Cannabis Banking: The Ins, the Outs & the Unknowns

As the legal cannabis market expands, banks and nonbank financial institutions (NBFIs) across the United States continue to explore how to safely provide banking and other financial services to cannabis-related businesses (CRBs) and other CRB ecosystem players. At the same time, these organizations are taking into account changes they might need to consider relative to their Bank Secrecy Act ( BSA), anti-money laundering (AML) and related compliance programs. 

Regulatory conundrum

The Controlled Substances Act (CSA) identifies the cannabis plant and all its derivatives as a Schedule 1 controlled substance. Schedule 1 controlled substances have a “high abuse potential with no accepted medical use,” and they cannot be “prescribed, dispensed, or administered.” Because cannabis remains classified as a Schedule 1 controlled substance, the CSA “imposes strict controls on possession, manufacturing, distribution, and dispensing” of cannabis.

Under the Money Laundering Control Act of 1986 (MLCA) and the BSA as amended, covered banks and NBFIs are prohibited from providing financial services to businesses that are engaged in illicit activities. Because federal law prohibits the distribution and sale of cannabis, financial transactions involving CRBs are therefore deemed to be transactions that involve funds derived from illegal activities.

As of Feb. 3, 2022, 18 states, two territories, and the District of Columbia have enacted legislation to regulate cannabis for adult use. Thirty-seven states, the District of Columbia and four territories have approved comprehensive, publicly available medical and cannabis programs. Eleven states allow for the use of low-THC, high-CBD substances for medical reasons in limited situations or as a legal defense.

The growing divide between federal prohibition and state legalization of the cannabis industry creates a precarious position for federally regulated banks and NBFIs with the main concern involving exposure to legal, operational and regulatory risk. The situation begs the question: How might the federal government and regulators pursue and prosecute players in the legal cannabis industry?

The current economic trajectory predicts that retail sales of legal cannabis products in the U.S. will surpass an estimated $41.5 billion annually by 2025, and many banks and NBFIs are eagerly awaiting the federal green light to do business with CRBs without fear of prosecution or legal ramifications.

From 2018 forward, Congress has made several attempts to pass legislation that would protect CRBs when cultivating, distributing, marketing, and selling cannabis products in their state-legalized form. These efforts to declassify cannabis-related activity as a specified unlawful activity have thus far been unsuccessful.

Passage of the Secure and Fair Enforcement Banking Act of 2021 (SAFE Banking Act) and the Marijuana Opportunity Reinvestment and Expungement Act of 2021 (MORE Act) would enable banks and NBFIs to provide financial services to CRBs. The SAFE Banking Act would provide a safe harbor for banks and NBFIs that provide financial services to CRBs. The MORE Act would deschedule cannabis from the CSA entirely.

Questions to ask

Banks and NBFIs interested in providing financial services to CRBs should ask these questions:

• Do we adequately understand our risk, and what are the implications for our organization? How should we augment our risk assessment process and our controls?
• To what extent are we willing to accept the risk of banking CRBs? Do we have the ability to identify CRB customers, and if so, do we have any?
• How should we advise the board of directors about setting risk appetite?
• What customer due diligence (CDD) and enhanced due diligence (EDD) will we need to safely continue with existing customers and onboard new ones?
• How will we monitor for unusual and suspicious activity? What will be the alerting and judgmental criteria?
• How will our resource needs change so that we stay abreast of new processes and controls?

Risk appetite considerations

In order to determine whether to accept or prohibit CRBs, banks and NBFIs should identify the level of acceptable risk they are willing to take on. Several key components need to be considered, such as:

• The board of directors’ stance on legal cannabis, given that good governance recommends and regulators expect that the board sets risk appetite
• Cannabis laws in states within the customer footprint and the impact on customers’ communities
• Risk profile, customer base, geographic location, products, and services
• Relationship with regulators and any recent deficiencies or weaknesses in the BSA and associated compliance programs
• Ability to implement appropriate controls and staffing

 Developing a strategic road map

If the decision is made to bank CRBs, banks and NBFIs should perform an assessment of compliance maturity for existing BSA/AML program processes and controls to identify potential gaps and develop a strategic road map that helps the organization achieve its vision for future state compliance and sustainable operations. 

