Speech
Assistant Attorney General for National Security John C. Demers Delivers Keynote at ACI’s Sixth National Conference on CFIUS: Compliance and Enforcement
Location
Washington, DC
United States
Remarks as Prepared for Delivery
Good morning, and thank you for that kind introduction and the invitation to speak with you.
One of the major activities of DOJ’s National Security Division is working with our interagency partners to protect against adversaries that would exploit our country’s open investment climate to harm our national security interests. This conference is devoted to that aspect of our work, and offers an opportunity to engage with the private sector about the threats we face and the steps taken to address those threats.
What I would like to discuss with you today is one specific element of our Division’s foreign investment review work, which is our increasing focus on compliance and enforcement.
Looking at the numbers, only very few of the transactions we review are blocked. That does not necessarily mean the others pose no national security risk; rather, for most transactions that involve national security risk, we are successful in working with companies to craft mitigation measures that enable us to resolve the risk without resort to barring the transaction. Our ability to negotiate mitigation agreements with parties and then monitor compliance is often overlooked in public discussions of foreign investment review, but that part of our program is absolutely crucial. For that reason, today I would like to focus on the “back end” or “compliance tail” of our reviewed transactions, and to provide what I hope are some helpful insights into our compliance priorities and how those priorities can inform your own approach to mitigation and compliance.
As you are all aware, the Department of Justice’s mitigation activities related to foreign investment arise chiefly in the context of two interagency groups: (1) the Committee on Foreign Investment in the United States; and (2) the newly minted Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector. This new committee was established this past spring by Executive Order, and formalized the process known for years as Team Telecom, but unfortunately burdened it with the nearly unpronounceable acronym of CAFPUSTSS (pronounced caf-PUSS-tiss). Here, for ease of our conversation, I will set aside this tongue twisting acronym and instead continue to refer to the committee as Team Telecom.
In both of these interagency groups, the Department of Justice and our interagency partners can usually resolve national security and law enforcement risks by negotiating mitigation measures with the transaction parties. Those measures can range from the relatively straightforward, such as routine notice requirements, to the very complex – for example, imposing certain governance restrictions. Once memorialized in a written agreement, we monitor compliance to ensure our identified concerns remain mitigated.
Since 2012, the number of mitigation agreements monitored by the Department of Justice has nearly doubled, and this upward trend shows no signs of abating. Without effective mitigation monitoring by both the government and the parties themselves, the number of reviewed transactions able to clear CFIUS and Team Telecom would be far fewer. For this reason, robust and effective compliance programs are in the mutual interest of both government and industry.
Before I turn to some of the specifics of our compliance work, however, let me first discuss how compliance and enforcement have recently changed as the result of two significant reforms – first, the Foreign Investment Risk Review Modernization Act (FIRRMA); and second, the Team Telecom Executive Order.
COMPLIANCE AND ENFORCEMENT CHANGES IN FIRRMA
The passage of FIRRMA represents the most significant expansion of the Committee’s authority to address national security risks in over a decade. Less discussed, but also important, are the expanded authorities under FIRRMA to mitigate identified risks to national security.
Foremost, FIRRMA now statutorily requires that mitigation agreements be effective, verifiable and enforceable.[1] The Department of Justice evaluates all mitigation agreements through this framework, which includes determining how potential obligations and commitments will work in the real world. In light of what motivates the transaction and the incentives of the parties, is the agreement reasonably calculated to be effective? Can compliance with the agreement be verified? Can the terms be meaningfully monitored and, if needed, enforced?
I want to highlight that for mitigation to be a feasible option, we need to have confidence that the party with whom we are engaged can be trusted. If we have reason to believe a party will violate a mitigation agreement, we’re not going to enter into the agreement and hope that our monitoring will be able to catch all violations; rather, we will have no choice but to block a transaction. Examples of situations that could present trust issues are a company with a history of non-compliance; or a company that is either owned by a foreign government we do not trust, or is under the jurisdiction of a government that is not subject to the rule of law and can compel that company to act in ways that violate its mitigation agreement. All of these factors bear on the Department’s evaluation of the feasibility of proposed mitigation, and should also serve as guideposts for industry as to how the Department views mitigation.
