Block, Inc. to pay $40M for failures in BSA/AML program

The New York State Department of Financial Services (DFS) has licensed Block. Inc. (formerly Square, Inc.) to operate a money transmission service in the state of New York since 2013. In June 2018, DFS issued Block a BitLicense, permitting Block conduct Virtual Currency Business Activity in New York State. Block owns and operated Cash App, a peer-to-peer money transmission service. In 2018, Block began offering Bitcoin transactions through Cash App.

In examinations and subsequent investigations, DFS identified serious compliance deficiencies with respect to Block’s Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) program. These failures include insufficient KnowYour-Customer (“KYC”) and transaction monitoring processes, and a backlog of Suspicious Activity Reports (“SARs”) during 2018-2021, which together created a high-risk environment vulnerable to exploitation by criminal actors. The Department also identified violations of the Department’s consumer protection regulations.

DFS details in its Consent Order (Linked above on this page) the suspicious activity alert backlog that grew from 18,000 alerts in 2018 to over 169,000 by 2020, caused in part by Block's "inability to predict the impact of Cash App's growing customer base on alert volumes and staffing needs, as well as the increase in alerts generated by the implementation of new transaction monitoring tools.... A review conducted by the Department revealed that between February 2021 and September 2022 SARs, for both Bitcoin and fiat transactions, were at times filed over a year after the alerts were first generated. The average number of days between the date of the transaction monitoring alert and the SAR filing was 129 days. The average number of days between the date of the transaction monitoring alert and the start of a case investigation was 70 days, which further delayed Block’s reporting of suspicious activity.

Also detailed in the Consent Order are transaction monitoring failures (starting on page 7 of the Order), Know Your Customer/CDD deficiencies (page 9), Cybersecurity Deficiencies (page 11).

Consumer Protection Definciencies (starting on page 12) included a failure to present certain disclosures to consumers in "clear, conspicuous, and legible writing." Also, certain consumer receipts failed to contain the company's refun policy or a statement of liability for non-delivery or delayed delivery as required by NY regulations.