Follow us

The new guidelines from CFIUS signal the regulator may be willing to take a more muscular approach as US companies are put on alert

The Committee on Foreign Investment in the United States (CFIUS) - the US Government’s foreign direct investment (FDI) regulator - recently issued its first-ever CFIUS Enforcement and Penalty Guidelines (the Guidelines). They outline how the regulator will assess the scope of, and potential penalties for, violations of regulations governing CFIUS reviews of proposed acquisitions of and/or certain investments in US businesses by non-US parties. The regulator will also assess breaches of mitigation agreements or undertakings entered into between deal parties and the US Government as a condition for CFIUS transaction clearance. 

The new Guidelines address:

  • The types of conduct that may constitute a violation of CFIUS regulations or agreements (including the failure to submit a filing in a mandatory filing scenario).
  • Information sources CFIUS may consider in determining whether a violation has occurred.
  • The process CFIUS would follow in imposing penalties.
  • Factors CFIUS weighs in determining whether a penalty is appropriate and if so, the scope of such penalty. Consistent with the US export control regime, the Guidelines put a high premium on self-disclosure of conduct that may constitute a violation.

The Guidelines are non-binding and do not create new obligations on foreign acquirers/investors or on parties involved in the CFIUS process.  Nevertheless, the Guidelines are an unmistakable signal that CFIUS will continue its increased vigilance with respect to non-notified transactions and potential lapses in mitigation agreement compliance.


CFIUS is empowered to investigate and impose civil monetary penalties and other remedies for violations of the laws that govern the CFIUS review process. In addition, the regulator can impose penalties for violations of mitigation agreements, or other conditions or orders, that the US Government requires as a condition for foreign ownership of a US business operating in critical technologies or other areas important to US national security. In the wake of the Foreign Investment Risk Review Modernization Act of 2018, CFIUS established its Office of Monitoring & Enforcement, which investigates certain transactions not previously submitted to CFIUS for review and enforces penalties for violations of CFIUS regulations and mitigation agreements. It is these enforcement efforts that the Guidelines are intended to address.


According to an accompanying US Treasury Department statement, the Guidelines will “provide the public with important information about how CFIUS will assess whether and in what amount to impose a penalty or take some other enforcement action for a violation of a party’s obligation, and factors that CFIUS may consider in making such a determination, including aggravating and mitigating factors.” 

The Guidelines in particular address the following:

Conduct that may constitute a violation

The Guidelines identify three types of acts, or omissions, that may constitute a CFIUS violation:

  • Failure to timely submit a transaction for CFIUS review where submission is mandatory.
  • Failure to comply with the terms of a CFIUS mitigation agreement, condition or order.
  • Making a “material” misstatement in or omission from information filed with CFIUS, which includes via a declaration, notice or other written submission to CFIUS, as well as information provided during any informal CFIUS consultation.

Information sources on which CFIUS may rely in assessing whether a violation has occurred

Per the Guidelines, “CFIUS considers information from a variety of sources, including from across the [US] government, publicly available information, third-party service providers (eg, auditors and monitors), tips, transaction parties, and filing parties.”  In particular, CFIUS employs/relies upon the following:

  • Information requests to parties, to investigate a potential violation and to assess what enforcement action, if any, CFIUS may take, as well as to support CFIUS monitoring of mitigation agreement compliance.
  • Self-disclosures of violations to CFIUS. In this respect, CFIUS “strongly encourages any person who engaged in conduct that may constitute a violation to submit a timely self-disclosure, even if not explicitly required” by regulation or an applicable mitigation agreement.
  • Tips about a potential violation, which may be submitted by anyone with relevant information (to encourage tips, CFIUS established a dedicated email “tips line” found on the CFIUS Monitoring & Enforcement web page). 

Unfolding of the CFIUS penalty process

CFIUS regulations (see, eg, 31 C.F.R. § 800.901) set forth the process by which CFIUS is authorised to consider and impose penalties. The Guidelines highlight the key milestones and timelines in that process, including issuance of a written “notice of penalty” which states the alleged violation, the amount of any monetary penalty, and the information CFIUS considered in determining a violation occurred. A party may challenge the penalty notice via a reconsideration petition, which CFIUS must consider prior to issuing any final penalty determination.

Assessment of aggravating and mitigating factors

The Guidelines are clear that the finding of a violation “will not necessarily lead to a penalty or other remedy,” and information published to date by CFIUS (in anonymised form) reflects only two monetary penalties, a $1 million fine in 2018 for repeated breaches of a CFIUS mitigation agreement, and a $750,000 penalty in 2019 for violation of an interim CFIUS order restricting access to protected data. CFIUS retains discretion “in determining when a penalty is appropriate, including by considering applicable aggravating and mitigating factors,” the relevance and importance of which will depend on the specific facts and circumstances at issue.  Examples of aggravating and mitigating factors include the following:

  • Accountability and future compliance: This focuses on holding the target of the enforcement action (the Subject Person) accountable for its conduct and incentivising future compliance, including via self-disclosures where appropriate.
  • Harm: This addresses the extent to which the conduct impaired or “threatened to impair” US national security.
  • Negligence, awareness and intent: This assesses whether the relevant conduct was negligent, grossly negligent or intentional, whether information was concealed from CFIUS, and the seniority level of company personnel that knew or should have known about the conduct.
  • Persistence and timing: Here, CFIUS will examine among other things the frequency and duration of the alleged conduct. In addition, the regulator will consider the time between the Subject Person becoming aware of the conduct and CFIUS’s awareness thereof, and in the case of a failure to file in a mandatory scenario, the date of the transaction at issue.
  • Response and remediation: This looks at various facts and circumstances, including whether there was a voluntary disclosure of the violation and the level of co-operation during the CFIUS investigation.
  • Sophistication and record of compliance: CFIUS here considers an array of factors, including but not limited to the entity’s “history and familiarity with CFIUS and, if applicable, past compliance with CFIUS Mitigation”; the resources devoted to CFIUS compliance (including with respect to legal counsel, consultants, auditors, and monitors); compliance policies and training; and the overall “compliance culture” within the entity.

As noted, the Guidelines do not vest CFIUS with additional investigation and enforcement authority.  Nor do the Guidelines limit the ability of the US Government to seek civil or criminal penalties that may be applicable under other laws, and CFIUS may refer a matter to the US Department of Justice or other enforcement authorities where it deems appropriate.  CFIUS acknowledges that “vast majority of those who come before CFIUS abide by their legal obligations and work collaboratively with [CFIUS] to mitigate any national security risks arising from the transaction.”  But is clear from the Guidelines CFIUS will use its authority to ensure compliance with overall CFIUS process.

Key contacts

Joseph Falcone photo

Joseph Falcone

Partner, New York

Joseph Falcone
James Robinson photo

James Robinson

Partner, New York

James Robinson