Article Law360

New Proposal Signals Sharper Enforcement Focus At CFIUS

In this article for Law360, partners Mario Mancuso, Luci Hague and Justin Schenck discuss key takeaways for private equity investors and companies about a proposed rule that would significantly expand the enforcement authorities of the Committee on Foreign Investment in the United States (CFIUS). 

On April 11, the U.S. Department of the Treasury released a proposed rule that aims to sharpen the Committee on Foreign Investment in the United States' enforcement authorities.

If the rule becomes final in its current form, it will, among other things, increase the potential maximum penalty that CFIUS may impose for violations of its regulations or mitigation agreements, and greatly expand CFIUS' legal authority to obtain information about nonnotified transactions — transactions that were not voluntarily filed with CFIUS.

The rule clearly signals to market participants that CFIUS takes enforcement seriously and intends to actively pursue potential violations. It follows CFIUS' issuance of enforcement and penalty guidelines in October 2022,[1] and builds on the monitoring and enforcement apparatus that was created in the Foreign Investment Risk Review Modernization Act, or FIRRMA.[2]

Although CFIUS has publicly released information on only two penalties, Treasury officials have stated that CFIUS has issued others,[3] and the text of the rule strongly indicates CFIUS has developed sophisticated monitoring, enforcement and settlement practices. We expect that CFIUS' focus on enforcement will continue to increase, regardless of the outcome of the 2024 presidential election.

We discuss below three highlights from the rule and related takeaways.

1. The rule increases the maximum penalty for certain violations of CFIUS regulations and conditions 20 times — from $250,000 to $5 million.

CFIUS is currently empowered to impose penalties up to $250,000 or the value of the transaction, whichever is greater, in connection with each material violation of a mitigation agreement, material condition imposed by CFIUS or order that CFIUS issues.

The rule would permit CFIUS to impose the greatest of the following four options, for each violation that occurs:

  1. $5 million;
  1. The value of the violating party's interest in the U.S. business or real estate at the time that the transaction occurred;
  1. The value of the violating party's interest in the U.S. business or real estate at the time that the violation occurred; or
  1. The value of the transaction.

The rule clearly indicates CFIUS does not believe that the current maximum penalty of $250,000 or the value of the transaction is sufficiently high to deter or penalize violations.

For example, an investor that violates a national security agreement by obtaining sensitive commercial data may be willing to pay $250,000 or more to obtain the data — thus pricing in the potential cost of noncompliance being detected. By making violations much more costly and increasing CFIUS' flexibility in calculating potential penalties, the rule is likely to reduce moral hazard and advance the policy goals of the CFIUS legal regime.

2. The rule provides CFIUS with greater latitude to request or compel parties to a transaction — or "other persons" — to provide information about a transaction.

CFIUS regulations provide that the agency may contact parties to nonnotified transactions to request information that would enable it to determine whether the transaction is within its legal jurisdiction — in other words, whether CFIUS has authority to review the deal.

CFIUS can ask, for example, questions to discern whether the investor in question is a "foreign person" for CFIUS purposes,[4] and if the transaction perimeter includes a U.S. business, as defined in Title 31 of the Code of Federal Regulations, Section 800.252.[5]

Although CFIUS has in certain matters sent questions that aim to gather information about the U.S. business to evaluate if the U.S. business is sensitive from a national security perspective, it has always been technically optional for parties to respond.

The rule proposes three important changes to the status quo.

First, the rule would allow CFIUS to request or compel information about a transaction from so-called other persons, rather than just the parties to the transaction. Neither FIRRMA nor CFIUS' current regulations empower CFIUS to seek information about a transaction from persons who were not parties to the transaction.[6]

It is not clear who CFIUS would intend to target with these requests, or how the proposed provisions will align with FIRRMA's confidentiality provisions. In theory, the rule's changes could permit CFIUS to require third parties, such as mergers and acquisitions bankers, to provide information about a nonpublic transaction, even one that has not signed; initiate an agency notice concerning the deal; and then impose conditions on, or issue an order with respect to, the matter — without the parties themselves providing any information to inform CFIUS' assessment or actions.

