CFIUS Executive Order on Evolving National Security Risks and CFIUS Enforcement Guidelines, IN FOCUS, CRS, May 17, 2024.
On September 15, 2022, the Biden Administration issued
the “first-ever presidential directive” defining additional
national security factors for the Committee on Foreign
Investment in the United States (CFIUS) to consider in
evaluating foreign investment transactions. Executive Order
14083 reaffirms a “commitment to open investment,” while
seeking to ensure CFIUS “remains responsive to an
evolving national security landscape and the nature of the
investments that pose related risks.” The E.O. informs how
CFIUS reviews strategic transactions—in general and with
regard to key sectors and factors—and could potentially
enhance scrutiny of investments from countries of concern,
such as the People’s Republic of China (PRC or China).
Also, in October 2022, the U.S. Department of the Treasury
published CFIUS Enforcement and Penalty Guidelines
(Guidelines) that describe how it approaches enforcement
and penalty determinations for violations by parties subject
to CFIUS action. Some see the Guidelines as a signal that
CFIUS may more proactively seek enforcement actions and
civil monetary penalties. In April 2024, Treasury proposed
regulatory updates intended to further “sharpen [CFIUS]
penalty and enforcement authorities.”
CFIUS Background
CFIUS is an interagency body, chaired by the U.S. Treasury
Secretary, that serves the President in overseeing the
potential U.S. national security implications of certain foreign
investment in the U.S. economy. It has associated authorities
(50 U.S.C. §4565; 31 C.F.R. Chapter VIII) to review, clear, and,
if required, impose terms of mitigation to address national
security risks before allowing transactions to proceed. CFIUS
also has authority to refer transactions to the President for
action, including prohibiting or compelling divestiture of
transactions that present risks CFIUS determines it cannot
sufficiently mitigate. See CRS In Focus IF10177, The
Committee on Foreign Investment in the United States
Executive Order 14083
CFIUS decisionmaking is not public, in part to protect the
confidentiality of parties to a transaction. E.O. 14083 gives
insight into issues CFIUS may be navigating. The E.O.
requires CFIUS to adopt specified approaches and
direction. While the E.O. does not name China, it targets
behaviors common to PRC investments that seek U.S.
capabilities in strategic areas prioritized and funded by
China’s industrial policies (see CRS In Focus IF10964).
The E.O. focuses on countries that have a strategic goal of
acquiring critical technology or critical infrastructure that
affects U.S. leadership in areas related to national security.
It also addresses foreign investors’ use of U.S. entities and
persons to act as third parties. This focus may signal U.S.
government concerns that China among others may be
using U.S. workarounds to evade scrutiny.
E.O. 14083 makes explicit certain national security factors
that CFIUS is required to consider in reviewing investment
transactions, but does not otherwise change its authorities
or jurisdiction. The E.O. elaborates on two existing
factors in the CFIUS statute:
• Critical U.S. supply chains resiliency—both inside
and outside the defense industrial base. Key sectors
include microelectronics, artificial intelligence,
biotechnology, quantum computing, advanced clean
energy, climate technologies, critical materials,
agriculture, and food security. The E.O. requires CFIUS
to consider U.S. supply chains broadly, not only U.S.
Department of Defense supply chains.
• U.S. technological leadership—with a focus on areas
affecting national security. The E.O. directs the Office
of Science and Technology Policy (OSTP) to publish
“periodically” a list of sectors, in addition to those the
E.O. identified, fundamental to U.S. technological
leadership. This provision may broaden the scope of
technologies and risk areas CFIUS considers. CFIUS is
also to consider “relevant third-party ties” of the foreign
person, and whether a transaction could lead to future
advancements and applications in such technologies for
the foreign actor that could undermine U.S. national
security. This framing directs CFIUS to not only
consider how the transfer of a capability to a foreign
acquirer could affect a loss of certain U.S. national
capabilities (with respect to manufacturing capabilities,
services, critical mineral resources, or technologies) but
also how an acquisition could enhance a foreign
acquirer’s gain in capabilities. With China’s use of U.S.
acquisitions to fill technology gaps, this provision may
require CFIUS to more fully consider how a transaction
advances PRC national capabilities.
CFIUS is also to consider three additional factors:
• Aggregate industry investment trends—whether a
transaction may affect U.S. national security with
regard to the broader industry, and the effect of a series
of investment transactions in which a foreign investor
might gain control of a technology or sector over time.
• Cybersecurity—whether a transaction may provide
foreign persons or third parties access to capabilities or
information databases and systems to conduct cyber
intrusions or malicious cyber-enabled activity, e.g.,
designed to affect election outcomes or operation of
critical infrastructure, such as smart grids. This
provision looks at how transactions may create specific
points of connection, access, and related touch points
and risks in U.S. critical infrastructure.
