By some estimates, the cannabis business will be $80 billion by 2022. From 2013 (the Cole memo) until 2018, the federal government was tacitly supportive of some banking activity for cannabis businesses. Then, at the beginning of 2018, the Cole memo was rescinded, and the “support” descended into abject ambiguity. The FinCEN guidelines outlining, among other things, enforcement priorities and SAR practice, remain in effect (see FinCEN Marijuana Banking Update) and appear to represent the “rules to live by” if anything does.

To date, no financial institutions have been sanctioned for marijuana/cannabis-related banking. The more time passes without enforcement actions while states continue to “legalize” medical or recreational uses, the more politically and regulatorily unpalatable strict enforcement becomes.

In “legal” states, marijuana/cannabis is a grey market product (legal under state law, illegal under federal law), but non-cash financial transactions in the cannabis business are closer to black market—with little support from the traditional banking system. Most financial institutions (including virtually all nationally chartered banks) will not touch marijuana/cannabis-related businesses if they can help it. Credit card companies in the US won’t process marijuana/cannabis-related transactions if they can avoid it. This means that a multi-billion dollar per year business relies mostly on currency (fiat or crypto).
Regardless of our opinion on the current regulatory environment, it is important for financial institutions to have proper detection and reporting of marijuana/cannabis-related businesses whether the financial institution chooses to bank or not bank marijuana/cannabis business.

What are the steps needed to detect and report on marijuana/cannabis-related businesses?

Step 1: Decide what you define as a marijuana/cannabis business.
You must first define “marijuana/cannabis-related business” before you can identify and decide how to react to them. We recommend defining and documenting what constitutes a marijuana/cannabis business by discovering to what degree the existing or potential customer deals with and derives revenue from the marijuana/cannabis business.
Commentators have arrived at a common language for evaluating marijuana/cannabis businesses:

• Tier 1: Businesses that touch the seeds or plant including growers, harvesters, processors (producing marijuana/cannabis-based oils or other products), transporters, wholesalers, and retailers.
• Tier 2: Businesses that sell products or provide services to Tier 1s or otherwise facilitate the growing, processing, transport, sale, or consumption of marijuana/cannabis potentially including hydroponic suppliers, payment processors, private ATM (both fiat and crypto) companies, and licensing and tax consultants, packaging suppliers, and trade groups. To meet our informal definition of a Tier 2, the business should have reason to know it is supplying goods or services to the Tier 1 and should derive some “material” part (“material” to be defined by the financial institution although some commentators suggest that a certain percentage of revenue derived from marijuana/cannabis—such as 50% or more—could separate a Tier 2 from a Tier 3) of their revenue from Tier 1s. More on this below.
• Tier 3: Businesses not focused on providing products or services to Tier 1s but who do so as an ancillary or immaterial part of their business. Examples include armored car companies who transport cash on behalf of Tier 1s as an immaterial part of their overall business, accountants or tax or licensing consultants who work with Tier 1s as an immaterial part of their practice, or fertilizer companies who sell products to the general market including Tier 1s.

Some bright lines exist along these tiers, but there can be considerable ambiguity.  Take a landlord who rents space to a Tier 1. If the landlord’s building is a single tenant facility deriving all its revenue from the Tier 1, you could put the landlord solidly in the Tier 2 category. On the other hand, a landlord that owns a 25,000 square foot strip center and rents 1,500 square feet to a Tier 1, could be considered a Tier 3.

To deal seriously with the marijuana/cannabis question, your policies and procedures will detail how you determine what customers and potential customers fall into each tier and then what customer relationships you are willing to maintain or de-risk. In the course of this analysis, your business leaders will answer questions such as: (1) What systems will you use to determine marijuana/cannabis business  status (e.g., additional questions in the CIP process for new customers, adjustments to transaction monitoring systems to look for cash transactions, the use of outside database resources/vendors to search licensing resources and public records)? (2) What percentage of the customer’s revenue may be derived from marijuana/cannabis before it is classified as a Tier 2 (as opposed to Tier 3 or unclassified)? (3) Are you willing to maintain any relationship with a business classified as Tier 2?

