Since the initial legalization of medical/recreational marijuana in California in 1996, the conversation has been open about how the legislation would affect financial institutions (FIs). Since then, many unique business lines have been developed as part of the expansion of the legal cannabis industry. Now, in 2022, the conversation is more open than ever as to which institutions in which states will choose to onboard the varying degrees of business customers involved in cannabis-related sales. While regulatory guidance has been issued to guide institutions with exposure to the cannabis market, there are still many areas that leave officers searching for guidance on how to properly mitigate the risk posed by exposure to the cannabis market. Today, the cannabis market continues to “knock louder” on the door of U.S. FIs:

• In 2021, cannabis industry borrowing approached $5 billion, roughly triple 2020 levels, with 2022 expected to experience an even greater increase.¹
• The demand for product has increased each year since legalization.
• The Secure and Fair Enforcement (SAFE) Banking Act of 2021 is currently pending.

Inherently, customers classified as marijuana-related businesses (MRBs), cannabis-related businesses (CRBs) and hemp businesses offer tremendous opportunities for FIs. Onboarding these customers opens up institutions to a rapidly growing industry with limitless potential as the market evolves. In addition, unique revenue and fee opportunities are available by banking these customers.

Conversely, as with any new opportunity, this new industry also presents significant risk. All customers with business exposure to the cannabis market will most likely be classified as “high-risk” customers with required unique monitoring practices. While many anti-money laundering/Bank Secrecy Act (AML/BSA) compliance programs have been developed to be comprehensive in monitoring unique customer types, banking cannabis businesses will most likely require additions to policy, added monitoring procedures and heightened due diligence performed by qualified staff. The risk, of course, is if the customer base is improperly handled, which could result in fines, regulatory comments or reputational damage to the bank.

Making the Decision

As with many new products/services, geographical areas or customers, the bank must perform a detailed risk assessment to consider both inherent risk and mitigating controls over the following factors:

• Quantity and quality of staff
• Degree of exposure to product (three tiers, direct vs. indirect, product touching)
• Legislation in operating region
• Tone at the top of governance to enforce necessary controls

The goal of completion of a specific risk assessment is to arrive at an exposure level to the customer base that is commensurate with the monitoring practices in place at the institution. As with many risk-based decisions, the institution must set the proper “tone at the top” regarding its stance on the customer base. These decisions must then be documented within the AML/BSA policy. The decision to bank the varying degrees of MRBs is risk-based, as shown in Graphic 1.

Legality

When it comes to the legality of different substances that all fall under the broad cannabis definition, federal and state legality varies drastically. At the federal level, the use, sale and possession of cannabis over 0.3% THC (tetrahydrocannabinol) in the U.S., despite laws in many states permitting it under various circumstances, continues to be illegal. Marijuana is still classified as a controlled substance, much like cocaine or heroin.

However, Congress currently prohibits the Department of Justice from using funds to prevent the state from implementing its own medical marijuana laws. Therefore, at the state level, the legality of marijuana varies. In addition, hemp is legal at the federal level but varies at the state level as well. CBD (cannabidiol) legality will depend on a variety of factors at both the federal and state level.

Due to the inconsistencies with regard to legality, many institutions are hesitant to provide accounts to businesses with ties to the marijuana industry out of fear of reputational damage or monetary penalties. The SAFE Banking Act, which is still pending legislative approval, aims to provide safe harbor to banks and requires the establishment of regulatory examination procedures.

Many states, similar to Florida, deem it unlawful to cultivate hemp without a license, and hemp businesses must submit fingerprints and GPS coordinates for verification prior to commencing business. Graphic 2 summarizes the legality as it currently stands at the state level.

Classification and Terminology

There is currently no published definition of the specifics that make a particular business an MRB. Interpretations and policy notices can help establish a uniform definition. For example, the Small Business Administration adopts the direct/indirect/hemp-related approach, which is explained in Graphic 3.

Conceptually, marijuana, hemp and CBD are all cannabis substances, but they differ in multiple ways. At the institutional level, institutions often are in search of ways to differentiate between the various businesses and their involvement with the product. The most common framework currently used within the industry involves a three-tiered system dependent on an entity’s involvement with the cannabis product itself. The business classifications are broken into three tiers in this approach, as shown in Graphic 4.

Guidance from banking regulators has been limited. FinCEN published guidance related to BSA expectations regarding MRBs in 2014 and again in 2020

In addition, the direct vs. indirect methodology builds on the approach in Graphic 4. Direct MRBs are entities that engage in “Tier 1” activities. They are plant-touching and therefore licensed by the state’s marijuana authority. This group is impacted by the Financial Crimes Enforcement Network’s (FinCEN) marijuana guidance and will require initial and ongoing due diligence and monitoring as well as marijuana suspicious activity report (SAR) filing.

