Recent CFIUS Activities Reflect Rising Scrutiny of Foreign Investments and Commitment to Enforcement

November 26, 2024

Key Takeaways

It has been a busy few weeks for the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”), an interagency committee chaired by the U.S. Department of the Treasury (“Treasury”).

The Committee hosted the Third Annual CFIUS Conference (the “Conference”) on November 19, 2024, which included comments from career civil servants who staff the Committee as well as prominent Biden Administration appointees, including Deputy Treasury Secretary Wally Adeyemo and Assistant Treasury Secretary for Investment Security Paul Rosen.

Additionally, Treasury issued a final rule on November 18 implementing for the first time since 2018 significant revisions to its inbound foreign investment regulations (the “Final Rule”), which Treasury said were intended to “enhance” certain authorities relating to information sought by and provided to CFIUS by transaction parties and to “sharpen” the Committee’s penalty and enforcement authorities. Revisions to key provisions of the CFIUS regulations are compared with the preexisting versions of those provisions in the table below. The Final Rule will take effect 30 days after publication in the Federal Register.

Further, on November 1, Treasury issued a final rule expanding the types and number of military installations subject to its authority to review real estate transactions (the “Real Estate Final Rule”). This new rule will take effect on December 9, 2024.

The Conference messaging and the revisions to the CFIUS regulations reflect CFIUS’ growing desire and ability to assert its authority to influence dealmaking in the United States as key areas of national security focus (i.e., technology, infrastructure, and data) evolve, perceived threats and rivalries between nations become more pronounced, and the lines between national security and economic security become increasingly blurred.

Third Annual CFIUS Conference

At a high level, CFIUS used the Conference to convey that it continues to adapt to increasingly complex transactions involving ever-developing areas of national security concern, and that this approach has and will remain consistent across presidential administrations. Officials encouraged transaction parties to anticipate the Committee’s potential concerns and provide fulsome descriptions of the motivations and objectives of the investment, the technical details of the target’s activities, and the parties’ efforts to address potential national security implications of the deal, through their filings and through ongoing, open communication with the Committee.

In his remarks, Assistant Secretary Rosen highlighted the particular attention the Committee has been paying to the role of limited partners (“LPs”) in investment funds. He emphasized that not all LP arrangements are the same and that the Committee needs to be given information sufficient for it to understand the identities and roles of LPs in order to assess national security risk. He encouraged businesses seeking funding to “know their investor” in the same way that financial institutions are obligated to “know your customer” – “because CFIUS certainly will.”

Further, Assistant Secretary Rosen noted that the Committee has expanded to devote significant resources to monitoring; CFIUS currently is actively monitoring mitigation measures in approximately 240 cases.

Final Rule: Key Updates to CFIUS Regulations

CFIUS has broad powers to review non-U.S. investments in, and acquisitions of, U.S. businesses and certain U.S. real estate to determine their potential impact on U.S. national security. The Committee may impose mitigation measures on transactions that it determines are a risk to U.S. national security, and any failure to comply with such measures may result in the imposition of a penalty by the Committee.

The Final Rule issued on November 18 is the first significant expansion of CFIUS’ authority since the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) went into effect on February 13, 2020. Among other things, FIRRMA gave the Committee jurisdiction over: (i) certain non-controlling investments by non-U.S. persons in U.S. businesses associated with critical technology, critical infrastructure and sensitive personal data (collectively, “TID U.S. businesses”) through 31 C.F.R. Part 800 (the “TID Regulations”); and (ii) transactions involving the purchase or lease by, or concession to, a non-U.S. person of certain U.S. real estate that might raise national security concerns through 31 C.F.R. Part 802 (the “Real Estate Regulations”). The TID Regulations and Real Estate Regulations are structured similarly; the Final Rule will alter both sets of regulations in similar ways.

