Tag Archives: civil

Cannabis Banking: The Ins, the Outs & the Unknowns

By Tamara L. Kolb, Amy Bean, Caitlin Strelioff
No Comments

As the legal cannabis market expands, banks and nonbank financial institutions (NBFIs) across the United States continue to explore how to safely provide banking and other financial services to cannabis-related businesses (CRBs) and other CRB ecosystem players. At the same time, these organizations are taking into account changes they might need to consider relative to their Bank Secrecy Act ( BSA), anti-money laundering (AML) and related compliance programs. 

Regulatory conundrum

The Controlled Substances Act (CSA) identifies the cannabis plant and all its derivatives as a Schedule 1 controlled substance. Schedule 1 controlled substances have a “high abuse potential with no accepted medical use,” and they cannot be “prescribed, dispensed, or administered.” Because cannabis remains classified as a Schedule 1 controlled substance, the CSA “imposes strict controls on possession, manufacturing, distribution, and dispensing” of cannabis.

Under the Money Laundering Control Act of 1986 (MLCA) and the BSA as amended, covered banks and NBFIs are prohibited from providing financial services to businesses that are engaged in illicit activities. Because federal law prohibits the distribution and sale of cannabis, financial transactions involving CRBs are therefore deemed to be transactions that involve funds derived from illegal activities.

As of Feb. 3, 2022, 18 states, two territories, and the District of Columbia have enacted legislation to regulate cannabis for adult use. Thirty-seven states, the District of Columbia and four territories have approved comprehensive, publicly available medical and cannabis programs. Eleven states allow for the use of low-THC, high-CBD substances for medical reasons in limited situations or as a legal defense.

The growing divide between federal prohibition and state legalization of the cannabis industry creates a precarious position for federally regulated banks and NBFIs with the main concern involving exposure to legal, operational and regulatory risk. The situation begs the question: How might the federal government and regulators pursue and prosecute players in the legal cannabis industry?

The current economic trajectory predicts that retail sales of legal cannabis products in the U.S. will surpass an estimated $41.5 billion annually by 2025, and many banks and NBFIs are eagerly awaiting the federal green light to do business with CRBs without fear of prosecution or legal ramifications.

From 2018 forward, Congress has made several attempts to pass legislation that would protect CRBs when cultivating, distributing, marketing, and selling cannabis products in their state-legalized form. These efforts to declassify cannabis-related activity as a specified unlawful activity have thus far been unsuccessful.

The House passing the MORE Act back in 2020

Passage of the Secure and Fair Enforcement Banking Act of 2021 (SAFE Banking Act) and the Marijuana Opportunity Reinvestment and Expungement Act of 2021 (MORE Act) would enable banks and NBFIs to provide financial services to CRBs. The SAFE Banking Act would provide a safe harbor for banks and NBFIs that provide financial services to CRBs. The MORE Act would deschedule cannabis from the CSA entirely.

Questions to ask

Banks and NBFIs interested in providing financial services to CRBs should ask these questions:

  • Do we adequately understand our risk, and what are the implications for our organization? How should we augment our risk assessment process and our controls?
  • To what extent are we willing to accept the risk of banking CRBs? Do we have the ability to identify CRB customers, and if so, do we have any?
  • How should we advise the board of directors about setting risk appetite?
  • What customer due diligence (CDD) and enhanced due diligence (EDD) will we need to safely continue with existing customers and onboard new ones?
  • How will we monitor for unusual and suspicious activity? What will be the alerting and judgmental criteria?
  • How will our resource needs change so that we stay abreast of new processes and controls?

Risk appetite considerations

In order to determine whether to accept or prohibit CRBs, banks and NBFIs should identify the level of acceptable risk they are willing to take on. Several key components need to be considered, such as:

  • The board of directors’ stance on legal cannabis, given that good governance recommends and regulators expect that the board sets risk appetite
  • Cannabis laws in states within the customer footprint and the impact on customers’ communities
  • Risk profile, customer base, geographic location, products, and services
  • Relationship with regulators and any recent deficiencies or weaknesses in the BSA and associated compliance programs
  • Ability to implement appropriate controls and staffing

 Developing a strategic road map

If the decision is made to bank CRBs, banks and NBFIs should perform an assessment of compliance maturity for existing BSA/AML program processes and controls to identify potential gaps and develop a strategic road map that helps the organization achieve its vision for future state compliance and sustainable operations. 

