Potential risks of not banking cannabis-related businesses
As more states decide to legalize cannabis, financial services organizations need to be intentional about understanding their risk. Some might have already chosen to close the door on this new market for the time being, but simply saying “no” to cannabis-related businesses is not enough, and it does not fully reduce their exposure.
For example, people who do not smoke cigarettes but are in environments where smoking is present expose themselves to a measure of risk with the damages secondhand smoke can cause. In a similar way, the so-called secondhand smoke in the form of unknown risk exposure from cannabis-related transactions could cause problems for financial services organizations because cannabis-related funds could already be moving through the organizations in one form or another.
Such risk exposure can appear in many ways. It could be a gas station, grocery, or convenience store stocking a cannabidiol (CBD) product, or it could be a chiropractor or yoga studio offering CBD as an enhancement to their services. When banks and credit unions decide not to bank cannabis-related businesses, they need to have an adequate understanding of their risk exposure in order to establish controls that effectively prohibit related activity.
While some financial services organizations and private financiers play a pivotal role in the growth of the cannabis industry, others might limit that growth by not providing cannabis-related businesses access to banking services. The uncertainty of the regulatory landscape has left many organizations unwilling to accept the exposure. Many are biding their time, waiting for others to continue making the first moves, so they are temporarily – or even permanently – choosing not to bank cannabis-related business customers. If the ultimate choice is to take a risk-based approach and avoid banking cannabis-related businesses, simply prohibiting such activity in a policy and risk assessment is not sufficient to protect the organization.
Commonly, when a financial services organization has chosen not to bank cannabis-related businesses, outside of this strict prohibition, no other mention is made regarding cannabis-related businesses (federally legal or not) in the organization’s BSA and anti-money laundering (AML) policies or procedures. Understanding the complexities of cannabis – whether it is hemp or marijuana – and determining the level of customer involvement are integral to identifying the organization’s unique risk exposure and profile. Additional controls are necessary to help management confirm that cannabis-related businesses are not present in the customer base. Additionally, if an organization is comfortable banking federally legal cannabis-related businesses, for example, hemp customers, the organization still should document a tailored control structure.
Taking a risk-based approach
First, if a bank or credit union prohibits cannabis-related businesses, it needs to understand exactly what it is prohibiting. A tiered cannabis-related business framework is intended to help organizations differentiate types of cannabis-related businesses and their corresponding risks. Every organization’s risk is different; therefore, the approach to cannabis, in all forms, should be tailored to the specific bank or credit union.
While a tiered approach is helpful, it should only be an initial framework to define a unique control environment. A risk assessment should thoroughly examine inherent risks and the mitigating controls that are in place to adequately identify the remaining residual risk.
An organization’s analysis should include consideration of indirect connections in the cannabis-related business ecosystem and where federally legal hemp and hemp-derived CBD are in that picture. Common examples of relationships that have the potential for indirect access and risk for a bank or credit union include businesses such as marketing companies, lawyers, accountants, landlords, and even utilities and taxing authorities. Management should explain within the organization’s risk assessment where indirect risks reside for cannabis implications and note the impact of federally legal activity like hemp and hemp-derived CBD in the risk environment.
Additionally, these risks and control measures should be documented appropriately, as policies to prohibit or restrict cannabis activity will be audited or examined for comprehensiveness and accuracy. While regulatory agencies have not issued clear guidance on how to manage these relationships, demonstrating the evaluation and effective management of associated risks is essential for banks and credit unions.
Identifying cannabis-related business exposure
The uncertain landscape of cannabis necessitates expertise in identifying and evaluating risks within the many layers of cannabis-related businesses. For example, a financial services organization that banks a consumer (such as a cannabis-related businesses employee) or a business that indirectly touches cannabis (such as a lawyer or accountant providing services to cannabis-related businesses) would be classified differently when compared with an owner of a gas station that sells one CBD product. If the organization fails to properly implement risk-based controls that allow for comprehensive identification (or document the known lack thereof for all cannabis activity) and demonstrate mitigation of risks associated with banking cannabis-related businesses, the organization would potentially be susceptible to scrutiny or audit findings.
Once a bank or credit union has determined what inherent risks exist and if it is willing to transact with direct cannabis-related businesses (plant touching) or indirect cannabis-related businesses (once or twice removed from plant cultivation or dispensing), the next considerations are exposure and compensating controls. Even if an organization prohibits banking cannabis-related businesses of all forms, it is still imperative to establish controls that confirm that cannabis-related business activity is not occurring. Also, if an organization prohibits banking federally legal cannabis-related businesses like direct hemp and hemp-derived CBD dispensaries, cultivators, or other businesses generating their majority revenue from these services, documented controls to confirm the organization is not banking this federally legal cannabis-related business activity would be required as well.