Topic	Current Rule	New Rule	Analysis
Timing Constraints for CFIUS Mitigation Negotiations	The current CFIUS regulations do not include a specified timeframe in which transaction parties must respond to proposed mitigation agreement terms.	The new regulations will authorize CFIUS to impose a timeframe of three or more business days in which the parties to a transaction must respond to the Committee’s proposed risk mitigation terms (or request additional time); if the parties fail to substantively respond within that timeframe, the Committee may reject a voluntary notice even after it was accepted. (31 C.F.R. §§ 800.504, 802.504)	The Committee wishes to reduce the chance that the negotiation of mitigation measures lingers and/or results in a withdraw and refile request, which extends the CFIUS review process. As seen in the most recent CFIUS Annual Report data (see our coverage of the 2023 CFIUS Annual Report here), CFIUS continues to actively pursue the use of mitigation measures. In practice, the requirements may make it more difficult to conclude reviews in which mitigation agreements are required. Such agreements often require careful consideration by transaction parties; it may prove challenging, absent an extension, to fully consider and offer thoughtful responses to a proposed mitigation agreement in just three business days. This proposed change, among others, highlights the importance of developing a sophisticated CFIUS strategy in advance and evaluating the likelihood and feasibility of potential mitigation measures from the earliest stages of a transaction.
Enhanced Ability to Investigate and Request Information	The Committee currently may request information from parties: (i) to monitor compliance with or enforce the terms of a mitigation agreement, order, or condition, (ii) to determine whether transaction parties have made material misstatements or omitted material information during the course of a previously concluded review or investigation (including in such cases where the transaction parties’ CFIUS filing was rejected by the Committee), and (iii) necessary to determine whether a non-notified transaction would constitute a “covered transaction” that is subject to CFIUS’ jurisdiction for review. If deemed necessary by the Committee, it may exercise its subpoena authority to obtain information from transaction parties or other persons.	The new regulations will expand the types of information the Committee may request from transaction parties as well as from “other persons.” In addition to “information necessary to determine whether the transaction is a covered transaction,” the revisions will enable CFIUS to request information about “whether the transaction may raise national security considerations,” or “whether the transaction is a transaction for which a submission is or was required under § 800.401,” which covers mandatory declarations. (31 C.F.R. §§ 800.501, 802.501) Additionally, the new regulations will provide for further circumstances in which CFIUS may seek or compel (through a subpoena) information to enable it to determine whether a transaction is a covered transaction, whether it may raise national security concerns such that the Committee should review it (if it is a covered transaction), and whether the transaction is the type of transaction that would necessitate a mandatory declaration. (31 C.F.R. §§ 800.801, 802.801)	The changes compelling responses to certain information requests further the goal of more effectively promoting compliance so that CFIUS can “swiftly” address potential U.S. national security risks in connection with CFIUS reviews. Of course, the Committee already enjoyed broad authority with respect to information requests, and it is unclear how the Committee will utilize these new authorities. One important change is that the Final Rule will allow the Committee to require non-parties to transactions to provide information to the Committee in a number of circumstances. It will be important to monitor how the Committee will utilize this authority and if third parties (i.e., beyond the transaction parties) should now expect to receive subpoenas or information demand letters. It will also be important to understand how the Committee will protect the confidentiality of the CFIUS review process if it begins to reach out to non-transaction parties to request information regarding parties to active or concluded reviews. Another key change relates to the Committee’s authority with respect to non-notified transactions. For context, CFIUS has authority to review transactions submitted to it for review and also has the authority to initiate its own review of transactions that were not submitted to it. CFIUS has dedicated significant resources to the identification and review of such non-notified transactions in recent years, and its casework in this area is expanding. This change will broaden the Committee’s ability to review non-notified transactions and strengthen the Committee’s ability to assess whether a CFIUS review is necessary. These changes appear to formalize existing practices and provide greater flexibility to the Committee with respect to its growing body of work regarding non-notified transactions.
Expanded Penalties	The current maximum penalty amounts for the following actions are either: (i) $250,000 (per violation), or (ii) the value of transaction (whichever is greater): The submission of a CFIUS filing with a material misstatement or omission, or the making of a false certification; Failure to submit a mandatory CFIUS filing; or Violations of material provisions of mitigation agreements, material conditions imposed by the Committee, or orders issues by the Committee.	The new rules will expand the circumstances in which a civil monetary penalty may be imposed for the submission of material misstatements, omissions, or false certifications to the Committee, such that a penalty may be imposed both where such misinformation is provided in a declaration or notice, and where such misinformation is provided in a response to a request from Committee. (31 C.F.R. §§ 800.901(a), 802.901(a)) The new rules also will increase the maximum civil monetary penalty available for: (i) providing misinformation to the Committee as described above from $250,000 per violation to $5 million per violation; (ii) certain violations of CFIUS' statute or regulations from $250,000 per violation or the value of the transaction, whichever is greater, to $5 million or the value of the transaction, whichever is greater; and (iii) certain violations of a material provision of a mitigation agreement, condition, or order, from $250,000 per violation or the value of the transaction, whichever is greater, to the greatest of (on a per violation basis): (A) $5 million; (B) The value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the transaction; (C) The value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the violation in question or the most proximate time to the violation for which assessing such value is practicable; or (D) The value of the transaction filed with the Committee. (31 C.F.R. §§ 800.901(a)-(c), 802.901(a)-(c))	These changes expand the Committee’s penalty and enforcement tools by increasing the civil monetary penalty amount that the Committee may impose and expanding the scope of activities that may result in a penalty. Transaction parties must ensure they are forthcoming in their responses and filings made with CFIUS as well as comply with all mitigation measures. Given that the existing penalty authorization already allowed penalties up to the value of the transaction, it will be important to monitor how the Committee uses this new authority.

