Tag Archives: EDD

Cannabis Banking: The Ins, the Outs & the Unknowns

By Tamara L. Kolb, Amy Bean, Caitlin Strelioff
No Comments

As the legal cannabis market expands, banks and nonbank financial institutions (NBFIs) across the United States continue to explore how to safely provide banking and other financial services to cannabis-related businesses (CRBs) and other CRB ecosystem players. At the same time, these organizations are taking into account changes they might need to consider relative to their Bank Secrecy Act ( BSA), anti-money laundering (AML) and related compliance programs. 

Regulatory conundrum

The Controlled Substances Act (CSA) identifies the cannabis plant and all its derivatives as a Schedule 1 controlled substance. Schedule 1 controlled substances have a “high abuse potential with no accepted medical use,” and they cannot be “prescribed, dispensed, or administered.” Because cannabis remains classified as a Schedule 1 controlled substance, the CSA “imposes strict controls on possession, manufacturing, distribution, and dispensing” of cannabis.

Under the Money Laundering Control Act of 1986 (MLCA) and the BSA as amended, covered banks and NBFIs are prohibited from providing financial services to businesses that are engaged in illicit activities. Because federal law prohibits the distribution and sale of cannabis, financial transactions involving CRBs are therefore deemed to be transactions that involve funds derived from illegal activities.

As of Feb. 3, 2022, 18 states, two territories, and the District of Columbia have enacted legislation to regulate cannabis for adult use. Thirty-seven states, the District of Columbia and four territories have approved comprehensive, publicly available medical and cannabis programs. Eleven states allow for the use of low-THC, high-CBD substances for medical reasons in limited situations or as a legal defense.

The growing divide between federal prohibition and state legalization of the cannabis industry creates a precarious position for federally regulated banks and NBFIs with the main concern involving exposure to legal, operational and regulatory risk. The situation begs the question: How might the federal government and regulators pursue and prosecute players in the legal cannabis industry?

The current economic trajectory predicts that retail sales of legal cannabis products in the U.S. will surpass an estimated $41.5 billion annually by 2025, and many banks and NBFIs are eagerly awaiting the federal green light to do business with CRBs without fear of prosecution or legal ramifications.

From 2018 forward, Congress has made several attempts to pass legislation that would protect CRBs when cultivating, distributing, marketing, and selling cannabis products in their state-legalized form. These efforts to declassify cannabis-related activity as a specified unlawful activity have thus far been unsuccessful.

The House passing the MORE Act back in 2020

Passage of the Secure and Fair Enforcement Banking Act of 2021 (SAFE Banking Act) and the Marijuana Opportunity Reinvestment and Expungement Act of 2021 (MORE Act) would enable banks and NBFIs to provide financial services to CRBs. The SAFE Banking Act would provide a safe harbor for banks and NBFIs that provide financial services to CRBs. The MORE Act would deschedule cannabis from the CSA entirely.

Questions to ask

Banks and NBFIs interested in providing financial services to CRBs should ask these questions:

  • Do we adequately understand our risk, and what are the implications for our organization? How should we augment our risk assessment process and our controls?
  • To what extent are we willing to accept the risk of banking CRBs? Do we have the ability to identify CRB customers, and if so, do we have any?
  • How should we advise the board of directors about setting risk appetite?
  • What customer due diligence (CDD) and enhanced due diligence (EDD) will we need to safely continue with existing customers and onboard new ones?
  • How will we monitor for unusual and suspicious activity? What will be the alerting and judgmental criteria?
  • How will our resource needs change so that we stay abreast of new processes and controls?

Risk appetite considerations

In order to determine whether to accept or prohibit CRBs, banks and NBFIs should identify the level of acceptable risk they are willing to take on. Several key components need to be considered, such as:

  • The board of directors’ stance on legal cannabis, given that good governance recommends and regulators expect that the board sets risk appetite
  • Cannabis laws in states within the customer footprint and the impact on customers’ communities
  • Risk profile, customer base, geographic location, products, and services
  • Relationship with regulators and any recent deficiencies or weaknesses in the BSA and associated compliance programs
  • Ability to implement appropriate controls and staffing

 Developing a strategic road map

If the decision is made to bank CRBs, banks and NBFIs should perform an assessment of compliance maturity for existing BSA/AML program processes and controls to identify potential gaps and develop a strategic road map that helps the organization achieve its vision for future state compliance and sustainable operations. 

A well-developed and well-articulated strategic road map visualizes what actions or key outcomes are needed to help organizations achieve their long-term goals. When creating the road map, banks and NBFIs need to demonstrate a keen understanding of their desired strategy, outcomes, markets, and products for onboarding and banking CRB customers. Specifically, banks and NBFIs need to define and explain how desired outcomes and business strategies create risk and exposure.

In addition to a road map, banks and NBFIs should develop and document a detailed risk-based approach that is aligned to the organization’s risk tolerance to determine necessary compliance steps when banking CRB customers.

