Federal prosecutors are delving into internal practices at Block, the financial technology firm co-founded by Twitter’s Jack Dorsey. According to sources familiar with the matter, they are probing alleged widespread and long-standing compliance lapses at the company’s main units, Square and Cash App.

In these discussions, a former employee shared documents with prosecutors from the Southern District of New York, indicating inadequate information collection from Square and Cash App customers, transactions involving countries under economic sanctions, and cryptocurrency transactions for terrorist groups.

The former employee revealed that many credit card transactions, dollar transfers, and Bitcoin transactions were not reported to the government as mandated. Block allegedly failed to rectify these breaches upon notification. As recently as last year, documents provided identified transactions involving entities in countries under US sanctions restrictions, including Cuba, Iran, Russia, and Venezuela.

According to the former employee, Block’s compliance section must be revised and led by individuals ill-suited for regulated compliance programs. A second source familiar with Block’s monitoring programs corroborated this assessment.

C AJrH Me5np2jCkbjYW5AqSljQpInkQvKDpJQR6PIo8uhbP6F7vMHN0en ZELvSe3g4BQuYWIQAhyCtWUvNfXc19gjR3uPl7Mu oY l

Edward Siedle, a former SEC lawyer representing the former employee, indicated that Block leadership and the board had been aware of compliance lapses in recent years.

Following NBC News ‘ mid-February report, prosecutors met with the former employee, in which two other whistleblowers disclosed compliance failures at Cash App. This popular mobile payment platform allows users to send money, buy stocks, and buy Bitcoin.

In response to the probe, a Block spokeswoman emphasized the company’s robust compliance program, regularly updated to address emerging threats and evolving sanctions regulations. However, the former employee disputed Block’s assertion that it voluntarily reported thousands of transactions to the Office of Foreign Assets Control (OFAC), stating that numerous transactions were not reported.

Block received a no-action letter from OFAC after its voluntary disclosure, indicating the resolution of the investigation without administrative action. However, Block’s compliance controls were questioned in documents provided to prosecutors, including instances at Square where essential customer due diligence on international merchant sellers was neglected.

Documents also revealed Cash App’s design heightened compliance risks due to the rapid depletion of stored balances. Despite these revelations, Block asserted that compliance controls and its focus on US customers mitigate the risk of sanctions on Cash App.

Furthermore, an outside consultant hired by Block identified almost 50 deficiencies in its internal systems for monitoring suspicious activities and screening for sanctions violations last year.

Block emphasized its commitment to compliance and improving its processes, collaborating with legal experts to address identified deficiencies. However, they declined to address specific deficiencies cited in the documents.

Regarding the recent departures of board members Lawrence Summers and Sharon Rothstein, Block stated their exits were unrelated to any disagreements on company operations, policies, or practices.

Block has faced regulatory challenges before. The Bank of Lithuania ordered Verse Payments Lithuania UAB, Block’s European Cash App equivalent, to identify existing clients with unestablished identities, leading to fines.

Mobile payment apps like Cash App pose risks to users and the financial system. The FDIC ordered Sutton Bank, which issues Cash App’s prepaid Visa debit cards, to revise its anti-money laundering and terrorism financing programs.

Block believes the Sutton consent order will unlikely impact Cash App’s ongoing business relationship with the bank.