Federal prosecutors are conducting a thorough investigation into internal practices. blockThe financial technology company started by Twitter co-founder Jack Dorsey said it has spoken with former employees about widespread and long-standing compliance violations at its two major divisions, Square and Cash App. This was revealed by two people with direct knowledge of the person.
During the discussions, former employees told prosecutors in the Southern District of New York that not enough information was collected from Square and Cash App customers to assess the risks, and that Square was involved in countries subject to economic sanctions. It provided documentation showing it had processed thousands of transactions. The block processed multiple cryptocurrency transactions for terrorist groups.
Most of the transactions discussed with prosecutors, including credit card transactions, dollar transfers and Bitcoin, were not reported to the government as required, former employees said. Former employees told prosecutors and NBC News that Mr. Block did not correct the company’s processes when he was alerted to the violations.
About 100 pages of documents provided to NBC News by former employees show many small-value transactions involving entities in the countries of Cuba, Iran, Russia and Venezuela, which have been subject to U.S. sanctions restrictions since last year. has been identified.
“Fundamentally, everything in the compliance department was flawed,” a former employee told NBC News. “It is led by people who should not be in charge of a regulated compliance program.”
Another person with direct knowledge of Mr. Block’s surveillance program and practices echoed that assessment. NBC News granted anonymity to the former employee and the second person to prevent potential retaliation.
The Southern District of New York did not respond to requests for comment on the study.
“We understand from the documents that compliance violations were known to Bloc’s leadership and board in recent years,” said Edward Seidle, a former Securities and Exchange Commission attorney who represented former employees and participated in discussions with prosecutors. “I am doing so,” he said.
After NBC News reported in mid-February that two other whistleblowers alerted financial regulators to financial regulators about compliance violations at Cash App, the wildly popular mobile payments platform owned by Mr. I met with members. Introduced in 2013, Cash App allows users to instantly send and receive money between themselves, as well as buy stocks and Bitcoin. As of December, Cash App had 56 million active trading accounts, with $248 billion in inflows over the past four quarters, the company said.
Asked about the investigation, a spokesperson for the bloc issued the following statement: “The bloc has a responsible and extensive compliance program and we respond to emerging threats and the evolving sanctions regulatory environment. Our compliance program includes systems, tools and processes to ensure the safety and security of our ecosystem, as well as sanctions reviews in accordance with our regulatory obligations. Continuously improving security is a top priority for Block and we remain committed to this commitment.We continue to invest heavily in our compliance program.”
The company said it believed it had voluntarily reported “thousands of transactions” described by former employees to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC), which enforces economic sanctions. But former employees disputed this, saying thousands of different transactions went unreported.
Block’s other major business unit, Square, is a financial services platform used by millions of merchants. Documents submitted to prosecutors and reviewed by NBC News allege that Square failed to perform basic customer due diligence on international merchant sellers and improperly repaid some merchant funds that had been frozen for sanctions violations. A number of cases have been identified. (Merchant is considered a Square customer and user is considered a Cash App customer.) New customers of both Square and Cash App who trigger a sanctions alert during the initial review will receive a refund before the alert is resolved. The transaction was authorized, the document states. It also provides examples where employees reported that customers’ biographical information, such as linked social media accounts, was not screened against a list of sanctioned keywords.
Documents show that Cash App’s design increased the risk of non-compliance. “Due to the nature of the product, our ability to block saved balances or deny funds is limited as customers do not appear to leave their saved balances in Cash App for very long,” the document reads. In virtually all circumstances, the balance has been maintained. It is depleted at the time of review. ”
The former employee also told prosecutors about the findings of Block, an outside consultant hired to evaluate internal systems for monitoring suspicious activity, assessing customer risk, and examining sanctions violations. Consultants identified nearly 50 flaws in these systems last year, according to documents.
In a response to NBC News, the company said the consultant’s hiring demonstrates Block’s commitment to compliance and improvement, adding that 50 deficiencies are not unusual given the scope of the report. The company said the former employee’s interpretation of the report misunderstands the findings and their significance.
The company declined to answer questions about the specific deficiencies listed in the document. When deficiencies are identified, Block “works with our in-house legal team and outside attorneys and consultants to advise on the issue and appropriate remediation.” The company said it conducts regular sanctions checks on all of its merchants, and its program includes key elements expected by OFAC.
According to the website, OFAC implements and enforces economic sanctions to protect the public from “targeted foreign countries and regimes, terrorists and terrorist organizations, proliferators of weapons of mass destruction, and drug traffickers.” Companies are “strongly encouraged” to develop, implement and regularly update sanctions compliance programs. OFAC states that “senior management’s commitment to and support of an organization’s risk-based sanctions compliance program is one of the most important factors determining an organization’s success” and that it fosters an “organization-wide culture of compliance.” states that it is essential.
