NYDFS FINES BLOCK $40MM for AML, CYBER and CONSUMER PROTECTION DEFICIENCIES

Bloomberg reported on April 10 that.

• Digital payments company Block Inc. has reached a $40 million settlement with New York regulators over alleged compliance misconduct tied to its Cash App platform.
• Bloomberg said after reviewing the government agency's consent order that Block was fined by the New York Department of Financial Services (NYDFS) following an investigation into Cash App’s Anti-Money Laundering (AML) and cryptocurrency compliance operations
• NYDFS determined that Block allegedly violated consumer protection laws and didn’t conduct proper customer due diligence. The company was allegedly too slow in reporting suspicious transactions to regulators and failed to adequately screen so-called “high-risk” Bitcoin (BTC) transactions.
• Block confirmed it had worked with NYDFS to “resolve the matter principally related to Cash App’s past compliance program.” However, according to Bloomberg, it did not admit to any wrongdoing.
• Block, founded by internet entrepreneur and Bitcoin advocate Jack Dorsey in 2009, has been negotiating a settlement with the NYDFS since last year, based on filings submitted with the US Securities and Exchange Commission (SEC).

Enforcement and guidance takeaways (according to DFS allegations):

• Due to its rapid growth, Block accumulated a transaction monitoring backlog of nearly 170,000 alerts by 2020 via its Cash App services, which included fiat payments and a crypto business.
• Block used two blockchain analytic vendors; concerning one vendor, Block’s settings did not generate alerts on Bitcoin transactions until the recipient’s wallet had more than 1 per cent exposure to terrorism-connected wallets, and Block did not blacklist terrorism-connected wallets until exposure exceeded 10 per cent.
• DFS offered what is essentially mandatory guidance: “Any amount of funds transferred to terrorism-connected wallets is illegal, and setting threshold alerts above 0% without a risk-based analysis supporting that decision falls short of the regulatory requirement that licensees implement risk-based policies, procedures, and practices to ensure compliance with BSA and OFAC regulations.”
• DFS also identified deficiencies in OFAC reporting and monitoring transactions sent to mixers, citing the agency’s April 2022 guidance on risk rating for mixers and tumblers.
• DFS also alleged deficiencies in the KYC program, such as the lack of a refresh process, customers' ability to open multiple accounts using different email addresses and phone numbers, which allowed them to exceed transaction limits, and failure to monitor restricted accounts adequately.
• Block, via its internal investigation, identified over 8,000 accounts linked to a Russian criminal network. DFS commended Block’s response but highlighted it as emblematic of alleged KYC deficiencies.
• DFS also alleged cybersecurity and consumer protection deficiencies, including failure of the Board to review and approve cyber policies, failure to maintain a compliant BCDR plan, and failure to present customer disclosures in a “clear, conspicuous, and legible writing” since the required disclosures “were disseminated between various pages” of the Cash App’s Terms of Service.
• DFS imposed a one-year monitor to “inform and enhance the Company’s efforts to remediate any deficiencies in the Company’s compliance programs.”

The Consent Order may be found here:

• https://www.dfs.ny.gov/system/files/documents/2025/04/ea20250410-block.pdf

Sources

• https://www.msn.com/en-us/money/other/jack-dorsey-s-block-fined-40m-for-alleged-crypto-compliance-aml-failures/ar-AA1CHn0e