CFIUS Means Business, Unwinding Non-Notified Transactions and Penalizing Non-Compliance with Mitigation Agreements

The Committee on Foreign Investment in the United States (CFIUS) has proven in recent weeks that it is an increasingly powerful force that foreign investors and U.S. businesses alike ignore at their peril. While many paid attention to CFIUS’s critical technologies pilot program implemented last November, these parallel and unprecedented developments demonstrate that CFIUS is aggressively investigating transactions not submitted under its voluntary review regime, and imposing and enforcing agreements to mitigate national security concerns.

In the past two weeks alone, reports have emerged that CFIUS has:

• Forced Beijing Kunlun Tech Co. Ltd. to divest its 2016 acquisition of the dating app company Grindr LLC, apparently based on concerns about the Chinese government’s potential exploitation of sensitive data relating to U.S. citizens;
• Required iCarbonX — another Chinese investor — to divest its majority stake in PatientsLikeMe Inc., an online network for discussing health conditions, likely due to similar concerns about sensitive personal data;
• Pressured a partially Russian-backed investment fund, Pamplona Capital Management, to divest its minority stake in a U.S. cybersecurity firm; and
• Imposed the first-ever civil penalty — $1 million — for repeated violations of a 2016 CFIUS mitigation agreement requiring the parties to a transaction to establish security policies and provide periodic compliance reports to CFIUS.

Key Takeaways

• CFIUS has the mandate, resources, and intent to investigate “non-notified” transactions, i.e., transactions for which parties do not voluntarily submit a notice to CFIUS. As a result of last year’s CFIUS-reform legislation — the Foreign Investment Risk Review Modernization Act (FIRRMA) — the Departments of the Treasury, Defense, and Justice have dedicated additional resources to identifying and investigating non-notified transactions.
• The unprecedented announcement of three forced divestitures within the past two weeks means that more examples of post-closing CFIUS actions are likely coming. Reports of CFIUS interfering in transactions post-closing used to be exceedingly rare. The news of the past two weeks demonstrates the real-world impact of CFIUS’s modernization.
• The risks of not voluntarily notifying CFIUS of a transaction that could be of interest are substantial. This should, in turn, impact the calculus of parties to a transaction within CFIUS’s jurisdiction regarding whether to voluntarily notify CFIUS of the transaction and seek pre-closing “clearance,” i.e., confirmation that there are no unresolved national security concerns. Once Treasury completes the rulemaking process to implement FIRRMA, parties to transactions that appear to present a low risk to national security should be able to avail themselves of a shorter-form declaration, which may enable parties to obtain clearance without going through the full CFIUS review and investigation process. Based on the experience thus far with the use of declarations in the CFIUS pilot program, however, it is not at all clear that submitting a declaration will be advantageous or more efficient, because CFIUS is generally not clearing transactions on the basis of the declaration alone. 
• Complying with a CFIUS mitigation agreement is at least as important as negotiating one. CFIUS has also increased its scrutiny of parties’ compliance with the terms of mitigation agreements, and we may see additional examples of civil penalties, likely in more extreme cases where these terms have been repeatedly violated or ignored.
• Consider likely CFIUS mitigation early in the process. Parties to more sensitive transactions from a CFIUS perspective — e.g., transactions involving U.S. businesses with sensitive technologies or vast amounts of sensitive personal data — should consider potential mitigation measures as early as possible. When considering these measures, note that the U.S. government will focus on whether they can be easily monitored and verified after closing the transaction.

Background: The New Reality of the “Modernized” CFIUS

CFIUS is an interagency committee of the U.S. government that reviews foreign acquisitions of or investments in U.S. businesses to ensure that any national security concerns are adequately addressed. Outside of the mandatory reporting requirements of the recently implemented critical technologies pilot program, the CFIUS process is voluntary. In other words, parties to a transaction within CFIUS’s jurisdiction have the option of notifying CFIUS and seeking clearance.

CFIUS clearance immunizes a transaction from future U.S. government scrutiny on national security grounds. Conversely, if the parties do not submit a voluntary notice on their own, CFIUS may request that they do so and has the authority to investigate the transaction unilaterally if necessary. In the most extreme cases, CFIUS can recommend that the president issue an executive order forcing the parties to unwind the transaction after closing. As demonstrated by the three divestitures noted above, however, a presidential order is usually not necessary to reach the same result — merely the threat of a recommendation to the president can be sufficient to convince the foreign investor to relinquish its stake in the U.S. business.

FIRRMA bolstered CFIUS’s authorities and resources, and enhanced its focus on key national security concerns, such as cybersecurity and foreign exploitation of personally identifiable information and other sensitive data of U.S. citizens. In response to concerns raised by Congress that too many transactions were eluding CFIUS’s review, FIRRMA directed CFIUS to establish a process to identify and report on transactions not voluntarily notified to CFIUS, but for which information is “reasonably available.” CFIUS was also directed to outline additional resources needed to better identify such non-notified transactions. As context for the three recent divestments, CFIUS has historically had the authority to investigate non-notified transactions, but such cases resulting in post-closing divestments have been relatively infrequent, in part because of CFIUS’s limited resources to find and pursue them.

FIRRMA also includes provisions relating to the enforcement of agreements entered into between CFIUS member agencies and the transaction parties to mitigate national security concerns CFIUS identified during its review. FIRRMA mandates that CFIUS consider, before entering into such a mitigation agreement, whether the agreement will enable effective monitoring and enforcement of its terms. CFIUS can now also impose civil penalties for any breach of a mitigation agreement, whether or not the violation was intentional or grossly negligent, as required under the prior standard for such penalties.