For most of its 45-year history,1 the Committee on Foreign Investments in the United States (CFIUS) has been limited to reviewing only investments that could result in "control" of a U.S. business by a foreign entity.2 What's more, CFIUS filings were generally voluntary, limiting the committee's ability to identify and remedy at-risk deals (although CFIUS has always had the authority to initiate formal reviews).

That all changed with FIRRMA, the Foreign Investment Risk Review Modernization Act of 20183 (see What Corporate Lawyers Need to Know About Changes in U.S. Foreign Investment Laws.). FIRRMA broadened CFIUS's jurisdiction and authority by expanding the scope of foreign investments subject to review.4 Most CFIUS experts expect CFIUS to become increasingly active and proactive in its reviews going forward.

As part of this trend, in April 2019, CFIUS published a notice on its website that in 2018 it had issued a $1 million fine for breaches of a 2016 CFIUS mitigation agreement. The foreign investment watchdog imposed the hefty, unprecedented civil penalty on an unnamed entity for its "failure to establish requisite securities policies and failure to provide adequate reports to CFIUS." Although CFIUS has always had the authority to impose fines for breaches of a mitigation agreement, this is the first time that CFIUS announced that it had exercised such authority.

The fine serves as a clear signal for all parties going through CFIUS review, particularly those involving a mitigation agreement: to be successful, they must actively monitor and maintain ongoing communication with CFIUS and its agencies to ensure that they meet the terms of the agreement.

What's in a Mitigation Agreement?

After initial review of a foreign investment for national security considerations, CFIUS may initiate a formal 45-day investigation to look more closely at the deal.5 If the agency then determines that the transaction does indeed pose a threat to U.S. national security interests, CFIUS has the authority to "take any necessary actions in connection with the transaction" in order to protect national security.6

CFIUS's mitigation conditions, which depend on the nature and severity of concerns, are rolled up into a mitigation agreement. Agreements vary significantly in length and scope: they can be as simple as requiring a Letter of Assurance in which the parties agree to take steps to address security concerns.7 On the other hand, CFIUS may require an agreement that not only imposes operational restrictions but may also require the restructuring of the transaction.8 Common types of mitigation measures include:9

  • Divesture of assets: CFIUS may require asset relinquishment and divesture of certain investors.
  • Imposing controls on access: CFIUS may require measures that control and restrict access, including only permitting authorized personnel to have access to certain technology, products, and sensitive information, and improved security measures.
  • Protocols and procedures updates: As part of the mitigation plan, CFIUS may require updates on the company's operational protocols and procedures. Additionally, CFIUS may require additional compliance training for employees – such as on the proper use and handling of sensitive information.
  • Establishing audit and reporting requirements: Generally, mitigation agreements may require third-party audits and will always include a process to identify, respond to, and report discovered or suspected violations.

Once a mitigation agreement is established, the parties to the transaction must implement all specified steps in order to proceed with the transaction. Additionally, CFIUS may require that they appoint a third-party monitor to oversee and report on the progress of the mitigation plan in place10 and, at the same time, facilitate implementation of the plan.

Monitoring

Mitigation monitoring is on the rise. FIRRMA requires more reporting to Congress on compliance and remediation than in the past; this will likely increase CFIUS's attention on these matters.

In addition, cases with mitigation agreements in place may be audited periodically. In fact, CFIUS has the authority to "unilaterally initiate a review" of previously mitigated transactions,11 and is now equipped with the ability to reassert jurisdiction if parties fail to comply with or materially breach a mitigation agreement.

Potential Penalties

As the recent $1 million fine demonstrates, non-compliance with the terms of a mitigation agreement can be costly for parties in the transaction. In addition to monetary fines, CFIUS may impose a "civil penalty not to exceed $250,000 per violation or the value of the transaction, whichever is greater" when there is a violation of the agreement.12

In addition to imposing fines, CFIUS may require a new plan of action for the party or parties in violation to "remediate the lack of compliance;"13 that new agreement may include liquidated or actual damages for breaches of the previous agreement.14

When penalties are imposed, the parties have a 15-day window to request reconsideration with a petition that defends, justifies, or explains their previous conduct,15 and CFIUS will review and issue a final decision within 15 days of receiving the petition.16*         

Footnotes

1 Exec. Order No. 11,858, 40 Fed. Reg. 20,263 (May 7, 1975).

2 The term "control" is defined as "the power, direct or indirect, whether exercised or not exercised, ... to determine, direct, or decide important matters affecting an entity...." 31 C.F.R. § 800.204 (2019).

3 Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), Pub. L. 115-232, Div. A, Title XVII, §§ 1701-1793, 132 Stat. 2173 (2019).

4 FIRRMA § 1703(a)(4)(B) (2019).

5 31 C.F.R. § 800.502 (2019).

6 50 U.S.C. § 4565(b)(2)(A) (2019).

7 U.S. Dep't of the Treasury, Committee on Foreign Investment in the United States Annual Report to Congress (Sept. 2017), at 21, https://www.treasury.gov/resource-center/international/foreign-investment/Documents/Unclassified%20CFIUS%20Annual%20Report%20-%20(report%20period%20CY%202015).pdf (last visited July 3, 2019).

8 Id. at 21-22.

Id.

10 Id. at 22.

11 FIRRMA § 1708(7)(D) (2019). 50 U.S.C. § 4565(l)(6)(D) (2019).

12 31 C.F.R. § 800.801(b) (2019).

13 31 C.F.R. § 800.802(a) (2019).

14 31 C.F.R. § 800.801(c) (2019).

15 31 C.F.R. § 800.801(e) (2019).

16 Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.