Authority & Possible Basis of Violation
Section 721 of the Defense Production Act of 1950, as amended (50 U.S.C. § 4565) (Section 721) authorizes the Committee to impose monetary penalties and seek other remedies for violations of Section 721, the regulations promulgated thereunder, or related mitigation orders, conditions, or agreements. Treasury’s Monitoring and Enforcement team administers the regulations that address the imposition of such penalties and other remedies. (For more on these authorities, see Section 721 and 31 C.F.R. §§ 800.901, 800.902, 801.409, 802.901, and 802.902.)
Three categories of acts or omissions may constitute a violation giving rise to civil penalties:
- Failure to File. Failure to timely submit a mandatory declaration or notice, as applicable.
- Non-Compliance with CFIUS Mitigation Terms. Conduct that is prohibited by or otherwise fails to comply with CFIUS mitigation agreements, conditions, or orders.
- Material Misstatement, Omission, or False Certification. Material misstatements or omissions filed with CFIUS, and false certifications provided in connection with CFIUS filings.
Enforcement
Introduction
In exercising its mission to protect U.S. national security, CFIUS takes compliance very seriously and carefully investigates potential violations of mitigation agreements, conditions, and orders, and violations of CFIUS regulations. In each case, the Committee reviews and considers the facts and circumstances, including any mitigating and aggravating circumstances as described in our CFIUS Enforcement & Penalty Guidelines, and makes a case-by-case decision on what, if any, enforcement action is appropriate.
CFIUS member agencies have dedicated staff for monitoring and enforcement activities. At the Department of the Treasury, the Office of Investment Security houses the Treasury’s Monitoring and Enforcement team, which is responsible for coordinating all CFIUS enforcement matters. These include civil monetary penalties and other remedies for material misstatements and omissions in CFIUS filings, false certifications, violations of mandatory filing requirements, and violations of mitigation agreements, conditions, or orders.
What is New in CFIUS Enforcement?
Over the last few years, the Committee has increased its investment in and focus on its monitoring and enforcement efforts. This has included dedicating substantially increased resources and staff across the Committee, and within Treasury in particular, further building out processes and procedures to proactively identify and address potential violations, and taking enforcement action where appropriate.
The Committee was initially established by executive order in 1975. Subsequently, Congress enacted legislation codifying the Committee’s membership, its authority to review and investigate transactions, and its enforcement authority. From that time through 2022, CFIUS had only issued two civil penalties.
Now, CFIUS is increasingly exercising its enforcement remedies, including civil monetary penalties, while also honing and refining its enforcement regulations and tools.
The Committee is building out institutional business tools and practices to further strengthen CFIUS compliance and enforcement functions. For example, there is now a Committee-wide monitoring and enforcement Case Management System to improve data collection, sharing, retention, and analysis. This will allow more targeted, prompt, and systematic reviews of potential compliance matters and associated enforcement before the Committee.
In 2024, Treasury proposed amendments to CFIUS regulations to strengthen enforcement authorities in several key respects. Such amendments were designed to increase the maximum penalties for violations of statutory and regulatory provisions, including agreements entered into and conditions or orders issued pursuant thereto; expand the types of information the Committee may require transaction parties and other persons to provide; and modify certain other provisions in the regulations that implement provisions of Section 721 of the Defense Production Act of 1950, as amended.
The Committee also continues to actively engage with lawyers, auditors, and other professional service providers regularly involved in CFIUS matters to advance stronger compliance, receive feedback and discuss voluntary filings, voluntary self-disclosures, and mandatory declarations.
When do Violations Lead to Penalties or Other Remedies?
CFIUS is authorized to seek remedies for violations of applicable law and regulations, as well as of mitigation orders, conditions, and agreements. However, a violation does not necessarily lead to a civil monetary penalty or other remedy, as CFIUS will assess whether a penalty or other remedy is appropriate. CFIUS will determine the appropriate course of action by investigating the facts and circumstances of the violation, and weighing the aggravating and mitigating factors as described in our CFIUS Enforcement & Penalty Guidelines. Factors that are relevant in the context of one violation will not necessarily be relevant in the context of another.
In addition to monetary penalties, CFIUS has the authority to, in certain circumstances:
- Revoke safe harbor and unilaterally initiate a new review of the transaction, which may include the imposition of mitigation measures - 50 U.S.C. § 4565(b)(1)(D)(iii), 50 U.S.C. § 4565(l)(3)(A)(i).
- Negotiate a remediation plan, the breach of which is subject to penalties - 31 C.F.R. § 800.902(a), § 802.902(a).
- Require a party to file with CFIUS regarding future covered transactions for up to five years - 31 C.F.R. § 800.902(b), § 802.902(b).
- Seek injunctive relief - 31 C.F.R. § 800.902(c), § 802.902(c).
