Two recent developments involving the Committee on Foreign Investment in the United States (CFIUS) continue CFIUS’s trend of more active review and intervention in transactions that it deems detrimental to the national security of the United States.
CFIUS is an inter-agency committee comprising nine Cabinet level executive agencies and various other executive branch offices that have the authority to review certain investments into the United States by foreign actors that involve national security. Based upon the CFIUS’s review of certain covered transactions, the President may act to block certain transactions that are deemed detrimental to the country’s national security. In 2018, the Foreign Investment Risk Review Modernization Act (FIRRMA) significantly expanded CFIUS’s authority and scope to review and take action on transactions deemed to be a national security threat, including those involving passive, non-controlling investments in U.S. businesses dealing in critical technology, the service of critical infrastructure, or the collection and maintenance of sensitive personal data.
Executive Order 14083 – Identifying and Considering Emerging Categories of Risk
On September 15, 2022, President Biden issued Executive Order 14083 (the Order), which directs CFIUS to broadly consider the following five categories of risk while reviewing covered transactions:
- A Covered Transaction’s Effect on Supply Chain Resilience and Security. The Order directs CFIUS to consider how a covered transaction may impact the resilience and security of certain critical U.S. supply chains fundamental to national security, both within and outside of the defense industrial base. These supply chains include those involving manufacturing capabilities, services, critical mineral resources and technologies deemed fundamental to national security, including microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, climate adaptation technologies, critical materials (such as lithium and rare earth elements) and agricultural industrial elements implicating food security. The Order directs CFIUS to evaluate the degree of involvement in such critical supply chains by a foreign person, as well as the existing capability in the supply chain at question, including the degree of diversification and the relationship of the target U.S. business to the U.S. Government or other critical industrial bases (i.e., is the target a government contractor?).
- A Covered Transaction’s Effect on United States Technological Leadership in Certain Critical Sectors. The Order directs CFIUS to consider the effect a covered transaction may have on U.S. technological leadership in industries and sectors that are critical to national security. The Order also directs the Office of Science and Technology Policy to periodically publish a list of technology sectors that it deems fundamental to U.S. technological leadership in areas relevant to national security.
- The Cumulative Effect of Numerous Incremental Investments in Certain Critical Sectors. The Order directs CFIUS to look beyond the impact of a single covered transaction and consider the impact that incremental investments over time have in a sector or technology critical to national security. The Committee should consider the risks arising from a covered transaction in the context of multiple investments in a single sector or multiple related sectors where a foreign person may take actions that would impair national security.
- A Covered Transaction’s Effect on Cybersecurity Risks. The Order directs CFIUS to consider whether a covered transaction may grant a foreign person direct or indirect access to means through which threat actors could engage in malicious cyber-enabled activities that would impair the interests of the U.S. or any U.S. person, including (1) activity that would undermine the protective or integrity of data; (2) activity designed to interfere in U.S. elections, critical infrastructure, the defense industrial base or other national cybersecurity priorities, or; (3) the sabotage of critical energy infrastructure.
- A Covered Transaction’s Contemplated Use of Personal Data. The Order also directs CFIUS to consider a covered transaction’s use of and effect on the sensitive personal data of U.S. persons in a manner detrimental to national security. In particular, the Order focuses on technological developments enabling foreign actors to de-anonymize or re-identify what was previously anonymous data, which could lead to the targeting of U.S. individuals or groups.
While the Order enumerates specific factors for CFIUS to consider, the factors are non-exhaustive, and the Order acknowledges CFIUS’s statutory mandate to “determine the effects of each covered transaction…on the national security of the United States.” The Order further directs CFIUS to continue to review its processes, practices and regulations to ensure that it remains current with the changing national security landscape.
Taken as a whole, the Order reaffirms not only the current practice of CFIUS in taking a broad view of the impact a covered transaction may have on national security, but also the more muscular and evolving approach that CFIUS has employed since FIRRMA was signed into law in 2018. The Order also telegraphs the Biden Administration’s focus and priority on critical technology sectors, including but not limited to, advanced quantum computing, biotechnology, artificial intelligence and advanced climate technologies.
Enforcement and Penalty Guidelines
Little more than a month after publication of the Order, the Treasury Department issued on October 20, 2022, the first ever CFIUS Enforcement and Penalty Guidelines (Guidelines). The Guidelines identify three categories of conduct that may constitute a violation under the relevant CFIUS regulations:
- Failure to timely submit a mandatory declaration or notice, as applicable.
- Any noncompliance or prohibited conduct under a CFIUS mitigation agreement, condition or order.
- A material misstatement or omission from information filed with CFIUS, or any false or materially incomplete certification filed in connection with CFIUS review.
The Guidelines further outline the tools that CFIUS may utilize to investigate whether a violation has taken place. These tools include:
- Requests for Information: CFIUS will often request information to support its compliance monitoring, whether a violation has occurred and what enforcement action, if any, should be taken. A subject person’s cooperation with a request for information may be considered in determining what action to take.
- Voluntary Self-Disclosure: CFIUS strongly encourages timely self-disclosure, even if not explicitly required by agreement or any other law or regulation. A self-disclosure should be made in writing and describe the conduct that may constitute a violation and the involved parties. One important factor in CFIUS’s consideration of a self-disclosure is its timeliness, and whether discovery of the potential violation was imminent or had already occurred.
- Tips: CFIS solicits tips from the general public and encourages the submission of relevant information through its website.
- Subpoena Authority: Lest the above methods fail, the Guidelines also make explicit that CFIUS may use its subpoena authority provided in the Defense Production Act.
The Guidelines also provide a roadmap to how CFIUS will impose a penalty on a subject person if a violation is found, as well as the factors that will inform the amount of the penalty. The imposition of a penalty follows a defined process which starts by the Committee providing written notice of a penalty, including the legal basis for concluding that a violation has occurred and the aggravating and mitigating factors considered by the Committee. The subject person then has the opportunity to submit a petition for reconsideration within 15 business days, which CFIUS will consider prior to issuing a final penalty determination within 15 business days after receipt of the petition.
The determination of the penalty amount is considered on a case-by-case basis where CFIUS weighs various aggravating and mitigating factors. Such factors broadly include (1) the subject person’s accountability and future compliance; (2) the degree of harm caused by the violation; (3) degrees of the subject person’s negligence, awareness and intent; (4) the persistence and timing of a violation; (5) the nature of the subject person’s response and remediation, and; (6) the subject person’s sophistication and record of compliance.
CFIUS’s release of the Guidelines appear to be an effort to increase transparency into its workings, which are notoriously secretive. At the same time, the trend since the passage of FIRRMA has been toward increased scrutiny of foreign investment in U.S. businesses. The release of the Guidelines on the heels of President Biden’s executive order only highlights CFIUS’s more aggressive current position. Seemingly to emphasize that point, in announcing the release of the Guidelines, Assistant Secretary of the Treasury for Investment Protection Paul Rosen stated: “Today’s announcement sends a clear message: Compliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation, including through the use of civil monetary penalties and other remedies.”