Block fined $40m as NY takes aim at fintech compliance failures

The fintech firm behind Cash App faces regulatory heat over anti-money laundering lapses and crypto oversight shortcomings.

Block, the financial services firm formerly known as Square, has been hit with a $40m penalty by New York’s Department of Financial Services (NYDFS) for what regulators called “serious compliance deficiencies.”

The infractions center around Cash App, Block’s popular peer-to-peer payment service, which allegedly failed to keep up with basic anti-money-laundering (AML) obligations and virtual currency oversight.

The settlement follows a multi-year examination that revealed Block’s AML infrastructure had not evolved fast enough to match its explosive growth, leading to vulnerabilities that regulators say may have allowed illicit financial activity to go undetected. These compliance gaps, not uncommon in the fast-evolving crypto landscape, exposed systematic weaknesses that the NYDFS says violated both state and federal AML requirements.

“All financial institutions, whether traditional financial services companies or emerging cryptocurrency platforms, must adhere to rigorous standards that protect consumers and the integrity of the financial system,” said NYDFS Superintendent Harris.

In addition to the fine, Block has agreed to bring in an independent monitor for at least a year to oversee and support its compliance overhaul. Block has since funneled more resources into its compliance programs, expanded staffing, tightened consumer account controls, and revamped its AML and sanctions procedures.

While the penalty sends a strong message to the fintech and crypto sectors, regulators also signaled that meaningful remediation and transparency could temper harsher consequences, provided the firm stays on course.

Deficiencies in AML program

Block was found to have significant deficiencies in the AML program required of it under both federal regulations and New York’s Virtual Currency and Money Transmitter laws. Regulators concluded that these systematic gaps left the platform vulnerable to being used for money laundering, tax evasion, or other illicit financial conduct.

One of the most critical failures identified was Block’s mishandling of suspicious activity alerts. Between 2018 and 2021, Block allowed a massive backlog in transaction monitoring alerts to accumulate, from approximately 18,000 alerts in 2018 to over 169,000 by 2020.

This backlog stemmed from poor forecasting of how Cash App’s customer growth and new monitoring tools would impact alert volumes, combined with insufficient staffing and resource allocation.

As a result, analysts were unable to keep up with reviewing alerts in a timely manner, severely compromising the company’s ability to detect and respond to potentially criminal behavior.

Backlog and SARs

The backlog had direct and serious consequences for the timely filing of Suspicious Activity Reports (SARs). According to the Department of Financial Services, SARs for both Bitcoin and fiat transactions were often filed by Block long after suspicious transactions had occurred, sometimes more than a year later.

On average, it took 70 days just to begin reviewing the alert, and 129 days to file a SAR. These delays far exceeded the regulatory requirement.

The lapse not only compromised Block’s legal obligations but also created a prolonged window during which potentially criminal behavior went unchecked.

Block’s failure to properly monitor transactions for links to sanctioned individuals and entities has drawn sharp criticism from New York regulators. Under both state and federal law, financial institutions are required to implement risk-based systems to ensure compliance with OFAC (Office of Foreign Assets Control) rules, which are designed to prevent the facilitation of terrorism and other illicit activities.

Block’s system, however, set alarmingly high thresholds for flagging suspicious bitcoin transactions, ignoring wallets with terrorism exposure below 1% and only blocking transactions once exposure exceeded 10%.

Such thresholds, regulators said, lacked any justification based on risk assessments and violated the zero-tolerance approach expected under the law.

The firm’s monitoring practices also failed to address the high-risk use of cryptocurrency “mixers,” anonymizing tools that obscure transaction trails and are widely known to facilitate criminal behavior on the dark web.

Despite clear regulatory guidance identifying mixers as a red-flag typology, Block consistently rated transactions involving them as only “medium risk.”

KYC hurdles

Block’s Know Your Customer (KYC) and Customer Due Diligence (CDD) practices, cornerstones of any sound anti-money-laundering framework, were found to be lacking in both design and execution. Regulators noted that Block failed to establish a formal system for refreshing and updating consumer data, leaving the company unable to reassess risk as consumer behavior evolved.

More troublingly, individuals were able to create multiple accounts using different email addresses and phone numbers, evading transaction limits and sidestepping identity verification protocols.

Particularly concerning were Cash App’s “restricted” accounts, which allow fiat transactions up to a certain threshold without full ID checks. Block’s systems did not effectively prevent restricted accounts from being opened by users tied to previously flagged accounts, allowing bad actors to re-enter the platform undetected.

In one instance, Block filed a SAR involving $1.6m in suspicious activity tied to over 16,000 accounts opened by 91 individuals, an outcome regulators attributed to insufficient account-level controls.

Cybersecurity deficiencies

Despite handling sensitive personal data from tens of millions of users, Block fell short of key cybersecurity obligations mandated under New York’s Virtual Currency and Cybersecurity Regulations.

Regulators found that the company’s Information Security Policy had not been reviewed or approved by its board of directors as required, delegating the task instead to its Chief Information Security Officer. Additionally, the company’s cybersecurity framework failed to include essential elements such as capacity and performance planning.

Compounding those issues was a deficient Business Continuity and Disaster Recovery plan, which focused narrowly on a pandemic scenario and only one additional scenario, and omitted critical components such as backup systems, offsite storage, and third-party dependencies.

On the consumer protection front, Block’s shortcomings were no less notable. While the company technically provided the disclosures required for virtual currency transactions, regulators determined these were buried within lengthy terms of service agreements, falling short of the legal requirement that such information be presented clearly and conspicuously.

Shifting regulatory tide

This $40m penalty is not Block’s first brush with compliance enforcement. Just months earlier, in January, the company agreed to pay $80m to settle similar anti-money-laundering violations with 48 US state financial regulators. That settlement also required the appointment of an independent consultant and substantial internal reforms.

The recurrence of such fines underscores not only persistent structural weaknesses within Block’s compliance operations but also the growing assertiveness of state regulators in policing the fintech and crypto sectors.

As states continue to navigate a fragmented regulatory landscape, cases like this may serve as a catalyst for harmonizing AML standards nationwide, especially in the realm of digital assets.

Moreover, while the Department of Justice’s new directive limits criminal liability for platforms based solely on user misconduct, regulators and observers alike will be watching closely to see whether enforcement will extend to firms whose oversight failures expose the financial system to abuse.