UnionPay, an institution controlled by the People’s Bank of China, is aggressively moving to begin domestic card operations in Brazil, initiating direct competition with Visa and Mastercard. The company aims to launch its card issuance program soon and integrate its services with PIX, Brazil’s preferred instant payment method. This strategic expansion is being facilitated by the Brazilian Fintech Left (Liberdade Econômica em Fintech), which is working to connect the Chinese company to local banking networks, point-of-sale (POS) systems, and ATMs.
UnionPay operates in more than 180 countries and issues more than 9 billion cards worldwide. It dominates about 40 percent of the global debit card transaction volume, Xataka, a technology website reported. UnionPay’s expansion is intrinsically linked to the strategic push of Brazil, China, and the BRICS countries to establish greater global financial independence — a move with clear implications for national economic security.
Data sovereignty: The threat of state surveillance
The core security threat lies in the fact that UnionPay is not a private company but a financial arm of the Chinese state. This ownership structure means the data of Brazilian consumers and businesses will fall under a legal jurisdiction fundamentally different from Western democracies.
Léo Rosenbaum, a partner at Rosenbaum Associate Attorneys and a consumer law, financial markets, and capital markets expert, explains the danger to Brazilian sovereignty.
“From a legal standpoint, this involves issues of sovereignty and transnational regulation. While Visa and Mastercard operate under Western jurisdictions with frameworks such as Europe’s GDPR [General Data Protection Regulation] or U.S. privacy laws, UnionPay is subject to Chinese laws, which prioritize state control over data. This implies a greater risk of government access to personal information without the same due process safeguards seen in Western systems, especially in contexts of geopolitics or international sanctions,” Rosenbaum said.
The concern is paramount: The financial activity of Brazilian citizens could be subject to the direct access and surveillance of a foreign state’s legal and political apparatus, presenting a significant national security risk to economic and transactional privacy.
Economic decoupling
UnionPay’s operational model represents a strategic step in creating a separate, non-Western economic sphere. UnionPay’s strategy is built around avoiding exclusive reliance on the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
Instead of SWIFT, UnionPay promotes the Cross-Border Interbank Payment System (CIPS), a platform for settling international transactions in the Chinese Yuan. CIPS operates in parallel with SWIFT and is intended to anchor a new, alternative financial architecture in the Global South, directly challenging the dominance of the U.S. Dollar.
Rosembaum highlights the security and legal implications of this financial decoupling: “Legally, SWIFT is a global standard with international compliance protocols. CIPS, conversely, is aligned with Chinese state standards, which means less transparency for users outside China. For the end user, the difference lies in the risk of exposure to jurisdictions with different levels of legal accountability: In the event of a dispute, resorting to a Western system may offer more options for international arbitration, while CIPS may complicate cross-border resolutions,” he says.
Structural risks
UnionPay cards are currently used in Brazil by tourists and foreign cardholders. Financial transactions are already processed at terminals from major acquirers like Rede (Itaú) and Stone, and cash withdrawals are possible at Itaú ATMs and the Saque e Pague network. The major change now is that the cards will be issued locally in Brazil. This move transforms UnionPay from a niche foreign service into a competitor for domestic infrastructure, making its inherent geopolitical risks a direct national concern.
UnionPay’s expansion is a geopolitical integration that prioritizes foreign state access over individual privacy.
Rosembaum emphasizes the risks to personal safety and financial integrity: “The risks for users mainly include the leakage of personal and financial data, which can lead to fraud, identity theft, or improper monitoring. Legally, this violates principles of confidentiality and data integrity,” says Rosenbaum. “To protect themselves, users should adopt practices such as regularly monitoring statements, using two-factor authentication whenever available, avoiding sharing data on unsecure networks, and, in Brazil, invoking rights provided for in the LGPD [General Data Protection Law] to question the processing of their data by the card issuer. In addition, it is advisable to opt for cards with fraud insurance and immediately report any suspicions to authorities such as the Central Bank of Brazil.”
While Brazil possesses robust legislation like the LGPD and regulatory oversight from the Central Bank, these measures provide a recourse after a data breach or incident occurs. They do not eliminate the structural risk. Consumers must remain highly vigilant, recognizing that the potential for data misuse and surveillance in this new environment is a significant threat that local regulation alone may not be able to fully contain.