Second, when a party materially breaches a mitigation agreement or order, FIRRMA creates new authorities to supplement the existing power to impose civil penalties or reopen the review of the transaction. Those new authorities include:
- imposing a remediation plan on non-compliant parties that, if not adhered to, will serve as the basis for a finding of material breach;
- mandating a party to file certain other covered transactions for review after a determination of breach; and
- seeking injunctive relief.[2]
Third, FIRRMA requires CFIUS to review existing mitigation agreements or conditions to determine if they should be amended, phased out or terminated.[3] This authority is particularly noteworthy because, given the lengthy life span for many mitigation agreements, we now have the flexibility to adapt to unanticipated changes in technology, practices, or circumstances.
Finally, FIRRMA imposes on the Committee increased reporting requirements to Congress to help maintain accountability for the Executive Branch’s work to mitigate cases, consistent with Congress’s oversight role.[4]
TEAM TELECOM EXECUTIVE ORDER
As many of you know, the President signed in April 2020 an Executive Order that formalizes and improves the work of Team Telecom. This new committee will advise the FCC on national security and law enforcement concerns associated with applications for telecommunications licenses meeting certain foreign ownership and control thresholds. With respect to enforcement, the Executive Order explicitly anticipates that Team Telecom may need to conduct reviews of existing license holders that could lead to a recommendation to revoke their licenses. The Executive Order made the Attorney General the chair of Team Telecom, and the Department will pay particular attention to compliance with any Team Telecom mitigation agreements upon which FCC licenses are conditioned.
Taken together, these changes to both CFIUS and Team Telecom have laid the groundwork for a more robust and comprehensive mitigation regime, and mark an important inflection point in the approach of the Department to mitigation.
CHANGES TO FIRS STRUCTURE
A manifestation of that inflection point is the recent restructuring and expansion of the Department of Justice’s Foreign Investment Review Section (FIRS), which is part of the National Security Division.
Among other changes, in early 2018, FIRS stood up a dedicated compliance and enforcement team headed by a newly created Deputy Chief position. Although many considerations informed this decision, a useful shorthand is to note that over the last decade the number of agreements monitored by the Department has increased by over 135%. On equal footing with the teams that review the CFIUS and Team Telecom cases, the compliance and enforcement team will help ensure that the National Security Division’s mitigation agreements are complied with and, when necessary, enforced.
When I talk about compliance and enforcement, I want to emphasize that those two words are not viewed as synonyms within the Department of Justice, but rather as expressions of two different types of work to achieve our mitigation goals.
Compliance encompasses a broad range of concepts that coalesces around a cooperative relationship between the transaction parties and the government monitoring agencies. Although we strive to keep all our mitigation efforts in this cooperative posture, we acknowledge that circumstances may sometimes necessitate a more adversarial engagement to protect our national security priorities, if parties are not complying with the mitigation requirements.
That is when we transition into an enforcement posture, and we believe the Department is uniquely qualified through its investigative and litigation resources to make effective use of such enforcement actions, to include seeking judicial remedies.
THE EVOLVING COMPLIANCE AND ENFORCEMENT LANDSCAPE
Partly for the reasons I just described, the Department of Justice has been at the forefront of the changing compliance and enforcement landscape. No doubt most of you are aware of the recent emphasis by CFIUS on enforcement, reflected by two enforcement actions in which the Department of Justice played an integral role.
In 2018, CFIUS imposed a $1 million civil penalty for multiple breaches of a 2016 CFIUS mitigation agreement, including failure to establish requisite security policies and failure to provide adequate reports to CFIUS. This was the first penalty imposed by CFIUS since the enactment of the Foreign Investment & National Security Act (FINSA) in 2007.
