That New York Action Against Block
Last week New York state regulators sanctioned online payments giant Block for persistent shortcomings in the anti-money laundering compliance program for Cash App, the popular digital wallet owned by Block. Even for folks not in financial services or subject to New York state regulation, this case offers important lessons about modern compliance risks that any company might face, so let’s take a look.
The enforcement action came from the New York Department of Financial Services, which fined Block $40 million and imposed a compliance monitor for one year. At issue were numerous poor AML compliance practices that DFS regulators documented during inspections in the early 2020s: poor suspicious activity reporting, poor transaction monitoring, poor customer due diligence, poor cybersecurity practices. You know, all the usual stuff we see in AML compliance enforcement.
Alas, the larger failure here is one we’ve seen many times before, too: Block grew too quickly, and didn’t invest in its compliance program along the way to keep pace with the increasing risks that came along with all that growth.
“Compliance functions must keep pace with company growth or expansion,” DFS superintendent Adrienne Harris said in a statement. “The rapid growth of Block’s Cash App absent a robust compliance function created risk and vulnerabilities that violated the rules financial services companies operating in New York must adhere to.”
That’s a cautionary tale as old as time, and one that applies to any business whether you’re in the financial services sector or not. Management sees some path to rapid growth and plunges ahead, without considering the stronger risk controls that might need to be erected — better technology, tighter approval processes, and above all, more staff — to keep all that growth on the right side of your compliance obligations and risk tolerances.
State vs. Federal Compliance Risk
Lesson No. 2 for compliance officers is about how Block tripped into this enforcement sandtrap with DFS in the first place. To understand this lesson we need to dork out on DFS rules for a moment, so please bear with me.
As a financial firm doing business in New York, Block must comply with all DFS regulations. Section 417.2 of those regulations states that any money-transfer business (and Block is one, through its Cash App subsidiary) must establish and maintain an AML program that complies with all applicable federal anti-money laundering laws.
Do you see the sandtrap there? If a financial firm doesn’t satisfy federal AML compliance standards, that is a violation of New York state law. So even though the Trump Administration might put enforcement of AML obligations into the deep freeze, that doesn’t mean you can now ignore those obligations, because the state of New York requires you to meet those obligations anyway. If you don’t, state regulators could bring their own enforcement action against you.
For anyone out there muttering, “Cool story bro, but we’re not subject to DFS oversight” — let’s remember that this dynamic of states using federal law to drive compliance exists in other scenarios, too. Just two weeks ago, the state attorney general of California published an alert warning that violations of the Foreign Corrupt Practices Act can qualify as violations of the state’s Unfair Competition Law.
I don’t know how many other states have similar laws where some ambitious state attorney general might try to shoehorn your FCPA violation into a state-level offense, but California’s alert did expressly say, “Violations of the FCPA may also constitute unfair, deceptive, or abusive acts or practices under other states’ laws,” so clearly it’s possible.
Where to Go From Here
The Block enforcement action and California’s warning about FCPA violations do raise some interesting points about how you perform a compliance risk assessment these days.
First is the block-and-tackle stuff: identify all those state rules and regulations that might apply to your business, to understand what they require and which ones cite federal statutes and rules as the compliance standards your program must meet.
That exercise might sound straightforward, even if painstaking to do — but as with all things Trump 2.0, in practice it’s likely to be more complicated.
For example, if some federal agency rescinds a longstanding rule, will your regulatory change management process catch that? What if the agency rescinds the rule without any public notice or comment? (That’s the latest hare-brained and likely illegal idea from the White House, proclaimed by executive order last week.) What if state regulators then update their rules to incorporate those erstwhile federal rules into the states’ own books? Will your regulatory change management system catch that too?
Second, even if you notice that deregulatory move, do you know how to incorporate those more relaxed standards into your own policies, procedures, controls, and training? This is something I discussed more fully in a recent guest post for Navex: that you still need strong policy management, training, and risk assessment capabilities to embrace deregulation as much as you needed those capabilities for new regulation.
And third, let’s be honest: CFOs, general counsels, and management teams are motivated to invest in strong compliance programs based on the risk of enforcement against the company and what that enforcement might cost them. So how will we estimate enforcement risk in today’s fraught political climate?
That is, at least some state regulators and attorneys general want to bring enforcement actions simply to remind corporations that good conduct (as they define it, anyway) still matters, even if the Trump Administration doesn’t care about enforcement. How do you figure that into your risk-reward decisions for compliance program investments?
I don’t have an answer to that question. Moreover, it cuts in all sorts of ways: Trump regulators enforcing their political agendas against DEI and immigrants, but not against other offenses; states such as Florida picking that fight two years ago with Disney over the state’s Don’t Say Gay law; now states such as California eyeing FCPA violations as a potential state matter or New York imposing compliance monitors even as the feds move away from them.
In that sort of all-against-all political world, understanding what enforcement actions will come from whom, and how harsh those actions might be, is going to be an exceedingly difficult task. And as usual, compliance officers will be caught in the middle of it.