Today's briefing, and why it matters to you.

[Anthropic Mythos leak] + [LiteLLM supply chain attack March 26] + [97% US banks compromised via thirds] → Triple convergence of AI+supply chain risk. State actors now have foundation model-level code analysis tools, AI supply chains (LiteLLM, 95M downloads/month) are compromised, and 97% of US banks already have breaches via third parties. Most likely Q2 attack vector: compromised AI agent operating within financial infrastructure with legitimate permissions.

[USDC flips USDT in volume] + [Fiserv FIUSD launch] + [MC acquires BVNK for $1.8B March 24] → Incumbents already chose regulated stablecoins as settlement rail. This isn't experimentation — it's infrastructure. BVNK gives MC native stablecoin capability, Fiserv distributes to 10K FIs, and institutional volume confirms USDC as standard. The GENIUS Act is the missing legislative catalyst.

[OpenAI ACP + Shopify Agentic Plan] + [80% acquirers ready, merchants not] + [Stripe enables agentic payments on Facebook March 28] → The future checkout isn't a webpage. Stripe, OpenAI and Shopify build the new purchase funnel where the AI agent is the intermediary. Acquirers have the pipeline ready but merchants don't know how to connect it. The middleware that solves that gap in the next 12 months captures a $385B market.

• DORA ROI (since March 24): Went from "imminent deadline" to "compliance crisis". Only 6.5% passed quality checks. Luxembourg only 40% delivered. Q2 enforcement actions expected.
• PIX MED 2.0 (since March 24): Already operational. Cascading fraud recovery active. Brazilian BC executed 3 actions in one week (eFX + Entrepay liquidation + MED 2.0).
• ECB DLT Collateral (since March 25): Operational tomorrow. From announcement to execution in 5 days.
• Iran cyber threat (since March 24): Escalation confirmed by Unit 42, FINRA and NYDFS. Oil $112.57, Iran charges toll in yuan at Hormuz.
• Fed crisis (since March 27): Powell threatened by DOJ, Warsh blocked in Senate, mandate expires May 15. Gold fell -23% from ATH. US monetary uncertainty is the biggest macro risk for global payments.
• Wero (since March 24): From 50M to 52.5M users in 5 days. Narrative shifted from "A2A alternative" to "European sovereignty against Trump". Worldpay joined as Principal Member.
• PayPay-LINE merger (since March 26): Closes Monday. +24.6% on stock market post-NASDAQ inclusion. Japanese QR near-monopoly confirmed.

• Stripe-PayPal acquisition: Bloomberg reported acquisition evaluation March 24 ($159B vs PayPal in free fall post-CEO ousted). Total silence since. With PayPal bleeding (-$10B market cap, class action, CEO dismissed), optimal buy moment is now. If Stripe hasn't made public move, either due diligence revealed serious problems or they're negotiating in silence.
• GENIUS Act vote: The law that would catalyze institutional stablecoin adoption in US has no confirmed vote date. The entire market (USDC flip, Fiserv FIUSD, MC BVNK) bets it passes, but Congress hasn't scheduled.
• Visa response to MC LTM: Mastercard has spent two weeks announcing AI capabilities (LTM, behavioral biometrics, agentic live) without public Visa response. Either Visa is preparing something big or losing the innovation narrative.
• China retaliation post-Anthropic leak: A Chinese state group was exposed using US AI to infiltrate FIs. Beijing's diplomatic and technical response hasn't appeared. Historically, public exposure of Chinese cyber operations generates asymmetric retaliation in 30-60 days.

• Indonesia PP Tunas (minor protection in payment apps): Regulation forcing blocking of under-16s in payment apps. Early signal that digital wallet onboarding regulation will expand to other markets with young demographics. If this replicates in India, Africa or LATAM, the addressable mobile money base contracts significantly. At 3-6 months: expect similar legislation in Philippines, Vietnam.

• Riksbank requires crisis/war-proof payments infrastructure + mandatory cash: Sweden, the world's most cashless country, reverses course. SEK 10K cash mandatory, offline cards mandatory July 2026. The war in Ukraine and tension with Iran make Nordic central banks reconsider total digital dependency. In 3-6 months: other Nordic and Baltic countries will follow. Implication for payments: all infrastructure must have offline fallback.

• Turkey: TCMB suspends 9 payment entities (Sipay, Vepara, Fzypay, Papara, Ininal): The Turkish crackdown is the biggest fintech purge in an emerging market in 2026. Coincides with EU proposal for Turkey to join SEPA (85M people). Turkish regulatory cleanup prepares ground for European infrastructure integration. In 6 months: Turkey as EU-MENA payments bridge.

• France: payment fraud +23% since January, 30K cards on dark web, QR fraud x4: France emerges as Europe's payments fraud epicenter. The QR fraud x4 data is especially relevant given Wero's push towards QR payments. If Wero scales e-commerce and POS without solving the QR vector, fraud rate could damage adoption.

This week's most dangerous convergence:

Tokenization + Agentic Payments + AI = new systemic attack vector.

ECB accepts DLT collateral tomorrow (tokenization operational). OpenAI launches ACP for AI agents to buy for you (agentic payments operational). Anthropic Mythos demonstrates that a foundation model can find zero-days in financial code (offensive AI operational). SEC publishes post-quantum framework (recognition that current encryption has expiration date).

Convergence: when an AI agent has permissions to execute tokenized payments, and the adversary has a foundation model that finds vulnerabilities in the code managing those payments, systemic risk multiplies. It's not each individual piece — it's the combination.

CBDCs + Stablecoins = regulated coexistence, not competition. Digital Dirham uses mBridge (CBDC), while USDC dominates institutional volume in the West. Fiserv FIUSD distributes to banks. Rails don't compete — they coexist by jurisdiction. Regulation (GENIUS Act, MiCA, CLARITY Act) defines which rail operates where.

Regulation + Fragmentation = compliance as entry barrier. DORA, TIKMI, RBI 2FA, SAMA, FATF Travel Rule — regulatory density is such that only players with compliance-as-infrastructure survive. Those treating compliance as cost will be acquired or liquidated (like Entrepay in Brazil).