CFIUS Enforcement and Penalty Guidelines

Section 721 of the Defense Production Act of 1950, as amended (50 U.S.C. § 4565) (“Section 721”), authorizes the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) to impose monetary penalties and seek other remedies (e.g., directed notices, action plans) for violations of Section 721, the regulations promulgated thereunder, or mitigation orders, conditions, or agreements pursuant thereto (each of these referred to herein as a “Violation”).  The U.S. Department of the Treasury’s Office of Investment Security (“OIS”) administers the regulations that address the imposition of such penalties and other remedies under Section 721: 31 C.F.R. §§ 800.901, 800.902, 801.409, 802.901, and 802.902.  These Enforcement and Penalty Guidelines (the “Guidelines”) describe three categories of conduct that may constitute a Violation, the process the Committee generally follows in imposing penalties, and some of the factors it considers in determining whether a penalty is warranted and the scope of any such penalty.  These Guidelines also highlight the importance of prompt and complete self-disclosure of any conduct that may constitute a Violation.  In these Guidelines, we refer to the person (whether an individual or entity) who may be liable to the United States for a monetary penalty or otherwise be subject to one of the other remedies provided for in the CFIUS regulations as the “Subject Person.”

CFIUS penalties and other remedies under Section 721 are available without prejudice to civil or criminal penalties that may be applicable under other authorities, and CFIUS may refer conduct to other government enforcement authorities where appropriate. 

Types of Conduct That May Constitute a Violation 

These Guidelines address three categories of acts or omissions that may constitute a Violation:

  • Failure to File.  Failure to timely submit a mandatory declaration or notice, as applicable.
  • Non-Compliance with CFIUS Mitigation.  Conduct that is prohibited by or otherwise fails to comply with CFIUS mitigation agreements, conditions, or orders (“CFIUS Mitigation”).
  • Material Misstatement, Omission, or False Certification.  Material misstatements in or omissions from information filed with CFIUS, and false or materially incomplete certifications filed in connection with assessments, reviews, investigations, or CFIUS Mitigation, including information provided during informal consultations or in response to requests for information. 

As described in further detail below, a Violation will not necessarily lead to a penalty or other remedy under Section 721.  CFIUS will exercise its discretion in determining when a penalty is appropriate, including by considering applicable aggravating and mitigating factors.

Sources of Information on which CFIUS Relies

In determining whether a Violation has occurred, CFIUS considers information from a variety of sources, including from across the U.S. government, publicly available information, third-party service providers (e.g., auditors and monitors), tips, transaction parties, and filing parties.  

  • Requests for Information.  CFIUS often requests information to support its monitoring of compliance with CFIUS Mitigation, as well as to investigate whether a Violation has occurred and what enforcement action, if any, should be taken.  As noted below, if CFIUS determines that a Violation has occurred, it will consider the Subject Person’s cooperation in response to requests for information in determining what action, if any, to take.  In addition to providing the requested information, parties may choose to provide any exculpatory evidence, as well as any defense, justification, mitigating factors, or explanation for the conduct at issue.
  • Self-Disclosures.  The Committee strongly encourages any person who engaged in conduct that may constitute a Violation to submit a timely self-disclosure, even if not explicitly required by any applicable CFIUS Mitigation or any other law or regulation.  A self-disclosure should take the form of a written notification describing all of the conduct that may constitute a Violation and all of the persons involved.  As noted below, CFIUS will consider the timeliness of any self-disclosure in determining the appropriate response to a Violation.  In assessing timeliness, CFIUS will consider whether discovery of the conduct at issue by CFIUS or other government officials has already occurred or was imminent prior to the self-disclosure.  CFIUS will also consider whether the reporting party or parties complied with any applicable CFIUS Mitigation requiring the disclosure of the conduct.  For the avoidance of doubt, these Guidelines do not replace or modify any reporting or notification requirements provided for under any applicable CFIUS Mitigation or any other law or regulation.  Where discovery of conduct that may constitute a Violation requires further investigation, the Subject Person may submit an initial self-disclosure and follow it up with a more detailed self-disclosure.  
  • Tips.  If anyone believes that a Violation may have occurred, CFIUS encourages them to submit tips, referrals, or other relevant information to the CFIUS tips line found on the CFIUS Monitoring & Enforcement page at 

To report conduct related to a transaction that is under review by CFIUS, the appropriate points of contact are those notified to the filing parties by OIS.  To report conduct related to CFIUS Mitigation, the appropriate points of contact are the CFIUS Monitoring Agencies.  To report other failures to comply with Section 721, such as failing to submit a mandatory declaration or notice, the appropriate point of contact is the CFIUS tips line.  For other points of contact, see the CFIUS Contact Information page at

When necessary and appropriate to gather information, CFIUS may use the subpoena authority provided for in the Defense Production Act, as amended. See 50 U.S.C. § 4555(a). 

In certain circumstances, CFIUS may communicate with Subject Persons prior to initiating the formal penalty process described in the next section.  These initial communications are purely for informational purposes and never constitute any form of waiver of any penalty, remedy, or other authorities by the government or any defense or excuse for the Subject Person. 