Indirect MRBs are engaged in “Tier 2” or “Tier 3” activities, and they are entities that derive 51% or more of their revenues from direct MRBs, and therefore require some additional monitoring.⁴

Regulatory Guidance: Ongoing Monitoring

Guidance from banking regulators has been limited. FinCEN published guidance related to BSA expectations regarding MRBs in 2014 and again in 2020. This guidance suggested that banks handling these customers focus on specific types of SAR filings pertaining to MRBs (limited, priority and termination). In addition, examiners stress knowledge of red flags with respect to customer activity as well as customer transaction report filings for these businesses.

Examiner guidance specifically states that banks are discouraged from filing SARs (limited, priority and termination), specifically due to the customer being involved in the growing or cultivation of hemp. However, SARs should be filed if observable inputs are indicative of potentially suspicious activity. Ultimately, decisions are at the discretion of the bank, but it puts pressure on institutions to justify and document reporting/monitoring decisions to ensure compliance. The following red flags can be used to monitor transaction activity with respect to MRBs:

• Cannabis activity within states where the product remains illegal
• Rapid movement of funds inconsistent with the business nature of the account
• More cash deposits than would align with reported financials
• Deposit structuring slightly below reporting thresholds
• Inadequate licensing records
• International/interstate transaction activity

While the regulatory guidance over MRBs has been limited, there are many steps institutions can take to be better prepared to adequately onboard and monitor these customers using a risk-based approach.

Auditor Expectations

A strong internal audit program is based upon and enhanced by examiner guidance and enacted legislation, performed under the standards promulgated by the Institute of Internal Auditors. With respect to banking cannabis, management is encouraged to firmly document the three lines of defense and control structure:

• Board and executive management: Set strong policy
• BSA department leadership/staff: Detailed documented due diligence procedures
• Internal audit: Ongoing assistance, independent testing and consultation

Internal audit testing will first evaluate the policies and procedures set by management and approved by the board/executive management. The emphasis will be placed on the content and level of detail within the policy. The contents of the AML/BSA policy set the standard for your institution. The level of detail present in policy detailing monitoring procedures over MRBs must be commensurate with management’s risk appetite with respect to these customers (i.e., the degree to which the institution is willing to onboard MRBs).

Throughout policy/procedures and the annual risk assessment, an institution can make statements to set benchmarks, risk tolerance and required monitoring attributes to set standards for the department. Definitions of eligible businesses for accounts, risk rating methodology, account review required documents and required monitoring frequencies can all be set in policy statements to clearly demonstrate and firmly define the bank’s efforts to align monitoring procedures with the risk assumed.

Best Practices in Risk Management Over MRBs

1. Policies and procedures: In the instances where regulatory guidance is lacking, your policy sets the standard for your institution.
2. MRB program risk assessment: Document your understanding of these businesses and their transaction profiles on a per-customer basis.
3. Department staffing: Ongoing monitoring will require knowledgeable and ample staffing/training.

Regarding the initial customer identification program (CIP)/customer due diligence process, BSA departments need to ensure all industry-recommended supporting documents are obtained upon onboarding/annually. The requested documents include the following:

• Source of funds
• Licenses/attestations⁵
• Beneficial ownership
• Product testing reports
• Monitoring system reports (if applicable)
• Reevaluation of “Tier”/other classification
• Reevaluation of risk rating
• Regular account reviews
  • Expected and actual activity analysis
  • Site visits
  • Permit renewal
  • Ownership verification
• Reevaluation of monitoring frequency
• Existing CIP requirements

Overall, the marijuana industry varies tremendously based on geographic location and the risk profile of your institution. However, executives/officers have the power to set risk appetite and formulate detailed monitoring procedures for the varying degrees of exposure to this new and unique customer base. As with most high-risk products/services/customers, the residual risk level depends solely on the ongoing efforts of qualified BSA officers and staff.

In the next 12 months, compliance officers and BSA officers should monitor the status of any pending legislation, including the SAFE Banking Act, which aims to increase cannabis company borrowing.

Donald “DJ” Antonacio, CPA, CAMS, managing director, Verittas Risk Advisors, Miami & Tampa, FL, donald.antonacio@verittas.com

1. Stephen A. Lenn and James Young, “United States: Key Takeaways From BMD’s Banking And Cannabis Webinar,” Brennan, Manna Diamond, October 14, 2021, https://www.bmdllc.com/resources/blog/key-takeaways-from-bmd-s-banking-and-cannabis-webinar/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=LinkedIn-integration
2. “Getting into the Weeds on Managing Cannabis Banking Risks,” ACAMS, 2021
3. “Marijuana Legality by State,” DISA, https://disa.com/maps/marijuana-legality-by-state
4. Neither “Tier” classifications nor the direct/indirect classification is defined regulatory framework.
5. Licensing and other documentation requirements can vary by state.