CFIUS Issues Enforcement and Penalty Guidelines

International Trade and Investment Alert™ | October 24, 2022

Authors: Michael T. Gershberg and Gregory Bernstein

On October 20, 2022, the U.S. Department of the Treasury, as Chair of the Committee on Foreign Investment in the United States (“CFIUS”), issued its first-ever enforcement and penalty guidelines (“the Guidelines”). The Guidelines outline the types of conduct that may constitute violations and explain the penalty process, including the types of aggravating and mitigating circumstances that CFIUS will consider. They provide novel insight into how CFIUS views enforcement and represent another public statement that CFIUS is focused on enforcing its regulations and mitigation agreements.

The Guidelines note that CFIUS has a variety of ways to determine whether a violation has occurred, and can learn about such violations through requests for information, self-disclosures, or third-party tips, including those submitted through CFIUS’s tip line. A summary of the main aspects of the Guidelines follows.

Types of Conduct that May Constitute a Violation

The Guidelines identify three categories of conduct that may constitute a violation of the CFIUS statute or regulations:

  • Failure to timely submit a mandatory declaration or notice
  • Failure to comply with the terms of any CFIUS mitigation agreements, conditions, or orders
  • Material misstatements or omissions in information filed with CFIUS, including false or materially incomplete certifications filed in connection with assessments, reviews, investigations, mitigations, or requests for information.

Penalty Process

The Guidelines describe a three-step penalty process that is consistent with the process outlined in the CFIUS regulations. First, CFIUS sends the target of its enforcement (“the Subject Person”) a notice of penalty, which will include a written explanation of the conduct at issue and the amount of any monetary penalty that CFIUS intends to impose. The notice of penalty will state the legal basis for concluding that the conduct at issue constitutes a violation and identify any aggravating or mitigating factors that CFIUS considered.

Second, within 15 business days of receiving a notice of penalty, the Subject Person may submit a petition for reconsideration to the CFIUS Staff Chairperson. Such petition can include any defense, justification, mitigating factors, or other explanation of the conduct at issue. This period may be extended upon written agreement between the CFIUS Staff Chairperson and the Subject Person.

Third, within 15 business days of CFIUS’s receipt of a petition for reconsideration, it will issue a final penalty determination. This period can also be extended upon written agreement between the CFIUS Staff Chairperson and the Subject Person. If no timely petition for reconsideration is received, CFIUS will issue a final penalty determination to the Subject Person.

Aggravating and Mitigating Factors

The Guidelines also include a non-exhaustive list of factors that CFIUS may consider to be aggravating or mitigating depending on the circumstances. The Guidelines make clear that determining the appropriate penalty is a fact-based process, and that the weight given to any aggravating or mitigating factor will vary.

  • Accountability and Future Compliance: CFIUS will take into account the impact of the enforcement action on protecting national security and holding Subject Persons accountable for their misconduct. CFIUS will also consider the effect the enforcement action will have on incentivizing compliance, including through self-disclosures.
  • Harm: CFIUS will consider the extent to which the conduct at issue impaired or threatened to impair national security.
  • Negligence, Awareness, and Intent: CFIUS will consider whether or the extent to which the conduct was the result of simple negligence, gross negligence, intentional action, or willfulness. CFIUS will also look at whether there was any effort to conceal or delay the sharing of relevant information with CFIUS, and the seniority of personnel within the entity that knew or should have known about the conduct.
  • Persistence and Timing: CFIUS will weigh the frequency and duration of the conduct and the amount of time, if any, that has elapsed between the Subject Person becoming aware of the conduct and CFIUS becoming aware of the conduct.
    • For violations of CFIUS mitigation agreements, CFIUS will consider the length of time since the CFIUS mitigation was put into place.
    • For failure to file a mandatory declaration, CFIUS will consider the date of the transaction at issue.
  • Response and Remediation: CFIUS will consider whether the Subject Person submitted a self-disclosure, including the timeliness, nature, and scope of information reported to CFIUS. CFIUS will also consider whether the Subject Person cooperated completely in CFIUS’s investigation of the matter, the promptness of full remediation of the conduct, and whether there was an internal review or investigation into the nature, extent, origins, and consequences of the conduct.
  • Sophistication and Record of Compliance: CFIUS will consider, among other things, the Subject Person’s history and familiarity with CFIUS and, if applicable, past compliance with CFIUS mitigation agreements. CFIUS will also consider the Subject Person’s compliance policies and posture, including:
    • Internal and external resources dedicated to compliance
    • Policies, training, and procedures that are in place to prevent potentially violative conduct (and why such policies failed)
    • Variation in the consistency of compliance at the entity
    • The compliance culture that exists within the entity
    • The experience of other federal, state, local, or foreign authorities with knowledge of the Subject Person in the assessment of the quality and sufficiency of the Subject Person’s compliance with legal obligations
    • In the case of a violation of CFIUS mitigation, the extent to which written policies and training on the terms of the mitigation were communicated and implemented, and the extent to which the authority, role, access, and independence of any security officer were sufficient to ensure compliance.

Key Takeaways

While the Guidelines do not modify any legal rights or obligations or change the level of penalties that CFIUS may impose, they nonetheless provide helpful guidance for businesses, especially those subject to any form of CFIUS mitigation. The Guidelines reiterate that material misstatements, omissions, and false certifications to CFIUS will be viewed as legal violations, as will failure to file mandatory notices or declarations, and any conduct that is prohibited by CFIUS mitigation. The Guidelines underscore that robust, written compliance policies, training, and a strong culture of compliance are important mitigating factors in any enforcement action, and that prompt self-disclosures are viewed favorably by CFIUS when considering the appropriate penalty.

The Guidelines do not provide any specific penalty amounts or ranges or mitigation percentages, as do some other regulators’ penalty guidelines. Rather, the document may be seen largely as a warning to industry that CFIUS remains focused on monitoring and enforcement, and that it intends to continue its recent history of imposing monetary penalties for violations of its regulations and mitigation agreements. Accordingly, relevant businesses should review the Guidelines and ensure that they have adequate policies and procedures in place to maintain compliance with any CFIUS obligations.


This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm’s data policy page for further information.