This penalty was followed by a $750,000 penalty in 2019 that was assessed for violations of a 2018 CFIUS interim order, including failures to restrict and adequately monitor access to protected data, as defined in the order. The parties agreed to the penalty amount.
What should you know about these cases?
Although I cannot offer specific details, a common feature is the systemic failure to appropriately resource and support their compliance obligations. Stated simply, these companies lacked a compliance culture up to the task of the compliance obligations they undertook.
Returning to an earlier point, mitigation agreements must be effective, verifiable and enforceable. Those baseline requirements impose on companies entering into mitigation agreements – at a minimum – an obligation to weigh carefully their ability to comply with the terms. Will the agreement be effective?
It is not just the government that needs to assess the answer to this and related questions. Companies must also consider the cost of compliance, and must be willing and able to make a commitment to prioritize compliance. Otherwise, the obligations undertaken in a mitigation agreement may wind up positioning a company for failure, and resulting in enforcement actions by the government.
We understand the very real financial and other costs often associated with complying with mitigation agreements. Part of our effort is to ensure that mitigation agreements are realistic in light of the business purpose of the transaction in question (otherwise, it seems unlikely compliance will follow). But our responsibility for protecting national security, and enforcing the agreements we reach, always takes precedence.
I would like to make brief mention of recent enforcement activities regarding the U.S. subsidiary of China Telecom, which is a Chinese state-owned entity. As you may be aware from our April 2020 recommendation to the FCC, the Executive Branch agencies identified substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations, which is why we recommended that the FCC revoke its licenses. That recommendation was based on several factors, but many of them relate to the company’s failure to comply with a 2007 mitigation agreement. Other factors include the company’s inaccurate statements concerning the storage of U.S. records and its cybersecurity policies. The company’s operations also provided opportunities for P.R.C. state actors to engage in malicious cyber activity enabling economic espionage and disruption and misrouting of U.S. communications. And, it followed logically that additional mitigation terms would give us no comfort with a party we cannot trust to follow them. The Foreign Investment Review Section identified those compliance issues through its mitigation monitoring program. As a result, the Executive Branch agencies concluded that the national security and law enforcement risks associated with China Telecom’s international Section 214 authorizations could not be mitigated by additional mitigation terms.
WHAT WE LOOK FOR IN A MITIGATION AGREEMENT
So what are we looking for when we enter into a mitigation agreement with you? To give a classic lawyer answer, it depends.
There is, of course, no “off the shelf” mitigation agreement that will work with every reviewed transaction, or a menu of boilerplate provisions that need only be plugged into a template. In the Department of Justice’s view, effective mitigation agreements must be tailored to the unique needs and risks identified by each transaction. Importantly, our compliance obligations are not static, but rather ever evolving with technological changes, new business practices or any number of developments that can change our analysis.
There are, however, certainly some common characteristics of an effective mitigation agreement.
Internal Compliance Oversight
Mitigation agreements should contain sufficient internal compliance controls and procedures. Although the specifics will be different for each mitigation agreement, examples include security directors and officers who are appropriately resourced to enforce compliance and are within or have direct access to senior management when issues arise.
External Compliance Oversight
Mitigation agreements should also have provisions for independent verification of compliance obligations. In the complex business ecosystem in which many companies exist, fully appreciating the industry-specific complexities relevant to all compliance matters can be daunting. Some of the more robust mitigation agreements will therefore employ the use of third-party monitors to assist with the specialized monitoring requirements involving such fields as accounting or information technologies.
Engagement with the Monitoring Agencies
Mitigation agreements should also provide for engagement with the monitoring agencies. This broadly means transparent and prompt communication regarding all aspects of the material obligations undertaken in a mitigation agreement. Put simply, we need to know when a compliance matter arises, and will need your active assistance with any necessary follow-up or investigation. This engagement also includes commitments to support site visits, interviews of company personnel, review of responsive documents, as well as similar access requirements. Mitigation agreements should reflect these priorities through access provisions, notice requirements and reporting obligations. And we note that, as significant as recent CFIUS penalties have been, those penalties themselves reflect significant discounts because of the cooperation we ultimately received and other positive aspects of our relationship with the parties.
