Client Alert

New CFIUS Enforcement Guidelines Top 5 Takeaways

November 3, 2022
While the Guidelines are not legally binding, they signal CFIUS’s clear intent to take an active approach to compliance and enforcement.

On October 20, 2022, the US Department of the Treasury, as Chair of the Committee on Foreign Investment in the United States (CFIUS), released the first-ever CFIUS Enforcement and Penalty Guidelines (the Guidelines). According to the Treasury Department, the Guidelines “provide the public with information about how [CFIUS] assesses violations of the laws and regulations that govern transaction parties, including potential breaches of CFIUS mitigation agreements.”

Just a month prior, on September 15, 2022, President Biden issued an Executive Order relating to CFIUS reviews (see Latham’s Client Alert New CFIUS Executive Order Outlines 5 Risk Factors: Key Takeaways).endnote text goes here. and you can hyperlink it if necessary.

Client Alert Graphic for Testing

The issuance of both the Guidelines and the Executive Order underscore the US government’s reliance on CFIUS as a critical tool in identifying and mitigating national security risks.

This Client Alert presents the top five takeaways from the Guidelines.

  1. CFIUS is focused on three types of conduct that may constitute a violation of its rules
  2. Pursuant to the CFIUS governing statute and implementing regulations, CFIUS is authorized to impose monetary penalties and seek other remedies for (1) failure to submit a mandatory filing; (2) non- compliance with CFIUS mitigation agreements, conditions, or orders; and (3) failure to provide accurate and complete information to CFIUS.

    If parties fail to make a mandatory CFIUS filing, CFIUS can assess a civil monetary penalty against the foreign investor, the US business, or both “not to exceed $250,000 or the value of the transaction, whichever is greater.”1 (To learn more about the types of transactions that may trigger a mandatory filing, see Committee on Foreign Investment in the United States: Key Questions Answered.) Similarly, any party that fails to comply with CFIUS mitigation may be subject to a civil penalty of $250,000 per violation or the value of the transaction, whichever is greater. Material misstatements, omissions, or false certifications are also subject to a civil penalty of up to $250,000 per violation.

    The Guidelines reinforce that these three types of conduct may lead to enforcement action. They also highlight that material misstatements or omissions may include those made during informal consultations with CFIUS or in response to requests for information regarding non-notified and non-declared transactions.

    If CFIUS determines that a violation has occurred, it will exercise its discretion in determining when a penalty is appropriate, including by considering applicable aggravating and mitigating factors, as described below.

  3. CFIUS strongly encourages self-disclosure of conduct that may constitute a violation of its rules
  4. CFIUS generally considers a variety of sources to determine whether a violation has occurred, including information that is publicly available, information provided by transaction or filing parties, information from third-party auditors and monitors, and other information from across the US government.

    The Guidelines emphasize that CFIUS relies on information provided by parties in response to direct requests from CFIUS. In addition, CFIUS considers information submitted by the public to the CFIUS tips line and encourages the public to report suspected violations to the Office of Investment Security Monitoring & Enforcement (the Monitoring & Enforcement Office) at the Treasury Department. The Guidelines include a reminder that, when necessary and appropriate to gather information, CFIUS may use its subpoena authority to request information from relevant parties.

    Like similar US regulatory regimes, CFIUS encourages timely and voluntary self-disclosures of violations. And the Guidelines note that a voluntary self-disclosure may be a mitigating factor. However, CFIUS will consider whether its officials or other US government officials were already aware of the conduct — or whether they were about to discover the conduct — in determining whether the disclosure was timely.

