
Cash App owner Block a few days ago agreed to pay $40 million in a settlement that highlighted the company’s compliance deficiencies. In a consent order, the New York State Department of Financial Services (DFS) noted that it had identified serious compliance deficiencies with respect to Block’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program.
These failures include insufficient Know-Your-Customer (“KYC”) and transaction monitoring processes, and a backlog of Suspicious Activity Reports (“SARs”) during 2018-2021, which together created a high-risk environment vulnerable to exploitation by criminal actors.
Ouch.
I highlighted recently that regulators aren’t playing when it comes to compliance. Money laundering, sanctions evasion, and other financial crimes expose the US financial system to abuse, including by terrorist groups, which were also highlighted in the DFS consent order and reported in the media.
The deficiencies at Block, some involving cryptocurrencies, “created a high-risk environment vulnerable to exploitation by criminal actors,” the New York State Department of Financial Services said in the consent order, noting, for example, that Block’s system did not trigger blocks on bitcoin transactions involving terrorism-connected wallets until that exposure exceeded 10%.
Block is a licensed money transmitter, as well as a BitLicensee, so they’re subject to BSA regulations that include establishing and maintaining an AML program that complies with all applicable federal AML laws.
I’m not going to nerd out here and get technical, but rather I’m going to focus on the threats posed by Block’s failures and some mitigation strategies.

Failure to keep up with risk
DFS noted that the company’s AML program failed to keep up with its growth, and the Department assessed that the AML program run by Block, which governs both fiat and Bitcoin transactions on the Cash App platform, failed to adequately consider the substantial risks posed to an entity of its new size and complexity.
What were the risks?
They included customer risk, geographic risk, and product risk.
In other words, it was just too much, and the significant backlog in suspicious activity report (SAR) reporting showed exactly how bad it had gotten.
Between 2018 and 2021, Block experienced a significant transaction monitoring alerts backlog. In 2018, Block had accumulated a transaction monitoring backlog of approximately 18,000 alerts, which grew to over 169,000 by 2020. This extensive backlog was caused, in part, by Block’s inability to predict the impact of Cash App’s growing customer base on alert volumes and staffing needs, as well as the increase in alerts generated by the implementation of new transaction monitoring tools.
I would assess there was also an issue with insufficient resources. Investigating and analyzing the suspicious activity to generate and submit a SAR takes analysts; you have to pay those analysts, and it certainly looks like the number of analysts required to do the task didn’t keep up with the growing number of alerts. It sometimes took a year or more to file the SAR after the suspicious activity was detected.
A SAR must be filed with FinCEN within 30 days of the suspicious activity being detected.
Worse yet, Block had a terrorism financing problem, according to DFS.
Block utilized information from two vendors to block and alert on transactions with exposure to terrorism-associated wallets. The Department’s investigation revealed that, with respect to one of the vendors, Block’s system did not generate alerts on Bitcoin transactions until the recipient’s wallet had more than 1% exposure to terrorism-connected wallets, and Block did not automatically block transactions to wallets with exposure to terrorism-connected wallets until the exposure exceeded 10%. Any amount of funds transferred to terrorism-connected wallets is illegal, and setting alert thresholds above 0% without a risk-based analysis supporting that decision falls short of the regulatory requirement that licensees implement risk-based policies, procedures, and practices to ensure compliance with BSA and OFAC regulations.
In addition, Block’s failure to effectively monitor Bitcoin transactions for sanctioned counterparties, money laundering, and other potential financial crimes was partially caused by its deficient monitoring and risk rating of transactions that used anonymizing services such as mixers, which obscure the source of illicit funds by tossing them with other assets into an intermediary wallet, commingling licit and illicit assets to make the funds untraceable. Think: Tornado Cash, which was recently removed from OFAC’s SDN list pursuant to a court decision.
However, FinCEN still considers virtual currency mixers a primary money-laundering concern under Section 311 of the USA PATRIOT Act, and Block should have been monitoring this increased risk posed by mixers and taking it into consideration, instead of rating their use as a “medium” risk.
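To make the threshold problem concrete, here is an added example (my own illustration, not Block’s system or either vendor’s code) that screens constructed sample transactions under the as-deployed thresholds the order describes (alert above 1%, block above 10%, mixers rated “medium”) and under an assumed zero-tolerance configuration, then lists the transactions that only the stricter policy would have stopped. The exposure score as a 0-1 fraction, the mixer flag, and the “high” rating on tripped rules are my assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScreeningPolicy:
    """Thresholds are fractions (0.0-1.0) of a recipient wallet's exposure to
    terrorism-connected wallets, as reported by a blockchain-analytics feed (assumed)."""
    name: str
    alert_at: float   # exposure above which an analyst alert is generated
    block_at: float   # exposure above which the transaction is blocked outright
    mixer_risk: str   # risk rating applied when a mixer sits in the payment path

# The configuration the consent order describes for one vendor feed:
# alert only above 1% exposure, block only above 10%, mixers rated "medium".
AS_DEPLOYED = ScreeningPolicy("as-deployed", alert_at=0.01, block_at=0.10, mixer_risk="medium")
# Assumed corrected configuration: any non-zero exposure alerts and blocks,
# and mixer involvement is rated "high" rather than "medium".
ZERO_TOLERANCE = ScreeningPolicy("zero-tolerance", alert_at=0.0, block_at=0.0, mixer_risk="high")

def screen(policy: ScreeningPolicy, exposure: float, via_mixer: bool) -> tuple:
    """Return (action, risk) for one outbound Bitcoin transaction.
    action is 'allow', 'alert' or 'block'; risk is the rating recorded with the decision."""
    if not 0.0 <= exposure <= 1.0:
        raise ValueError("exposure must be a fraction between 0 and 1")
    # Strict comparisons: an exposure of exactly 0.0 is clean even under a 0.0 threshold.
    if exposure > policy.block_at:
        action = "block"
    elif exposure > policy.alert_at:
        action = "alert"
    else:
        action = "allow"
    risk = policy.mixer_risk if via_mixer else "low"
    if action != "allow":
        risk = "high"      # any terrorism exposure that trips a rule is rated high (assumed)
    return action, risk

# Constructed sample transactions: (tx_id, recipient exposure fraction, via_mixer).
SAMPLE_TXS = [
    ("tx-01", 0.000, False),   # clean recipient
    ("tx-02", 0.005, False),   # 0.5% exposure: below the 1% alert line as deployed
    ("tx-03", 0.050, False),   # 5% exposure: alerted but not blocked as deployed
    ("tx-04", 0.150, False),   # 15% exposure: blocked under both policies
    ("tx-05", 0.020, True),    # 2% exposure routed through a mixer
]

def detection_gap(txs, weak=AS_DEPLOYED, strict=ZERO_TOLERANCE) -> list:
    """IDs of transactions the weak policy lets move (not blocked) that the strict policy blocks."""
    return [tx_id for tx_id, exposure, via_mixer in txs
            if screen(weak, exposure, via_mixer)[0] != "block"
            and screen(strict, exposure, via_mixer)[0] == "block"]
```

Run `detection_gap(SAMPLE_TXS)` to see which of the constructed transfers actually reached a terrorism-exposed wallet under the deployed thresholds.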
Accurately assessing risk—be it customer, jurisdictional, or product—is critical to a robust AML program. Devoting adequate resources to the program also signals commitment to compliance.
This apparently didn’t happen here - or at least happened insufficiently.

Mitigation strategies
Risk assessment. A current and accurate risk assessment would have helped ensure that Block’s AML compliance program was appropriately tailored to meet BSA requirements. Given the different methodologies illicit actors use to launder and move money, Block should have closely examined its customers, products, and the jurisdictions in which it operated.
DFS flagged that Block in 2022 identified more than 8,000 accounts linked to a Russian criminal network and reported, closed, and blacklisted them. Great job! However, the actors were subsequently able to open more than 8,000 Cash App accounts. Obviously there was geographic and customer risk present, given that Russia is a highly sanctioned jurisdiction.
Should they have blocked every transaction with a Russia nexus? Not necessarily. But that nexus should have flagged enhanced due diligence research.
Adequate resources, training, and independent audit. Based on the issues identified in the risk assessment, adequately resourcing the AML and sanctions compliance program with appropriately trained, qualified employees definitely signals a public “tone from the top” commitment to mitigating money-laundering and sanctions evasion risk, as well as other illicit financial threats.
Monitoring the company’s growth and keeping close track of regulatory changes will also help ensure that resources are adequate to address AML/CFT and sanctions risks. Checking to ensure resources and training are current and appropriate to any changes in the risk environment is also critical.
Customer Due Diligence (CDD). Just screening against a list is not enough to protect an organization from sanctions evaders and money launderers. Sure, presence on a sanctions list is a huge red flag and should immediately stop transactions, but knowing who your customers and your customers’ customers are is critical. I consider customer due diligence/know your customer efforts (KYC) to be the most important efforts to prevent abuse, and FinCEN’s final rule strengthening CDD requirements recognizes the risks presented by inadequate KYC.
The CDD Rule has four core requirements. It requires covered financial institutions to establish and maintain written policies and procedures that are reasonably designed to:
Identify and verify the identity of customers
Identify and verify the identity of the beneficial owners of companies opening accounts
Understand the nature and purpose of customer relationships to develop customer risk profiles
Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information
Given the continually evolving and complex methodologies money launderers and other financial criminals use to conduct illicit activities and exploit the US financial system, keeping up with guidance issued by regulators is critical. Monitoring for red flags, exploring adverse media reports, examining links to politically exposed persons (PEPs), documenting transaction history and risky geographies, and really understanding who owns/controls the entities with which you’re about to transact will help reduce regulatory risk and possible penalties.
Training, testing, and auditing. The illicit finance environment has changed drastically since Russia’s full-scale invasion of Ukraine. It’s not just that the complexity of the sanctions regime against Russia has increased dramatically, but also that evasion methodologies and techniques, as well as the tactics illicit actors use to evade strategic trade controls, have evolved and become more complex. Training to ensure all personnel are well-versed in current regulations and financial crimes methodologies, testing to ensure that the controls put in place work to mitigate inherent risks, and examining residual risks to match the organization’s risk appetite are all important strategies.
Why is this important?
I almost got nerdy again.
I didn’t want to get too much in the weeds with this article. Suffice it to say, compliance programs need to be constantly monitored, examined, and tweaked as the risk environment changes.
Why?
Because aside from mitigating regulatory risks and avoiding millions of dollars in penalties, the idealist in me says that we need to protect our financial system from abuse by illicit actors.
We don’t want to be exploited by terrorist groups to move and launder funds.
We don’t want to be abused by sanctioned actors to hide assets.
We don’t want to be known as a criminals’ paradise, making it easy for illicit actors to access our financial system.
We don’t want to allow illicit actors to enjoy proceeds of criminal activity, and allow crime and corruption to flourish.
And we don’t want our financial sector to be weakened and corrupted by these actors.
In addition, loss of revenue, economic instability and distortion, and reputational risk—both for the organization and for the US financial system writ large—are also factors that should influence efforts and decision-making in the financial crimes sphere.
Let’s do this right, shall we?
No one expects perfection, but reasonable risk assessments and analysis of threats should not be something out of the ordinary. They should be standard practice.
Frankly, the resources your financial institution or other firm devotes to a robust financial crimes compliance program now will be nothing compared to the massive penalties it could face if it just pays lip service to these efforts.