Fintech Weekly Digest: 7/16 — From India’s UPI to JPMorgan’s API Fees


Welcome to this week’s edition of ONSEC Fintech Cyber Weekly, brought to you by the ONSEC team.

The global fintech sector saw bold regulatory moves, major partnerships, and rising cyber threats this week. From JPMorgan’s data fee shake-up to Turkey’s new digital finance alliance and India’s UPI milestone, innovation and oversight are accelerating in tandem. Here’s your roundup of the key developments shaping the future of finance.

Trends & Innovation

  • ESMA Warns Crypto Firms on Regulation. Europe’s markets regulator cautioned crypto companies on July 11 not to overstate the regulatory protections of their products, amid the EU’s new MiCA rules. ESMA told firms not to use their licensed status as a “promotional tool” or blur lines between regulated and unregulated offerings, stressing that misleading consumers could invite enforcement. Source: Reuters
  • US House Advances Crypto Bills after Trump Intervention. On July 16, the U.S. House overcame a procedural hurdle to set up likely passage of several cryptocurrency bills, a day after President Donald Trump urged Republicans to act. One measure would establish a federal framework for stablecoins, poised to be a landmark win for the crypto industry once approved. Source: Reuters
  • India’s UPI Overtakes Visa in Daily Transactions. India’s instant payments system UPI now handles 650 million transactions per day, surpassing Visa’s 639 million, a milestone reached in just nine years. This reflects UPI’s explosive growth and its emerging role as a global payments leader, despite operating in only 7 countries so far. An IMF fintech note confirms India leads the world in faster payments, with UPI’s rise accelerating while card usage plateaus. Source: Times of India
  • Turkish E-Commerce Giant Forges Fintech Venture. Turkey’s Trendyol Group is teaming up with drone-maker Baykar, Abu Dhabi’s fund ADQ, and Ant Group’s international arm to build a new digital finance platform. As per a July 16 announcement, the venture will offer payments, loans, deposits, investments, and insurance services – focused on Trendyol’s vast seller network and Turkey’s large digital consumer base. The project aims to combine Trendyol’s e-commerce reach, Baykar’s AI cybersecurity tech, and Ant’s fintech expertise to capitalize on Turkey’s growth in online financial services. Source: Reuters
  • JPMorgan to Charge Fintechs for Bank Data Access. In a move that could reshape open banking, JPMorgan Chase plans to levy fees on fintechs that connect to its customer accounts. Bloomberg reported on July 11 that pricing sheets were sent to data aggregators, signaling an end to free API data feeds. JPMorgan argues it has built a “valuable, secure” data-sharing system and that all players should help invest in protecting customers. The new policy – expected to take effect later this year – may upend fintechs’ business models that rely on free bank data and has already rattled markets (shares of PayPal and other payment apps fell on the news). Source: Reuters

Security & Cyber Threat

  • $42M DeFi Heist Resolved via Bounty Payback. A hacker who stole $42 million from crypto exchange GMX on July 5 returned nearly all the funds after being offered a $5 million bounty and immunity from lawsuits. On-chain messages showed the thief agreed to return about $40.5M in ETH and stablecoins, which GMX confirmed by July 11. The episode rekindles debate on “white hat” arrangements – GMX’s bug bounty made users whole, yet experts note the hacker could still face liability if identified despite the deal. Source: The Record
  • UK Retailer’s Data Breach Hits 6.5M Customers. London-based conglomerate Co-op Group revealed on July 16 that hackers stole the personal data of all 6.5 million of its members in an April cyberattack. The breach – part of a broader hacking campaign by the Scattered Spider group – also targeted Marks & Spencer and others. Authorities have since arrested four suspects (aged 17–20) linked to the retail hacks on charges of hacking and blackmail. Co-op, which lacked cyber insurance, faces significant recovery costs as the hackers exploited helpdesk spoofing tactics to penetrate systems. Source: TC
  • Ransomware Gang Dismantled in Europe. Italian police, with French and Romanian support, took down a ransomware outfit dubbed “Diskstation” accused of extorting nonprofits and firms with cryptocurrency ransom demands. In raids last month, multiple Romanian nationals were caught in the act and a Milan court ordered the group’s 44-year-old leader detained on hacking and extortion charges. The gang had been active since 2021, known for exploiting vulnerabilities in corporate file servers. The bust – announced July 16 – underscores intensified cross-border enforcement against ransomware crews. Source: The Record
  • Massive Health Data Breach in US. Medical billing provider Episource (a unit of UnitedHealth’s Optum) is notifying 5.4 million Americans that their personal and health data was stolen in a weeklong ransomware attack. The breach, which occurred in late January, exposed names, contacts, medical record numbers, diagnoses, test results and insurance details. Episource disclosed the incident in July filings, and at least one healthcare client indicated the attack involved ransomware. This is one of the largest healthcare breaches this year and follows an even bigger hack of an Optum-affiliated system in 2024, raising concerns about third-party vendor security. Source: TC
  • Luxury Brands Suffer Multi-Country Data Hacks. High-end retailer Louis Vuitton said data breaches at its stores in Turkey, South Korea, and the UK exposed sensitive customer info. Turkish regulators revealed on July 7 that hackers exploited a third-party vendor’s access to steal data on ~142,995 Turkish customers (the breach ran June 7–July 2). A similar incident hit Louis Vuitton’s Seoul operations with customer data leaked, and the UK arm also reported a breach last week. The incidents, possibly coincidental, came as authorities warn that the Scattered Spider group has been aggressively targeting retail and luxury firms across regions. Other LVMH brands like Dior and Tiffany’s, as well as retailers like North Face and Adidas, have all disclosed cyberattacks, highlighting a wave of breaches hitting consumer data globally. Source: The Record

