceeds this amount. The NPRM lays out certain circumstances where the transaction value is not an effective measure of the value of the economic activity and, therefore, does not create a meaningful disincentive to avoid violations, so the Proposed Rule is largely reasonable in that light.