Authority and Powers: CFIUS has the authority to negotiate, enter into, or impose any agreement, condition, or order with any party to mitigate national security risk arising from a covered transaction or covered real estate transaction. CFIUS may do so after determining that (i) other provisions of law do not provide adequate authority to address the national security risk, (ii) mitigation measures will resolve such national security risk, and (iii) the mitigations measures are reasonably calculated to be effective, verifiable, and monitorable for as long as necessary. This includes circumstances in which a party has voluntarily chosen to abandon a covered transaction if CFIUS determines that mitigation measures are needed to effectuate such abandonment and address any attendant risk that arose as a result of the transaction. Examples of mitigation measures negotiated and adopted by CFIUS are available in the CFIUS Annual Report to Congress.
CFIUS Staffing and Resources: At the Department of the Treasury, the Office of Investment Security houses the Monitoring and Enforcement team, which oversees and coordinates monitoring of compliance with CFIUS mitigation measures established with transaction parties to address national security risks arising from covered transactions. Treasury, as the Chair of CFIUS, designates at least one other CFIUS member agency with a substantive interest in the transaction to negotiate, monitor, and enforce each active mitigation agreement, condition, and order. This ensures that compliance with all mitigation measures is monitored by the agencies best equipped to do so, each with its own expertise and specialized resources (the “CFIUS Monitoring Agencies” or “CMAs”). Monitoring activities coordinated by Treasury’s team include: conducting on-site compliance inspections; reviewing regular and ad hoc reports by designated compliance personnel and third-party auditors and monitors; investigating potential violations; and overseeing remedial action, as appropriate.
Designated Compliance Personnel: The Committee’s monitoring and compliance functions often leverage the skills and expertise of designated personnel of the transaction parties to ensure continuous and effective monitoring. For example, a mitigated entity will often be required to appoint a security officer—an employee with the requisite technical or managerial credentials—to oversee implementation and compliance at the operational level. Mitigation agreements may also require appointment of a security director or board observer. These personnel are responsible for board-level oversight of the mitigated business’s compliance efforts and for monitoring and reporting on related board decisions and discussions. Certain mitigation agreements, conditions, and orders may also require that the foreign investor’s role in the U.S. business be completely passive. This may be effectuated through the appointment of a proxyholder or voting trustee to represent the foreign investor in the business’s governance.
While each mitigation agreement, condition or order specifies the particular duties and responsibilities of the security officers and directors, board observers, proxyholders, or voting trustees, CFIUS expectations for these designated compliance personnel include that they:
- Maintain frequent, substantive contact with the mitigated entity’s other designated compliance personnel and the CMAs regarding all matters relevant to mitigation agreement compliance;
- Be available to meet with the CMAs without other company representatives;
- Act in the manner that they reasonably believe is in the national security interest of the United States;
- Refrain from providing guidance, counsel, or advice to any mitigated entity in connection with any matter that could be inconsistent with their duties as described in the mitigation agreement or order;
- Refrain from serving as an advocate on behalf of mitigated entities in their interactions with the CMAs; and
- Promptly notify the CMAs if they believe a conflict arises between their duties as designated compliance personnel and other positions they may hold in the mitigated entity.
CFIUS also supplements its monitoring efforts, where appropriate, by utilizing independent third-party providers as monitors, auditors, or consultants. Mitigation agreements, conditions, and orders typically require the use of such providers in sensitive and complex cases. These independent third-party providers often possess technical or industry expertise and can rapidly deploy resources when and where needed. Their work is critical not only in facilitating compliance and identifying gaps in processes or procedures, but also in devising improvements and other measures to improve compliance by mitigated companies.