CFIUS’s recently released guidelines describe the factors considered by the Committee in imposing civil monetary penalties and other remedies and signal a stricter enforcement posture by the Committee.

On October 20, 2022, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) released its first-ever Enforcement and Penalty Guidelines (the “Guidelines”),[1] describing the Committee’s process and decision-making in imposing penalties for violations of mandatory filing requirements and mitigation agreements. The Guidelines describe the types of conduct that can give rise to a violation under Section 721 of the Defense Production Act of 1950 (“Section 721”) and its implementing regulations, the process that CFIUS generally follows in imposing penalties, and a non-exhaustive list of aggravating and mitigating factors that CFIUS may consider in determining whether to impose a penalty and the scope of such a penalty. The aggravating and mitigating factors described in the Guidelines are broad and open-ended, and like the Guidelines generally, they give CFIUS substantial flexibility to determine an appropriate response based on the facts and circumstances at issue (including by considering entirely different factors). CFIUS emphasizes throughout the Guidelines, however, that a party’s timely and voluntary self-disclosure of a violation may have a meaningful effect on the Committee’s decision-making.

The Guidelines and the associated press release underscore the Committee’s willingness “to use all of its tools and take enforcement action” in response to violations of mitigation agreements and filing requirements, “including through the use of civil monetary penalties and other remedies.”[2] Given that the conditions imposed under mitigation agreements are often vague, this strict enforcement posture may place transaction parties in a difficult position that the Guidelines arguably fail to solve. Because the statutory timetables provide limited opportunities to fine-tune the details of mitigation agreements, it is often unclear whether a violation has occurred. Nevertheless, the Guidelines and press release suggest that CFIUS will adopt a policy of aggressive enforcement – even where transaction parties lack clear guidance and standards against which to assess their conduct.

Although the Guidelines shed light on CFIUS’s view of its authority, they are not binding on the Committee and do not create new law.  As discussed below, their implementation may increase both the likelihood and the chances for success of judicial challenges to CFIUS action, which to date have been very rare.

I. Violations of CFIUS regulations and penalty process

The Guidelines provide a brief overview of the conduct that can violate CFIUS’s regulations, the sources of information that CFIUS may consider in determining if a violation has occurred, and the procedures that the Committee generally follows in imposing penalties. CFIUS is authorized to impose monetary penalties for violations of Section 721, and the Department of the Treasury’s Office of Investment Security has promulgated regulations governing the imposition of those penalties. The regulations establish, and the new Guidelines identify, three categories of conduct that may be subject to a monetary penalty or other remedy:[3]

(1) Failure to timely submit a mandatory declaration or notice;(2) Conduct that is prohibited by or fails to comply with CFIUS mitigation agreements, conditions, or orders (“CFIUS Mitigation”); and

(3) Material misstatements in or omissions from information filed with CFIUS, and false or materially incomplete certifications filed in connection with assessments, reviews, investigations, or CFIUS Mitigation.

In determining whether or not a violation has occurred, CFIUS relies on information from a number of government and non-government sources, including requests for information from the parties, voluntary self-disclosures, and tips through the newly created CFIUS hotline. CFIUS will consider the cooperativeness of the individual or entity believed to have committed the violation (the “Subject Person”) with requests for information when determining the appropriate remedy. In response to a request for information, parties may also present exculpatory evidence, as well as any defense, justification, mitigating factors, or explanation for the conduct at issue.

The Guidelines emphasize the importance of self-disclosure by anyone who believes they may have committed a violation, even if they are not expressly required to do so under the regulations or CFIUS Mitigation. CFIUS will consider the timeliness of any self-disclosure – including whether the disclosure occurred prior to CFIUS’s discovery of the violation – as a factor when determining its administrative response to a violation. If a Subject Person must conduct an additional investigation to determine if a violation has occurred, “the Subject Person may submit an initial self-disclosure and follow it up with a more detailed self-disclosure.” As noted above, however, this determination may be difficult to make in practice, as some mitigation agreements can be imprecise in their wording and scope. In contrast to OFAC’s Economic Sanctions Enforcement Guidelines, the Committee’s Guidelines do not explicitly provide for a reduction in penalty for parties that voluntarily self-disclose a violation (although CFIUS, also unlike OFAC, does not provide a formula for a baseline penalty calculation).[4]

