CFIUS Publishes Enforcement Details, Including $60M Fine of T-Mobile

“In the last few years, CFIUS has redoubled its resources and focus on enforcement and accountability, and that is by design,” said Paul Rosen, the Treasury Department’s assistant secretary for investment security. “If CFIUS requires companies to make certain commitments to protect national security and they fail to do so, there must be consequences.”

The enforcement and penalty information published this week by CFIUS is a shift for a government body long viewed by industry lawyers and firms as secretive: the committee had announced only two penalties in its nearly 50-year history before 2023. CFIUS has sought to publish more information and guidance in recent years, including enforcement and penalty guidelines in 2022 (see 2211030047) and guidance on the use of “springing rights” deals last year (see 2305300058).

CFIUS revealed that it has already imposed three penalties so far this year, including a fine of T-Mobile US, Inc. for violating a national security agreement the company had signed in 2018 in connection with T-Mobile’s merger with Sprint, which resulted in some foreign ownership. CFIUS said T-Mobile “failed to take appropriate measures to prevent unauthorized access to certain sensitive data” and didn’t report “incidents of unauthorized access promptly” to the committee, “delaying the Committee’s efforts to investigate and mitigate any potential harm.”

These violations “resulted in harm to the national security equities of the United States,” CFIUS said. T-Mobile has since worked with the committee to improve its compliance procedures and is cooperating with the U.S. government “to ensure compliance with its obligations going forward.”

T-Mobile said the issue stemmed from "technical issues during our post-merger integration with Sprint that affected information shared from a small number of law enforcement information requests out of the hundreds of thousands that we process each year," according to an Aug. 15 emailed statement. This "was not a breach, there was no intrusion and no bad actor was involved. The noted unauthorized access was that information was sent to the wrong law enforcement agency, but it never left the law enforcement ecosystem."

T-Mobile takes "matters like this seriously" and reported the issue "in a timely manner," the company said. "We are glad to have reached a resolution and look forward to continuing to work cooperatively with the law enforcement community to help keep the country and our customers safe."

CFIUS also said it issued a $1.25 million penalty -- the “maximum amount authorized under the applicable CFIUS regulations” -- earlier this year against a party to a transaction for filing a voluntary notice and other information to the committee that had “five material misstatements, including forged documents and signatures.” The committee said the foreign acquirer made the false statements about the source of its funding and made other “misstatements” during a CFIUS review of the deal, “which impaired the Committee’s ability to assess the risk to national security arising from the subject transaction and increased the potential harm to national security.”

CFIUS said it rejected the filing and the transaction was abandoned.

Another penalty this year resulted in an $8.5 million fine of a company for breaching a national security agreement. CFIUS said the firm’s majority shareholders “orchestrated an initiative” to remove its independent directors, “thereby causing the Security Director position to be vacant and the board of directors’ government security committee” to be defunct. CFIUS agreements sometimes require companies to hire a security director to oversee their compliance efforts, the committee said in new guidance about its mitigation procedures.

The company violated the agreement “by failing to ensure that the compliance oversight responsibilities assigned to the Security Director” and to the company’s government security committee “were or could be performed,” CFIUS said, “increasing the risk to the national security of the United States.” The company also possibly violated other terms of the NSA through transfers of certain intellectual property to third parties.

CFIUS also described three penalties it issued in 2023, one in 2019 and one in 2018, totaling about $3 million in total fines. They involved a company that failed to maintain a statement on its website about its foreign ownership, as required by the committee; two companies that failed to divest a foreign acquirer’s interest in the U.S. business by the deadline outlined in their national security agreements; a company that violated a CFIUS interim order, including by failing to restrict and monitor access to protected data; and a company that “repeatedly” violated its national security agreement, including by failing to establish required security policies and failing to provide adequate reports to CFIUS.

In cases where a company commits a violation, but CFIUS decides against a fine, the committee said it may issue a Determination of Noncompliance Transmittal (DONT) Letter. The letter notifies the parties about a violation but says the government has decided there may be enough mitigating factors where a penalty isn’t warranted. The letter may also seek “additional information” from the parties as CFIUS determines if a penalty is actually warranted, the committee said.

CFIUS generally issues DONT letters only to “first-time, inadvertent, and limited-scope” violators that didn’t harm national security and “had little potential to do so,” it said. The committee also takes into account whether the parties made “timely and complete voluntary self-disclosures, effectively and promptly remediated the violations, fully cooperated” with CFIUS, have a strong compliance program or “can demonstrate that the violation was related to difficult extrinsic circumstances.”

“However, even where some or all of such factors are present, CFIUS may nevertheless determine that the violation merits a penalty, in which case the presence of these mitigating factors will be taken into consideration in determining the amount and/or terms of the penalty,” the committee said.

CFIUS listed several examples of cases in which it issued a DONT letter instead of a penalty:

• A party that didn’t submit a timely mandatory declaration when it was a first-time offense and there was no harm to national security and little potential for harm
• A party that failed to “limit receipt and distribution of certain protected information to a segregated network,” as required by a CFIUS Letter of Assurance
• A party that transferred assets to another company controlled by foreign parties in violation of a CFIUS order
• A party that failed to stop unauthorized access to restricted intellectual property.

CFIUS also stressed that it’s continuing to search for non-notified transactions -- deals that weren’t filed with the committee but maybe should have been. Treasury has “dedicated staffing, training, resources, and outreach to support this critical effort” since 2020, CFIUS said, adding that the committee screens “thousands” of deals per year. It urged companies and others to submit tips to CFIUS if they have information about deals that should be disclosed or about possible violations of CFIUS agreements.