Specifically, the following activities should be considered when developing a CRB banking program that meets regulatory expectations:

  • Identifying BSA/AML control gaps related to CRB risk identification and mitigation and formulating a plan to address them
  • Updating a board-approved policy framework
  • Updating detailed operating policies and procedures
  • Planning for capacity, developing job descriptions, and onboarding new personnel
  • Training for all three lines of defense, senior management, and the board
  • Developing and documenting a phased or full approach to acceptance of CRB customers
  • Developing and documenting a CRB program oversight policy

CRB risk framework

A three-tiered CRB risk framework first proposed in 2016 has quickly become the cannabis industry standard. The framework has evolved and expanded comprehensively to consider many types of CRBs, and evolving legal systems continue to refine the framework.

This framework is intended to help banks and NBFIs differentiate types of CRBs and their corresponding risks, and it separates CRBs into three tiers and details risks for each tier. The following exhibit summarizes the approach:

Risk framework by tier

Level Risk
Tier 1 Direct
Tier 2 Indirect with substantial revenue from Tier 1
Tier 3 Indirect with incidental revenue from Tier 1

Source: CRB Monitor

Even the most conservative of risk appetites equivalent to outright prohibition is not devoid of significant risk considerations. Residual risk frequently encompasses a large number of indirect connections in the total CRB ecosystem. Common examples are printers, lawyers, accountants, landlords, and even utilities and taxing authorities, and all of these are subject to regulatory scrutiny and, importantly, visibility to law enforcement. Also, policies to prohibit or restrict will be audited and examined for compliance, and exceptions will require explanations.

This panorama necessitates expertise and prudence in identifying and evaluating risks within the many layers of CRBs. For example, consider a bank or NBFI that banks a CRB’s employee or vendor. If a bank fails to properly implement controls that would allow it to identify and mitigate risk associated with banking CRBs, it will be susceptible to severe violations of the BSA, including civil money penalties, criminal penalties, and regulatory enforcement actions. 

Implementing necessary precautions

A well-developed road map should consider and implement the following activities:

  • Understanding the most current state and federal cannabis laws and regulations to ensure the bank or NBFI’s compliance
  • Understanding the local, state, or tribal program to ensure CRB customers are compliant with the program
  • Implementing a CRB risk assessment
  • Implementing executive approval practices for direct CRBs
  • Developing adequate risk ratings (possibly through a risk-based, tiered approach) and corresponding monitoring for CRB customers that includes:
    • Integrating various customer onboarding and AML solutions at both onboarding and periodic levels
    • Scheduling regular reviews to include recurring enhanced due diligence, site visits, and transaction monitoring
    • Monitoring for suspicious activity, including red flags, via open sources for adverse information about the CRB customers and related parties such as beneficial owners
  • Performing adequate CDD and EDD that will validate that the CRB-offered products, services, and programs are compliant with most current state laws and regulations by:
    • Collecting appropriate documentation as evidence of compliance, perhaps including a comprehensive onboarding questionnaire, beneficial ownership information, and contracts for the growing, harvesting, transporting and processing of the product
    • Reviewing applications and supporting documentation used to obtain a legal cannabis state license
    • Understanding the normal and expected activity of the organization’s CRB customers and their product usage
  • Developing adequate training programs and governance and oversight programs to address this customer type by:
    • Updating existing policies and procedures to review inherent risk presented by banking CRB customers
    • Updating annual training for employees
  • Auditing initial program design and periodic operational effectiveness

Moving forward cautiously

The ins, outs, and unknowns of cannabis banking are complex, and they require banks and NBFIs to be extremely vigilant with current policy and aware of new developments. Overall, the idea of creating a cannabis program might seem like a daunting task, but with appropriate guidance and care, organizations can provide services in compliance with laws and regulations.

Crowe disclaimer: Qualified organizations only. Independence and regulatory restrictions may apply. Some firm services may not be available to all clients. Given the continued evolution and inconsistency of various state and federal cannabis-related laws, any company should seek competent legal advice relating to its involvement in the cannabis industry, including when considering a potential public offering as a cannabis-related company.

3 Pillars of Cannabis Banking Compliance

By Mark Lozzi
No Comments

Few people will disagree that financial compliance isn’t the most exciting topic within the cannabis industry. But compliance is, and always will be, the engine grease to the legal cannabis market. Cannabis operators have the arduous task of dealing with multiple layers of compliance, both operational (maintaining and adhering to regulations enforced by the state licensing board) and financial. These compliance measures include managing everything from seed-to-sale systems for all plant-related activity to on-site requirements like facility access points and alarms systems to name a few.

With complex compliance requirements for the business, the last thing cannabis operators want to think about is financial compliance. We created Confia on this notion. Just as cannabis regulators impose the tracking of plants through the supply chain via a seed-to-sale system, we have developed a storyboard similarly designed to follow the money, which is the equivalent of a transaction-to-deposit system.

Having experience in regulatory technology, artificial intelligence and machine learning, we’ve been fortunate enough to work with some of the world’s largest banks across multiple countries. This experience has afforded us the luxury of working alongside regulators, chief compliance officers and chief risk officers, understanding how risk is perceived by financial institutions and how it ought to be mitigated. It was this access and knowledge that allowed us to effectively reform, enhance and improve the antiquated BSA programs with a technology-enabled process. Leveraging technology is a necessity, almost a requirement, for the cannabis industry as legalization nears and banking access begins to broaden.

