April 26, 2019

National Security: CFIUS Flexes Its Fining Muscles

CFIUS recently announced that it had imposed a $1 million civil monetary penalty against an undisclosed entity for repeatedly breaching a 2016 mitigation agreement. CFIUS has had the ability to impose fines for non-disclosure & other compliance issues, but it hasn’t exercised this authority in the past. This Winston & Strawn memo says that CFIUS’s decision to impose a fine now is kind of a big deal:

On April 12, 2019, CFIUS released a brief statement on its website that in 2018 it imposed a fine of $1 million on an unnamed company for failure to comply with a mitigation agreement. Specifically, the penalty was imposed for “repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS.” This appears to be the first time CFIUS has used its penalty powers and a signal that it may do so more frequently.

Part of this interest in penalties may be due to the recent creation within CFIUS of a team wholly dedicated to monitoring compliance with mitigation agreements.

Companies need to keep CFIUS’s new willingness to exercise its authority to impose monetary penalties in mind, because as the memo points out, those fines can pack quite a wallop. The Foreign Investment Risk Review Modernization Act enacted last year granted CFIUS the authority to mandate certain filings & impose fines on those that fail to comply – and regulations under the Pilot Program provide that penalties for failure to comply with mandatory filing requirements can be as much as the value of the transaction.

John Jenkins