Cash App To Pay >$250 Million to Settle with State, Government Regulators Over Compliance Failures
In a landmark decision, the U.S. Consumer Financial Protection Bureau (CFPB) recently levied a major penalty against popular money-transfer application Cash App over lax security protocols. The popular peer-to-peer (P2P) payment app’s parent company Block came under fire last week after a regulatory investigation into the firm’s dealings found that the company was operated “irresponsibly” over a multi-year period, with Block alleged to have mislead its customers thus placing them at increased risk of fraud.
The global P2P payments market has exploded during the technological age of finance with a global market size now eclipsing $3 billion and expecting to rise at a compound annual growth rate of over 15% per year. These numbers are largely backed by increased smartphone adoption by the masses and perceived improvements in data security when utilizing online financial services, and are expected to be further bolstered by ongoing
developments in the cryptocurrency space as well as in cross-border payment facilitation over the coming years. Under the leadership of Jack Dorsey – the former founder and CEO of popular social media app Twitter – Cash App has become one of the payment methods of choice over this period, amassing more than 57 million active accounts and a gross profit margin of $1.3 billion in its most recent earnings report. 2 While cash still remains the vehicle of choice in the criminal economy, the unprecedented growth in this sector has drawn increased attention to P2P payment systems by financial criminals, culminating in higher risk for both individuals and businesses using these services. The massive reach of this particular app on the global scale has made it popular for not only law-abiding citizens, but for criminals as well. The substantial amounts of money flowing through Cash App’s network on a day-to-day basis makes it a very large, inviting target for fraudsters – especially when, according to the CFPB, there is widespread negligence with respect to cyber-security.
A statement released by CFPB Director Rohit Chopra on the agency’s investigation read that “Cash App created the conditions for fraud to proliferate on its popular payment platform,” adding that “when things went wrong, Cash App flouted its responsibilities and even burdened local banks with problems that the company caused.” 1 All told, Block’s weak security protocols left customers at risk of both fraud and potential account takeover by bad actors. Making matters worse, the CFPB writes that Block is required by law to investigate and resolve disputes about unauthorized transactions., however, when the company set out to perform their subsequent investigations, they were found to be “woefully incomplete.” 1 Block is also alleged to have directed users who had suffered financial losses as a result of fraud on their platform to ask their linked banks to attempt to reverse these questionable transactions, which Block would subsequently deny, with the company also deploying a wide range of counter-tactics to suppress Cash App users from seeking help in these circumstances to mitigate their own costs stemming from the investigations to follow. Essentially, Cash App was cutting corners by trying to convince their customers through its end-user agreement that their respective banks bore all of the burden for fraud occurring within their own application. As the CFPB’s investigation wore on, this was of course proven to be misinformation.
Further harming their case and their greater reputation, Cash App was discovered to have deprived its users of appropriate customer support throughout the claim process. A customer service phone number provided on a users’ Cash Card would simply play a pre- recorded message and redirect users to contacting support through the app or via email. The responses that were received through these means were usually delayed significantly and/or grossly unhelpful. This made desperate customers even more vulnerable to fraudsters posing as Cash App customer service employees, with individuals potentially handing over personal identification information and login details to bad actors during this process. As a result of these shortcomings, the CFPB issued a whopping $120 million penalty against Block with an additional $55 million devoted strictly to providing financial relief for victims of Block’s poor business practices. The company will also be forced set up 24-hour, live-person customer service to ensure no recurrent misconduct in this regard going forward. The order also requires Block to fully investigate unauthorized transactions and to provide timely refunds, where appropriate. 1
In addition to this penalty, Block also entered an agreement to pay an additional $80 million settlement with forty-eight financial state regulators that were threatening legal action against the company over various anti money laundering (AML) failures. The state regulators allege that the company’s deficiencies in its compliance program could have allowed money laundering, terrorism financing and other illegal financial activity to take place over a lengthy period of time. However, the state regulators fell short of specifically alleging that any money laundering activity had actually occurred during this time period. Under this agreement, Block must also retain a third-party consultant to review its anti- money laundering program indefinitely. Block publicly acknowledged the settlement while also trying to brush it off, claiming that the settlement was only related to their past compliance program while stating that the claims do not reflect the significant improvements/investments they have made in improving these shortcomings as the application and company have grown.
Citations
1. “CFPB Orders Operator of Cash App to Pay $175 Million and Fix Its Failures on Fraud.” Consumer
Financial Protection Bureau, 16 Jan. 2025.
2. Vanderford, Richard. “Cash App Owner to Pay $80 Million over Alleged Anti-Money-Laundering
Deficiencies.” The Wall Street Journal, 15 Jan. 2025, 20.