Federal prosecutors are digging into internal practices cloggedthis Fintech The company founded by Twitter co-founder Jack Dorsey spoke with a former employee about its two main divisions, Square and cash appsaid two people who knew the contact directly.
During the discussions, the former employee provided documents to prosecutors for the Southern District of New York that they said showed insufficient information was collected from Square and Cash App customers to assess their risk, and that Square processed thousands of transactions involving Countries and regions subject to economic sanctions.
The former employee said most of the transactions discussed with prosecutors, including credit card transactions, U.S. dollar transfers and Bitcoin, were not reported to the government as required. The former employee told prosecutors and NBC News that when Block was alerted to the breach, the company did not correct its processes.
About 100 pages of documents provided to NBC News by the former employee show that transactions that occurred last year, many of which were smaller, involved entities in countries subject to U.S. sanctions: Cuba, Iran, Russia and Venezuela.
“Everything about the compliance part was flawed from the beginning,” the former employee told NBC News. “It was led by people who should not be in charge of regulated compliance programs.”
Another person with direct knowledge of Bullock’s surveillance programs and practices echoed that assessment. NBC News granted the former employee and the second person anonymity to prevent potential retaliation.
The Southern District of New York did not respond to a request for comment on the investigation.
Edward Siedle, a former SEC attorney who represented former employees and was involved in discussions with prosecutors, said: “From what I understand from the documents, Bullock leadership and the board were aware of compliance lapses in recent years. .
Prosecutors meet with former employee after NBC News Reported in mid-February Two other whistleblowers informed financial regulators of compliance failures at Cash App, the popular mobile payments platform owned by Block.one. cash appLaunched in 2013, it allows users to instantly send and receive funds between each other as well as buy stocks and Bitcoin. Cash App had 56 million active trading accounts as of December and had inflows of $248 billion in the first four quarters, the company said.
When asked about the investigation, a Block spokesperson issued the following statement: “Block has a responsible and extensive compliance program, and we regularly adjust our practices to respond to emerging threats and the evolving sanctions regulatory environment. Our The Compliance Program includes systems, tools and processes for: Sanctions screening and investigating and reporting sanctions issues consistent with our regulatory obligations are a top priority for Block.
The company said it believed it had voluntarily reported what the former employee described as “thousands of transactions” to the Office of Foreign Assets Control (OFAC), the arm of the U.S. Treasury Department responsible for enforcing economic sanctions. But the former employee disputed that, saying thousands of different transactions were not notified.
Block’s other major business unit, Square, is a financial services platform used by millions of merchants. Documents provided to prosecutors reviewed by NBC News show that Square failed to conduct basic customer due diligence on its international merchant sellers and improperly repaid some merchant funds that had been frozen due to sanctions violations. (Merchants are considered customers of Square, while users are considered customers of Cash App.) New customers of Square and Cash App trigger a sanctions alert during initial screening and are allowed to transact until the alert is resolved, the filing said. They also show instances where employees flagged customer biographical information, such as linked social media accounts, that was not filtered against sanctioned keyword lists.
The design of Cash App increases the risk of compliance lapses, documents show. A document states: “Due to the nature of the product, it does not appear that customers will leave stored balances in Cash App for very long, so our ability to freeze stored balances or reject funds is limited. In almost all cases, the balance has been been deleted.
The former employee also disclosed to prosecutors the findings of an outside consultant hired by Bullock to evaluate its internal systems to monitor suspicious activity, assess customer risk and screen for sanctions violations. The consultant discovered nearly 50 flaws in these systems last year, documents show.
In response to NBC News, the company said hiring the consultant demonstrates Block’s commitment to enforcing and improving compliance, adding that 50 deficiencies were not unusual given the scope of the report. The company said the former employee’s interpretation of the report misunderstood its findings and their significance.
The company declined to answer questions about the specific flaws mentioned in the filing. The company said that when a defect was discovered, Bullock “worked with our internal legal team and outside counsel and advisors to advise us on the issue and appropriate remedies.” The company said it conducts regular sanctions screenings of all merchants and its program includes basic components of OFAC’s expectations.
Office of Foreign Assets Control The agency administers and enforces economic sanctions to protect the country from “targeted foreign countries and regimes, terrorists and terrorist organizations, proliferators of weapons of mass destruction, drug smugglers and others,” according to its website. It “strongly encourages” companies to develop, implement and regularly update sanctions compliance plans. “Senior management’s commitment to and support of an organization’s risk-based sanctions compliance program is one of the most important factors in determining its success,” OFAC said, “and is critical to fostering a “compliance culture throughout the organization.”
