Block Inc., the parent company of the popular mobile payment platform Cash App, agreed to a $40 million settlement with the New York Department of Financial Services (NYDFS) following extensive regulatory findings that exposed serious deficiencies in its compliance framework.
The enforcement action represents one of the most substantial penalties imposed by a US state regulator on a FinTech firm, sending a clear signal to the financial services industry that rapid growth without proportionate compliance controls carries strict consequences.
The NYDFS investigation concluded that Block "failed to maintain a compliant and effective AML program, as well as failed to comply with other critical requirements contained in the Superintendent's Money Transmitter and Virtual Currency Regulations."
Among the specific failings cited were inadequate customer due diligence procedures, a lack of timely suspicious activity reporting, and ineffective monitoring of cryptocurrency transactions, particularly concerning the app's bitcoin-related services.
These issues were deemed particularly significant given the scale of Cash App's operations. In 2024 alone, the platform processed over $283 billion in transactions with around 57 million monthly active users. Despite this reach, regulators found that Block had not invested appropriately in the compliance infrastructure necessary to mitigate risks associated with financial crime.
The terms of the settlement include not only the $40 million penalty but also a requirement for Block to appoint an independent monitor. This monitor will oversee and report on the company's remediation efforts over the coming months and focus on the development of a more robust compliance programme. Notably, this is not the first regulatory penalty the company has faced in 2025: in January, Block paid $80 million to resolve related claims brought by a coalition of 48 US state financial regulators.
What this means for business and legal professionals
For UK-based legal and compliance professionals, especially within the FinTech sector, the Block case offers a cautionary tale. As UK regulators, including the Serious Fraud Office (SFO), the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO), continue to ramp up their scrutiny of FinTech and crypto-asset firms, there appears to be a growing appetite among regulators worldwide to enforce high standards of corporate governance in digital finance.
With the UK's forthcoming "failure to prevent fraud" offence under the Economic Crime and Corporate Transparency Act 2023 due to come into force in September 2025, the regulatory landscape is evolving to impose stricter guidelines on organisations that fall short in fraud detection and prevention. Firms must now consider how their systems, controls and culture stack up against these new expectations. Reactive compliance is no longer sufficient, and those who fail to adapt risk not only financial penalties but lasting reputational damage.