So far in 2025, US fintech giant Block has agreed to pay almost $300m to settle allegations of fraud prevention, anti-money laundering (AML) and know your customer (KYC) failures.
With a potential criminal case also looming, firms should be aware that compliance failures can trigger a chain reaction of enforcement, if multiple regulators decide to pursue similar or overlapping cases.
In the US, with its patchwork of state and federal agencies, an enforcement spree such as the one suffered by Block can result in costly regulatory penalties, drawn-out negative media coverage and significant reputational damage.
In the case of the latest enforcement action to hit the company, Block will also experience significant operational disruption, due to the imposition of an independent monitor for a period of 12 months.
Key considerations
The series of enforcements against Block began in January this year, when financial regulators in 48 states announced an $80m settlement with the firm.
Supported by the Conference of State Bank Supervisors (CSBS), the 48 states alleged that Block had failed to uphold its AML obligations under the Bank Secrecy Act (BSA).
Specifically, Block was alleged to have failed to perform required customer due diligence, including verifying customer identities, failed to report suspicious activity and failed to apply appropriate controls to high-risk accounts.
The allegations relate to Block’s peer-to-peer (P2P) platform, Cash App, which regulators believe was left vulnerable to money laundering, terrorist financing and other illegal activities.
Although Block cooperated with the investigation, it neither admitted to nor denied any wrongdoing. However, it did agree to hire an independent consultant to review its BSA compliance program, and to file a report on the review to the 48 states within nine months.
Block will then have one year to correct any AML deficiencies that were identified during the review.
One day later, the Consumer Financial Protection Bureau (CFPB) announced a $175m settlement with Block, focused on alleged fraud prevention and customer service failures.
The firm agreed to pay up to $120m to customers who should have received refunds for unauthorised transactions, or whose reports of unauthorised transactions were not investigated at the time.
In addition, it agreed to pay $55m in penalties to settle alleged violations of the Consumer Financial Protection Act (CFPA) of 2010.
Again, Block neither admitted to nor denied any wrongdoing, and claimed that the “historical issues” raised by the CFPB “do not reflect the Cash App experience today”.
Finally, in April 2025, the New York State Department of Financial Services (DFS) announced a $40m settlement with Block over alleged AML and virtual currency compliance failures.
Although many of the allegations in the New York case are similar to those of the CSBS and the 48 states, the most recent enforcement differs in its focus on suspicious activity reporting failures and on Cash App’s Bitcoin business.
Key to the DFS case is its claim that Block’s AML program for both fiat and Bitcoin transactions was insufficient for a platform of Cash App’s size, complexity and rapid growth.
This led, among other things, to a significant backlog in the filing of suspicious activity reports (SARs), and to KYC failures that left Cash App open to abuse by bad actors.
For example, the DFS found that between February 2021 and September 2022, Block had at times taken more than a year to file SARs after receiving related transaction monitoring alerts.
The average number of days between a transaction monitoring alert and a SAR filing was 129, and the average number of days between a transaction monitoring alert and the start of a case investigation was 70.
During its investigation, the DFS also found that Cash App’s KYC and customer due diligence failures were widely exploited by criminals, both domestic and foreign.
Cash App imposes a $1,000 transaction limit per 30-day period on accounts that have not passed full identity verification.
However, the DFS found that the same individuals were able to open multiple accounts by using different email addresses and phone numbers, thereby bypassing the transaction limit.
In 2022, for example, Block identified more than 8,000 accounts that were linked to a Russian criminal network, and that had been opened by no more than 30 individuals.
Another SAR was filed in relation to $1.6m of transactions, which were believed to have been made by 91 individuals who collectively held more than 16,000 accounts.
The bigger picture
The cost of Block’s alleged compliance failures continues to rise, and the most serious enforcement action may still be to come, should the Department of Justice (DOJ) decide to pursue criminal charges.
In May last year, NBC News reported that federal prosecutors are investigating potential sanctions violations by Block, involving both Cash App and Square, its merchant acquiring arm.
The investigation is said to be focused on allegations that Block processed transactions to sanctioned jurisdictions such as Cuba, Iran, Russia and Venezuela, and that it processed cryptocurrency transactions to terrorist organisations.
NBC’s report added that whistleblowers have provided documents indicating that many of these transactions were not reported to US authorities as required, and that Block did not address known compliance breaches when alerted.
Why should you care?
The 2025 enforcement spree against Block holds two key lessons for other US payments firms.
The first is that firms’ compliance capabilities should be commensurate with their size, complexity and projected growth curve.
Between 2016 and 2020, Cash App’s user base grew more than tenfold, from 3m to 36m.
Between 2019 and 2022, when Cash App was selected as one of the conduits for the US COVID-19 relief fund, its user base more than doubled from 24m to 51m.
According to the DFS, Block’s policies, procedures and processes “did not keep pace” with the significant growth of the company during this time.
This resulted in Block’s “inability” to comply with its obligations to monitor and report transactions for suspected money laundering and other illicit activity.
The second key lesson is that, in the US context, an enforcement action by one regulator can quickly snowball into enforcement actions by multiple regulators, both state and federal.
Because Block holds money transmitter licenses (MTLs) in all 50 states, systemic failures in its US compliance program were always likely to lead to enforcement actions across multiple states.
Such extensive licensing meant that Block was able to transform Cash App into one of the largest P2P platforms in the US, alongside Zelle and Venmo.
However, the company’s investment in licensing and regulatory approvals, including a coveted BitLicense in New York, has not been matched by its investment in oversight and compliance.
For a firm of Block’s size, regulatory penalties of almost $300m are unwelcome, but they are not likely to bankrupt the company, given its net income of $2.8bn in FY2024.
However, smaller firms should ask themselves whether they have the financial resources to weather enforcement action in almost every US state and by several federal agencies, and live to tell the tale.