The former employee told prosecutors that Block’s board of directors, along with senior management, was informed of numerous missteps at the company. In recent months, Block has announced the unexpected departures of two directors: Lawrence Summers, the former U.S. Treasury secretary and a Block director since 2011, resigned in February and said in April that he would be stepping down starting in 2022. Sharon Rothstein, who serves as a director, will not continue as a director.
Bullock said Summers and Rothstein will leave the board to devote more time to other professional and personal activities, and that their departures are not “due to any issues related to the company’s operations, policies or practices.” There are any differences.”
While serving on the Board of Directors, Summers served as a member of the Audit Committee and was responsible for reviewing and discussing with management the Company’s risk assessment and risk management programs and policies. The committee is overseen by Lord Paul Deighton, a former Goldman Sachs executive who served as the UK government’s commercial secretary to the Treasury from 2013 to 2015. NBC News requested interviews with Dayton and Summers, but they declined and forwarded the request to Bullock’s corporate communications unit.
Bullock has had difficulties with regulators before. At the end of 2021, the Financial Market Supervision Committee of the Bank of Lithuania Already ordered Verse Payments Lithuania UAB, the company’s European version of Cash App, is used to identify its existing customers who have not been identified or have been identified under laws to prevent money laundering and terrorist financing.
The verse and its preceding title are was fined last year When the Bank of Lithuania inspected Verse and “discovered serious and systemic violations of the prevention of money laundering and terrorist financing”. Verse senior officials “failed to ensure the safe and secure operation of the institution, to take effective measures to eliminate irregularities, and to ensure that the institution’s activities complied with established requirements, even though information about the irregularities committed by the institution was disclosed”. We just knew each other,” the Bank of Lithuania said at the time.
Block closed Verse last year.in a Earnings Conference Call In August, Dorsey said Verse needed significant investment and that its market was “not seeing the growth and profitability that we expected.”
Mobile payment apps like Cash App, PayPal and Venmo are popular, with more than three-quarters of U.S. adults using them, according to one company. studied last year Responsible for this by the Consumer Financial Protection Bureau. Regulators say the services, known as person-to-person payment platforms, pose risks to users and the financial system. In recent years, for example, law enforcement officials have cited criminals using payment apps to evade the law, such as laundering stolen COVID-19 relief funds in 2020.
cash app not a bankbut it uses External banking partners Carry out various services. One of them is Sutton Bank, a small institution in Ohio that issues Cash App’s prepaid Visa debit cards, which allow users to spend or withdraw funds. Previous whistleblowers said in a complaint to federal financial regulators that banks must know every customer but that the Cash App program “had no effective procedures to determine the identity of customers.”
On March 29, Sutton Bank entered into a consent order with the FDIC, echoing the whistleblower’s allegations. In the order, the FDIC charged Sutton Bank with “unsafe or unsound banking practices and violations of laws or regulations,” including those related to the Bank Secrecy Act.
Place orderSutton agreed to revise its internal program to “improve oversight and guidance of its anti-money laundering and terrorist financing programs” and “ensure and maintain the bank’s full compliance with the Bank Secrecy Act.” Sutton also agreed to look back to July 2020 “to ensure that all required customer identification scheme information has been obtained and that the bank has formed a reasonable belief that it knows the customer’s true identity”.
The FDIC order refers to Sutton Bank’s work with “third parties,” or outside entities, and requires it to provide details about the anti-money laundering compliance and customer identification programs of outside companies it works with. The FDIC did not name Cash App in the order, but the company is the largest third party Sutton Bank works with, according to Sutton Bank’s chief compliance officer. The FDIC order also requires Sutton to provide quarterly reports on “third parties’ compliance with legal, contractual and service level obligations, as well as management actions to address anti-money laundering and countering the financing of terrorism deficiencies.”
James Booker, senior counsel at Sutton Bank, said in an email that the bank is working closely with regulators and that the recent consent order “addresses a number of long-standing issues regarding anti-money laundering controls” that It “comes ahead of the bank’s 2023 restructuring.”
As for Block, it said the Sutton consent order is unlikely to affect Cash App’s ongoing business relationship with the bank.