As TikTok CEO Shou Zi Chew was facing (often contentious) questions from members of Congress during a four and a half hour hearing on March 23, 2023, many casual observers were learning for the first time about the interagency Committee on Foreign Investment in the United States (“CFIUS” or “the Committee”). CFIUS, chaired by the Department of the Treasury (“Treasury”), conducts national security reviews of transactions that can lead to control or significant influence by foreign persons over U.S. businesses, among other national security reviews. Based on the general tenor of the TikTok hearing, which took place during an ongoing review by CFIUS, one could be forgiven for thinking that CFIUS has been particularly active in enforcement.

However, CFIUS has enacted only two enforcement actions resulting in civil penalties. These actions were a $1 million fine in 2018 related to the “repeated breaches of a 2016 CFIUS mitigation agreement” and a $750,000 fine in 2019 related to the failure of the transaction parties to restrict and adequately monitor protected data.¹ Based on this rather lenient history of the Committee with respect to enforcement, some transaction parties may feel there is a low risk of penalties related to the breach of mitigation agreements or failure to notify CFIUS of a covered transaction requiring a mandatory filing with the Committee. But over the last year, through a variety of means, the Committee has telegraphed its intention to ramp up enforcement.

Increased Enforcement

On August 2, 2022, the Committee released its 2021 Annual Report to Congress (the “2021 Report”),² which we described in our previous article, Key Takeaways from the CFIUS Annual Report for 2021. The 2021 Report reflected the Committee’s commitment to finding non-notified transactions involving national security risks and requesting filings when necessary. Additionally, the 2021 Report explained certain mitigation measures and conditions imposed upon transaction parties.

Importantly, the 2021 Report is the first CFIUS report covering a full year of transactions after the enactment of revised regulations pursuant to the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), which provides for more resources related to enforcement. In fact, the 2021 Report specifically disclosed the Committee’s plans for “increasing staff resources dedicated to monitoring and enforcement activities.” Additionally, “CFIUS will also continue to assess noncompliance on a case-by-case basis as it evaluates whether civil penalties or other measures should be implemented.” Backing up these claims in its 2024 CFIUS Congressional budget justification, Treasury requested funds to hire an additional 39 full-time employees focused on CFIUS activities.³ If the employee request is fulfilled, the number of Treasury employees working on CFIUS matters will increase from 92 full-time employees in fiscal year 2023 to 141 full time employees in fiscal year 2024, an increase of 53%.

As described in our previous Trade Alert, on October 20, 2022, Treasury, acting as Chair of CFIUS, released the first-ever CFIUS Enforcement and Penalty Guidelines (“the Guidelines”). These Guidelines address three categories of violations:

1. Failure to file a mandatory declaration;

2. Non-compliance with CFIUS mitigation; and

3. Material misstatement, omission, or false certification in connection with dealings with CFIUS.

The Guidelines also described the Committee’s penalty process in detail and elaborated on aggravating and mitigating factors when determining a penalty in response to a violation.

Taken together, the enforcement increase referenced in the 2021 Report from August 2022 and the October 2022 publication of CFIUS Guidelines clearly speak to an intent to increase enforcement.

National Security Risk Focus

With respect to the focus of CFIUS, the Committee traditionally conducts its national security reviews pursuant to Section 721 of the Defense Production Act of 1950 (“Section 721”), as amended by the Foreign Investment and National Security Act of 2007 (“FINSA”) and FIRRMA, Treasury’s 2008 Guidance Concerning the National Security Review Conducted by CFIUS (“2008 Guidance”),⁴ and the CFIUS regulations at 31 C.F.R. Part 800.

From these sources, CFIUS established its national security risk-based analysis, described in 31 C.F.R § 800.102:

For purposes of this part, any such analysis of risk shall include and be informed by consideration of the following elements:

(a) The threat, which is a function of the intent and capability of a foreign person to take action to impair the national security of the United States;

(b) The vulnerabilities, which are the extent to which the nature of the U.S. business presents susceptibility to impairment of national security; and

(c) The consequences to national security, which are the potential effects on national security that could reasonably result from the exploitation of the vulnerabilities by the threat actor.

On September 15, 2022, President Biden signed Executive Order (E.O.) 14083, which ensures “robust consideration of evolving national security risks.” Although E.O. 14083 does not expand CFIUS jurisdiction, it directs the Committee to ensure that certain existing factors from Section 721 are reviewed. The specific factors described in E.O. 14083 on which the President directed the Committee to focus include:

• Impact to critical U.S. supply chains;

• U.S. technological leadership and fundamental technology;

• Aggregate investment trends;

• Transactions that could lead to the ability of foreign persons to exploit cyber vulnerabilities; and

• Protection of sensitive data of U.S. persons.

Divestments

When viewed holistically, enforcement through the imposition of civil monetary penalties is not necessarily the worst outcome that can result from CFIUS action. As discussed in previous articles (e.g., CFIUS Heightens Scrutiny of Non-Notified Transactions) and reinforced through more recent examples, the true sting of CFIUS – and what keeps M&A parties and practitioners up at night – is the Committee’s ability to require foreign acquirers or investors to divest of their investment. For example, on December 19, 2022, Borqs Technologies Inc. (“Borqs”), a Chinese corporation, announced that CFIUS will require it to fully divest of its ownership in Holu Hou Energy LLC (“HHE”), a top solar energy supplier in Hawaii.⁵ Borqs initially acquired controlling shares of HHE in October 2021. The requirement from CFIUS is based on the national security threat caused by Borqs’s access to HHE’s solar storage technology and Borqs’s ability exert influence over HHE’s business operations.

Returning to TikTok, the Committee’s review of the social media and video sharing app has been ongoing since November 2019, following the 2017 acquisition of TikTok by ByteDance, a Chinese company. As evidence of the potential power of CFIUS, reports in March described that the Committee demanded that ByteDance divest of its ownership in TikTok or face a ban within the United States.⁶

Conclusion

Now, in addition to the longstanding ability for CFIUS to require divestment where it finds too great a risk to national security, all signs point to increased enforcement of violations of CFIUS regulations, including failure to file with the Committee in circumstances of mandatory declarations. Parties to mergers and acquisitions, foreign investors, and deal counsel will need to be even more vigilant in conducting CFIUS due diligence to prevent potential penalties or, often worse, divestment.

If you require assistance in determining whether a potential transaction requires a mandatory declaration to CFIUS, deciding if a voluntary filing may be prudent to prevent future consequences, or any questions related to CFIUS enforcement, please to not hesitate to contact the knowledgeable attorneys at Torres Trade Law.