Jamming cannabis requirements into an existing BSA program doesn’t scale well. BSA programs are very manual, descriptive and process oriented. So, we’ve taken our prior experience and success in banking to form Confia, distilling the complexities and simplifying the deliverables surrounding cannabis banking compliance. To best articulate cannabis banking requirements, I break it down into three pillars.

Pillar One: KYC-Enhanced Due Diligence

The first pillar is the client-onboarding bucket or KYC – Know Your Customer. In the complex world of cannabis banking, banks must know and understand their clients to great depths. It’s not enough to simply know that the client exists; you also have to understand whether or not that client could be a potential risk to the bank, and one step further, the financial system. Cannabis is a high-risk industry, so the KYC requirement is escalated to a deeper diligence and review, called Enhanced Due Diligence (EDD).

Cannabis is a high-risk industry so extra due diligence is needed

Banks need to know and understand their customers’ story, and all the key parties (officers, directors, and those with key decision-making powers or access to the bank accounts) within that organization. This includes reviewing personal, business, and legal history – not to mention watchlists and negative news presence. An initial onboarding review must then be followed with daily screening and monitoring of all watchlists and adverse media. Typically, banks do KYC refreshes every three years. In cannabis, a full refresh should be done annually with the daily monitoring systems in place.

The high-risk nature of the industry also requires a level of diligence on all parties to a transaction, even if one of the parties, whether a payer or recipient, is not a client of your bank. Unlike traditional banking sectors, reliance on other banks’ KYC programs is far less defensible in the cannabis industry.

Pillar Two: Transactional Monitoring & Detection

Tracking and monitoring the actual financial transactions comprises the second pillar required for cannabis banking. At Confia, we have focused on streamlining processes, so the cannabis operator can seamlessly support the compliance obligation for every transaction. A bank must demonstrate supporting documentation for every cannabis transaction, and gathering such information is a large undertaking in and of itself and can pose future issues if not done properly, see the pitfalls for lack of compliance. Banks are obligated to understand the nature and reason for each transaction, the source of funds, ensure cannabis licenses are in good standing for all parties, and collect evidence such as accounting records and seed-to-sale data.

Core to transaction monitoring in the traditional sense, is the overarching support through anomaly detection. Relying on information is important, but testing those inputs keeps everyone honest. It is important to evaluate transactions from a holistic point of view relative to peers and relative to the general contents of a transaction. This anomaly detection layer is your last line of defense, and as new information is collected, it continues to refine itself.

Pillar Three: Filing and Reporting Requirements

The third component to compliant cannabis banking is regulatory filing and reporting. Once a client is onboarded, the account requires an initial suspicious activity report or SAR-Initial within 30 days of that client being approved by the bank. Then, a report must be filed every 90 days after that for all the transactions of that cannabis operator. Banks must file the SAR-Initial and the Continuing-SAR reports for each cannabis client they have.

The high-risk nature of the industry requires a level of diligence on all parties to a transaction

Solutions like Confia automate the filing process and support the filing with transactional data evidenced on our distributed ledger of record. This provides immutable audibility and simplifies the process for all parties involved.

Compliance Requirements After US Legalization

The anticipation of federal legalization and banking reform bills has many operators hoping for easier banking. Yet, in my opinion, regulatory oversight and audits will likely increase after such reform or legalization. As other financial institutions start to support cannabis, it will inadvertently create greater opportunity and expose the financial system to nefarious or illegitimate transaction activity. This is why cannabis banking will be carefully monitored by regulators, and more so, why banks will be slow and pragmatic in standing up their internal cannabis banking programs. Some banks may forever avoid the cannabis industry due to the known pitfalls of an industry specific program, while others may simply mitigate the possible exposure to reputational risk.

Choose Wisely: Pitfalls for Lack of Compliance

Financial compliance is the responsibility and duty of the banks, but the real losers and result of non-compliance always fall on the cannabis operators. Regulatory action against an institution may result in the bank shutting down its cannabis program or may require them to complete a remediation of all their cannabis transactions for a certain period from its clients. At the end of the day, regardless of action, the cannabis operator is the one being punished. Operators either lose their bank account and have business massively disrupted, or they are asked to provide all the compliance docs for a historic period, which is a huge undertaking and operational distraction, ultimately impacting business and productivity. So, choose your banking partner wisely.

Summarizing Key Banking Requirements

In summary, banking in the cannabis industry will undoubtedly remain a high-risk industry, with or without legalization. Although banking opportunities may expand as US policies change, there will be continued compliance and regulatory requirements for the foreseeable future.

  • Onboarding and ongoing screening are critical
  • Evidence for every transaction is a significant portion of compliance and must not be dismissed
  • Evaluating activity with broader strokes is essential in mitigating against money laundering
  • Managing the staggered filing timelines and due dates for each client

Compliance is the most crucial factor in cannabis banking at this point. It cannot be overlooked or taken for granted. Cannabis operators must take an active role in evaluating the compliance programs of their financial providers. To open a bank account is one thing, but the consideration and effort that goes into keeping a bank account is the difference that will protect your business in the long run.