A well-developed and well-articulated strategic road map visualizes what actions or key outcomes are needed to help organizations achieve their long-term goals. When creating the road map, banks and NBFIs need to demonstrate a keen understanding of their desired strategy, outcomes, markets, and products for onboarding and banking CRB customers. Specifically, banks and NBFIs need to define and explain how desired outcomes and business strategies create risk and exposure.

In addition to a road map, banks and NBFIs should develop and document a detailed risk-based approach that is aligned to the organization’s risk tolerance to determine necessary compliance steps when banking CRB customers.

Specifically, the following activities should be considered when developing a CRB banking program that meets regulatory expectations:

  • Identifying BSA/AML control gaps related to CRB risk identification and mitigation and formulating a plan to address them
  • Updating a board-approved policy framework
  • Updating detailed operating policies and procedures
  • Planning for capacity, developing job descriptions, and onboarding new personnel
  • Training for all three lines of defense, senior management, and the board
  • Developing and documenting a phased or full approach to acceptance of CRB customers
  • Developing and documenting a CRB program oversight policy

CRB risk framework

A three-tiered CRB risk framework first proposed in 2016 has quickly become the cannabis industry standard. The framework has evolved and expanded comprehensively to consider many types of CRBs, and evolving legal systems continue to refine the framework.

This framework is intended to help banks and NBFIs differentiate types of CRBs and their corresponding risks, and it separates CRBs into three tiers and details risks for each tier. The following exhibit summarizes the approach:

Risk framework by tier

Level Risk
Tier 1 Direct
Tier 2 Indirect with substantial revenue from Tier 1
Tier 3 Indirect with incidental revenue from Tier 1

Source: CRB Monitor

Even the most conservative of risk appetites equivalent to outright prohibition is not devoid of significant risk considerations. Residual risk frequently encompasses a large number of indirect connections in the total CRB ecosystem. Common examples are printers, lawyers, accountants, landlords, and even utilities and taxing authorities, and all of these are subject to regulatory scrutiny and, importantly, visibility to law enforcement. Also, policies to prohibit or restrict will be audited and examined for compliance, and exceptions will require explanations.

This panorama necessitates expertise and prudence in identifying and evaluating risks within the many layers of CRBs. For example, consider a bank or NBFI that banks a CRB’s employee or vendor. If a bank fails to properly implement controls that would allow it to identify and mitigate risk associated with banking CRBs, it will be susceptible to severe violations of the BSA, including civil money penalties, criminal penalties, and regulatory enforcement actions. 

Implementing necessary precautions

A well-developed road map should consider and implement the following activities:

  • Understanding the most current state and federal cannabis laws and regulations to ensure the bank or NBFI’s compliance
  • Understanding the local, state, or tribal program to ensure CRB customers are compliant with the program
  • Implementing a CRB risk assessment
  • Implementing executive approval practices for direct CRBs
  • Developing adequate risk ratings (possibly through a risk-based, tiered approach) and corresponding monitoring for CRB customers that includes:
    • Integrating various customer onboarding and AML solutions at both onboarding and periodic levels
    • Scheduling regular reviews to include recurring enhanced due diligence, site visits, and transaction monitoring
    • Monitoring for suspicious activity, including red flags, via open sources for adverse information about the CRB customers and related parties such as beneficial owners
  • Performing adequate CDD and EDD that will validate that the CRB-offered products, services, and programs are compliant with most current state laws and regulations by:
    • Collecting appropriate documentation as evidence of compliance, perhaps including a comprehensive onboarding questionnaire, beneficial ownership information, and contracts for the growing, harvesting, transporting and processing of the product
    • Reviewing applications and supporting documentation used to obtain a legal cannabis state license
    • Understanding the normal and expected activity of the organization’s CRB customers and their product usage
  • Developing adequate training programs and governance and oversight programs to address this customer type by:
    • Updating existing policies and procedures to review inherent risk presented by banking CRB customers
    • Updating annual training for employees
  • Auditing initial program design and periodic operational effectiveness

Moving forward cautiously

The ins, outs, and unknowns of cannabis banking are complex, and they require banks and NBFIs to be extremely vigilant with current policy and aware of new developments. Overall, the idea of creating a cannabis program might seem like a daunting task, but with appropriate guidance and care, organizations can provide services in compliance with laws and regulations.

