Block, Inc., the company behind Cash App, will pay a $40 million penalty to New York’s top financial regulator following a scathing investigation that uncovered widespread anti-money laundering failures and compliance lapses in its crypto operations.

The New York State Department of Financial Services (DFS) announced the settlement on Thursday, concluding that Block's rapidly expanding Cash App platform lacked the internal controls necessary to detect and prevent illicit financial activity—particularly involving Bitcoin transactions. The company is also required to bring in an independent monitor to oversee improvements to its compliance systems.

According to DFS Superintendent Adrienne A. Harris, the company’s growth dramatically outpaced its ability to maintain a compliant risk management structure. “Compliance functions must keep pace with company growth or expansion,” she said in a statement. “The Department is taking decisive steps to ensure accountability.”

Block, formerly known as Square, has held a money transmitter license in New York since 2013 and has operated under a BitLicense—New York’s regulatory framework for virtual currency businesses—since 2018. However, state investigators found that between 2018 and 2022, the company failed to meet several critical obligations, including proper customer identification protocols and timely suspicious activity reporting.

One of the most troubling findings was the staggering backlog in transaction monitoring. By 2020, Block had more than 169,000 alerts awaiting review. This delay led to suspicious activity reports being filed months late—some more than a year after the transactions occurred—compromising the company’s ability to flag potential criminal behavior in real time.

The investigation also revealed shortcomings in how Block handled high-risk crypto activity. Transactions involving so-called “mixers”—tools often used to obscure the source and destination of crypto funds—were incorrectly rated as medium risk, despite being commonly associated with criminal networks and money laundering schemes.

In another instance, DFS noted that Cash App’s “restricted” accounts, which allow limited fiat transactions without full identity verification, were misused by bad actors. Some individuals exploited loopholes to open dozens of accounts using recycled emails, phone numbers, and payment instruments, bypassing platform limits and exposing the system to fraud.

Block also stumbled in cybersecurity and consumer protection. State examiners found the company failed to follow standard governance procedures—like board approval of key security policies—and maintained an inadequate disaster recovery plan. In addition, required disclosures around transaction risks and refund policies were not clearly presented to consumers.

While the Department acknowledged that Block cooperated fully during the investigation and has begun remediating many of the identified gaps, the settlement outlines significant corrective action. The appointed independent monitor will review Block’s current AML and sanctions compliance systems, examine historical transaction activity, and ensure that the company’s blockchain analytics tools align with both state and federal regulatory expectations.