• U.S. persons’ sensitive data—whether a transaction
involves a U.S. business with “access to U.S. persons’
sensitive data,” including “health, digital identity, or
other biological data and any data that could be
identifiable or de-anonymized,” that could be
exploited. The E.O. introduces a broader definition
than current CFIUS regulations with respect to U.S.
businesses that maintain or collect sensitive personal
data. This factor also appears to promote greater
scrutiny of claims that parties use only anonymized
data by examining de-anonymizing capabilities.
Enforcement and Penalty Guidelines
CFIUS’s first-ever Guidelines outline its approach to
enforcement actions and penalty determinations. The
Guidelines are non-binding and do not change CFIUS’s
statutory or regulatory authority to impose penalties. The
Guidelines outline three categories of conduct that can
constitute a violation of CFIUS’s legal authorities or
mitigation agreements: (1) failing to file a mandatory notice
or declaration triggering CFIUS review; (2) failing to
comply with a mitigation agreement; and (3) making
material misstatements, omissions, or false certifications.
In April 2024, Treasury proposed changes to mitigation and
enforcement provisions that would inform the Guidelines
and enhance CFIUS’s regulatory authorities. As proposed,
the terms would, among other changes, (1) extend penalties
for material misstatements or omissions to include
responses to CFIUS requests for information, (2) increase
the maximum civil penalty amount to $5 million, and (3)
allow 20 business days for the petition and decision
process.
CFIUS Penalty Process
CFIUS first sends a notice that explains the conduct to be
penalized, the penalty amount, and the legal basis for the
action. The recipient has 15 days to submit a petition for
reconsideration. CFIUS makes a final penalty determination
within 15 days of receiving the petition or after the deadline
to submit the petition expires; deadlines may be extended. If
CFIUS concludes that an enforcement action is warranted,
regulations (31 C.F.R. §§800.901, 902) authorize imposing
penalties and damages, including a civil penalty of up to
$250,000 or, in some cases, the value of the transaction. To
date, CFIUS has announced two civil penalties: a $1 million
penalty in 2018 for a party’s failure to establish security
policies and report as required in a mitigation agreement, and
a $750,000 penalty in 2019 for a party violating a CFIUS
interim order while a transaction was under review.
The Guidelines explain that CFIUS relies on U.S.-
government data, publicly available information, third-party
service providers (e.g., auditors), tips, and information from
parties to transactions to determine violations. CFIUS also
has subpoena authority under 50 U.S.C. §4555(a). The
Guidelines encourage cooperation and “strongly
encourage” self-disclosure of potential violations. Not all
violations result in penalties; CFIUS has discretion to
determine appropriate remedies. CFIUS considers the
timing of self-disclosure when determining how to respond
to a violation. CFIUS also considers several factors in
determining penalties, such as
• harm to U.S. national security;
• whether the conduct was intentional or the result of
negligence, efforts to conceal or delay sharing
information, and seniority of personnel involved;
• actions taken in response to the violation, including
voluntary self-disclosure and cooperation; and
• the subject’s history, familiarity, compliance record
with CFIUS, and adequacy of internal policies
Considerations for Congress
The 118th Congress is considering legislation to strengthen
CFIUS by addressing perceived gaps in jurisdiction and
PRC-related concerns, including U.S. outbound investment
and technology transfer to China in strategic industries;
PRC investments in U.S. strategic sectors; “greenfield”
investments in new U.S. facilities and land purchases.
The E.O. and Guidelines raise issues for possible legislation
and oversight of the Foreign Investment Risk Review
Modernization Act of 2018 (FIRRMA, P.L. 115-232, Title
XVII, Subtitle A), which expanded CFIUS jurisdiction in
key areas. Congress might update in statute the risk factors
and sectors that CFIUS must consider, drawing from the
E.O. and factors Congress recommended in FIRRMA
§1702(c). Congress last updated such factors in the Foreign
Investment and National Security Act, 2007 (P.L. 110-49).
Congress might also consider whether to adopt the OSTP-
defined technologies as the operative list that establishes
CFIUS jurisdiction over investments in which foreign
parties have sensitive access to or influence over a U.S.
business, but not formal control (i.e., non-passive and non-
controlling investments). The technologies on OSTP’s list
are more broadly defined than CFIUS statute/regulations,
which set jurisdiction by export-controlled technologies.
Congress might engage Treasury and other CFIUS member
agencies to ascertain the extent to which CFIUS is acting on
the new guidance in practice. With the E.O.’s focus on
aggregate investments, Congress could require enhanced
reporting on PRC investments over time by sector, critical
supply chains, company, and country of investor. It could
examine when instances of aggregation should trigger a
new CFIUS review, or other agency responses to mergers
and acquisitions (e.g., related to antitrust, securities, and
telecom). On enforcement, Congress might scrutinize
CFIUS mitigation terms and practices, define in legislation
the enforcement mandates, expand penalties, or seek clarity
on how disagreements among CFIUS agencies are resolved.
Peter J. Benson, Legislative Attorney
Cathleen D. Cimino-Isaacs, Specialist in International
Trade and Finance
Karen M. Sutter, Specialist in Asian Trade and Finance
https://sgp.fas.org/crs/natsec/IF12415.pdf