Enforcement and Penalty Guidelines
In 2022, Treasury released the first-ever CFIUS Enforcement and Penalty Guidelines describing:
- The types of conduct that may result in enforcement action
- The sources of information on which CFIUS relies
- The key steps of the penalty process that the Committee generally follows
- Examples of aggravating and mitigating factors the Committee may consider in determining the appropriate response to a violation, including the following:
  - Accountability and future compliance
    - The impact of the enforcement action on protecting national security and ensuring that Subject Persons are held accountable for their conduct and incentivized to ensure compliance, including promoting compliance and cooperation with Section 721, such as through self-disclosures, where appropriate.
  - Harm to national security
    - The extent to which the conduct impaired or threatened to impair U.S. national security.
  - Negligence, awareness, and intent
    - The extent to which the conduct was the result of simple negligence, gross negligence, intentional action, or willfulness.
    - Effort to conceal or delay the sharing of relevant information with CFIUS.
    - The seniority of personnel within the entity that knew or should have known about the conduct.
  - Persistence and timing
    - The length of time that elapsed after the Subject Person became aware, or had reason to become aware, of the conduct, and before CFIUS became aware of the conduct and/or its remediation.
    - The frequency and duration of the conduct.
    - In the case of a violation of CFIUS agreements, conditions, or orders (“CFIUS Mitigation”), the length of time since CFIUS Mitigation was issued or became effective.
    - In the case of a failure to file a mandatory declaration, the date of the transaction at issue.
  - Response and remediation
    - Whether the Subject Person submitted a self-disclosure, including the timeliness, nature, and scope of information reported to CFIUS.
    - Whether the Subject Person cooperated completely in the investigation of the matter (e.g., providing timely and detailed responses).
    - The promptness of complete and appropriate remediation of the conduct, including the remedial steps taken upon learning of a violation.
    - Whether there was an internal review of the nature, extent, origins, and consequences of the conduct to prevent its reoccurrence.
  - Sophistication and record of compliance of the involved actor
    - The Subject Person’s history and familiarity with CFIUS and, if applicable, past compliance with CFIUS Mitigation.
    - Internal and external resources dedicated to compliance with applicable legal obligations (e.g., legal counsel, consultants, auditors, and monitors).
    - Policies, training, and procedures in place to prevent the conduct and the reason for the failure of such measures.
    - Variation in the consistency of compliance, both horizontally across the entity, and vertically from directors and officers to supporting staff.
    - The compliance culture that exists within the company (e.g., demonstrated commitment to compliance with applicable legal obligations).
    - The experience of other federal, state, local, or foreign authorities with knowledge of the Subject Person in the assessment of the quality and sufficiency of compliance with applicable legal obligations.
    - In the case of a violation of CFIUS Mitigation, the extent to which written compliance policies or training on the terms of the relevant CFIUS Mitigation were communicated and implemented across the entity.
    - In the case of a violation of CFIUS Mitigation, the extent to which the authority, role, access and independence of any security officer were sufficient and in compliance with the terms of CFIUS Mitigation.
These Guidelines also highlight the importance and potential benefits of timely and complete self-disclosure of any conduct that may constitute a violation.
Enforcement Actions Taken by Committee
Enforcement Actions That Impose Penalties
The following enforcement actions involved monetary penalties pursuant to Section 721(h) of the Defense Production Act of 1950. In certain instances, such as where a party publicly disclosed the existence and/or completion of a CFIUS review or related compliance obligations, the Committee may disclose more information, consistent with the law and regulations. In each case, the Committee takes into account, among other things, the goals of enforcement and national security, consistent with CFIUS’s confidentiality obligations.
- In 2024, following an initial Notice of Penalty issued in 2023, CFIUS resolved an enforcement action against T-Mobile US, Inc. (“T-Mobile”), a telecommunications company, resulting in a $60 million penalty. As publicly disclosed by T-Mobile, the company entered into a National Security Agreement (“NSA”) with CFIUS in 2018 in connection with T-Mobile’s merger with Sprint and the foreign ownership of the resulting entity. CFIUS determined that between August 2020 and June 2021, in violation of a material provision of the NSA, T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm. CFIUS concluded that these violations resulted in harm to the national security equities of the United States. T-Mobile has worked with CFIUS to enhance its compliance posture and obligations and has committed to working cooperatively with the U.S. Government to ensure compliance with its obligations going forward.
- In 2024, CFIUS imposed a $1.25 million penalty, the maximum amount authorized under the applicable CFIUS regulations, against a transaction party for submitting a joint voluntary notice (“JVN”) and supplemental information containing five material misstatements, including forged documents and signatures. CFIUS also rejected the filing as a result of the misstatements, and the transaction was abandoned. Through its investigation, CFIUS found that the foreign acquirer had made material misstatements in the JVN regarding the source of funding for the transaction and related agreements, as well as subsequent material misstatements during CFIUS’s review, which impaired the Committee’s ability to assess the risk to national security arising from the subject transaction and increased the potential harm to national security.
- In 2024, following an initial Notice of Penalty issued earlier in that year, CFIUS resolved an enforcement action against a party to a National Security Agreement, resulting in an $8.5 million penalty. CFIUS determined that the company’s majority shareholders orchestrated an initiative to remove all of the company’s independent directors, thereby causing the Security Director position to be vacant and the board of directors’ government security committee (“GSC”) to be defunct, resulting in a breach of the NSA. CFIUS concluded that the company breached its NSA by failing to ensure that the compliance oversight responsibilities assigned to the Security Director and to the GSC under the NSA were or could be performed, increasing the risk to the national security of the United States. The enforcement action also resolved CFIUS’s investigation of potential additional violations of the NSA by the company relating to transfer of certain intellectual property to third parties.
