The purchase by Ant Financial, which is partially owned by the Chinese government, poses a test for the Treasury Department oversight body.
A Chinese company’s plan to acquire U.S. money transfer giant MoneyGram is raising fears that the communist government in Beijing could gain sensitive intelligence on Americans’ personal and financial information — including data on thousands of government employees and military personnel.
The purchase by Ant Financial, which is partially owned by the Chinese government, also poses a test for the 42-year-old Treasury Department oversight body that has been asked to review the deal to determine any security risks.
Lawmakers, national security experts and veterans of the review process say the Committee on Foreign Investment in the United States is ill-designed to assess all the national security implications of international mergers in the age of information — including the often-blurry picture of who actually controls foreign firms or who has access to an international company’s sensitive data.
Moreover, they say, it is severely understaffed to handle the rising number of complicated cases and lacks the authority to address evolving threats in telecommunications, media, agriculture and other industries.
In the case of Ant Financial’s proposed acquisition of MoneyGram, critics say, the fallout could include exposing personal data on millions of Americans.
CFIUS is expected to complete its review during the next several months.
"If the transaction is approved, China would gain direct access to a significant amount of transactional data in MoneyGram’s network," warns Rep. Robert Pittenger, a North Carolina Republican who serves on the Financial Services Committee and is vice chair of the Task Force on Terrorist Financing. "The data would include names, bank account numbers, as well as the location of MoneyGram customers."
Like other CFIUS critics, Pittenger wants a more rigorous review process to ensure such deals do not make the U.S. more vulnerable to foreign espionage, blackmail or cyberattacks.
Dozens of MoneyGram locations lie inside or within a few miles of some of the largest U.S. military installations, including Fort Bragg, N.C., where soldiers, their families and defense contractors commonly use the company’s money transfer services.
MoneyGram also has locations in about 200 countries. Pittenger told POLITICO he is concerned that the Chinese government could "leverage this personal information to harass dissidents, journalists and human rights activists who dare challenge the Chinese Communist Party."
Personal data can also fuel a variety of cyberattacks, helping hackers trick these targets into giving up login credentials to sensitive accounts.
The $880 million deal, announced in January, was described by Ant as "a significant milestone." The combination of the two firms, it said, "will provide greater access, security and simplicity for people around the world to remit funds."
The company insists that while Chinese government-owned enterprises, including state-run pension funds, are among Ant Financial's shareholders — making up more than 14 percent of the company’s ownership — it remains a privately run business.
"They are non-controlling stakes, don’t participate in management and don’t have access to things like consumer data," said Reze Wong, a company spokesman.
Others intimately familiar with the company's operations also reject the argument that China's leaders could gain access to data held by MoneyGram, which is headquartered in Dallas, Texas.
"You don't really understand China if you think that it has government involvement," said one source with direct knowledge who agreed to speak on the condition he not be identified by name. He said Ant "operates like any other private-sector company in the world," in which shareholders are involved in business operations "only at the macro level."
Moreover, advocates of the acquisition insist that any personal data now maintained on MoneyGram's computer servers in the U.S. will remain so under the deal and will be subject to U.S. regulations.
"We would continue to operate as a stand-alone company" and "customer information will continue to be encrypted and stored on our IT systems in Minneapolis in accordance with all applicable data protection requirements," MoneyGram said in a statement to POLITICO.
But pressure is building for CFIUS, which is made up of representatives of a variety of federal agencies, to give the case special attention.
Among the loudest voices is Euronet, a Kansas City electronic payment firm that has made a counteroffer to acquire MoneyGram.
In a letter to Treasury Secretary Steven Mnuchin this week, the company's CEO, Michael Brown, said that the amount of personal information that MoneyGram requires of its customers raises a series of national security questions, including whether that private data should be controlled by a Chinese company.
That information can include Social Security numbers, dates of birth, employer data, the source of any transfer, the reason for it, the recipient of the funds and the customer's relationship with them.
Similar details are also required for the beneficiary of any funds transferred through MoneyGram.
"The company that purchases MoneyGram will acquire sensitive information and must be in a position to safeguard and keep it secure. It must also ensure it is never misused," Brown wrote.
Ant pushes back against those claims. "Ant Financial volunteered and sought the CFIUS review of our proposed combination with MoneyGram and is steadfast in our commitment to protecting data of U.S. consumer," the company said in a statement in response to Brown's letter.
Euronet has also enlisted The Cohen Group, a D.C. consulting firm run by former Secretary of Defense and Republican Sen. William Cohen, to help make the case that the Ant deal would threaten national security — in the hopes of winning what amounts to a bidding war.
The Treasury Department, for its part, declined to address questions about the case. "We can't comment on or even acknowledge CFIUS filings," said an agency spokesman.
A major question for many remains: Who actually controls Ant?
The ownership "is difficult to discern," said a former U.S. government official familiar with the situation who spoke on the condition of anonymity, "especially given that Ant's ownership appears to include a significant Chinese government component."
The official points out that Ant now offers its customers credit scoring services and says it is unclear whether that information is ever shared with any Chinese government entity — and whether MoneyGram would also offer such services if acquired by Ant.
"This acquisition runs the risk of providing Ant Financial — and through that likely the Chinese government — access to personally identifiable information and personal financial data on millions of Americans," said another former senior U.S. official with experience in such reviews.
"That is a privacy concern, but it is also a national security concern," he added, citing recent allegations of Chinese government efforts to obtain sensitive information on U.S. citizens, such as the hacking of the Office of Personnel Management, which exposed the personnel files of over 20 million federal workers.
"The Chinese have a track record of trying to obtain personally identifiable information on lots of Americans," the former official said. "For what purpose? You could figure out who could be vulnerable to being targeted for intelligence gathering purposes or who has done things that might make them vulnerable to coercion or blackmail."
But settling such questions poses a real challenge for the inter-agency committee that has just begun reviewing the proposed MoneyGram deal.
"The number of cases there are record setting," said another former official who participated in recent CFIUS reviews. "They are really stretched right now."
The CFIUS cases are also more complex, involving a range of industries to include security-related software, telecommunications and other more traditional American companies such as railroads.
These transactions, the former official said, are “much more complicated, in part because a lot of them are Chinese.”
The Government Accountability Office, the oversight arm of Congress, is in the midst of a study to determine whether CFIUS needs more authority and resources to assess the national security implications of such deals. GAO is also looking at whether other agencies such as the FBI should be given a formal role in the review process, and whether cases involving Russia or China should get special attention.
Pittenger, the North Carolina congressman who requested GAO review the obscure CFIUS process, is working to ensure that, at a minimum, the MoneyGram case gets that extra attention.
"Our national security, especially in the Pacific, is rooted in our ability to hold the Chinese government accountable," he told POLITICO, "as well as opposing policies which provide China any knowledge of the personal financial activities of American citizens."