If CFIUS determines that a violation has occurred, the Committee in most cases follows a process, set out in 31 C.F.R. §§ 800.901 and 802.901, that begins with the issuance of a written notice by CFIUS explaining the legal basis for and amount of the proposed penalty. Subject Persons then have 15 days (which may be extended upon a showing of good cause) to submit a petition for reconsideration, including any defenses or explanations.  If CFIUS receives a timely petition for reconsideration, the Committee will consider the petition before issuing a final penalty statement within 15 business days of receipt of the petition. If the Subject Person fails to submit a petition within the required timeframe, CFIUS will “ordinarily” issue a final penalty determination to the Subject Person.

The most recent revision of CFIUS’s statutory authorities, the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA),[5] meaningfully increased CFIUS’s resources by creating a significant filing fee for notifications. In the wake of FIRRMA, CFIUS created a “Monitoring and Enforcement” unit to oversee implementation of CFIUS Mitigation.  This structural change is the culmination of a long-term CFIUS effort to rationalize and monitor the imposition and implementation of CFIUS Mitigation to ensure that the commitments sought are both meaningful and enforced.

II. Factors considered by CFIUS

The Guidelines provide a non-exhaustive list of aggravating and mitigating factors that CFIUS may consider in determining whether to impose a penalty for a violation and the extent of such a penalty. The factors are broadly worded and give considerable interpretive leeway to the Committee, including as to the weight given to each factor in a particular case, and CFIUS may also consider other factors it sees as appropriate. The aggravating and mitigating factors described in the Guidelines include the following:

  • Accountability and future compliance. The “impact of the enforcement action on protecting national security and ensuring that Subject Persons are held accountable for their conduct and incentivized to ensure compliance,” including the submission of voluntary self-disclosures.
  • Harm. The extent to which the conduct impaired or threatens to impair U.S. national security.
  • Negligence, awareness, and intent. Whether the conduct was the result of simple negligence, gross negligence, intentional action, or willfulness, whether there were any efforts to conceal the violation, and the seniority of the personnel that were aware of or should have known of the misconduct.
  • Persistence and timing. The time that has elapsed since the Subject Person became aware of or should have known of the conduct and before CFIUS became aware of the conduct, the frequency and duration of the conduct, and the length of time since the underlying mitigation agreement entered into effect or since the underlying transaction occurred (in the case of failure to file).
  • Response and remediation. Whether the Subject Person submitted a timely voluntary self-disclosure, the Subject Person’s cooperation with CFIUS’s investigation and information requests, the promptness of appropriate and complete remedial actions, and whether the Subject Person conducted appropriate internal investigation of the conduct.
  • Sophistication and record of compliance. The knowledge and experience of the Subject Person with CFIUS and its compliance obligations, past compliance with CFIUS mitigation, the adequacy of the Subject Person’s internal and external resources committed to compliance, and the policies, procedures, and training implemented to prevent the conduct.[6]

These factors are quite similar to those found in other enforcement guidance, including that relating to compliance with OFAC sanctions (also administered by the Department of the Treasury), the Foreign Corrupt Practices Act, export controls, and others.  While CFIUS has not issued any guidance relating to compliance program expectations, we would expect that they similarly would be informed by those found in other regimes applicable to international transactions.

III. Legal impact of the guidelines

As noted above, the Guidelines serve as non-binding guidance on how CFIUS will interpret its regulations rather than new legal or regulatory authority.[7]  However, CFIUS’s emphasis on enforcement may create a new impetus for judicial challenges to CFIUS’s authority, which to date have been extremely rare (only one case has been fully litigated).  In the context of a transaction that has not been completed, the combination of statutory and judicial deference to the Executive Branch’s identification of national security threats and the proper remedy to resolve them, in combination with the commercial dynamics of attempting to complete an M&A transaction in the face of potentially lengthy litigation, provide a powerful disincentive to judicial challenge.