  5. CFIUS will weigh aggravating and mitigating factors in determining an appropriate enforcement response
  6. The Guidelines include the following non-exhaustive list of factors (in alphabetical order) that CFIUS may consider:

    • Accountability and future compliance: The impact of the enforcement action on protecting national security and ensuring that parties are held accountable for their conduct and incentivized to comply. Notably, the Guidelines provide that CFIUS will make public information related to specific enforcement actions, but will do so without disclosing information that is subject to confidentiality requirements under the CFIUS rules.
    • Harm: The extent to which the conduct impaired or threatened to impair US national security.
    • Negligence, awareness, and intent: The intent or willfulness of the conduct. CFIUS may also take into consideration whether the party attempted to conceal or delay the sharing of relevant information with CFIUS, and the seniority of personnel within the entity who knew or should have known about the conduct.
    • Persistence and timing: The frequency and duration of the conduct, and the length of time that elapsed after the party became aware or had reason to become aware of the conduct, and before CFIUS itself became aware of it.
    • Response and remediation: Whether a party submitted a voluntary self-disclosure, including the timeliness, nature, and scope of information included within such disclosure. CFIUS may consider whether the party cooperated completely in the investigation of the matter (e.g., by providing timely and detailed responses to CFIUS’s requests). CFIUS may also consider the promptness of the party’s complete and appropriate remediation of the conduct, including remedial steps taken upon learning of a violation, and whether the party conducted a throughout internal review.
    • Sophistication and record of compliance: The party’s history and familiarity with CFIUS and, if applicable, its past compliance with CFIUS. Other factors to be considered include the existence of resources dedicated to compliance with legal obligations (e.g., legal counsel, consultants, auditors, and monitors), internal compliance measures (e.g., policies, training, and procedures in place), and the compliance culture of the company.

  7. Parties may petition for reconsideration as part of the penalty process
  8. The Guidelines describe the key steps in the penalty process. If CFIUS determines that a penalty is warranted, it will send the relevant party an initial written notice identifying the conduct constituting a violation, the penalty amount, the legal justification for determining the violation, and any aggravating and mitigating factors considered by CFIUS in arriving at the penalty amount.

    Within 15 business days of receiving a notice of penalty, the party may submit a petition for reconsideration. This can include defenses, justifications, mitigating factors, or explanations. “Upon a showing of good cause” this 15-business-day period can be extended by written agreement with CFIUS.

    Within 15 business days of receiving a petition for reconsideration, CFIUS will issue a final penalty determination. This timeline may be extended by written agreement between the relevant party and CFIUS. If the party does not submit a timely petition for reconsideration, CFIUS will issue a final penalty determination.

  9. CFIUS is likely to take a more public and robust approach to enforcement
  10. Since the creation of the Monitoring & Enforcement Office following the passage of the Foreign Investment Risk Review Modernization Act of 2018, CFIUS has publicly announced only two civil monetary penalties:

    (1) a $1,000,000 penalty in 2018 for “repeated breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS” and (2) a $750,000 penalty in 2019 for “violations of a 2018 CFIUS interim order, including failure to restrict and adequately monitor access to protected data, as defined in the order.” Much of the enforcement process and factors considered by CFIUS in these enforcement cases was not publicly disclosed.

    The release of the Guidelines suggests that CFIUS is likely to take a more public and robust approach to enforcement, particularly with respect to compliance with CFIUS mitigation agreements. Assistant Secretary of the Treasury for Investment Security Paul Rosen stated in the press release accompanying the Guidelines that “[c]ompliance with CFIUS mitigation agreements is not optional, and the Committee will not hesitate to use all of its tools and take enforcement action to ensure prompt compliance and remediation.”

    In light of the Guidelines, and for those looking for more information about the CFIUS process, Latham & Watkins recently released a comprehensive update to its groundbreaking Foreign Direct Investment (FDI) Regimes mobile app. The app provides easy-to-use summaries of key aspects of the national security review process administered by CFIUS and other FDI regimes around the world.

Client Alert is published by Latham & Watkins as a news reporting service to clients and other friends. The information contained in this publication should not be construed as legal advice. Should further analysis or explanation of the subject matter be required, please contact the lawyer with whom you normally consult. The invitation to contact is not a solicitation for legal work under the laws of any jurisdiction in which Latham lawyers are not authorized to practice. A complete list of Latham’s Client Alerts can be found at If you wish to update your contact details or customize the information you receive from Latham, visit our subscriber page.


1 See 31 CFR § 800.901.