Penalty Process

The process for considering and imposing penalties is described in 31 C.F.R. §§ 800.901 and 802.901, or, for certain older transactions, in earlier regulations, as applicable.  The key steps in the penalty process are:

  • CFIUS sends the Subject Person a notice of penalty, including a written explanation of the conduct to be penalized and the amount of any monetary penalty to be imposed.  The notice will state the legal basis for concluding that the conduct constitutes a Violation and may set forth any aggravating and mitigating factors that the Committee considered.
  • The Subject Person may, within 15 business days of receipt of a notice of penalty, submit a petition for reconsideration to the CFIUS Staff Chairperson, including any defense, justification, mitigating factors, or explanation.  Upon a showing of good cause, this period may be extended by written agreement between the Staff Chairperson and the Subject Person.
  • If a petition for reconsideration is timely received, CFIUS will consider it before issuing a final penalty determination within 15 business days of receipt of the petition, which may be extended by written agreement between the Staff Chairperson and the Subject Person.
  • If no petition for reconsideration is timely received, CFIUS ordinarily will issue a final penalty determination in the form of a notice to the Subject Person.

Aggravating and Mitigating Factors

When determining any appropriate penalty in response to a Violation – including determining the appropriate amount for the penalty – CFIUS engages in a fact-based analysis in which it weighs aggravating and mitigating factors.  The weight CFIUS gives to any factor will necessarily vary depending on the particular facts and circumstances surrounding the conduct giving rise to the Violation.  Factors that are relevant in the context of one Violation will not necessarily be relevant in the context of another.  Some factors that CFIUS may consider aggravating or mitigating in determining an appropriate response to a Violation include this non-exhaustive list (presented in alphabetical order): 

  • Accountability and Future Compliance
    • The impact of the enforcement action on protecting national security and ensuring that Subject Persons are held accountable for their conduct and incentivized to ensure compliance, including promoting compliance and cooperation with Section 721, such as through self-disclosures, where appropriate.[1]
  • Harm
    • The extent to which the conduct impaired or threatened to impair U.S. national security.
  • Negligence, Awareness, and Intent
    • The extent to which the conduct was the result of simple negligence, gross negligence, intentional action, or willfulness.
    • Effort to conceal or delay the sharing of relevant information with CFIUS.
    • The seniority of personnel within the entity that knew or should have known about the conduct.
  • Persistence and Timing
    • The length of time that elapsed after the Subject Person became aware, or had reason to become aware, of the conduct, and before CFIUS became aware of the conduct and/or its remediation.
    • The frequency and duration of the conduct.
    • In the case of a Violation of CFIUS Mitigation, the length of time since the CFIUS Mitigation was issued or became effective.
    • In the case of a Failure to File, the date of the transaction at issue.
  • Response and Remediation
    • Whether the Subject Person submitted a self-disclosure, including the timeliness, nature, and scope of information reported to CFIUS.
    • Whether the Subject Person cooperated completely in the investigation of the matter (e.g., providing timely and detailed responses).
    • The promptness of complete and appropriate remediation of the conduct, including the remedial steps taken upon learning of a Violation.
    • Whether there was an internal review of the nature, extent, origins, and consequences of the conduct to prevent its reoccurrence.
  • Sophistication and Record of Compliance
    • The Subject Person’s history and familiarity with CFIUS and, if applicable, past compliance with CFIUS Mitigation.
    • Internal and external resources dedicated to compliance with applicable legal obligations (e.g., legal counsel, consultants, auditors, and monitors).
    • Policies, training, and procedures in place to prevent the conduct and the reason for the failure of such measures.
    • Variation in the consistency of compliance, both horizontally across the entity, and vertically from directors and officers to supporting staff.
    • The compliance culture that exists within the company (e.g., demonstrated commitment to compliance with applicable legal obligations).
    • The experience of other federal, state, local, or foreign authorities with knowledge of the Subject Person in the assessment of the quality and sufficiency of compliance with applicable legal obligations.
    • In the case of a Violation of CFIUS Mitigation, the extent to which written compliance policies or training on the terms of the relevant CFIUS Mitigation were communicated and implemented across the entity.
    • In the case of a Violation of CFIUS Mitigation, the extent to which the authority, role, access and independence of any security officer were sufficient and in compliance with the terms of the CFIUS Mitigation.

*    *    *

These Guidelines are non-binding and are not intended to, do not, and may not be relied upon to create any right or benefit, substantive or procedural, enforceable at law by any party in any administrative, civil, or criminal matter.  They can and will be updated as circumstances require.

The applicable statutes and regulations govern all CFIUS activities, and in the event of any inconsistency between these Guidelines and the applicable statutes and regulations, the applicable statutes and regulations shall prevail.  For additional information, please see 50 U.S.C. § 4565, 31 C.F.R. §§ 800.901, 800.902, 801.409, 802.901, and 802.902.

[1] Consistent with the goal of promoting compliance and cooperation with Section 721, CFIUS will continue its practice of publishing on its website information related to specific enforcement actions, but without disclosing information that is subject to confidentiality under section 721(c) of the Defense Production Act of 1950 as amended (50 U.S.C. § 4565(c)).