The value of onboarding
Identifying cannabis-related business customers at onboarding is a critical first step. Asking specific questions at account opening and during the customer due diligence (CDD) process can help reveal cannabis-related business activity. Typical onboarding questions to assess cannabis-related business activity and risks include:
- Is this a cannabis-related business?
- Does your business derive or have plans to derive a significant percentage of revenue from a direct cannabis-related business?
- Does your business lease or have plans to lease property to a cannabis-related business?
- Are you a hemp cultivator or manufacturer?
- Do you sell or have plans to sell hemp-related products?
- Does your business sell or have plans to sell hemp-related products such as CDB oil, food, or dietary supplements?
If a cannabis-related business customer is identified at onboarding, front-line personnel should be aware of specific prohibitions and what to do when these entities are identified. A robust onboarding and due diligence information collection process is critical for determining if cannabis-related business customers are in compliance with the organization’s defined policies and procedures.
Controls that confirm the front-line employee’s awareness of the prohibited customer type can include:
- Setting pop-up alerts or system-generated hard-stops for specific answers to due diligence questions
- Conducting training about onboarding restrictions for prohibited customers
- Updating procedures to include prohibitions
- Providing compliance contacts for any additional questions
Account-opening quality control processes can also help keep the prohibited cannabis-related business from passing through the onboarding process.
Ongoing monitoring
As states continue to legalize cannabis, existing customers might unknowingly enter into cannabis-related business-related transactions. Without proper controls, banks and credit unions could easily miss such activity and expose themselves to risk.
Onboarding controls can help prevent account openings for prohibited cannabis-related businesses. However, if an existing customer enters this space, marijuana-, hemp- or CBD-related activity could pass through the organization without awareness, and onboarding controls won’t be able to prevent these risks. As such, it is imperative for financial services organizations to establish ongoing controls to confirm cannabis-related business activity is not occurring in conflict with an organizational prohibition on cannabis-related activity. Further, ongoing controls can help management confirm that customers are in compliance with defined policies, processes, and practices. Ongoing controls include:
- Ongoing keyword and business searches. Keyword and business searches can be executed manually or automated through an existing transaction monitoring (TM) or watchlist system by creating a custom list or relying on available vendor lists.
- Periodic customer screening. Banks and credit unions can periodically screen the customer base for cannabis-registered businesses. Multiple vendors offer screening functionality to assist in the identification of registered cannabis-related businesses in existing customer bases. Additionally, known hemp dispensaries in an organization’s footprint can be searched.
- Updated CDD and enhanced due diligence (EDD) processes. Screening can help identify direct cannabis-related businesses, but indirect cannabis-related businesses are not subject to the same requirements and might not be identified through usual screening methods. Enhancing ongoing CDD and EDD processes is prudent, including adding additional questions to confirm no changes are evident with the customer’s cannabis-related business activity. Periodic check-ins and site visits are also beneficial for true high-risk customers that inherently pose more cannabis-related risk.
- Transaction monitoring controls. TM vendors continue to increase their offerings for monitoring cannabis-related business activity, including customized rules for cannabis-related businesses. Implementing cannabis-related business-specific rules and red flags into the transaction monitoring process can help identify unwanted cannabis-related business activity. Additionally, it is important for management to understand that effective monitoring methods are still being refined, so supplemental controls and transactional analysis are recommended in addition to automated monitoring controls.
Escalating to management
When the established ongoing controls identify a prohibited cannabis-related business customer, the relationship must be immediately escalated for management’s review and evaluation for closure. It is critical to document the defined termination strategy and necessary processes to exit a prohibited relationship. These processes need to include filing marijuana suspicious activity reports (SARs) on these clients as necessary, and they must align to guidance from the Financial Crimes Enforcement Network.
Management will need to make sure all executive committees and board members approve the exit strategies. If the organization’s policy is to prohibit cannabis-related business activity, isolated extensions or approvals to accept this activity cannot be issued haphazardly. If the organization might grant an occasional exception, additional language, terms, and controls must be implemented to protect the organization and keep these occasional exceptions consistent. Additionally, procedures should include a review and investigation of customer activity and a marijuana termination SAR report filing for true cannabis activity.
Knowing the risks to limit the exposure
Choosing not to bank cannabis-related business customers requires more consideration than a simple prohibition policy statement. Financial services organizations need to limit their exposure to the unknown risks that cannabis-related businesses might introduce.
By considering the types of accounts and prohibited activity, establishing onboarding and ongoing controls, and setting an exit process if prohibited accounts are identified, financial services organizations can mitigate the risk of not banking cannabis-related businesses and strengthen their financial crime and AML programs at the same time.