If you’re looking for a landslide in the 2020 elections, look no further than the undisputed winner—marijuana. In each of the ballot initiatives up for consideration, voters said yes to expanded liberalization in cannabis-related laws by undeniably wide margins. Voters from across the political spectrum in red and blue states alike approved medical and recreational cannabis laws, including the legalization of medical cannabis in Mississippi and South Dakota and the legalization of cannabis possession by adults in Arizona, Montana, New Jersey, and South Dakota. Legislatures will soon enact laws in conformance with these ballot initiatives. A total of 35 states and the District of Columbia have legalized marijuana for medical use, 15 of which allow adults to legally use the drug for recreational use as of November 2020.
As cannabis legalization proliferates across the country, significant amounts of money will need to be processed, stored, leveraged, loaned, and borrowed by what financial institutions call “marijuana-related businesses” (MRBs), including growers, retail dispensaries, and service providers. To support the development of the cannabis market, the industry needs access to trusted financial institutions. Unfortunately, most financial institutions avoid serving the cannabis industry or provide only limited support to it.
Previously wary financial institutions may consider dipping their toes in the warming water of the growing cannabis market, which is projected to double to $41.5 billion by 2025, according to New Frontier Data. Caution has always been important when serving this industry—given that the underlying product remains illegal under federal law—but with a plan and appropriate policies and procedures, there is a path forward to working with MRBs.
Complying with the Bank Secrecy Act
The Bank Secrecy Act (“BSA”) requires financial institutions to assist the government in detecting and preventing money laundering through establishing an anti-money laundering (“AML”) program, that includes recordkeeping and reporting requirements. The BSA prohibits possessing the proceeds generated from criminal activity, such as the sale of illegal drugs. The Department of Justice (“DOJ”) has jurisdiction to prosecute all cannabis-related crimes, but in practice has not taken action against MRBs or their related financial institutions under both the Obama and Trump Administrations.
The BSA expectations and customer due diligence (CDD) guidance issued by the Financial Crimes Enforcement Network (FinCEN) should serve as the base for any financial institution designing an AML program to service MRBs. FinCEN’s guidance builds on a set of enforcement objectives first detailed by the Department of Justice in the now-rescinded Cole Memo. In short, to meet these enforcement objectives and comply with the BSA, FinCEN directs financial institutions to conduct CDD that includes:
(i) verifying with the appropriate state authorities whether the business is duly licensed and registered; (ii) reviewing the license application (and related documentation) submitted by the business for obtaining a state license to operate its marijuana-related business; (iii) requesting from state licensing and enforcement authorities available information about the business and related parties; (iv) developing an understanding of the normal and expected activity for the business, including the types of products to be sold and the type of customers to be served (e.g., medical versus recreational customers); (v) ongoing monitoring of publicly available sources for adverse information about the business and related parties; (vi) ongoing monitoring for suspicious activity, including for any of the red flags described in this guidance; and (vii) refreshing information obtained as part of customer due diligence on a periodic basis and commensurate with the risk. With respect to information regarding state licensure obtained in connection with such customer due diligence, a financial institution may reasonably rely on the accuracy of information provided by state licensing authorities, where states make such information available.
FinCEN’s guidance also details a financial institution’s Suspicious Activity Report (SAR) filing obligations, which establishes thresholds and timing requirements for financial institutions to file various types of SARs related to MRB activities. Different types of SAR filings are required depending on the activities of the MRB and whether those activities implicate one of the Cole Memo priorities or violate state law.
Financial institutions should treat this FinCEN guidance as a floor for its AML program and also look to the BSA’s legal requirements to ensure that the resulting AML program is tailored to the risks the financial institution faces when it takes on MRBs as customers. Under the BSA, a financial institution must establish and maintain an effective AML program that meets the BSA’s five pillars:
- Establish written internal policies, procedures, and controls.
- Conduct an independent testing and audit of the institution’s AML policies, procedures, and controls.
- Designate an AML compliance officer.
- Provide ongoing training to relevant employees.
- Conduct appropriate customer due diligence.
Each pillar is important to an effective AML program—especially when a financial institution is taking on MRB clients. The backbone of a financial institution’s strategy for serving MRBs should be establishing written internal policies, procedures, and controls, with a focus on its CDD.
The internal controls should be tailored to the size, structure, risks, and complexity of the financial institution. Similarly, internal controls should address the unique risks and compliance requirements of specific lines of business in the written internal policies and procedures. Accordingly, a financial institution’s MRB program should identify the risks posed by the MRBs’ operations, products, services, customers, and geographic locations. This information should be used to develop written policies and procedures, so that the board of directors and compliance personnel may adequately prepare for servicing these MRBs and developing a culture of compliance that fits the financial institution’s needs.
Customer Due Diligence
Effective CDD policies and procedures will enable a financial institution to detect and report suspicious activity, avoid criminal exposure for the financial institution from persons who attempt to use the financial institution for illegal purposes, and adhere to safe and sound practices. Part of an effective CDD program for financial institutions providing services to MRBs is developing procedures for identifying MRB customers and the risks they pose. When an account is opened, the financial institution’s CDD questionnaire should elicit information that will expose the customer’s MRB activities. Once those details are obtained, requesting additional identifying information from the MRB customer may be necessary, which could include information related to the MRB’s state license, or details about the MRB’s owners, investors, and employees.
At a minimum, a CDD program should examine the applicable licensure or registration status of prospective MRBs, the normal and expected activity for the MRB, the types of products and services that the MRB provides (e.g., medical versus recreational customers and services), and any suspicious activity associated with the MRB. In addition to monitoring this information throughout the customer relationship, the financial institution should also periodically refresh collected information commensurate with the risk posed by the MRB customer.
By incorporating FinCEN guidance, risk assessments of MRB customers, and an effective CDD program, a financial institution can achieve better-tailored AML procedures that meet the expectations set forth by the BSA while reducing the risks associated with servicing the burgeoning cannabis industry.