- In 2023, following an initial Notice of Penalty issued earlier in that year, CFIUS resolved an enforcement action against a transaction party for two violations of a material provision of a CFIUS Letter of Assurance (“LOA”), resulting in a $990,000 penalty. CFIUS determined that on two occasions the U.S. business failed to maintain a statement on its website regarding its foreign ownership, as required by the LOA. As a result of the two violations, actual and potential customers of the U.S. business may have lacked knowledge of its ownership by a foreign entity, possibly putting customers’ data and technology at risk. Aggravating factors included the duration of the violations, managerial involvement in the violations, failure to self-disclose the violations, and the U.S. business’s lack of compliance procedures and training. The U.S. business’s cooperation with CFIUS during its investigation was a mitigating factor.
- In 2023, following a Notice of Penalty issued earlier in that year, CFIUS resolved an enforcement action against a transaction party for its failure to effect divestment of the foreign acquirer’s interest in the U.S. business by the deadline specified in the National Security Agreement, resulting in a $200,000 penalty. CFIUS determined that this failure to effect divestment by the deadline prolonged the period of time in which the foreign acquirer’s interest in the U.S. business presented a risk to U.S. national security. Aggravating factors included repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and the transaction party’s failure to provide timely notice to CFIUS of its failure to meet the divestment deadline. Mitigating factors included particularly difficult market conditions during the COVID pandemic, among other factors.
- In 2023, following a Notice of Penalty issued earlier in that year, CFIUS resolved an enforcement action with a transaction party for its failure to effect divestment of the foreign acquirer’s interest in the U.S. business by the deadline specified in the National Security Agreement, resulting in a $100,000 penalty. CFIUS determined that the party’s failure to effect divestment by the deadline prolonged the risk to U.S. national security arising from the foreign acquirer’s ownership interest in the U.S. business. Aggravating factors included repeated violations of other NSA provisions, prolonged failure to make serious efforts to divest, and failure to timely notify CFIUS that it would be unable to meet the divestment deadline. Mitigating factors included the transaction party’s small size and lack of sophistication, and particularly difficult market conditions during the COVID pandemic.
- In 2019, following a Notice of Penalty issued earlier in that year, CFIUS resolved an enforcement action against a transaction party for violations of a CFIUS interim order, including failure to restrict and adequately monitor access to protected data, as defined in the order, resulting in a $750,000 penalty.
- In 2018, CFIUS imposed a $1,000,000 penalty against a transaction party that CFIUS determined had repeatedly breached its National Security Agreement, including failure to establish required security policies and failure to provide adequate reports to CFIUS.
Determination of Noncompliance Transmittal (“DONT”) Letters
Where CFIUS has determined that one or more violations occurred, Treasury or another CFIUS Monitoring Agency (“CMA”) may issue a Determination of Noncompliance Transmittal (“DONT”) Letter. A DONT Letter notifies the party or parties that the CMAs have determined that one or more violations occurred, but that, after considering the relevant information in their possession as well as the relevant aggravating and mitigating factors, the CMAs have either decided not to pursue further enforcement remedies or require additional information to assess if a penalty is warranted. In the event that CFIUS later pursues penalties against the same party for a separate violation, the violation identified in the previous DONT Letter may be a relevant aggravating factor.
Generally, where the CMAs have issued a DONT Letter instead of pursuing monetary penalties, it has been in the context of first-time, inadvertent, and limited-scope violations that did not harm national security and had little potential to do so. Other relevant considerations include whether the parties made timely and complete voluntary self-disclosures, effectively and promptly remediated the violations, fully cooperated with the CMAs, operate an otherwise strong compliance program, or can demonstrate that the violation was related to difficult extrinsic circumstances. However, even where some or all of such factors are present, CFIUS may nevertheless determine that the violation merits a penalty, in which case the presence of these mitigating factors will be taken into consideration in determining the amount and/or terms of the penalty.
Examples of violations where CFIUS found that the circumstances, including the aggravating and mitigating factors present in these cases, warranted issuing a DONT Letter include:
- Failing to timely submit a mandatory declaration when it was a first-time offense and there was no resulting harm to national security and little potential for such harm.
- Failing to limit receipt and distribution of certain protected information to a segregated network, as required by a CFIUS Letter of Assurance.
- Transferring assets to a company controlled by certain foreign persons in violation of a CFIUS Order.
- Failing to prevent unauthorized access to restricted intellectual property.
In each of these situations, CFIUS determined that, in light of the unique mitigating and aggravating factors, a DONT letter, rather than another enforcement measure including monetary penalties, was appropriate.
Tips & Referrals
Members of the public may contact Treasury with any tips, referrals, or voluntary self-disclosures at CFIUS.tips@treasury.gov.