Unlock New Growth with Crypto

NYDFS issued a consent order against Block, Inc., the parent company of Cash App, citing significant compliance failures in its anti-money laundering (AML) and virtual currency operations. Block agreed to pay a $40 million penalty and to retain an independent monitor to oversee its remediation efforts.

The DFS found that Block, Inc. failed to implement adequate risk-based thresholds, specifically calling out how they configured their blockchain analytic tools. For instance they cited that unless exposure to terrorism-linked wallets exceeded 10%, accounts would not be blocked and that any amount of exposure should have been cause for action. The company’s KYC and customer due diligence controls were also deficient — Block lacked a formal KYC refresh process and allowed users to open multiple restricted accounts using different credentials, enabling a Russian criminal network to operate over 8,300 fraudulent accounts. Additionally, Block suffered from massive SAR filing delays, with alert backlogs growing to over 169,000 and reports averaging 129 days to file, all while misclassifying high-risk mixer transactions as medium risk, exposing the platform to sustained illicit activity.

Germany’s financial regulator BaFin prohibited Ethena GmbH from issuing or distributing its USDe token to German customers, citing unauthorized e-money issuance under the EU’s Markets in Crypto-Assets Regulation (MiCAR). BaFin also froze Ethena’s assets in Germany and warned consumers about the lack of regulatory oversight for the stablecoin product. This action underscores the increased enforcement activity under MiCAR, especially targeting stablecoins marketed or distributed without proper licensing in the EU.

Compliance staff should note that under MiCAR, issuing or distributing stablecoins like USDe without proper authorization can trigger immediate enforcement actions — including asset freezes and sales bans — even if the issuer is based outside the EU. Firms marketing to EU residents must ensure their cryptoassets qualify under MiCAR’s e-money or asset-referenced token categories and obtain the necessary licensing in advance. This case highlights the urgency of conducting a regulatory perimeter assessment before launching or promoting tokenized products in EU jurisdictions.

FINRA sanctioned Robinhood Financial and Robinhood Securities with a $26 million fine and over $3.75 million in restitution for widespread supervisory failures spanning nearly a decade. Robinhood misled customers by "collaring" market orders — converting them to limit orders — without proper disclosure, leading to millions in missed executions. The firm also lacked effective AML and KYC systems, allowing fraudulent account openings and failing to monitor $300 million in third-party transfers. Robinhood’s clearing system failed repeatedly during market surges, including a spike tied to Bitcoin trading, and the firm improperly blocked 116,000 account transfers — some due to customers holding crypto at affiliate Robinhood Crypto LLC, violating FINRA rules.

Robinhood’s AML program lacked controls to detect prearranged trading in low-priced securities and suspicious options activity; firms should ensure their surveillance tools cover these high-risk behaviors comprehensively. The failure to monitor $300 million in third-party transfers and to flag ACH name mismatches highlights the need for robust transaction monitoring that incorporates identity verification signals. Robinhood did not have systems to detect account takeovers — an essential capability given FinCEN’s long-standing advisories — underscoring the importance of integrating cyber threat detection into AML protocols. Staffing was severely inadequate, with just two analysts handling nearly one million daily trades; firms must invest in AML teams that scale with volume and use case complexity. Surveillance reports were discontinued due to technical limitations, suggesting a need for scalable infrastructure and regular audit of monitoring effectiveness. Lastly, Robinhood’s CIP failed to reject accounts with identity mismatches; financial institutions should implement strong identity verification controls and conduct periodic reviews to ensure effectiveness.