Treasury to Finalize Higher CFIUS Penalties, Broader Subpoena Powers

Although the rule is largely unchanged from the proposed version Treasury issued in April (see 2404110037), it notably nixes one provision that would have set a three-day deadline for companies to respond to a CFIUS mitigation proposal, a suggestion that was widely criticized by law firms (see 2405310022).

The final rule, which was released by Treasury Nov. 18 but was not yet scheduled for publication in the Federal Register as of press time, will give the committee a “sharper scalpel to more quickly and effectively address national security risks that arise in CFIUS reviews,” said Paul Rosen, Treasury’s assistant secretary for investment security. The agency said the changes represent the first “substantive update” to CFIUS monitoring and enforcement regulations since the Foreign Investment Risk Review Modernization Act of 2018.

The changes will take effect 30 days after they’re published in the Federal Register.

The rule will notably raise maximum civil penalty violations from $250,000 per violation to $5 million per violation. The agency said it received pushback about this change in public comments, including from one commenter who said most violations are accidental or caused by “a lack of understanding of the mitigation terms,” so an increase in max penalty amounts wouldn’t do much to deter those violations. Others, including the Chinese government, said higher penalties could shake foreign investors’ confidence in the U.S. market.

Treasury is keeping the change partly because the current penalty language is outdated -- it was “issued over 15 years ago and has never been adjusted,” the agency said. It also said its experience reviewing hundreds of investments and monitoring compliance with over 200 mitigation deals -- a set of conditions agreed to by the committee and the transaction parties to address a deal’s national security risks -- has shown that higher max penalties “would be more effective to address the conduct that occurred and to deter future violations.”

It also echoed the argument it made in its proposed rule when it said companies are sometimes able to artificially structure multimillion-dollar deals so that they technically have a value of zero dollars, which undercuts the penalty amounts CFIUS can impose.

Treasury stressed that a violation won’t automatically result in a fine, but a higher maximum penalty will “serve as an upper limit in cases where a penalty is appropriate.” Each case “will continue to be based on the nature of the violation; and CFIUS will continue to take into account the aggravating and mitigating factors surrounding the conduct,” Treasury said.

Although Treasury kept the higher max penalty amounts, it eliminated a proposal that would have required companies to respond to a CFIUS mitigation proposal within three business days. Several commenters told Treasury that mitigation proposals can be complex and time-consuming to analyze, while others said the three-day time frame could incentivize parties to hurry through conversations about mitigating a deal’s national security risks, which could undermine the mitigation agreement.

Law firms and other commenters suggested CFIUS delete the deadline entirely or at least allow five or 10 business days for a response. Treasury chose to remove the requirement for all companies to submit a response within three days, and it instead will give the committee discretion to impose a deadline “of no fewer than three business days” in certain cases when the parties to a deal are “less motivated to respond promptly to a mitigation proposal.”

CFIUS may issue a deadline depending on the “nature of the transaction, the time remaining in the investigation, and the transaction parties’ past responsiveness, among other factors,” Treasury said.

“The Committee recognizes the importance of allowing sufficient time for consideration and negotiation, and also appreciates that many transaction parties negotiate with the Committee expeditiously,” Treasury said. “However, there are some instances in which the timeliness of resolution is not a compelling motivation for the transaction parties, and it is in those situations that the Staff Chairperson may determine it appropriate to impose a time frame for a party’s response.”

Treasury also said it received comments on a change that will expand the types of information CFIUS can require transaction parties and “other persons” to submit, including involving non-notified transactions, which are transactions that companies don’t voluntarily disclose to the committee. Under the final rule, parties may be subpoenaed or otherwise required to provide CFIUS information about whether their non-notified deal raises national security concerns or meets the criteria for a mandatory declaration.

Although one commenter said they feared this language would lead to no "limitation” on the types of information companies could be required to provide to CFIUS, Treasury said it didn’t make any changes to the rule’s wording.

CFIUS will specifically seek information “to enable it to determine whether a transaction is a covered transaction, whether it may raise national security concerns such that the Committee should review it” and “whether the transaction is of a type for which submission of a declaration was mandatory,” Treasury said. “Because any request made or subpoena issued must be in furtherance of one of the foregoing purposes, as specified in the proposed rule, the Committee’s authority is not ‘without any limitation whatsoever,’ as suggested by the commenter.”

Commenters also asked Treasury for clarity about the “other persons” CFIUS may reach out to as it seeks information about a deal. The agency declined to give an “exhaustive list” of the types of people CFIUS may speak to or subpoena, although they may include third-party banks, underwriters or “service providers to transaction parties,” Treasury said. “There may be situations in which relevant information is possessed by other third parties and the Committee would consider it appropriate to seek information from such third parties.”