Federal prosecutors are digging into internal practices at Block, the financial technology firm launched by Twitter co-founder Jack Dorsey, discussing with a former employee alleged widespread and yearslong compliance lapses at the company’s two main units, Square and Cash App, two people with direct knowledge of the contacts say.

During the discussions, the former employee provided prosecutors from the Southern District of New York documents that they say show that insufficient information is collected from Square and Cash App customers to assess their risks, that Square processed thousands of transactions involving countries subject to economic sanctions and that Block processed multiple cryptocurrency transactions for terrorist groups.

Most of the transactions discussed with prosecutors, involving credit card transactions, dollar transfers and Bitcoin, were not reported to the government as required, the former employee said. Block did not correct company processes when it was alerted to the breaches, the former employee told prosecutors and NBC News.

Roughly 100 pages of documents the former employee provided to NBC News identify transactions, many in small dollar amounts, involving entities in countries subject to U.S. sanctions restrictions — Cuba, Iran, Russia and Venezuela — as recently as last year.

“From the ground up, everything in the compliance section was flawed,” the former employee told NBC News. “It is led by people who should not be in charge of a regulated compliance program.” 

A second person with direct knowledge of Block’s monitoring programs and practices echoed that assessment; NBC News granted the former employee and the second person anonymity to guard against potential reprisals.

The Southern District of New York did not respond to a request for comment about the inquiry.

Edward Siedle, a former Securities and Exchange Commission lawyer who represents the former employee and participated in the discussions with prosecutors, said, “It’s my understanding from the documents that compliance lapses were known to Block leadership and the board in recent years.”

Prosecutors met with the former employee after NBC News reported in mid-February that two other whistleblowers had told financial regulators about compliance failures at Cash App, the hugely popular mobile payment platform owned by Block. Cash App, introduced in 2013, allows users to send and receive money instantaneously among themselves and to buy stocks and Bitcoin. As of December, Cash App had 56 million active transacting accounts and $248 billion in inflows during the previous four quarters, the company said.

Asked about the probe, a Block spokeswoman provided the following statement: “Block has a responsible and extensive compliance program and we regularly adapt our practices to meet emerging threats and an evolving sanctions regulatory environment. Our compliance program includes systems, tools, and processes for sanctions screening, as well as investigating and reporting on sanctions issues in accordance with our regulatory obligations. Continually improving the safety and security of our ecosystem is a top priority for Block. We have been and remain committed to building upon this work, as well as continuing to invest significantly in our compliance program.”

The company said it believed it had voluntarily reported the “thousands of transactions” described by the former employee to the Office of Foreign Assets Control, or OFAC, a department of the U.S. Treasury that enforces economic sanctions. But the former employee disputed that, saying thousands of different transactions were not reported.

Square, the other main business unit at Block, is a financial services platform used by millions of merchants. Documents provided to prosecutors and reviewed by NBC News identify instances at Square when it failed to conduct basic customer due diligence on its international merchant sellers and improperly reimbursed some of the merchants’ funds that had been frozen for sanctions violations. (Merchants are considered customers at Square, while users are considered customers at Cash App.) New customers at both Square and Cash App who triggered sanctions alerts at their initial screenings were permitted to conduct transactions before the alerts were resolved, the documents say. They also show instances of employees’ flagging that customer biography information, such as linked social media accounts, was not screened against sanctions keyword lists. 

Cash App’s design increased the risk of compliance lapses, the documents indicate. “Due to the nature of the product,” a document said, “customers do not appear to leave stored balances in Cash App very long so our ability to block a stored balance or reject funds is limited. In virtually all situations, balances have been depleted by the time of review.”

The former employee also told prosecutors about the findings of an outside consultant Block hired to assess its internal systems for monitoring suspicious activities, rating customer risks and screening for sanctions violations. The consultant identified almost 50 deficiencies in those systems last year, the documents show. 

In its response to NBC News, the company said the hiring of the consultant showed Block’s commitment to perform and improve compliance, adding that 50 deficiencies were not unusual given the report’s scope. The former employee’s interpretation of the report misconstrues its findings and their significance, the company said. 

The company declined to answer questions about the specific deficiencies cited in the documents. It said that when deficiencies are identified, Block works “with our in-house legal team, as well as with outside counsel and consultants, to advise us on the issue and appropriate remediation.” The company conducts recurring sanctions screening on all merchants, it said, and its program includes the essential components expected by OFAC.

