NYDFS issued a consent order against Block, Inc., the parent company of Cash App, citing significant compliance failures in its anti-money laundering (AML) and virtual currency operations. Block agreed to pay a $40 million penalty and to retain an independent monitor to oversee its remediation efforts.
The DFS found that Block, Inc. failed to implement adequate risk-based thresholds, specifically calling out how the company configured its blockchain analytics tools. For instance, the DFS cited that accounts would not be blocked unless exposure to terrorism-linked wallets exceeded 10%, and that any amount of exposure should have been cause for action. The company's KYC and customer due diligence controls were also deficient: Block lacked a formal KYC refresh process and allowed users to open multiple restricted accounts using different credentials, enabling a Russian criminal network to operate over 8,300 fraudulent accounts. Additionally, Block suffered from massive SAR filing delays, with alert backlogs growing to over 169,000 and reports averaging 129 days to file, all while misclassifying high-risk mixer transactions as medium risk, exposing the platform to sustained illicit activity.