Our best advice?  Create policies and procedures that define marijuana/cannabis for your institution and create a risk assessment to identify, manage, and report on the risk. A modern risk assessment tool can generate a risk assessment and reports in minutes eliminating the need for any manual work.

Step 2: Make sure you are willing to “de-risk” marijuana/cannabis relationships.
Many financial institutions, especially those in markets in which cannabis is legal, have effectively adopted a “don’t ask, don’t tell” policy about potential marijuana/cannabis businesses. “Don’t ask, don’t tell” at least in the sense that they may not have effective KYC to identify marijuana/cannabis businesses in their customer base. One possibility is due to system limitations where financial institutions will now need to re-do their entire KYC forms to add questions related to marijuana/cannabis businesses. Another possibility is since the marijuana/cannabis industry is changing every day, the questions being asked should be changed in a real-time basis in order to be effective. The solution would be to use a modern CDD/KYC system that can give you the ability to customize and configure your KYC form that fits your financial institution’s customer segmentation on the fly. This will make your KYC form future-proof.

Step 3: Ask, Look, Smell, Adjust, File. Recognize that even legitimate/licensed marijuana/cannabis businesses are likely trying to “fly below your radar” and act accordingly.
Step 3.1: Ask.
This one is obvious: Revise your KYC procedures to ask direct and indirect questions about the potential customer’s involvement with marijuana/cannabis. In our experience, direct, clear questions work the best, both for determining marijuana/cannabis business status and then supporting later de-risking if necessary. For example, How much of your revenue do you derive from businesses that grow, harvest, transport, process (create oils or edibles), or sell marijuana/cannabis or related products? A modern KYC system will allow you to customize questions to fit the customer segmentation of your financial institution.

Step 3.2: “Look” at outside data.
There are some very good data providers that keep track of licenses and individuals associated with these licenses. Without utilizing these resources, it will be difficult for you to argue to auditors or regulators you have an effective program to prevent marijuana/cannabis banking.

Step 3.3: Smell.
Cash that spends time around weed tends to smell like weed. Marijuana/cannabis businesses tend to do business in cash. You should investigate businesses that would not normally be cash-based (for example, transportation companies or “farms”) that deposit piles of cash. Additionally, you should “smell” out other transaction types as well. Wire, ACH, or check transactions to companies with unusual names, such as “Miracle Tasty Gummy Bears LLC” should be a red flag.

The point here is that all financial institutions should revise their BSA/AML policies and procedures to account for known characteristics of marijuana/cannabis-related transactions—cash transactions with stinky cash, cash transactions for businesses that do not normally deal in cash, and wire/ACH/check transactions from/to unusual company names. A modern transaction monitoring system will allow for a keyword list to be uploaded to a specific configurable rule, therefore allowing you to control how you want the rule to alert and what you want to alert on.

Step 3.4: “Adjust” your transaction monitoring systems to be more sensitive to cash transactions in certain locations or with customers who may be acting as marijuana/cannabis businesses or doing business with marijuana/cannabis companies.
Transaction monitoring system adjustments reflecting the evolving risk landscape should be part of your BSA practice. For many institutions, it is not. This is as good a time as any to start.

You can discover (through the data sources discussed above) or you may already have a pretty good idea in your local markets, where marijuana/cannabis is grown, processed, and distributed.  For areas of concentration of marijuana/cannabis activity, have your transaction monitoring system look for cash. For companies who might meet your definition of a marijuana/cannabis business, look for unusual cash transactions. These red flags will give you a good sense of where you are exposed to marijuana/cannabis. A modern transaction monitoring system will allow you to configure certain parameters for a specific region and configure other parameters to other region to reduce false positives.

Step 3.5: File SARs.
When your red flag investigation indicates marijuana/cannabis activity with other unusual activity meeting your suspicious activity report (SAR) filing policies and procedures, file the appropriate marijuana SAR (probably a “priority” or “termination” SAR). If there is no unusual activity, file a “marijuana limited” SAR. The Cole memo was rescinded, but FinCEN guidelines on enforcement priorities and “marijuana-related business SAR” practice are still in effect. It’s critical that you follow the FinCEN guidance once you have installed the policies and procedures discussed above, calculated to quantify your marijuana/cannabis risk. A modern AML system will have a prefilled SAR form and a VPN tunnel with FinCEN to make the SAR filing process simpler and more efficient.