Product & Platform Launches

  • UniCredit & Wise Team Up for Global Transfers. Italian banking giant UniCredit announced a partnership with fintech Wise to power international money transfers for its customers. The new service, launched mid-July, lets UniCredit clients send money abroad with Wise’s low-cost, fast transfer network integrated into the bank’s channels. The rollout will begin in Italy and then expand, aiming to provide more seamless cross-border payments within UniCredit’s app and web platforms. Source: Fintech Futures
  • Xero Partners with Plaid for Richer Bank Feeds. Accounting software maker Xero has joined forces with API platform Plaid to enhance US bank feed connectivity, the companies announced on July 16. The alliance will triple the number of banks and credit unions that small business users can link to Xero, improving data reliability and coverage. It also introduces more secure OAuth connections (token-based access) in place of credentials sharing, protecting financial data while giving SMBs a clearer, real-time view of their cash flow and transactions. Source: The Paypers
  • Mastercard Unveils ‘World Legend’ Elite Card Tier. Mastercard introduced a new top-tier credit card – the World Legend Mastercard – on July 16, alongside a suite of upscale benefits dubbed “The Mastercard Collection.” Aimed at high-spending customers, World Legend offers exclusive dining reservations, premium event access, and luxury travel perks (from fast-track airport screening to global lounge access) across 150+ countries. Banks worldwide can now issue World Legend cards, with U.S. cardholders getting access starting in Q3 2025 and an international rollout to follow. The move bolsters Mastercard’s premium offerings as it competes for affluent consumers seeking experience-driven rewards. Source: Mastercard
  • Kraken Launches Regulated US Crypto Futures. Crypto exchange Kraken rolled out Kraken Derivatives US on July 16 – a regulated platform offering cryptocurrency futures trading for American clients. Initially, users gain direct access to Bitcoin and Ether futures listed on CME Group via the Kraken Pro interface. The unified service lets traders manage crypto spot and futures positions in one place with integrated collateral and risk tools, all under US compliance oversight. Kraken’s launch follows its acquisition of futures broker NinjaTrader and signals an expansion into traditional asset classes (commodities, equities, FX futures) later this year – part of Kraken’s strategy to build a multi-asset trading hub bridging digital and traditional markets. Source: The Paypers
  • Bahrain Embraces BNPL: EazyPay & Tamara Partner. In a bid to expand buy-now-pay-later options in the Middle East, Bahrain’s payments provider EazyPay has teamed up with Saudi-headquartered Tamara. Announced on July 16, the partnership will integrate Tamara’s BNPL installment offerings into EazyPay’s point-of-sale and online checkout solutions across Bahrain. This allows local merchants and shoppers to use Tamara’s flexible payment plans through EazyPay’s network. The move comes as digital lenders and fintechs drive consumer financing growth in the GCC region, and it marks Tamara’s first major entry into the Bahraini market, widening its Gulf footprint. Source: Fintech News

Final Words

From India’s record-breaking UPI volumes to Europe’s tightened crypto oversight and JPMorgan’s bold data monetization shift, the fintech world is rapidly reshaping its foundations. As digital payments mature and embedded finance expands globally, the lines between tech, banking, and policy continue to blur. Amid these shifts, security remains critical—as shown by recent ransomware takedowns and luxury brand data breaches. Fintechs navigating this landscape must balance innovation with vigilance, embracing regulatory clarity while staying agile in product delivery. Stay tuned—next week promises more disruption, partnerships, and digital finance breakthroughs.

Book a call with the ONSEC team—and let’s secure your platform together.



ONSEC is a boutique penetration testing company with 15+ years of experience and over 450 successful projects worldwide. We specialize in protecting fintech platforms—securing applications, APIs, payment systems, and cloud infrastructure from evolving threats. This newsletter was created to help fintech leaders stay ahead of cyber risks. Expect updates on critical vulnerabilities, compliance and regulatory shifts, and real-world breaches that impact financial platforms.