Topic

Current Rule

New Rule

Analysis

Timing Constraints for CFIUS Mitigation Negotiations

The current CFIUS regulations do not include a specified timeframe in which transaction parties must respond to proposed mitigation agreement terms.

The new regulations will authorize CFIUS to impose a timeframe of three or more business days in which the parties to a transaction must respond to the Committee’s proposed risk mitigation terms (or request additional time); if the parties fail to substantively respond within that timeframe, the Committee may reject a voluntary notice even after it was accepted.

(31 C.F.R. §§ 800.504, 802.504)

The Committee wishes to reduce the chance that the negotiation of mitigation measures lingers and/or results in a withdraw and refile request, which extends the CFIUS review process. As seen in the most recent CFIUS Annual Report data (see our coverage of the 2023 CFIUS Annual Report here), CFIUS continues to actively pursue the use of mitigation measures. In practice, the requirements may make it more difficult to conclude reviews in which mitigation agreements are required. Such agreements often require careful consideration by transaction parties; it may prove challenging, absent an extension, to fully consider and offer thoughtful responses to a proposed mitigation agreement in just three business days. This proposed change, among others, highlights the importance of developing a sophisticated CFIUS strategy in advance and evaluating the likelihood and feasibility of potential mitigation measures from the earliest stages of a transaction.

Enhanced Ability to Investigate and Request Information

The Committee currently may request information from parties: (i) to monitor compliance with or enforce the terms of a mitigation agreement, order, or condition, (ii) to determine whether transaction parties have made material misstatements or omitted material information during the course of a previously concluded review or investigation (including in such cases where the transaction parties’ CFIUS filing was rejected by the Committee), and (iii) necessary to determine whether a non-notified transaction would constitute a “covered transaction” that is subject to CFIUS’ jurisdiction for review. If deemed necessary by the Committee, it may exercise its subpoena authority to obtain information from transaction parties or other persons.

The new regulations will expand the types of information the Committee may request from transaction parties as well as from “other persons.” In addition to “information necessary to determine whether the transaction is a covered transaction,” the revisions will enable CFIUS to request information about “whether the transaction may raise national security considerations,” or “whether the transaction is a transaction for which a submission is or was required under § 800.401,” which covers mandatory declarations.

(31 C.F.R. §§ 800.501, 802.501)

Additionally, the new regulations will provide for further circumstances in which CFIUS may seek or compel (through a subpoena) information to enable it to determine whether a transaction is a covered transaction, whether it may raise national security concerns such that the Committee should review it (if it is a covered transaction), and whether the transaction is the type of transaction that would necessitate a mandatory declaration.

(31 C.F.R. §§ 800.801, 802.801)

The changes compelling responses to certain information requests further the goal of more effectively promoting compliance so that CFIUS can “swiftly” address potential U.S. national security risks in connection with CFIUS reviews. Of course, the Committee already enjoyed broad authority with respect to information requests, and it is unclear how the Committee will utilize these new authorities.

One important change is that the Final Rule will allow the Committee to require non-parties to transactions to provide information to the Committee in a number of circumstances. It will be important to monitor how the Committee will utilize this authority and if third parties (i.e., beyond the transaction parties) should now expect to receive subpoenas or information demand letters. It will also be important to understand how the Committee will protect the confidentiality of the CFIUS review process if it begins to reach out to non-transaction parties to request information regarding parties to active or concluded reviews.

Another key change relates to the Committee’s authority with respect to non-notified transactions. For context, CFIUS has authority to review transactions submitted to it for review and also has the authority to initiate its own review of transactions that were not submitted to it. CFIUS has dedicated significant resources to the identification and review of such non-notified transactions in recent years, and its casework in this area is expanding. This change will broaden the Committee’s ability to review non-notified transactions and strengthen the Committee’s ability to assess whether a CFIUS review is necessary. These changes appear to formalize existing practices and provide greater flexibility to the Committee with respect to its growing body of work regarding non-notified transactions.

Expanded Penalties

The current maximum penalty amounts for the following actions are either: (i) $250,000 (per violation), or (ii) the value of transaction (whichever is greater):

The submission of a CFIUS filing with a material misstatement or omission, or the making of a false certification;

Failure to submit a mandatory CFIUS filing; or

Violations of material provisions of mitigation agreements, material conditions imposed by the Committee, or orders issues by the Committee.

The new rules will expand the circumstances in which a civil monetary penalty may be imposed for the submission of material misstatements, omissions, or false certifications to the Committee, such that a penalty may be imposed both where such misinformation is provided in a declaration or notice, and where such misinformation is provided in a response to a request from Committee.