Step 4: De-risk.
Take control of your risk profile. Conduct annual risk assessments on your entire customer base and specifically identify marijuana/cannabis-related businesses in the assessment. A modern risk assessment tool can risk assess marijuana/cannabis-related businesses and can automate the institutional risk assessment by just receiving the data from your AML system.

Conclusion and Our Opinion
Whatever you think about marijuana/cannabis, driving billions of dollars of transactions out of the financial system into the black market seems a bad idea. Some believe facilitating marijuana/cannabis transactions does not serve the public interest. They could be right. But, those of us who try to stop money from getting into the hands of terrorists and organized crime are very concerned that driving marijuana/cannabis transactions out of the legitimate, regulated financial system may not be the answer.
Nevertheless, at this time and place, each institution must determine its risk tolerance and act accordingly. We have nothing to add to a financial institution’s evaluation of its risk tolerance, but we strongly recommend against the practice of avoiding the marijuana/cannabis question all together by not performing effective KYC or acting like marijuana/cannabis does not exist. Therefore, we recommend using a modern AML system to detect marijuana/cannabis-related businesses during the customer onboarding stage with a configurable KYC form geared towards your financial institution’s customer segmentation as well as during transaction monitoring with specific rules looking for keywords and specific rules configured for a specific region. We also recommend using a modern risk assessment tool that can risk assess marijuana/cannabis-related businesses and that can intake data from AML systems to instantly generate a risk assessment and board reports.

<span=”font-size: 16px;”>The contents of this article represent our interpretations and opinions regarding the subject matter.  They are not intended as legal or compliance advice, and we always recommend that you consult counsel and/or a compliance professional with direct knowledge of your specific issues and operations.

About the Authors
Mark Stetler is CEO of RegSmart.  He has a BBA in Finance from Baylor University (cum laude, 1985) and a law degree from the University of Texas (with honors, 1988).  Mark has worked in the financial services industry for 30 years as an attorney and entrepreneur and previously co-owned one of the nation’s largest firms specializing in forensic financial audits.  He is a Certified Anti-Money Laundering Specialist and a chief architect of RegSmart’s anti-money laundering risk assessment and audit SaaS.

Ben Knieff is an executive advisor and consultant, specializing in fraud detection, identity verification, authentication and biometrics, anti-money laundering, sanctions screening, counter terrorist financing, blockchain technologies and banking high risk entities such as cannabis related businesses. He has worked in the financial services industry for FIS, PayPal, NICE Actimize, and Aite Group and has been quoted by such publications as American Banker, Bank Info Security, The Times of London, Forbes, The New York Times, and Wall Street & Technology.

Matthew Lau is a Product Manager at Guardian Analytics. He has a BA in Economics and Communications from University of California, Davis. He has worked for 6+ years in the BSA/AML programs of two $100B+ asset size regional banks. He is a Certified Anti-Money Laundering Specialist. At Guardian Analytics, he manages the Guardian Analytics AML Evidence Lake product.

About RegSmart
RegSmart offers the best-in-class automated BSA/AML risk assessment SaaS. Supported by subject matter experts, RegSmart collects data with intuitive wizards and stores that data for regulatory compliance and change management. RegSmart delivers complete, plain language reports with actionable intelligence. Please visit us at www.beregsmart.com.

About Guardian Analytics
Guardian Analytics is the pioneer and leading provider of behavioral analytics and machine learning solutions for preventing banking fraud and anti-money laundering.  Hundreds of financial institutions have standardized on Guardian Analytics’ innovative solutions to mitigate fraud risk and rely on the company to stop the sophisticated criminal attacks targeting retail and commercial banking clients. With Guardian Analytics, financial institutions build trust, increase competitiveness, improve their customer experience, and scale operations. Guardian Analytics is privately held and based in Mountain View, CA. For more information, please visit www.GuardianAnalytics.com.