Proposed CFIUS Rules Affirm Evolution and Growth of Review Process, Expansion of Penalties 

April 15, 2024

On April 11, 2024, the Committee on Foreign Investment in the United States (CFIUS) issued a proposed update expanding its mitigation and enforcement provisions, the first such action since the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). The update, issued via a Notice of Proposed Rulemaking (NPRM), includes various provisions to enhance CFIUS’s ability to review and monitor both notified and non-notified transactions, as well as increases to the maximum applicable penalties for violating CFIUS’s regulations.

CFIUS Jurisdiction and Processes

Broadly speaking, CFIUS retains jurisdiction to review transactions in which foreign persons/entities invest in businesses or real estate within the United States. This jurisdiction includes transactions in which the U.S. investment represents a minority of the overall transaction (i.e., a small U.S. subsidiary of a larger international conglomerate) or when the investment does not amount to a majority stake in the U.S. business at issue.

For transactions subject to jurisdiction, parties may either (i) be required to file pursuant to CFIUS’s mandatory regime or (ii) elect to submit a voluntary declaration or notification to receive CFIUS clearance. As CFIUS has jurisdiction to review transactions even following closing, the latter voluntary filing regime provides parties with regulatory certainty in the event a transaction is subject to CFIUS jurisdiction. In the event parties do not notify CFIUS of a transaction, CFIUS may still initiate its own review and, depending on the circumstances, request the parties file a notification to address any potential national security concerns.

For transactions in which CFIUS does identify national security concerns, the parties may be required to agree to mitigation measures to address said concerns and, therefore, receive regulatory clearance from CFIUS.

NPRM Provisions as Compared to Current Processes

The NPRM addresses three areas:

  1. CFIUS’s ability to request information from parties in notified and non-notified transactions,
  2. timing for responding to proposed mitigation measures from CFIUS, and
  3. the applicable penalty regime for violating CFIUS regulations.
1. Requests for Information

Current Regulation: CFIUS may request information necessary to determine whether a non-notified transaction is a “covered transaction” subject to CFIUS jurisdiction. CFIUS may also issue a subpoena “[i]f deemed necessary” by the Committee.

NPRM: The NPRM expands CFIUS’s ability to request information to do any of the following:

  1. Determine whether a non-notified transaction meets the requirements of CFIUS’s mandatory declaration regime or may raise national security concerns.
  2. Monitor compliance with the terms of a mitigation agreement.
  3. Determine whether parties made a material misstatement or omitted information during a previously closed investigation.

Further, the NPRM would revise CFIUS’s ability to issue subpoenas to only require a finding that such subpoena is “appropriate” (rather than necessary).

2. Responding to Mitigation Proposals

Current Regulation: Parties are not subject to any specific timeframe to respond to proposed mitigation measures from CFIUS. Although filing parties generally have significant incentives to respond in a timely manner, transactions that were not notified or already closed may not carry the same incentive mechanism.

NPRM: Parties must substantively respond within three business days of CFIUS’s proposal. A “substantive” response includes:

  1. acceptance of terms,
  2. a counterproposal, or
  3. an explanation of why parties cannot comply with the proposed terms.

The proposed timeline aligns with other aspects of the CFIUS review process where parties must provide information within two to three business days of the request.


Current Regulation: Civil penalties may be assessed in several scenarios, including parties making material misstatements, failing to submit a mandatory declaration when required, and violating the terms of a mitigation agreement. The maximum penalty per such violation is the greater of $250,000 or the value of the transaction. Parties may request reconsideration of a civil penalty within 15 business days.


  1. Includes a substantial increase of the maximum penalty to $5M per violation for material misstatements, omissions, or false certifications made in a voluntary declaration or notice. Additionally, the maximum penalty is increased to the greatest of $5M, the value of the party’s interest in the U.S. business, or the value of the transaction for similar violations (e.g., false statements) in the mandatory filing setting or breaches of mitigation agreements or orders. CFIUS bases this increase on the fact that the $250,000/violation figure was developed over 15 years ago and may not properly reflect the value of transactions submitted to CFIUS.
  2. Expands the penalty regime to apply to material misstatements or omissions made in response to any CFIUS request for information, including non-notified transactions and compliance/monitoring of mitigation agreements.
  3. Increases the timeframe for requesting reconsideration of a civil penalty from 15 to 20 business days.

The NRPM represents the most substantive expansion of CFIUS regulations since the enactment of FIRRMA in 2018, further indicating the continuing growth and importance of CFIUS review in transactions where foreign persons or entities invest in U.S. businesses. Parties that are considering transactions with such investments, even on a minority basis, should closely consider the foregoing when determining if and when a CFIUS filing is appropriate.

Share on LinkedIn


Robert K. Magovern

Co-Vice Chair, Transportation & Trade

(202) 463-2539

Matthew J. Howell


(202) 912-4879

Rachel Schwartz


(202) 280-6507

Related Practices