A well-developed and well-articulated strategic road map visualizes what actions or key outcomes are needed to help organizations achieve their long-term goals. When creating the road map, banks and NBFIs need to demonstrate a keen understanding of their desired strategy, outcomes, markets, and products for onboarding and banking CRB customers. Specifically, banks and NBFIs need to define and explain how desired outcomes and business strategies create risk and exposure.

In addition to a road map, banks and NBFIs should develop and document a detailed risk-based approach that is aligned to the organization’s risk tolerance to determine necessary compliance steps when banking CRB customers.

Specifically, the following activities should be considered when developing a CRB banking program that meets regulatory expectations:

• Identifying BSA/AML control gaps related to CRB risk identification and mitigation and formulating a plan to address them
• Updating a board-approved policy framework
• Updating detailed operating policies and procedures
• Planning for capacity, developing job descriptions, and onboarding new personnel
• Training for all three lines of defense, senior management, and the board
• Developing and documenting a phased or full approach to acceptance of CRB customers
• Developing and documenting a CRB program oversight policy

CRB risk framework

A three-tiered CRB risk framework first proposed in 2016 has quickly become the cannabis industry standard. The framework has evolved and expanded comprehensively to consider many types of CRBs, and evolving legal systems continue to refine the framework.

This framework is intended to help banks and NBFIs differentiate types of CRBs and their corresponding risks, and it separates CRBs into three tiers and details risks for each tier. The following exhibit summarizes the approach:

Risk framework by tier

Source: CRB Monitor

Even the most conservative of risk appetites equivalent to outright prohibition is not devoid of significant risk considerations. Residual risk frequently encompasses a large number of indirect connections in the total CRB ecosystem. Common examples are printers, lawyers, accountants, landlords, and even utilities and taxing authorities, and all of these are subject to regulatory scrutiny and, importantly, visibility to law enforcement. Also, policies to prohibit or restrict will be audited and examined for compliance, and exceptions will require explanations.

This panorama necessitates expertise and prudence in identifying and evaluating risks within the many layers of CRBs. For example, consider a bank or NBFI that banks a CRB’s employee or vendor. If a bank fails to properly implement controls that would allow it to identify and mitigate risk associated with banking CRBs, it will be susceptible to severe violations of the BSA, including civil money penalties, criminal penalties, and regulatory enforcement actions. 

Implementing necessary precautions

A well-developed road map should consider and implement the following activities:

• Understanding the most current state and federal cannabis laws and regulations to ensure the bank or NBFI’s compliance
• Understanding the local, state, or tribal program to ensure CRB customers are compliant with the program
• Implementing a CRB risk assessment
• Implementing executive approval practices for direct CRBs
• Developing adequate risk ratings (possibly through a risk-based, tiered approach) and corresponding monitoring for CRB customers that includes:
  • Integrating various customer onboarding and AML solutions at both onboarding and periodic levels
  • Scheduling regular reviews to include recurring enhanced due diligence, site visits, and transaction monitoring
  • Monitoring for suspicious activity, including red flags, via open sources for adverse information about the CRB customers and related parties such as beneficial owners
• Performing adequate CDD and EDD that will validate that the CRB-offered products, services, and programs are compliant with most current state laws and regulations by:
  • Collecting appropriate documentation as evidence of compliance, perhaps including a comprehensive onboarding questionnaire, beneficial ownership information, and contracts for the growing, harvesting, transporting and processing of the product
  • Reviewing applications and supporting documentation used to obtain a legal cannabis state license
  • Understanding the normal and expected activity of the organization’s CRB customers and their product usage
• Developing adequate training programs and governance and oversight programs to address this customer type by:
  • Updating existing policies and procedures to review inherent risk presented by banking CRB customers
  • Updating annual training for employees
• Auditing initial program design and periodic operational effectiveness

Moving forward cautiously

The ins, outs, and unknowns of cannabis banking are complex, and they require banks and NBFIs to be extremely vigilant with current policy and aware of new developments. Overall, the idea of creating a cannabis program might seem like a daunting task, but with appropriate guidance and care, organizations can provide services in compliance with laws and regulations.

Crowe disclaimer: Qualified organizations only. Independence and regulatory restrictions may apply. Some firm services may not be available to all clients. Given the continued evolution and inconsistency of various state and federal cannabis-related laws, any company should seek competent legal advice relating to its involvement in the cannabis industry, including when considering a potential public offering as a cannabis-related company.