Crowe disclaimer: Qualified organizations only. Independence and regulatory restrictions may apply. Some firm services may not be available to all clients. Given the continued evolution and inconsistency of various state and federal cannabis-related laws, any company should seek competent legal advice relating to its involvement in the cannabis industry, including when considering a potential public offering as a cannabis-related company.

FAQs: How Cannabis Businesses Can Avoid TCPA Liability

By Artin Betpera
No Comments

As the cannabis industry continues to experience growth in markets across the country, cannabis businesses are becoming an ever-increasing target of plaintiff’s lawyers in Telephone Consumer Protection Act (TCPA) lawsuits. Text messaging provides a potent channel of customer engagement, but at the same time is subject to strict regulations under the TCPA, with violators subject to steep statutory penalties of $500-$1,500 per message. While one-off cases won’t typically break the bank, that’s far from the case when many thousands of texts are bundled together in a class action. And this potential for big paydays means plaintiff’s lawyers have a financial incentive to file cases as class actions whenever they can.

Some well-known names in cannabis have been the target of TCPA class action. Cannabis delivery service Eaze has battled some fairly well-publicized TCPA class actions in the past couple of years. There has also been an assortment of dispensaries across several western states that have been the targets of similar lawsuits. Notably, these lawsuits share a common thread: they are based on marketing or promotional text messages sent to consumers.

In this landscape, firing off texts without the proper compliance safeguards is a game of roulette. At some point in time, one or more messages will invariably land in the wrong hands, sparking an expensive, high-stakes class action. In this competitive space, there are far more productive things any cannabis business can be doing than spending the time and resources on this type of lawsuit.

So how can your business avoid being caught in a TCPA trap? The following Q&A will walk you through some of the questions you should be asking if you are currently texting, or planning to text your customer base for marketing purposes. One quick note before starting: the TCPA has different rules for different types of messages (such as informational versus marketing messages). This Q&A will cover the distinction between these types of messages, but focuses on the rules around marketing messages since these are rules cannabis businesses get tripped up in most frequently when sued for TCPA violations.

Question: How do I know if the TCPA applies to me?

Answer: Are you texting your customers? If so, are you using some kind of platform that lets you send multiple texts at once? If you answered yes to both, then the TCPA most likely applies to you.

In short, the TCPA prohibits calling or sending texts to cell phones using an Automatic Telephone Dialing System (ATDS). Without getting into the many nuances of how courts have interpreted the legal definition of that term (and risk boring you to death), you can assume that unless you’re hitting send on each and every single text that goes to your customers, that you’re using an ATDS, and your texts are subject to the TCPA.

Q: So it looks like the TCPA applies to me. What now?

A: If you don’t have a compliance plan in place, now’s the time to implement one. To start, take stock of (a) how you’re sending texts; (b) who you’re texting; (c) where you obtained their phone number; and (d) whether you have their prior express written consent. That last part is key: under the TCPA, if you’re sending any text messages to your customers for “telemarketing” purposes, you’ll need what the TCPA calls “prior express written consent”.

Q: But I’m a cannabis business, not a telemarketer. Why should I worry about the TCPA again?

A: The TCPA’s rules requiring prior express written consent apply when the text is sent for “telemarketing” purposes, defined as “the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.” Put simply, if you are sending texts to market or promote something you sell, then it’s likely the message will be considered “telemarketing” under the law. In contrast, if you’re sending a text for purely information purposes, such as sending a receipt for a transaction, or advising on the status of a delivery, then those message are still regulated by the TCPA, but subject to a more relaxed consent standard (a topic for another article).

