Regulatory Action Tracker

NYDFS issued a consent order against Block, Inc., the parent company of Cash App, citing significant compliance failures in its anti-money laundering (AML) and virtual currency operations. Block agreed to pay a $40 million penalty and to retain an independent monitor to oversee its remediation efforts.

The DFS found that Block, Inc. failed to implement adequate risk-based thresholds, specifically calling out how they configured their blockchain analytic tools. For instance they cited that unless exposure to terrorism-linked wallets exceeded 10%, accounts would not be blocked and that any amount of exposure should have been cause for action. The company’s KYC and customer due diligence controls were also deficient — Block lacked a formal KYC refresh process and allowed users to open multiple restricted accounts using different credentials, enabling a Russian criminal network to operate over 8,300 fraudulent accounts. Additionally, Block suffered from massive SAR filing delays, with alert backlogs growing to over 169,000 and reports averaging 129 days to file, all while misclassifying high-risk mixer transactions as medium risk, exposing the platform to sustained illicit activity.

Germany’s financial regulator BaFin prohibited Ethena GmbH from issuing or distributing its USDe token to German customers, citing unauthorized e-money issuance under the EU’s Markets in Crypto-Assets Regulation (MiCAR). BaFin also froze Ethena’s assets in Germany and warned consumers about the lack of regulatory oversight for the stablecoin product. This action underscores the increased enforcement activity under MiCAR, especially targeting stablecoins marketed or distributed without proper licensing in the EU.

Compliance staff should note that under MiCAR, issuing or distributing stablecoins like USDe without proper authorization can trigger immediate enforcement actions — including asset freezes and sales bans — even if the issuer is based outside the EU. Firms marketing to EU residents must ensure their cryptoassets qualify under MiCAR’s e-money or asset-referenced token categories and obtain the necessary licensing in advance. This case highlights the urgency of conducting a regulatory perimeter assessment before launching or promoting tokenized products in EU jurisdictions.

FINRA sanctioned Robinhood Financial and Robinhood Securities with a $26 million fine and over $3.75 million in restitution for widespread supervisory failures spanning nearly a decade. Robinhood misled customers by "collaring" market orders — converting them to limit orders — without proper disclosure, leading to millions in missed executions. The firm also lacked effective AML and KYC systems, allowing fraudulent account openings and failing to monitor $300 million in third-party transfers. Robinhood’s clearing system failed repeatedly during market surges, including a spike tied to Bitcoin trading, and the firm improperly blocked 116,000 account transfers — some due to customers holding crypto at affiliate Robinhood Crypto LLC, violating FINRA rules.

Robinhood’s AML program lacked controls to detect prearranged trading in low-priced securities and suspicious options activity; firms should ensure their surveillance tools cover these high-risk behaviors comprehensively. The failure to monitor $300 million in third-party transfers and to flag ACH name mismatches highlights the need for robust transaction monitoring that incorporates identity verification signals. Robinhood did not have systems to detect account takeovers — an essential capability given FinCEN’s long-standing advisories — underscoring the importance of integrating cyber threat detection into AML protocols. Staffing was severely inadequate, with just two analysts handling nearly one million daily trades; firms must invest in AML teams that scale with volume and use case complexity. Surveillance reports were discontinued due to technical limitations, suggesting a need for scalable infrastructure and regular audit of monitoring effectiveness. Lastly, Robinhood’s CIP failed to reject accounts with identity mismatches; financial institutions should implement strong identity verification controls and conduct periodic reviews to ensure effectiveness.

DCG and former CEO of Genesis Global Capital, agreed to pay a combined $38.5 million for misleading investors about Genesis’s financial health. Following a $1 billion default by one of Genesis’s largest borrowers (Three Arrows Capital) in mid-2022, DCG and CEO allegedly downplayed the extent of the resulting losses and falsely suggested that DCG had infused new capital into Genesis.

A $1 billion default by 3AC severely impacted Genesis. A single, high-risk counterparty can threaten both solvency and compliance integrity of another firm. Ensure robust diligence for major counterparties of crypto firms, especially those using leveraged or complex structures.

Prior case with sentencing announcement. US Attorney’s Office announced a $100 million fine against BitMEX for violating BSA. According to the enforcement action, BitMEX operated its trading platform without registering as required and failed to implement critical AML and KYC controls. US authorities alleged that BitMEX deliberately allowed U.S. customers to trade on the platform without proper compliance measures.

The BitMEX enforcement action highlights key AML risks for crypto firms. Failure to register, weak KYC, not filing SARs for years and willful AML non-compliance led to a $100 million penalty and executive liability. Regulators expect robust identity verification, transaction monitoring, and clear AML accountability — paper policies won’t suffice. US authorities are aggressively targeting offshore platforms serving US customers without compliance.

State money transmission regulators from multiple states alleged that Block, Inc. (formerly Square, Inc.) had deficiencies in its anti-money laundering program. Under the settlement, Block agreed to pay a total of $80 million in penalties and administrative costs, enhance its AML controls, and engage an independent consultant to verify compliance going forward.

State regulators levying significant fine and implimentation of a third-party auditor to monitor progress of Block's compliance program. May signal increased scrutiny coming from state regulators