CFIUS Update: 2023 Report to Congress and new enforcement website

2023 Annual Report

The CFIUS Annual Report to Congress (the Report) provides information on CFIUS’s activities in the previous calendar year, which in 2023 included reviewing 342 distinct transactions.

We have included below our key takeaways from the Report.

• Fewer filings: CFIUS received nearly 25% fewer filings than in 2022. This can be attributed, in part, to decreased global M&A activity.

• CFIUS reviewed 233 long-form notices in 2023, which is a decrease from 286 notices in 2022 and 272 notices in 2021. Of the 233 notices, 128 proceeded to the 45-day investigation phase (following the initial 45-day review period). In addition, 57 notices were withdrawn after commencement of an investigation, 43 of which were refiled as a new notice (likely to give the parties more time to resolve any identified national security issues).

• CFIUS reviewed 109 short-form declarations in 2023, which is a decrease from 154 declarations in 2023, 164 declarations in 2021, and 126 declarations in 2020. Following the 30-day assessment period for declarations, CFIUS requested that the parties file a full notice in 20 instances and informed the parties that it was unable to conclude action on the basis of the declaration in six instances (meaning that the parties had the option to file a full notice but were not required to). CFIUS cleared the remaining 83 declarations following the 30-day assessment period. The 76% clearance rate for declarations was an increase from the 58% clearance rate for declarations in 2022.

• Increased use of mitigation measures: CFIUS imposed mitigation measures and/or conditions in 43 instances, representing approximately 18% of the total number of 2023 notices. In 2022 and 2021, CFIUS imposed mitigation measures and/or conditions on 14% and 10% of notices, respectively.

• More clearances after 30 or 45 days: CFIUS cleared 66% of transactions that did not require mitigation measures within either 30 days (for short-form declarations) or 45 days (for long-form notices), an increase from 58% in 2022.

• Fewer withdraws and refiles: The number of notices that were withdrawn and refiled decreased from 63 in 2022 (24% of notices) to 43 in 2023 (18% of notices), the first such reduction in five years.

• Increased enforcement activity: As further detailed below, CFIUS imposed four civil monetary penalties for violations of material provisions of mitigation agreements, double the number of civil monetary penalties CFIUS had previously issued during its nearly 50-year history. CFIUS also issued its first ever formal determinations of non-compliance in connection with failures to comply with the mandatory filing requirements, and received its first voluntary self-disclosure of a potential failure to file a mandatory filing.

• Investors from China and the UAE lead the way in the number of filings: Investors from China filed the highest number of notices (33), accounting for 14% of the overall total, followed by investors from the United Arab Emirates (22), United Kingdom (19), Singapore (19), and Canada (16). However, when taking into account distinct transactions (i.e., counting only once those transactions that originated as a declaration and were then also filed as a notice, or notices that were refiled), the highest number of notices in 2023 were filed by investors from Canada, Japan, and the United Kingdom.

• Finance, information, and services sector continues to be the subject of most notices: In line with previous years, 50% of non-real estate notices were in the finance, information, and services sector, followed by the manufacturing sector (29%), the mining, utilities, and construction sector (11%), and the wholesale trade, retail trade, and transportation sector (10%).

• Continued focus on non-notified transactions: According to the Report, CFIUS identified and considered thousands of non-notified transactions (i.e., transactions for which a CFIUS filing was not made). CFIUS opened official inquiries for 60 transactions and formally requested filings for 13 transactions. There were also three instances in 2023 where the parties filed a declaration or notice for a non-notified transaction prior to receiving a formal request to file.

CFIUS enforcement

On August 14, 2024, the Treasury Department updated the CFIUS website to provide further clarity and transparency regarding CFIUS penalties and other enforcement actions. The new website provides information on the following enforcement actions involving monetary penalties imposed pursuant to Section 721(h) of the Defense Production Act of 1950 and CFIUS’s implementing regulations:

• In 2024, CFIUS resolved an enforcement action against a U.S. telecommunications provider, resulting in a USD60 million penalty, the largest penalty CFIUS has ever issued. The violations involved breaches of a National Security Agreement (NSA) the company entered into with CFIUS in 2018. CFIUS determined that, between August 2020 and June 2021, the company violated a material provision of the NSA when it failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS.

• In 2024, CFIUS imposed a USD1.25m penalty against a transaction party for submitting a notice and supplemental information containing five material misstatements, including forged documents and signatures. As a result of these misstatements, CFIUS rejected the filing, and the transaction was abandoned.

• In 2024, CFIUS resolved an enforcement action against a party to an NSA, resulting in a USD8.5m penalty. CFIUS determined that the company breached the NSA by failing to ensure that the compliance oversight responsibilities assigned to the company’s Security Director and the board of directors’ government security committee were, or could be, performed as required by the NSA. The enforcement action also resolved CFIUS’s investigation of potential additional violations of the NSA by the company relating to the transfer of certain intellectual property to third parties.

• In 2023, CFIUS resolved an enforcement action against a transaction party for two violations of a material provision of a CFIUS Letter of Assurance (LOA), resulting in a USD990,000 penalty. CFIUS determined that on two occasions the U.S. business involved in the transaction failed to maintain a statement on its website regarding its non-U.S. ownership, as required by the LOA.

• In 2023, CFIUS resolved an enforcement action against a transaction party for failing to effect the divestment of a non-U.S. acquirer’s interest in a U.S. business by the deadline specified in an NSA, resulting in a USD100,000 penalty.

• In 2019, CFIUS resolved an enforcement action against a transaction party for violations of a CFIUS interim order, including failure to restrict and adequately monitor access to protected data, resulting in a USD750,000 penalty.

• In 2018, CFIUS imposed a USD1m penalty against a transaction party that CFIUS determined had repeatedly breached its NSA, including failure to establish required security policies and failure to provide adequate reports to CFIUS.

The updated CFIUS website also includes information on Determination of Noncompliance Transmittal (DONT) Letters, which CFIUS can issue if it has determined that one or more violations of its regulations have occurred. The CFIUS website indicates that where CFIUS has issued a DONT Letter instead of pursuing monetary penalties, it has generally been in the context of first-time, inadvertent, and limited-scope violations that did not harm U.S. national security and had little potential to do so. Other relevant considerations include whether the parties made timely and complete voluntary self-disclosures, effectively and promptly remediated the violations, fully cooperated with CFIUS, operate an otherwise strong compliance program, or can demonstrate that the violation was related to difficult extrinsic circumstances.

For more information on CFIUS, please contact the authors or another member of the A&O Shearman team.