Q: What do I need to do to get prior express written consent from my customers?

A: It’s important to know that prior express written consent is a technical, legally defined term that requires the caller be provided a written disclosure containing certain information and disclosures, which they “sign.” There are three key components to prior express written consent:

First, the consent agreement has to be in a signed writing. The law affords some flexibility here, allowing callers to obtain consent digitally through a number of mediums including web-based and electronic forms. If structured properly, consent may even be obtained through a text message flow.

Second, the consent agreement has to say certain things. It must authorize the caller to deliver advertisements or marketing messages using an ATDS, it must specify the phone number to which messages are being authorized, and it must say that the consumer doesn’t have to provide their consent as a condition to receiving goods or services.

Third, the disclosures must be “clear and conspicuous”. There’s no real rocket science here, but this is a very important part of the rule. It’s challenging to enforce an agreement that’s hard for a consumer to find or see, meaning the consent disclosures can’t be hidden away, in imperceptible font, or baked into another legal document (such as terms and conditions).

Q: I have a great customer contact database, but I don’t think I check all the boxes for prior express written consent. Can I still text them with specials and promotions?

A: No. At least not with your usual automated or mass-texting platform. But with some legwork, you can leverage your existing database and obtain consent. It’s not ideal, but it’s better than taking the risk of texting in this situation.

Let’s start with the fact that people like to get deals and specials on cannabis products, so there will likely be interest across your customer base for signing up. And with the flexibility afforded by the E-SIGN Act, businesses can try multiple avenues in obtaining prior express written consent from existing customers. This could include a call-to-action campaign, where consumers can initiate a text message consent flow by texting a keyword to a short code. The TCPA does not regulate e-mails, so businesses can consider an e-mail campaign that encourages their customers to follow a link that takes them to a web-based consent form. For businesses with storefronts, customers can be encouraged to sign up for texts on-site by filling out and submitting a form on a tablet device. Bottom line, there’s room for some creativity in designing campaigns to enrich your existing customer database with the necessary consent to send marketing texts.

Q: What happens when a consumer opts out of receiving texts?

A: You should stop all texts to their phone number unless and until they opt back in to receiving texts. Under the TCPA, a consumer has the right to revoke their consent, and any text message sent after an opt-out will violate the TCPA. This means it’s important to have clear opt-out instructions in every message you send (i.e. text stop to stop), and to ensure you have the proper systems in place to automatically suppress any further texts to the consumer’s phone number following an opt out.

Q: If I don’t follow these rules, what are the odds of getting sued for a violation?

A: Pretty high in my opinion. As mentioned, the TCPA is a very lucrative statute for Plaintiff’s lawyers. There are several thousand TCPA cases filed in federal courts each year, and lately cannabis businesses are becoming an increasing share of the defendants named in those suits. Additionally, the TCPA has a four-year statute of limitations, meaning exposure for non-compliant practices has a really long tail. It’s far easier to develop and execute a compliance plan up front, than to take on the risk that comes without one.

Q: Is there anything else I can be doing to protect my business?

Absolutely. Your TCPA compliance policy should be one layer of a holistic approach to legal compliance. Businesses have other tools at their disposal, such as arbitration provisions and class action waivers, that they can build into their consent-gathering process to further protect themselves in the event of a legal dispute.

Q: Any other tips to help keep my business out of the TCPA fracas?

A: Yes. Lots. More than I could fit into just this one article. But my goal here was to get you to think in the right direction when it comes to the TCPA, if you aren’t already. While I tried to make the basics of this as straightforward as possible, there are plenty of grey areas and nuance when it comes to compliance (especially when you inject the real world into the situation). This is where having lawyer experienced in this arena can come in really handy to vet your disclosures, review your compliance processes, and help you implement other risk mitigation strategies.

TCPA claims have become the cost of doing business when contacting consumers on their cell phones. But by being proactive, businesses have ample opportunity to mitigate their risk, and protect themselves in the event the legality of their text message campaigns is challenged.

Why Does GDPR Matter for The Cannabis Industry?