Former employees told prosecutors that Block’s board of directors, along with senior management, had been briefed on widespread failures at the company. In recent months, Block announced the unexpected resignations of two board members. Lawrence Summers, a former U.S. Treasury secretary who has served on the block’s board since 2011, resigned in February, and in April, Sharon Rothstein, who had served on the board since 2022, announced she would not run. He will be re-elected at the annual general meeting in June.
Mr. Block said Mr. Summers and Mr. Rothstein had resigned from the board to devote more time to other professional and personal pursuits, and that their resignations were “responsible for any matters relating to the company’s operations, policies, or practices.” “This was not the result of any disagreement with the company,” he said.
During his tenure on the Board, Mr. Summers served on the Audit Committee, which was responsible for reviewing and discussing with management the Company’s programs and policies regarding risk assessment and management. The committee is overseen by Sir Paul Deighton, a former Goldman Sachs executive who served as the UK government’s business secretary to the Treasury from 2013 to 2015. NBC News requested interviews with Mr. Dayton and Mr. Summers, but they declined and forwarded the request to Mr. Bullock’s corporate communications. unit.
Mr. Block has faced difficulties with regulators before. In late 2021, the Financial Market Supervisory Board of the Bank of Lithuania issued a complaint against the company’s European Cash App, Verse Payments Lithuania UAB, that either no identity had been established or an identity had been established without complying with legal regulations. Ordered to identify existing customers. Law on the Prevention of Money Laundering and Terrorist Financing.
Last year, Vaas and its former head were fined when the Bank of Lithuania inspected Vaas and “found serious and systematic violations regarding money laundering and prevention of terrorist financing.” Verse’s top executives said, “Despite the fact that information about violations committed by the institution was publicly available, it did not ensure the safe and reliable operation of the institution and did not take effective steps to eliminate the violations.” “He did not ensure that the activities of the institution complied with the established requirements, which he has known for a long time,” the Bank of Lithuania said at the time.
Mr. Block shut down Verse last year. Dorsey said on an August earnings call that Verse required significant investment and that the market “didn’t see the growth and profitability that we had hoped for.”
Mobile payment apps like Cash App, PayPal and Venmo are popular, with more than three-quarters of U.S. adults using them, according to a Consumer Financial Protection Bureau study last year. The service, known as a person-to-person payment platform, poses risks to users and the financial system, regulators said. For example, in recent years, law enforcement officials have cited examples of criminals using payment apps to evade justice, such as laundering stolen coronavirus relief funds in 2020.
Cash App is not a bank, but To external banking partners We provide various services. One is Sutton Bank, a small financial institution in Ohio that issues Cash App prepaid Visa debit cards that allow users to spend and withdraw funds. Banks need to know each customer, but the Cash App program “did not have effective procedures to verify customer identity,” former whistleblowers said in a complaint to federal financial regulators. stated in the letter.
On March 29, Sutton Bank settled with the Federal Deposit Insurance Corporation on a consent order that echoed the whistleblower’s claims. In its order, the FDIC alleged “unsafe or unsound banking practices and violations of laws or regulations,” including those related to the Bank Secrecy Act, at Sutton.
Under the order, Sutton revised internal programs to “improve oversight and guidance” of anti-money laundering and counter-terrorist financing programs and “ensure and maintain the bank’s full compliance with the Bank Secrecy Act.” agreed to do so. Sutton also said that in 2020, “to ensure that all necessary customer identification program information is captured and that the bank forms a reasonable belief that it knows the true identity of the customer.” We agreed to look back on July.
The FDIC’s order cited Sutton Bank’s collaboration with “third parties” or outside entities and required it to provide details about anti-money laundering compliance and customer identification programs of outside companies affiliated with it. Although the FDIC did not name Cash App in its order, it is the largest third party Sutton Bank works with, according to the company’s chief compliance officer. The FDIC’s order also requires Sutton to conduct quarterly updates on “third party compliance with legal, contractual, and service-level responsibilities, and administrative measures to address anti-money laundering and counter-terrorism financing.” required to report.
James Booker, a senior adviser at Sutton Bank, said in an email that the bank is working closely with regulators and that the recent consent order “resolves long-standing anti-money laundering regulations that arose prior to the bank’s 2023 reorganization.” The issue has been resolved.” This is an anti-money laundering program. ”
As for Mr. Block, he said Mr. Sutton’s consent order is unlikely to affect Cash App’s continued business relationship with the bank.