Once CFIUS and the parties have agreed on a remedy, or a transaction has been closed without a filing, and CFIUS is seeking to impose a civil monetary penalty for a purported violation of a national security agreement or CFIUS’s regulations, both the incentives and the grounds of the legal battle may shift.  A party’s incentive to fight a penalty for an action already completed is likely to be different than its incentive to continue to pursue an uncompleted transaction in the face of lengthy and highly uncertain litigation.  Furthermore, CFIUS’s interpretation and implementation of the Guidelines and the underlying penalty provisions of Section 721, while subject to considerable discretion, is bound by the terms of the statute, constitutional due process requirements (although what process is due in the context of national security and classified information differs considerably from ordinary litigation), and at least arguably the Administrative Procedures Act (APA).

A.  Statutory limitations

While as discussed below Section 721 gives substantial discretion the President to identify and address threats to national security, that discretion is not unlimited.  It applies only to transactions that are “covered transactions” under Section 721, including acquisitions of control over U.S. businesses, acquisitions of specified categories of real estate, and acquisitions of specified governance rights in U.S. businesses dealing in critical technologies, critical infrastructure, or sensitive personal data.  If a transaction is beyond CFIUS’s statutory jurisdiction, nothing prevents the parties from challenging that jurisdiction.

B.  Due process

While Section 721 immunizes the President’s finding of a threat to national security and imposition of a remedy from judicial review,[8] it does not eliminate due process requirements.  In the only fully litigated challenge to CFIUS’s authority, the DC Circuit held that the statutory bar to judicial review, even with respect to the determinations specifically shielded from review, does not foreclose constitutional challenges to CFIUS action under the Due Process Clause.[9]  In the context of a transaction within CFIUS’s jurisdiction, given the national security, classified information, and executive privilege considerations at work, due process may require only “notice of the proposed designation, access to the unclassified evidence supporting the designation and an opportunity to rebut that evidence,”[10] but the discretion of the Executive Branch is not unlimited.

C.  Administrative Procedure Act

Once the parties have agreed on a remedy and CFIUS has concluded action under Section 721, it is at a minimum highly doubtful whether the interpretation and enforcement of that agreement is a matter of unreviewable executive discretion. Although it has never been tested in court, one would expect that Section 721’s grant of authority to take such action as the President deems appropriate to address an identified national security threat arising from a covered transaction does not confer a Humpty Dumpty-like power to declare that the terms of a national security agreement between CFIUS and the parties mean whatever the Executive Branch says they mean.  Instead, one would expect that whether the parties have complied with CFIUS Mitigation is an administrative adjudication that is not immune from judicial review.

If that is the case, a court could hold unlawful and set aside CFIUS’s actions, including its penalty decisions, if they are not supported by “substantial evidence” or are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law” within the meaning of the APA.[11] Like any other federal agency, CFIUS would be afforded a significant degree of judicial deference in interpreting its regulations, which would likely be heightened by the fact that its decisions implicate national security.[12]  But that deference is not unlimited under the APA.  The APA requires CFIUS to engage in reasoned decision-making, which requires the Committee, among other things, to apply its rules and guidelines in a consistent manner[13] and “set out legitimate facts upon which it has based reasoning guided by statute, its own rules, and reasonably exercised discretion.”[14] Under the APA, a court may set aside a penalty imposed by CFIUS if the Committee’s decision-making was not based on “substantial evidence” or was otherwise “arbitrary and capricious.”[15] A court could set aside a penalty based on a purported violation of a mitigation agreement if it were to conclude that CFIUS’s interpretation of the mitigation agreement was incorrect – which should, in principle, be determined based on the four corners of the agreement without deference to CFIUS.[16]  Typically consent orders, which appear closely analogous to mitigation agreements, “are interpreted as contracts” by reviewing courts and are construed based on their terms, not the agency’s policy determinations.[17]

IV.  Conclusion

In publishing the Guidelines, CFIUS has clearly signaled its intention to increase its focus on implementation and formal enforcement of both the mandatory filing requirements under FIRRMA and the terms of mitigation agreements. This emphasis is consistent with CFIUS’s allocation of a significant portion of its post-FIRRMA resources to monitoring and enforcement, and the principles it has articulated are broadly consistent with familiar principles applied in other regulatory regimes touching on national security and international transactions. A perhaps unintended implication, though, is that to the extent CFIUS seeks to impose formal legal consequences for violations of its regulations and agreements into which it has entered, its actions may increasingly be subject to meaningful judicial review (and parties may have an increasingly large incentive to seek such review).  While FIRRMA’s revisions to CFIUS’s authority have now largely been implemented, the practical consequences of those revisions will continue to play out in years to come.