(31 C.F.R. §§ 800.901(a), 802.901(a))

The new rules also will increase the maximum civil monetary penalty available for: (i) providing misinformation to the Committee as described above from $250,000 per violation to $5 million per violation; (ii) certain violations of CFIUS' statute or regulations from $250,000 per violation or the value of the transaction, whichever is greater, to $5 million or the value of the transaction, whichever is greater; and (iii) certain violations of a material provision of a mitigation agreement, condition, or order, from $250,000 per violation or the value of the transaction, whichever is greater, to the greatest of (on a per violation basis):

(A) $5 million;

(B) The value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the transaction;

(C) The value of the person’s interest in the U.S. business (or, as applicable, the parent of the U.S. business) at the time of the violation in question or the most proximate time to the violation for which assessing such value is practicable; or

(D) The value of the transaction filed with the Committee.

(31 C.F.R. §§ 800.901(a)-(c), 802.901(a)-(c))

These changes expand the Committee’s penalty and enforcement tools by increasing the civil monetary penalty amount that the Committee may impose and expanding the scope of activities that may result in a penalty. Transaction parties must ensure they are forthcoming in their responses and filings made with CFIUS as well as comply with all mitigation measures. Given that the existing penalty authorization already allowed penalties up to the value of the transaction, it will be important to monitor how the Committee uses this new authority.

Real Estate Final Rule: Further Scrutiny of Real Estate Transactions

The Real Estate Final Rule will expand CFIUS’ jurisdiction to review foreign real estate transactions with proximity to U.S. military installations by amending the Real Estate Regulations to revise the definition of “military installations” and add 59 new locations across 30 states identified as important to national security, as we previewed here.

The revisions to the definition of “military installations” expand the term to include more types of facilities and allow CFIUS to add further installations to Appendix A of the Real Estate Regulations going forward. The new types of military installations added to the definition are as follows:

Space Force bases, stations, and major annexes;

Army depots, arsenals, and military terminals;

Marine Corps installations, logistical battalions, and support facilities;

Military ranges owned by any branch of the military anywhere in the United States (previously, only military ranges owned by the Navy or Air Force and certain joint training centers were included); and

Major support activities and annexes to Naval bases and air stations (previously, these were limited to “squadrons and supporting commands of the Submarine Force Atlantic or Submarine Force Pacific”).

Additionally, the Real Estate Final Rule adds 59 military installations to Appendix A, which identifies certain installations of interest to CFIUS and helps identify whether a foreign real estate transaction falls within CFIUS’ jurisdiction for review based on proximity of the real estate in question to such installations.

This expansion of the Real Estate Regulations follows President Biden’s May 2024 order unwinding the purchase by a Chinese company, MineOne Cloud Computing Investment I L.P. (collectively with its affiliates, “MineOne”), of U.S. real estate in close proximity to Francis E. Warren Air Force Base (“F.E. Warren AFB”) in Wyoming. This was the first time the President had blocked a transaction involving CFIUS’ authority to review certain real estate transactions and was only the eighth time that a U.S. President has formally blocked a transaction under any CFIUS authority. Notably, MineOne had not sought CFIUS approval in connection with the acquisition, and CFIUS learned of the transaction thereafter through a public tip. Upon receipt of the information, CFIUS investigated the transaction and ultimately identified national security risks that could not be mitigated through a national security agreement, at which point the matter was referred to President Biden. President Biden’s order requiring MineOne’s divestment of the real estate demonstrates the heightened attention that potentially sensitive real estate transactions are receiving from the U.S. government, the breadth of the Real Estate Regulations, and the importance of evaluating potential CFIUS issues from the early days of a transaction.

Conclusion

The overarching messages from the Conference, the Final Rule, and the Real Estate Final Rule, speak to CFIUS’ ongoing efforts to ensure compliance with its regulations and mitigation measures against a backdrop of heightened national security concerns. In expanding its reach and potential impact through these regulatory revisions, CFIUS is signaling that it means business, and dealmakers should pay attention.

A sophisticated CFIUS strategy, at every step of the deal process, can make a significant difference. Parties contemplating transactions involving foreign investments in U.S. businesses should evaluate CFIUS considerations early in the transaction process and ensure that if mitigation measures are imposed, there is an actionable compliance program developed to oversee compliance with the parties’ obligations.

Dechert represents a wide range of clients through CFIUS reviews, including major operators and investors in the high tech, telecommunications, energy, defense, and infrastructure industries. We regularly advise foreign and domestic entities (“buyers” and “sellers,” as well as other interested third parties) through the CFIUS review process, helping them determine whether or not to bring a transaction before the Committee (and whether or not CFIUS review is required), to assemble the required information and materials for a filing, to negotiate (as necessary) national security agreements with CFIUS in a manner that minimizes both delay and the imposition of conditions that might threaten the transaction, and to design and implement a compliance plan that allows parties to meet any imposed CFIUS mitigation obligations. We also give counsel on strategies for identifying and addressing political and policy considerations that may arise.