When Data Residency Meets Geopolitical and Competitive Reality: The Airwallex Controversy and DOJ Data Transfer Rules
Executive Summary
The recent public dispute between venture capitalist Keith Rabois and Airwallex CEO Jack Zhang has thrust into the spotlight a critical question facing global fintech companies: Can firms with significant Chinese operations credibly promise that U.S. customer data remains beyond Beijing’s reach? This controversy arrives at a pivotal moment—just months after the Department of Justice’s groundbreaking rule restricting sensitive U.S. data transfers to “countries of concern” took effect in April 2025.
What makes the Airwallex case particularly instructive is not just the he-said, he-said between a Stripe investor and a competitor CEO, but rather the revelation of internal compliance struggles that suggest even well-intentioned companies face structural challenges in quarantining data access across jurisdictional lines. According to Capital Brief reporting, Airwallex itself identified in early 2023 that it was “unable to quarantine access to existing customer data from China,” a problem the company has since claimed to have rectified, but which underscores the complexity of maintaining cross-border data sovereignty in a globalized business environment.
This article examines how the Airwallex controversy illustrates the practical challenges of compliance with the new DOJ framework and what it means for fintech companies navigating the increasingly fraught intersection of cross-border payments, data security, and U.S.-China tensions.
The Allegations: A Stripe Investor Fires the Opening Salvo
On December 2, 2024, Keith Rabois, Managing Director at Khosla Ventures and an early investor in Stripe, launched a detailed series of posts on X (formerly Twitter), accusing Airwallex of operating as a “Chinese backdoor into sensitive American data.” Rabois’s allegations were specific and pointed:
- Operational Footprint: Approximately 40% of Airwallex’s 1,700 employees are located in mainland China and Hong Kong, including core engineering and operations staff who “touch production payment systems.”
- Ownership Structure: Over 20% of Airwallex is owned by Chinese firms, including Tencent and HongShan (formerly Sequoia China), creating what Rabois characterized as obligations to comply with Chinese Communist Party intelligence requests.
- Legal Obligations: Chinese staff and the company itself are subject to the PRC National Intelligence Law and Hong Kong National Security Law, which require entities to assist state intelligence efforts and maintain secrecy about such cooperation.
- Sensitive Client Base: Airwallex processes payments for U.S. companies in critical sectors, potentially giving Beijing access to supplier payments for AI labs, payroll data for defense contractors, and personal data for employees of financial institutions.
Rabois’s central thesis: “Thanks to you, the Chinese government now has direct, covert, legally enforceable access to sensitive financial information belonging to America’s AI labs, defense contractors, financial institutions, healthcare firms, and Fortune 500s.”
The timing and tone of Rabois’s attack, directed at a competitor to his portfolio companies, Stripe, Ramp, and Block (owner of Afterpay), invited immediate questions about competitive motives. But the substantive allegations raised genuine concerns that transcend venture capital rivalry.
The Defense: Data Residency and Technical Architecture
Airwallex CEO Jack Zhang responded forcefully, calling the allegations “inaccurate claims to give a portfolio company an edge in competing.” Zhang’s defense rested on several pillars:
- Data Residency: U.S. customer data is stored exclusively in data centers located in the United States, the Netherlands, and Singapore, not in China.
- Access Controls: “No members of Airwallex China or Hong Kong entities have access to US customer PII [personally identifiable information].”
- Legal and Technical Architecture: The company’s structure is “intentionally designed to prevent cross-border data access, regardless of where engineers are located.”
- Regulatory Compliance: Airwallex holds over 70 licenses globally, is regulated in over 48 U.S. states, and complies with U.S. federal requirements regarding China and Hong Kong access to sensitive personal information.
- Talent vs. Access: Zhang emphasized that “where our engineers sit is different from where your data sits and who has access to that data,” drawing comparisons to Apple, Tesla, and Microsoft, all of which employ engineers in China while maintaining that customer data remains segregated.
Co-founder Lucy Liu reinforced this message: “Our legal structure and technical architecture are intentionally designed to prevent cross-border data access, regardless of where engineers are located.”
The Revealed Compliance Challenge: Unable to Quarantine Access
While Airwallex’s public statements project confidence in its data security architecture, Capital Brief reporting revealed a more complex reality. According to three sources with knowledge of the incident, by the time Airwallex officially moved its headquarters to Singapore in early 2023, the company had identified a serious problem: it was unable to quarantine access to existing customer data from China.
This revelation is significant for several reasons:
- Timeline: The data access issue was identified as the company was positioning itself to crack the lucrative U.S. market, suggesting internal awareness of how U.S. regulators and customers would perceive Chinese data access.
- Nature of the Problem: The inability to quarantine data access suggests a technical architecture that had not been designed from the ground up with strict jurisdictional data segregation—a common challenge for rapidly growing companies that expand into multiple markets.
- Internal Concerns: Separate reporting indicates that Briar Mercier, Airwallex’s head of operations and strategy, allegedly raised alarms in internal Slack conversations in 2023, flagging potential pushback from the Chinese arm of the business when seeking to lock down KYC (know your customer) files. The concern reportedly centered on “potential revenue loss” despite compliance considerations.
- Remediation: Airwallex states that the issue was “ultimately rectified and internal access permissions tightened,” but the acknowledgment that such an issue existed validates concerns about the structural challenges of maintaining data sovereignty across jurisdictional boundaries.
The DOJ Framework: Countries of Concern and Covered Data
The controversy must be analyzed against the backdrop of the Department of Justice’s groundbreaking rule that took effect April 8, 2025: “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons.”
Scope and Definitions
The rule, implementing Executive Order 14117, designates six “countries of concern”:
- China (including Hong Kong and Macau)
- Russia
- Iran
- Cuba
- North Korea
- Venezuela
“Covered data transactions” are prohibited or restricted when they involve sharing or providing access to:
- Bulk Sensitive Personal Data: Including geolocation, health, financial, biometric, and personally identifiable information, defined by thresholds based on the number of U.S. persons whose data is transferred over a 12-month period.
- U.S. Government-Related Data: Information about government personnel, facilities, or activities.
Critically, the rule applies even if data is anonymized, pseudonymized, de-identified, or encrypted, a recognition that modern data analytics can often re-identify individuals from seemingly anonymized datasets.
Coverage of “Covered Persons”
The restrictions extend broadly to individuals and entities “located in or subject to the jurisdiction” of countries of concern. This is expansive, potentially reaching:
- Chinese nationals working anywhere in the world
- Entities incorporated in China
- Foreign entities with Chinese ownership stakes
- Individuals subject to Chinese legal jurisdiction (including Hong Kong under the National Security Law)
Prohibited and Restricted Transactions
The rule creates two categories:
- Prohibited Transactions: Certain data transactions are flatly banned, with no security measures adequate to permit them.
- Restricted Transactions: Other transactions may proceed, but only with robust security measures, due diligence, audit trails, and compliance programs.
Compliance Timeline and Enforcement
While the rule took effect April 8, 2025, additional compliance provisions, including due diligence, audit, and reporting requirements, came into force October 6, 2025. The DOJ has stated it will not prioritize civil enforcement for violations between April 8 and July 8, 2025, for companies making “good faith efforts” to comply, though egregious, willful violations remain subject to immediate enforcement.
Penalties are severe:
- Civil: Up to $368,136 per violation or twice the transaction amount, whichever is greater
- Criminal: For willful violations, fines up to $1 million and/or imprisonment for up to 20 years
Importantly, unlike many U.S. export controls, the rule operates under a “knowledge” standard: liability attaches where the U.S. person had actual knowledge of the conduct or reasonably should have known about it. Failure to implement a data compliance program could be an aggravating factor in enforcement actions.
How Does the DOJ Rule Apply to Airwallex?
Analyzing Airwallex through the DOJ framework reveals both technical compliance questions and broader structural concerns.
Data Residency as a Starting Point—But Not the End
Airwallex’s claim that U.S. customer data resides in U.S., Netherlands, and Singapore data centers is relevant but not dispositive. The DOJ rule focuses on “access” to data, not merely where it is physically stored. Key questions include:
- Access Controls: Can employees in China or Hong Kong, even if not routinely accessing U.S. customer data, gain such access through elevated privileges, incident response procedures, or system administration functions?
- Data in Transit: When U.S. customer data moves between systems, are there points where it could be intercepted or accessed by staff in countries of concern?
- Metadata and Derived Data: Even if PII is segregated, does Airwallex aggregate, analyze, or derive insights from U.S. customer data that flow to Chinese operations?
- Backup and Disaster Recovery: Where are backups stored, and who can access them?
The Engineering Challenge
Airwallex’s assertion that 40% of its workforce operates in China/Hong Kong, including “core engineering,” creates inherent tensions:
- Code Access: Engineers with access to production codebases may be able to modify systems to extract data, even if not authorized to access customer data directly.
- DevOps and Infrastructure: Staff managing cloud infrastructure, databases, or networking may have elevated privileges that enable data access.
- Incident Response: When security incidents or system failures occur, rapid response often requires granting temporary elevated access. Are Chinese-based staff excluded from such access?
The Ownership and Governance Factor
With over 20% Chinese ownership (Tencent, HongShan), questions arise about:
- Board Representation: Do Chinese investors have board seats or observer rights that provide visibility into data practices?
- Contractual Rights: Do investment agreements grant Chinese investors information rights that could extend to customer data or data practices?
- Corporate Structure: While Airwallex is officially domiciled in the Cayman Islands with headquarters in Singapore (and now dual headquarters in San Francisco), how are decision-making authority and data governance distributed across jurisdictions?
The Intra-Corporate Transfer Exemption—And Its Limits
The DOJ rule includes exemptions for “intra-corporate group transactions,” including:
- Data transfers for employees and contractors
- Transfers for “ancillary business operations”
- Transfers for compliance with certain foreign regulations
However, these exemptions are narrow. The rule specifically contemplates that companies may need to restructure operations to segregate U.S. data from access by affiliates in countries of concern. Moreover, even exempt transactions may still be subject to reporting and recordkeeping obligations.
For Airwallex, relying on intra-corporate exemptions would require demonstrating that Chinese operations genuinely operate as a separate legal entity with robust technical and organizational barriers preventing data access, precisely what the company’s internal 2023 compliance challenge calls into question.
The Article 7 Problem: Chinese Legal Obligations
Central to Rabois’s allegations and fundamental to the DOJ’s concerns about China data transfers is Article 7 of the PRC National Intelligence Law, enacted in 2017:
“All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.”
The Scope of Article 7
While some commentators argue Article 7’s practical application is ambiguous, noting it lacks explicit enforcement mechanisms and must be read in conjunction with other legal protections, several aspects are clear:
- Broad Coverage: The law applies to “all organizations and citizens,” encompassing both Chinese companies and Chinese nationals wherever they operate.
- Mandatory Cooperation: The obligation to “support, assist, and cooperate” is not discretionary. While the law requires such cooperation to be “in accordance with law,” Chinese law provides few meaningful constraints.
- Secrecy Requirements: Entities must “protect national intelligence work secrets”—meaning they cannot disclose that they have been compelled to assist intelligence gathering.
- Extraterritorial Reach: Article 11 authorizes intelligence agencies to collect information about “overseas entities or individuals” that may endanger Chinese national security—a term defined so broadly as to encompass virtually any economic, political, or security interest.
Complementary Laws Expand the Obligation
Article 7 does not operate in isolation. It is reinforced by:
- 2014 Counter-Espionage Law: Requires organizations and individuals to “provide [information] truthfully and may not refuse” when state security organs investigate.
- 2017 Cybersecurity Law (Article 28): Mandates that “network operators shall provide technical support and assistance to public security organs and national security organs” investigating criminal activities or safeguarding national security.
- 2020 Hong Kong National Security Law: Extends Beijing’s security apparatus into Hong Kong, requiring cooperation with mainland security agencies.
The “We Would Refuse” Defense Is Legally Implausible
Airwallex’s statement that “We do not answer to foreign intelligence demands for non-local sensitive data” faces a fundamental problem: Chinese law does not permit refusal. For a company with substantial Chinese operations and Chinese investors:
- Staff Obligations: Chinese nationals employed by Airwallex are personally subject to Article 7. An engineer in Shanghai cannot simply refuse a state security demand because his employer’s data policies prohibit such access.
- Entity Obligations: Airwallex’s Chinese subsidiary (required to operate in China) is subject to Chinese jurisdiction and cannot refuse cooperation.
- Investor Pressure: Chinese investors like Tencent, itself closely connected to the Chinese state, could potentially exert pressure to cooperate with intelligence requests.
- Secrecy Provisions: Even if Airwallex resisted a data access demand, Chinese law would prohibit disclosing the demand or any resulting access, making public statements about never complying with foreign intelligence demands inherently unverifiable.
The DOJ’s Institutional View
The DOJ rule reflects a considered judgment that Chinese legal obligations create structural vulnerabilities that cannot be adequately mitigated through compliance programs. The preamble to the final rule addresses this directly, noting that Chinese law:
- Creates legal obligations that override private sector data protection commitments
- Operates through covert mechanisms that companies cannot disclose
- Extends to individuals and entities globally through jurisdictional reach
- Encompasses a broad definition of “national security” that could justify accessing virtually any U.S. data
This is why the DOJ rule treats China categorically as a country of concern, rather than attempting to evaluate individual companies or transactions.
Structural Vulnerabilities in the Fintech Model
The Airwallex controversy illuminates broader challenges for fintech companies operating across the U.S.-China divide:
The Global Talent Problem
Fintech companies are attracted to Chinese engineering talent for good reasons: technical sophistication, cost efficiency, and 24/7 global coverage through distributed teams. But this creates unavoidable tensions with data sovereignty:
- Logical Access Requirements: Modern DevOps practices often give engineers broad access to infrastructure to enable rapid deployment and troubleshooting.
- Code Repository Access: Engineers need access to codebases, which may include data access logic and credentials.
- On-Call Responsibilities: Engineers in different time zones provide after-hours support, requiring access to production systems.
- Shared Knowledge: In a unified engineering culture, knowledge about systems and data architecture is widely distributed.
The Cloud Infrastructure Challenge
While Airwallex uses data centers in the U.S., Netherlands, and Singapore, modern cloud architectures create potential access points:
- Management Consoles: Cloud service provider management interfaces may be accessible from anywhere, including China.
- API Access: Programmatic access to cloud resources doesn’t respect geographic boundaries.
- Vendor Access: Third-party service providers may have staff in countries of concern with access to customer systems.
The M&A and Investment Complexity
Fintech companies often have complex ownership structures and pursue aggressive growth through acquisitions and partnerships. This creates ongoing compliance challenges:
- Due Diligence on Investors: As the DOJ rule recognizes, investments by entities from countries of concern may create data access pathways.
- Acquisition Integration: When a fintech acquires another company, integrating data systems while maintaining jurisdictional segregation is extraordinarily difficult.
- Joint Ventures and Partnerships: Collaborative arrangements may require data sharing that implicates the DOJ rule.
Comparing Airwallex’s Position to Tech Giants
Zhang’s defense invoked comparisons to Apple, Tesla, and Microsoft, companies that employ thousands in China while maintaining that they protect customer data. But these comparisons have limits:
Apple’s Model: Segregated Services
Apple’s approach to China data involves substantial concessions:
- Chinese customer data is stored in China, operated by a Chinese state-owned firm
- U.S. and other international customer data is strictly segregated
- Chinese operations are legally separate entities with limited integration
Notably, Apple has faced sustained criticism for these arrangements, with security researchers warning that Chinese authorities likely have access to Chinese users’ data. Apple’s “solution” was accepting this reality for Chinese operations while segregating international users, precisely what DOJ rules now recognize as insufficient when U.S. data is involved.
Tesla and Microsoft: Different Data Profiles
Tesla’s Chinese operations primarily involve manufacturing and vehicle data, which is less sensitive than financial services data. Microsoft has similarly segmented its Chinese operations, with separate cloud regions operated by Chinese partners for Chinese customers.
Neither company routes sensitive U.S. customer payment data through systems accessible to Chinese engineers in the way a global payment processor like Airwallex must.
The Critical Difference: Payment Processing
Payment processors face unique challenges:
- Real-time authorization requires low-latency global infrastructure
- Cross-border transactions inherently involve data movement
- Fraud detection and risk management require centralized analytics
- Regulatory compliance requires comprehensive audit trails
These operational requirements make strict data segregation exceptionally difficult, arguably more so than for companies providing consumer services or manufacturing.
Compliance Recommendations for Fintech Companies
The Airwallex controversy offers valuable lessons for fintech companies navigating similar challenges:
1. Comprehensive Data Mapping and Access Auditing
Companies must have granular visibility into:
- Where every category of U.S. customer data resides
- Every pathway by which such data might be accessed
- Every individual and system with potential access privileges
- All data flows, including backups, logs, and derived data
This requires going beyond high-level architectural diagrams to actual access control lists, privilege escalation paths, and exception processes.
2. Technical Architecture for Data Sovereignty
Effective segregation requires:
Network Segmentation: U.S. customer data should reside on networks that are physically and logically separate from systems accessible from countries of concern. This means:
- Separate VPCs/VNets in cloud environments
- Firewall rules blocking access from countries of concern
- Separate authentication systems
Least Privilege Access: Access to U.S. customer data should be limited to:
- Staff in approved jurisdictions only
- Specific job functions requiring such access
- Time-limited and logged access sessions
- Multi-party authorization for elevated privileges
Data Loss Prevention: Technical controls should prevent:
- Unauthorized export of data
- Access from IP addresses in countries of concern
- Elevated privilege use outside approved processes
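The data mapping and least-privilege steps above can be made checkable. The following is an added example, not Airwallex’s code or a DOJ tool: over a constructed inventory (all dataset, role and principal names are invented; the country list is the rule’s), it propagates the U.S. customer PII classification to backups, logs and derived analytics, walks every role-assumption path a principal could escalate through, and flags any principal sitting in a country of concern who can reach U.S. PII by any path, as well as elevated roles held without time-limited, two-party access.

```python
"""Jurisdictional access-path audit over a constructed inventory.

Added example: storage region is recorded but deliberately not what the audit
keys on, because the DOJ rule turns on who can access data, not where it sits.
"""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

# Countries of concern named in the DOJ rule; Hong Kong and Macau count as China.
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "RU", "IR", "CU", "KP", "VE"}


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str                        # own tag, e.g. "US_CUSTOMER_PII" or "LOGS"
    region: str                                # storage location, informational only
    derived_from: frozenset[str] = frozenset()  # upstream datasets this is a copy/derivative of


@dataclass(frozen=True)
class Role:
    name: str
    datasets: frozenset[str] = frozenset()     # datasets readable directly
    can_assume: frozenset[str] = frozenset()   # roles this role may escalate into
    elevated: bool = False                     # admin or break-glass role


@dataclass(frozen=True)
class Principal:
    name: str
    location: str                              # ISO 3166-1 alpha-2 code of where the person sits
    roles: frozenset[str]
    time_limited: bool = True                  # just-in-time, expiring sessions
    two_party: bool = False                    # second approver required for elevated use


def contains_us_pii(name: str, datasets: dict[str, Dataset], seen: frozenset[str] = frozenset()) -> bool:
    """A dataset carries U.S. PII if it, or anything it was derived from, is tagged as such."""
    ds = datasets[name]
    if ds.classification == "US_CUSTOMER_PII":
        return True
    return any(contains_us_pii(up, datasets, seen | {name})
               for up in ds.derived_from if up not in seen)


def reachable_roles(p: Principal, roles: dict[str, Role]) -> dict[str, list[str]]:
    """Breadth-first walk over role-assumption edges; maps each reachable role to its chain."""
    paths = {r: [r] for r in sorted(p.roles)}
    queue = deque(sorted(p.roles))
    while queue:
        cur = queue.popleft()
        for nxt in sorted(roles[cur].can_assume):
            if nxt not in paths:            # first (shortest) chain wins
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def audit(principals, roles, datasets):
    """Return (finding_type, principal, path) tuples; an empty list means no violations."""
    findings = []
    for p in principals:
        in_coc = p.location in COUNTRIES_OF_CONCERN
        for role_name, chain in reachable_roles(p, roles).items():
            role = roles[role_name]
            if in_coc:                      # any path into U.S. PII, direct or escalated
                for ds in sorted(role.datasets):
                    if contains_us_pii(ds, datasets):
                        findings.append(("COC_ACCESS_TO_US_PII", p.name, " -> ".join(chain + [ds])))
            if role.elevated and not (p.time_limited and p.two_party):
                findings.append(("ELEVATED_WITHOUT_CONTROLS", p.name, " -> ".join(chain)))
    return findings


def sample_inventory():
    """Constructed inventory for demonstration; every name here is invented."""
    datasets = {d.name: d for d in [
        Dataset("us_customer_pii", "US_CUSTOMER_PII", "US"),
        Dataset("us_pii_backup", "BACKUP", "SG", frozenset({"us_customer_pii"})),
        Dataset("app_logs", "LOGS", "NL", frozenset({"us_customer_pii"})),
        Dataset("marketing_aggregates", "AGGREGATE", "US", frozenset({"us_customer_pii"})),
        Dataset("cn_merchant_data", "CN_CUSTOMER_DATA", "CN"),
    ]}
    roles = {r.name: r for r in [
        Role("us-support", frozenset({"us_customer_pii"})),
        Role("cn-ops", frozenset({"cn_merchant_data"})),
        Role("analytics", frozenset({"marketing_aggregates"})),
        Role("sre-oncall", frozenset({"app_logs"}), frozenset({"cloud-admin"})),
        Role("cloud-admin", frozenset(), frozenset({"db-admin"}), elevated=True),
        Role("db-admin", frozenset({"us_customer_pii", "us_pii_backup"}), elevated=True),
    ]}
    principals = [
        Principal("alice", "US", frozenset({"us-support"})),
        Principal("bob", "SG", frozenset({"db-admin"}), two_party=True),
        Principal("chen", "CN", frozenset({"cn-ops"})),
        Principal("dana", "HK", frozenset({"sre-oncall"})),   # on-call escalates to db-admin
        Principal("evan", "US", frozenset({"cloud-admin"})),  # elevated, no second approver
        Principal("fei", "CN", frozenset({"analytics"})),     # derived data still U.S. PII
    ]
    return principals, roles, datasets


def run_audit():
    principals, roles, datasets = sample_inventory()
    return audit(principals, roles, datasets)


if __name__ == "__main__":
    for kind, who, path in run_audit():
        print(f"{kind:26} {who:6} {path}")
```

Note that bob, a database administrator in Singapore, is not flagged: access from an approved jurisdiction with expiring sessions and a second approver is the control the section describes, while dana is flagged three different ways (logs derived from U.S. PII, an on-call escalation chain into the production database, and its backup).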
3. Organizational Structure Decisions
Companies may need to make difficult choices:
Separate Legal Entities: Creating legally distinct entities for U.S. operations, with:
- Separate boards and management
- Independent technical infrastructure
- Contractual prohibitions on data sharing with affiliates
Geographic Reorganization: Consolidating teams with access to U.S. data in approved jurisdictions, even if this increases costs or reduces global talent access.
Divestiture of Operations: In some cases, divesting operations in countries of concern may be necessary to achieve genuine data sovereignty.
4. Enhanced Due Diligence on Partners and Investors
The DOJ rule requires companies to:
Screen Investors: Evaluate potential investors for connections to countries of concern and ensure investment terms do not grant data access or governance rights that implicate the rule.
Vendor Due Diligence: Assess whether vendors’ staff in countries of concern may access customer data, and require contractual commitments and technical controls.
Ongoing Monitoring: Continuously monitor for changes in ownership, management, or operations that might affect DOJ compliance.
5. Documented Compliance Program
The DOJ rule explicitly requires companies to establish, document, and maintain data security compliance programs that include:
Written Policies: Clear policies on data classification, access controls, and prohibited data flows.
Training: Regular training for all staff on data sovereignty requirements and their obligations.
Audit and Testing: Regular audits of access controls, penetration testing, and validation that technical controls operate as intended.
Incident Response: Procedures for detecting and responding to unauthorized data access, including reporting to DOJ when required.
Senior Management Accountability: CEO and board oversight of annual compliance attestations.
6. Transparent Communication With Customers
Beyond legal compliance, companies should consider:
Clear Privacy Policies: Transparent disclosure of where data is stored, who can access it, and what safeguards are in place. Particular attention should be paid to the cross-border data transfer section of privacy policies, as it was alleged that Airwallex’s policy mentioned transfers to China, which the CEO denied in response to that claim.
Customer Choice: Where feasible, allowing customers to choose data residency options.
Security Certifications: Obtaining independent certifications (SOC 2, ISO 27001) that validate security controls.
7. Preparing for Regulatory Scrutiny
Given the DOJ’s new enforcement authority:
Legal Counsel: Engage counsel with expertise in cross-border data transfers and national security law.
Regulatory Engagement: Consider proactive engagement with DOJ through informal inquiries or advisory opinion requests.
Documentation: Maintain comprehensive records of compliance efforts, as “good faith efforts” are explicitly considered in enforcement decisions.
The Broader Policy Questions
The Airwallex controversy raises fundamental questions that extend beyond any single company:
Are Data Residency Claims Verifiable?
In an era where data can move at the speed of light and access can be gained remotely, how can customers or regulators verify claims that data is truly segregated? Traditional audits examine policies and technical architecture at a point in time, but cannot guarantee no unauthorized access occurred. The secrecy provisions of Chinese intelligence laws mean that even if a company complied with a data access demand, it could not disclose this fact.
This creates an epistemological problem: the absence of evidence of improper access is not evidence of absence. The DOJ rule essentially takes the position that structural vulnerabilities, Chinese legal obligations, Chinese staff with potential access, and Chinese ownership stakes create risks that cannot be adequately mitigated or verified.
Can Global Fintech Exist in a Fragmenting World?
The promise of fintech has been frictionless global financial services. But the DOJ rule, along with similar measures in other countries, suggests a future of jurisdictional fragmentation:
- Separate infrastructure for different regulatory regimes
- Reduced ability to leverage global talent and scale
- Higher costs for compliance and redundancy
- Potential incompatibility with real-time global payment networks
The question is whether fintech business models can remain economically viable if they must essentially operate as separate companies in each major jurisdiction.
What Is the Appropriate Level of Caution?
Critics of aggressive restrictions on Chinese data access argue that:
- Many risks are theoretical rather than demonstrated
- Categorical exclusions may be overbroad compared to case-by-case risk assessment
- Restrictions could harm U.S. competitiveness and innovation
- Reciprocal measures by China could hurt U.S. companies
Proponents counter that:
- The consequences of a successful intelligence operation could be catastrophic
- Case-by-case assessment is impractical given the opacity of Chinese state actions
- National security risks warrant precautionary approaches
- Economic costs are acceptable given the severity of potential harms
The DOJ rule reflects a judgment that when dealing with bulk sensitive personal data and government-related data, the precautionary approach is warranted—particularly given China’s documented history of economic espionage and the legal framework compelling cooperation with intelligence services.
Conclusion: Structural Problems Require Structural Solutions
The Airwallex controversy is instructive precisely because it reveals the gap between what companies say about data protection and the operational reality of maintaining data sovereignty across jurisdictional boundaries. Airwallex’s internal identification of an inability to quarantine Chinese access in 2023, even as it pursued U.S. market expansion, demonstrates that good intentions and privacy policies are insufficient without robust technical architecture and organizational design.
The DOJ’s rule on data transfers to countries of concern reflects a sobering assessment: when companies have substantial operations in countries whose legal frameworks compel intelligence cooperation, technical controls and compliance programs cannot eliminate the risk of covert data access. This is particularly true given secrecy provisions that prevent companies from disclosing cooperation with intelligence services.
For fintech companies and others handling sensitive U.S. data, the implications are clear:
- Data residency alone is insufficient. What matters is access—who can reach the data, through what pathways, subject to what legal obligations.
- Chinese operations create unavoidable tensions with U.S. data sovereignty requirements, regardless of a company’s good faith efforts.
- Structural solutions may be necessary—separate legal entities, geographic consolidation of sensitive data operations, or, in some cases, divestiture of operations in countries of concern.
- Verification is critical. Claims about data protection must be backed by technical architecture, access controls, and independent audits that can withstand regulatory scrutiny.
- Transparency matters. Rather than generic assurances, companies should provide specific, verifiable information about data storage, access controls, and legal obligations.
The Airwallex case will likely not be the last such controversy. As the DOJ rule’s enforcement period progresses, companies should expect increased scrutiny of their cross-border data practices. Those that have built their business models around global operations without careful attention to data sovereignty may face difficult choices: restructure operations, accept exclusion from sensitive sectors, or face regulatory action.
The era of frictionless global data flows is giving way to a more complex reality where geopolitical tensions, legal obligations, and national security concerns require careful jurisdictional planning. For lawyers advising fintech and other technology companies, the message is clear: data sovereignty is no longer merely a privacy best practice; it is a legal imperative backed by significant civil and criminal penalties.
Disclaimer: This article is provided for informational purposes only and does not constitute legal advice.