Second, the rule would permit CFIUS to request or compel information that would inform not just its jurisdictional assessment, but also its national security assessment and whether a transaction triggered a mandatory CFIUS filing requirement.

Combined with the first change, this suggests that the rule would enable CFIUS to request information from third parties about a transaction to determine if the transaction could raise national security considerations. This determination is a legal predicate to CFIUS requesting that parties to a transaction file a formal notice of the deal.

In other words, CFIUS could request that parties to a transaction file a notice based on information collected entirely from third parties.

Third, the rule would enable CFIUS to compel a party to provide information via subpoena, if CFIUS deems a subpoena appropriate. To date, CFIUS has not publicly stated that it has issued a subpoena to parties in connection with a transaction, and the rule suggests that CFIUS would use its subpoena power only after parties fail to respond to a request from CFIUS to provide information voluntarily.

3. The rule imposes deadlines on transaction parties' responses to CFIUS mitigation proposals.

If CFIUS identifies unresolved national security concerns arising from a transaction and believes that those concerns can be addressed through mitigation measures, CFIUS will typically proffer the transaction parties a draft national security agreement outlining proposed conditions.

Currently, there is no deadline by which transaction parties must respond. The rule explains that CFIUS believes that the absence of a formal deadline has elongated CFIUS' engagement with parties, and caused parties to withdraw and refile notices in order to obtain more time to negotiate — thus preventing CFIUS from concluding all action on a case within its statutory 45-day period of review and investigation.

As a result, the rule proposes that parties would be required to respond to CFIUS within three business days of receiving proposed mitigation terms or subsequent proposals for revision to such terms. Although CFIUS "may grant reasonable extension requests on a case-by-case basis," these extensions are not guaranteed, and failure to submit an adequate response to CFIUS within three business days may result in CFIUS rejecting the filing and thus restarting the clock on its review of the deal.

Importantly, the 45-day statutory period for investigations was established 36 years ago under the Exon-Florio regime. At the time, the very concept of mitigation or voluntary undertakings from parties to address identified national security risks was suspect. Many Treasury officials believed that these commitments were equivalent to performance requirements and, in any event, unenforceable.

Although more cases than ever conclude with execution of a national security agreement and CFIUS' authority to require mitigation measures was codified in FIRRMA, the timeline in which CFIUS is expected to conclude all action on a case — with or without mitigation — remains the same as it was over three decades ago.

Another potential solution to these timing challenges might be to amend FIRRMA to provide for an automatic extension of CFIUS' investigation period when CFIUS determines that it will require mitigation measures to conclude all action on a deal.


  • CFIUS' enforcement focus is here to stay. The rule clearly signals to investors and companies that CFIUS intends to exercise its enforcement authorities vigorously and in all relevant contexts. Parties submitting information to CFIUS, whether in a formal filing, in response to a Q&A or otherwise should exercise diligence to ensure that such information is complete and accurate.
  • Responses to CFIUS' requests for information are voluntary, but only up to a point. The move to codify CFIUS' subpoena powers suggests that CFIUS will use this mechanism in the future to obtain information that parties would not otherwise provide voluntarily.
  • It is already difficult to fly under CFIUS' radar — and it will become even more challenging if the rule is enacted in its current form. While transaction parties can expect that CFIUS will become aware of deals based on press releases and securities filings, CFIUS has now indicated that it will gather information from commercial third parties about transactions in which it takes an interest.
  • The rule is not final. CFIUS has requested public comments on the rule within 30 days after the rule is published in the Federal Register, and such comments may inform changes to the rule's substance and its potential changes to CFIUS processes.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.




[4] 31 C.F.R. § 800.224.

[5] 31 C.F.R. § 800.252.

[6] 31 C.F.R. § 800.801(a).