By Marguerite Arnold
2 Comments

The global cannabis industry is hitting thorny regulatory challenges everywhere these days as the bar is raised for international commerce. First it was recognition that the entire production industry in Canada would basically have to retool to meet European (medical and food) standards. And that at least for now for the same reasons, American exports are basically a no go.

However, beyond this, the battle over financial reporting and other compliance of a fiscal kind has been a hot topic this year on European exchanges.

As of this summer, (and not unrelated to the other two seismic shifts) there is another giant in the room.

If you haven’t heard about it yet, welcome to the world of EU GDPR (European Union General Data Privacy Regulation).

The German version is actually Europe’s highest privacy standard, which means for the cannabis industry, this is the one that is required for operations here across the continent if you are in this business.

What is it, and what does it mean for the industry?

GDPR – The Elevator Pitch

Here is why you cannot ignore it. The regulation affects bankers as much as growers, distributors as much as producers and of course the entire ecosystem behind medical production and distribution across Europe and actually far beyond it. Starting of course, with patients but not limited to them. The law in essence, applies to “you” whoever you are in this space. That is why it becomes all that much more complicated in the current environment.

While this is complex and far reaching, however, there are a couple of ways to think about this regulation that can help you understand it and how to manage to it (if not innovate with it).

The first is, to American audiences at least, that GDPR is sort of like HIPAA, the federal American privacy civil rights statute that governs medical privacy law. Except, of course, this being Europe, it is far more robust and far reaching. It touches every aspect of electronic privacy including data storage, retention, processing and security that is applicable to modern life. And far, far, beyond just “patients.”

On the marketing side, GDPR is currently causing no end of headaches. Broadly, the legislation, which came into force this year, with real teeth (4% of global revenues if you get it wrong), applies to literally every aspect of the cannabis industry for two big reasons beyond that. Medical issues, which are the only game in town right now in Europe (and thus require all importers to also be in compliance) and financial regulatory requirements.

The requirements in Germany are more onerous than they are in the rest of Europe. Therefore, they also affect the cannabis industry in a big way, especially since there is at this point a great deal of European cultivation with the German (and now British) medical market in mind. Further Germany is becoming European HQ for quite a few of the Canadian LPs. That means German standards apply.

The UK, for those watching all Brexit events with interest, will also continue to be highly affected by this. Whether it stays in the EU or not, it must meet a certain “trusted nation” status to be able to transact with the continent in any kind of favoured nation status.

Bottom line? It is big and here and expensive if you screw it up. If considering doing any kind of business with European customers, start hitting the books now. Large mainstream media organizations in the United States and Canada right now are so afraid of the consequences of getting this wrong that they have blocked readership from Europe for the present. Large financial institutions also must not only be in compliance but compliance of companies also guides their investment mandates on the regulatory front.

For all of these reasons, the cannabis industry would do well to take note.

What Does This Mean for The Cannabis Industry?

The Canadian and rest of the global industry is still struggling with compliance and this will have some interesting repercussions going forward.patient data must be handled and stored differently

Immediately, this means that all websites that are targeted to German eyes (read Canadian LPs and international, even English-only press) should hire German side compliance experts for a quick GDPR audit. There are few European experts at this point, and even fewer foreign ones. It is worth a call around to find out who is doing this auf Deutschland and bite the bullet.

It also means that internally, patient data must be handled and stored differently. And furthermore, it is not just “patients” who have this right, but everyone who transacts with your electronic or other presence. That includes consumers, subscribers to email newsletters and other stakeholders in the industry.

As the cannabis industry also starts to embrace technology more fully, it will also have highly impactful influence on what actually passes for a compliant technology (particularly if it is customer facing) but not limited to the same.

On the marketing side, GDPR is currently causing no end of headaches. Starting with PR and customer outreach teams who are trying to figure out how much of their master mailing lists they can keep and which they cannot. On this front, Mail Chimp is undeniably the go-to right now and has also implanted easy to understand and use technology that is being adopted by European marketers and those targeting Europe.

Stay tuned for more coverage on GDPR as we cover how data protection and privacy regulations will impact cannabis businesses, their marketing and outreach, plus service design efforts (in particular to patients) and other areas of interest.