Related to this point, we have found at times that during negotiations transaction parties will – in the understandable desire to see the deal close – agree to mitigation measures without a complete appreciation of what those measures entail or what burdens they may involve. From our perspective, this outcome can be avoided by ensuring those who are making the promises are communicating with those who are charged with keeping those promises.
HOW DO WE MONITOR OUR AGREEMENTS
This brings us to a discussion of how the Department of Justice monitors compliance with mitigation agreements. Here again, there is no “one-size-fits-all” approach to monitoring. Each mitigation agreement will require a tailor-made approach that will be informed by, among other considerations, the nature of the business, the identity of the transaction parties, and any prior compliance history with CFIUS.
So how can we tell that parties are complying with agreements, and as a result, that mitigation is working? As I mentioned earlier, we start with agreements that we assess will be effective if performed. Then, we make sure parties are holding up their end of the bargain by using a number of methods.
For example, we often conduct in-depth site visits. We see this type of monitoring as central to our mission. Site visits are not intended to be restricted to short briefings with a PowerPoint presentation in a conference room at corporate headquarters. Instead, they may very well involve multi-day, all-encompassing visits that can include discussions with key officers and staff, inspection of physical premises, and demonstrations of relevant technologies or security features. We are often accompanied by subject matter experts, including FBI special agents and other personnel who are able to bring their expertise to bear. Last year alone, we conducted approximately 35 site visits, and as we continue to expand the resources of the compliance and enforcement team, we anticipate a particular emphasis will be placed on expanding the number of companies that we visit, and the frequency of our site visits across the entire portfolio, with a particular focus on those companies with compliance challenges.
Although the present pandemic has restricted some of our efforts around site visits, we are exploring short-term technological solutions that will allow us to continue those engagements even without in-person meetings. To minimize travel, we have also relied on local FBI field offices and other DOJ components to provide in-person reviews when needed.
Another significant example of compliance measures is that we require internal security directors and security officers to have substantial independence to inform the Department of Justice when issues arise. Internal compliance is not just a box to check, but a real safeguard for the Department – and for the companies themselves – to help ensure that companies are implementing and adhering to the promises they undertake. These internal security directors and officers – our “boots on the ground” – give the Department the ability to conduct interviews, seek information, and impose additional monitoring or compliance measures under a mitigation agreement. It is also important to note that these internal security directors and officers are most effective when companies embrace a culture of compliance, or, as I prefer, a culture of integrity, such that all employees have a ready avenue to report issues freely, without concern about retaliation.
As a final example, mandatory reports and notifications give us a helpful view into a company’s compliance program, and whether the company has been treating compliance as a year-round exercise or as a mere deliverable that must be turned in before the year ends. Just like a college professor, we can tell when something was thrown together at the last minute.
And a quick word about changed circumstances. Although in our efforts to assess and mitigate risk we attempt to account for the rapidly changing business and technological landscape, because our agreements may remain in force for decades, changes in business practices or new threat vectors (among others) may cause us to seek to revise our agreements to address those changed circumstances.
Through these mitigation measures and others, the Department of Justice seeks to craft mitigation agreements that are tailored as necessary, and we also try to think creatively when warranted about novel mitigation measures that may help enable us to resolve the national security concerns that would clear a case even in the presence of national security concerns.
I hope my remarks this morning have been helpful in illuminating how the Department of Justice approaches mitigation, compliance, and enforcement in our foreign investment reviews. We have dedicated more resources to ensuring that the agreements we reach are effective at mitigating the risks that concern us and backed by a credible, long-term commitment to monitoring them for compliance. A strong compliance and enforcement program gives us greater comfort in clearing cases that we otherwise might not be comfortable with, which, in turn, facilitates the fair and open investment climate that benefits all of us.
Thank you again for your kind invitation to this conference and for your time today. I wish you all continued health, and please stay safe. Thank you.
Updated July 16, 2020