NYDFS issues $40MM for BSA/AML Failures

Author: Heather Williams | Advisor, NEACH Payments Group
June 3, 2025 by Caitlyn Mullins

Recently, the New York State Department of Financial Services (NYSDFS) issued a penalty of $40 million to Block, Inc. This fintech, formerly known as Square, is licensed in the state of New York to operate as a money transmission business and owns and operates Cash App, a peer-to-peer Money Transmission Service (MTS). Block, Inc. also holds a BitLicense, which allows it to offer Bitcoin transactions.


In April, the NYSDFS released its consent order against Block, Inc. There are several key takeaways regarding the proper operation of a BSA/AML program if you are a Money Transmitter (MT). Let’s dig in!


1. Block did not have a sufficient Know-Your-Customer (KYC) program established. During the period of 2018-2023, Block’s systems allowed users to open multiple accounts with multiple email addresses. Their program could not or did not aggregate users that opened accounts with multiple email addresses. To add to that, Block established transaction limits but did not establish limits on the number of accounts a user could open or connect. Further, Block did not require its users to complete a full ID verification prior to allowing the account to transact. This was such a problem that during an internal investigation, Block found that it had 25-30 individuals linked to a Russian criminal network. These individuals successfully opened over 8,300 accounts using falsified information and auto-generated email addresses before Block became aware of the situation. In this case, the average user held between 278 and 334 accounts.


2. Block failed to implement a sufficient monitoring program. Block’s insufficient program began when Cash App’s popularity soared. Block was unable to predict the growth of Cash App and thus failed to scale its monitoring program accordingly. Because it didn’t scale the program, Block also did not have adequate staffing to manage alerts. To add to the growing pressures, Block implemented a new monitoring tool, which resulted in many alerts that Block was not accustomed to. The implementation of a new monitoring tool always results in a heavier workload until rule-tuning can occur. In 2018, Block had begun to establish a backlog of alerts, with over 18k alerts that needed to be reviewed. By 2020, this number of alerts grew by 939%, which resulted in a backlog of over 169k alerts.


3. Block didn’t file Suspicious Activity Reports (SARs) in a timely manner. As you’d expect with a backlog of 169k alerts, Block was not able to review, write, and file SARs within the 30-60 day required timeframe. In fact, some SARs were filed more than a year after the alert had been generated. On average, the alerts took 129 days from generation to review. Then, when the review became a case, it took an additional 70 days on average until that case became a SAR. For comparison, FinCEN requires SARs to be filed within 30 days from the date of initial detection. In the cases of unknown suspects, the filing must be submitted within 60 days.


4. Block’s monitoring system didn’t properly alert on OFAC concerns related to wallets linked to terrorism. The system was configured to generate alerts for such concerns only once the recipient’s wallet met a 1% exposure threshold. Beyond that, the system did not automatically block transactions until the recipient’s wallet met a 10% exposure threshold. Because the regulatory expectation is that terrorism-related transactions have a 0% threshold, these configurations were inappropriate.


5. Block had several OFAC issues. First off, Block used two different third-party systems to verify OFAC. One of these systems never performed subsequent OFAC verifications for OFAC updates. Until 2023, Block did not conduct OFAC scans for restricted accounts that conducted transactions in fiat. While there is no prescriptive language stating when OFAC must be run, Block had no knowledge if a customer had been added to an OFAC list after the customer was onboarded. Because of this, 15 rejected Bitcoin transactions were not timely reported to the Treasury.


6. Block failed to appropriately risk-rate and monitor “mixers” in its portfolio. These mixers allow the anonymization of funds and involved parties in an intermediary wallet to obfuscate the true source, destination, and ownership of funds. Because of the mixers, the funds and users were virtually untraceable and were at an extremely high risk of being used by criminals and sanctioned parties. These mixers pose a significant threat to national security. Block had these accounts risk-rated as a medium threat and failed to appropriately identify red flags, deviations of users, and other typologies, which exposed Block and the US financial system to risk.


7. Finally, Block did not prevent Cash App from opening accounts for users who had been the subject of a SAR filing. Because Block did not have account limits (see item #1), these users were permitted to open multiple accounts using the same email address that had been previously included on a SAR. In one example identified by regulators, a SAR had been filed for a total of $1.6 million. This SAR listed 91 subjects that collectively held 16,811 accounts. The $1.6 million had been conducted over 19,518 transactions. This means the average user held 185 accounts and the average transaction was only $81.98.

 

Regulators reported Block had several other issues with its compliance program, which are not included here since they did not focus on BSA/AML. However, the theme here is this: If you are a money transmitter, you’d better have a solid BSA/AML program. Keep in mind that each state has its own definition of what makes an MT. FinCEN has its own definition.

 

If you are a money transmitter, NPG can help! NPG now offers BSA/AML program review, independent testing, and personalized consulting services! You need to make sure your program is up to standards, and we can help you get there!
