CFIUS Issued Record-Setting 4 Penalties Last Year, Opened Other Probes

The uptick in penalties shows CFIUS is “more focused than ever on diligence, compliance, and enforcement,” said Paul Rosen, the Treasury Department’s assistant secretary of investment security, calling 2023 a “busy” year (see 2309150038). Before last year, CFIUS had only announced two penalties in its nearly 50-year history.

CFIUS rarely discloses specific details of enforcement actions, penalties it assesses or transactions it has worked to block or unwind. The committee said the four penalties last year involved “breaches of material provisions in mitigation agreements” -- the deals that CFIUS negotiates with companies to address national security risks from a particular foreign investment transaction.

After determining the companies violated their mitigation agreements, the committee’s “monitoring agencies” then “pursued prompt remediation and determined whether a civil monetary penalty was appropriate,” the report said. “CFIUS will continue to assess noncompliance on a case-by-case basis as it evaluates whether civil penalties should be assessed or if measures to address national security risk should be implemented.”

The report didn’t say how much the companies were fined, but Rosen said CFIUS last year “sharpened its review and enforcement toolkit while doubling down on efficiency and due diligence in reviewing and investigating covered transactions.” CFIUS in April proposed to further expand its enforcement powers, including through higher maximum penalties (see 2404110037).

CFIUS also conducted several investigations into whether parties had violated the committee's mandatory filing requirements -- “some of which resulted in issuing formal determinations of noncompliance” -- and received its first voluntary self disclosure for a potential failure to file with the committee. CFIUS said it didn’t impose any fines in those cases after it “considered the specific facts and circumstances,” but it did say the probes led Treasury to issue guidance in May 2023 about when CFIUS considers the completion date of a transaction to have occurred.

In that guidance, CFIUS said it considers the completion date to be the date when the foreign person obtains any equity interest in the U.S. business. Law firms called this a large shift for parties that for years had relied on "springing rights" for minority investments subject to CFIUS (see 2305300058 and 2308010057).

Despite the committee's increased enforcement activity, the report revealed that CFIUS saw a drop in notices and investigations from 2022 to 2023, down from 286 to 233 and 163 to 128, respectively. CFIUS in 2022 had initiated the most investigations since 2017 (see 2308010053).

But Rosen said CFIUS “continues to confront a complex national security landscape and significant caseload.” He also said the CFIUS process has become more efficient, noting that the committee reduced the “withdraw and refile rate” from 23% percent in 2022 to 18% in 2023, the first decrease in five years. CFIUS also increased the number of transactions it cleared in the first 30 or 45 days from 58% percent in 2022 to 66% in 2023.

Of the 233 covered notices the committee received last year, 57 were withdrawn. In 43 of those cases, the parties filed a new notice. In other instances, the parties withdrew the notice and abandoned the transaction either for commercial reasons or after CFIUS said it couldn’t “identify mitigation measures that would resolve its national security concerns,” or because CFIUS offered mitigation measures “that the parties chose not to accept.”

The committee also said it identified “thousands” of potential non-notified transactions last year, and Treasury opened non-notified inquiries for about 60 of them and formally requested a filing for 13, around the same amount as the 11 requested by CFIUS in 2022. The committee said those numbers don’t reflect three cases in which a non-notified party voluntarily filed a declaration or notice with CFIUS before being asked to do so by the committee.

CFIUS said it took an average of 7.86 business days from the date it received a draft covered notice to the date when it provided written comments on the notice, about the same as the 7.4 days it averaged in 2022. The committee took an average of 45.8 days to close a review of a notice -- about the same as 2022 -- and an average of 85.8 days to close an investigation, a slight increase from the 80.5 days it averaged in 2022.

The committee also received 109 declarations, a drop from the 154 it received in 2022. Of the 109 declarations, 36 were subject to mandatory filing requirements. The committee said it asked filers of 20 of the declarations to file a written notice, was unable to conclude action on six declarations and didn’t reject any declarations submitted in 2023. CFIUS averaged 4.2 days from the date it received a declaration to the date when it accepted the declaration, the report said, and averaged 29.9 calendar days to complete reviews of declarations, both slightly quicker than in 2022.

Investors from Canada accounted for the most declarations in 2023, at 13 total declarations. Investors from Japan and France accounted for the second- and third-most declarations, with 11 each.

China filed the highest number of notices with CFIUS in 2023, accounting for 14% of the total, or 33 notices. Investors from the United Arab Emirates were close behind with 22 notices, followed by the U.K. and Singapore at 19 each.

The report also said CFIUS reviewed 153 covered transactions involving U.S. critical technology companies in 2023. Fourteen of those transactions involved acquirers from Canada and the U.K., and seven involved buyers from China. Most involved companies in the “computer and electronic product manufacturing” sector and the “professional, scientific, and technical services sector.”

CFIUS said it imposed mitigation measures in 35 instances last year, close to 21% of “the distinct 2023 notices.” Those measures included limits on transfers of intellectual property or trade secrets; guidelines and terms for handling certain sensitive information; steps to ensure only “authorized persons have access to certain technology”; steps to ensure that “computer networks are segregated"; actions to destroy “sensitive information”; restricting the hiring of “certain personnel”; and more.

The report added that foreign governments remain “extremely likely to use a range of collection methods to obtain critical U.S. technologies,” including through cyber attacks from China, Russia, Iran and North Korea. “Federal research institutions, universities, and corporations are regularly targeted by cyber actors seeking proprietary information,” the report said.

CFIUS also said it’s continuing to hire more employees as it faces an increasing workload. Treasury’s Office of Investment Security “has made significant progress in growing its staff commensurate with the increased workload of the Committee across all functions since the passage of” the Foreign Investment Risk Review Modernization Act in 2018.