OFAC administers and enforces economic sanctions to protect the nation against “targeted foreign countries and regimes, terrorists and terrorist organizations, weapons of mass destruction proliferators, narcotic traffickers, and others,” according to its website. It “strongly encourages” companies to develop, implement and routinely update sanctions compliance programs. “Senior management’s commitment to, and support of, an organization’s risk-based sanctions compliance program is one of the most important factors in determining its success,” OFAC says, and it is essential to fostering “a culture of compliance throughout the organization.”

Along with senior management, the Block board of directors was informed of extensive lapses at the company, the former employee told prosecutors. In recent months, Block has announced the unexpected departures of two directors: Lawrence Summers, the former U.S. treasury secretary and a Block director since 2011, resigned in February, and in April it said Sharon Rothstein, a director since 2022, will not stand for re-election at the company’s annual meeting in June.

Block said that Summers and Rothstein were leaving the board to devote more time to other professional and personal activities and that their departures were not “a result of any disagreements with the company on any matter relating to the company’s operations, policies or practices.”

During his time on the board, Summers served on the audit committee, which is charged with reviewing and discussing with management the company’s program and policies on risk assessment and risk management. The committee is overseen by Lord Paul Deighton, a former Goldman Sachs executive who was commercial secretary to the treasury in the U.K. government from 2013 to 2015. NBC News requested interviews with Deighton and Summers, but they declined, forwarding the requests to Block’s corporate communications unit. 

Block has encountered difficulties with regulators before. In late 2021, the Financial Market Supervisory Committee of the Bank of Lithuania ordered Verse Payments Lithuania UAB, the company’s European version of Cash App, to determine the identity of its existing clients whose identities had not been established or had been established out of compliance with the law on Prevention of Money Laundering and Terrorist Financing. 

Verse and its former head were fined last year when the Bank of Lithuania inspected Verse and “found serious and systematic violations of the prevention of money laundering and terrorism financing.” The top Verse executive “did not ensure the safe and reliable operation of the institution, did not take effective measures to eliminate violations and did not ensure the compliance of the institution’s activities with the established requirements, although information about the violations committed by the institution was known to him for a long time,” the Bank of Lithuania said at the time.

Block shut down Verse last year. On an earnings call in August, Dorsey said that Verse required significant investment and that its market had “not seen the growth and profitability we had expected.”

Mobile payment apps like Cash App, PayPal and Venmo are popular, with over three-quarters of U.S. adults using them, according to a study last year by the Consumer Finance Protection Bureau. Known as person-to-person payment platforms, the services pose risks to their users and to the financial system, regulators say. In recent years, for example, law enforcement officials have cited criminals’ use of payment apps to evade laws, such as laundering stolen Covid relief funds in 2020.

Cash App is not a bank, but it uses external banking partners to conduct various services. One is Sutton Bank, the small Ohio institution that issues Cash App’s prepaid Visa debit cards, allowing users to spend or withdraw their funds. Banks are required to know every one of their customers, but the Cash App program “had no effective procedure to establish the identity of its customers,” the previous whistleblowers said in their complaints to federal financial regulators.

On March 29, Sutton Bank settled a consent order with the Federal Deposit Insurance Corp. that echoed the whistleblowers’ allegations. In the order, the FDIC alleged “unsafe or unsound banking practices and violations of law or regulation” at Sutton, including those relating to the Bank Secrecy Act. 

Under the order, Sutton agreed to revise its internal programs to “improve its supervision and direction” of its anti-money laundering and terrorism financing program and “to assure and maintain the Bank’s full compliance with the Bank Secrecy Act.” Sutton also agreed to look back to July 2020 “to ensure that all required customer identification program information has been obtained and the bank has formed a reasonable belief that it knows the true identity” of its customers. 

The FDIC order cited Sutton Bank’s work with “third parties” or outside entities and required it to provide details about anti-money-laundering compliance and customer identification programs at the outside companies it works with. The FDIC did not name Cash App in the order, but it is the largest third party that Sutton Bank works with, according to its chief compliance officer. The FDIC order also required Sutton to provide quarterly reporting of “third-party compliance with legal, contractual, and service level responsibilities, and management actions to address anti-money laundering and countering the financing of terrorism deficiencies.”

James Booker, senior counsel at Sutton Bank, said in an email that the bank is working closely with regulators and that the recent consent order “settled some longstanding issues concerning anti-money laundering controls” that had arisen “prior to the bank’s 2023 restructuring of its anti-money laundering program.” 

As for Block, it said the Sutton consent order was not likely to affect Cash App’s ongoing business relationship with the bank.