Law clerk Billy Hicks contributed to this client update.

Chris Looney contributed to this update. He is admitted only in New York, and is practicing in DC under supervision of a partner of the firm.


[1] U.S. Department of the Treasury, CFIUS, CFIUS Enforcement and Penalty Guidelines,

[2] U.S. Department of the Treasury, Press Release, Treasury Releases CFIUS Enforcement and Penalty Guidelines (Oct. 20, 2022),

[3] All monetary penalties may be recovered via action in federal district court pursuant to 31 C.F.R. §§ 800.901(g) and 802.901(f).

[4] See OFAC’s Economic Sanctions Enforcement Guidelines, 31 CFR Appendix A to Part 501 V.B.2.a.

[5] Foreign Investment Risk Review Modernization Act of 2018, Pub. L. 115-232, Title XVII, Subtitle A.

[6] In the case of violations of CFIUS mitigation, CFIUS will also consider the extent to which written compliance policies or training on the terms of the relevant CFIUS Mitigation were communicated and implemented across the entity and the extent to which the authority, role, access and independence of any security officer were sufficient and in compliance with the terms of the CFIUS Mitigation.

[7] In contrast, OFAC’s Economic Sanctions Enforcement Guidelines are codified in its regulations. See 31 C.F.R. Part 501 (2022).

[8] 50 U.S.C. § 4565(e).

[9] Ralls Corp. v. Committee on Foreign Inv. in US, 758 F.3d 296, 307-312 (D.C. Cir. 2014) (“Ralls”).

[10] Ralls at 318.

[11] 5 U.S.C. § 706(2)(A), (E) (2020); see, e.g., Epsilon Elecs., Inc. v. United States Dep’t of the Treasury, 168 F. Supp. 3d 913, 917, 922 (D.D.C., 2016) (setting aside civil monetary penalty imposed by the Office of Foreign Assets Control (“OFAC”) as arbitrary and capricious and remanding to agency where OFAC failed to reasonably interpret the evidence).

[12] Karpova v. Snow, 402 F. Supp. 2d 459, 465-466 (S.D.N.Y.  2005) (noting that agency determinations in the area of foreign relations and national security are owed particularly great deference).

[13] Hatch v. FERC, 654 F.2d 825, 834 (D.C. Cir. 1981); see also Sanders v. Szubin, 828 F. Supp. 2d 542, 556 (E.D.N.Y. 2011) (upholding OFAC penalty where “the Secretary’s designee made specific reference to OFAC’s enforcement guidelines” and applied them reasonably).

[14] Id. (citing Cablevision Sys. Corp. v. FCC, 570 F.3d 83, 91 (2d. Cir. 2009)).

[15] See, e.g., Epsilon Elecs, 168 F. Supp. 3d at 917, 922 (setting aside OFAC penalty as arbitrary and capricious where “OFAC failed to explain adequately why it discounted” certain evidence and failed to explain its conclusion); Islamic Am. Relief Agency, 477 F.3d at 732 (explaining that “with respect to the APA claims, if OFAC’s actions were not arbitrary and capricious and were based on substantial evidence, we must affirm the district court’s decision”).

[16] See Dr Pepper/Seven-Up Cos., 151 F.R.D. at 488.

[17] See, e.g., Delorme Publ. Co. v. ITC, 805 F.3d 1328, 1331 (Fed. Cir. 2015); Dr Pepper/Seven-Up Cos., 151 F.R.D. at 488 (“This principle — that a consent order should be interpreted as a contract would be — is particularly appropriate here, when the issue involves the interpretation of terms contained in the Consent Order itself.”).

This communication, which we believe may be of interest to our clients and friends of the firm, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions. Please refer to the firm's privacy notice for further details.