Not banking CRBs?

Cannabis-related risks still exist

Amy Bean, Caitlin Strelioff, Jillian Arezzi
| 3/24/2023
Not banking CRBs? Cannabis-related risks still exist

Deciding not to bank cannabis-related businesses doesn’t mean organizations are exempt from risk exposure.

Financial services organizations in states where cannabis has been legalized have to decide whether to bank cannabis-related businesses (CRBs) now, wait to do so until all cannabis becomes federally legal, or not bank them at all. Even in states where cannabis is legal, processing cannabis-related funds could be deemed as criminal activity and money laundering, and financial services organizations could be found in violation of the Bank Secrecy Act (BSA) for not reporting cannabis-related transactions.

Some cannabis is federally legal, for example hemp and hemp-derived CBD, while other types of cannabis remain federally illegal. Now is the time for financial services organizations – especially banks and credit unions – to evaluate how they are responding to the changing landscape. Specifically, organizations should analyze their risk exposure to effectively identify and manage any cannabis-related risks.

Keep informed
Sign up to receive the latest insights on strengthening your financial crime program.

Potential risks of not banking CRBs

As more states decide to legalize cannabis, financial services organizations need to be intentional about understanding their risk. Some might have already chosen to close the door on this new market for the time being, but simply saying “no” to CRBs is not enough, and it does not fully reduce their exposure.

For example, people who do not smoke cigarettes but are in environments where smoking is present expose themselves to a measure of risk with the damages secondhand smoke can cause. In a similar way, the so-called secondhand smoke in the form of unknown risk exposure from cannabis-related transactions could cause problems for financial services organizations because cannabis-related funds could already be moving through the organizations in one form or another.

Such risk exposure can appear in many ways. It could be a gas station, grocery, or convenience store stocking a cannabidiol (CBD) product, or it could be a chiropractor or yoga studio offering CBD as an enhancement to their services. When banks and credit unions decide not to bank CRBs, they need to have an adequate understanding of their risk exposure in order to establish controls that effectively prohibit related activity.

While some financial services organizations and private financiers play a pivotal role in the growth of the cannabis industry, others might limit that growth by not providing CRBs access to banking services. The uncertainty of the regulatory landscape has left many organizations unwilling to accept the exposure. Many are biding their time, waiting for others to continue making the first moves, so they are temporarily – or even permanently – choosing not to bank CRB customers. If the ultimate choice is to take a risk-based approach and avoid banking CRBs, simply prohibiting such activity in a policy and risk assessment is not sufficient to protect the organization.

Commonly, when a financial services organization has chosen not to bank CRBs, outside of this strict prohibition, no other mention is made regarding CRBs (federally legal or not) in the organization’s BSA and anti-money laundering (AML) policies or procedures. Understanding the complexities of cannabis – whether it is hemp or marijuana – and determining the level of customer involvement are integral to identifying the organization’s unique risk exposure and profile. Additional controls are necessary to help management confirm that CRBs are not present in the customer base. Additionally, if an organization is comfortable banking federally legal CRBs, for example, hemp customers, the organization still should document a tailored control structure.

Taking a risk-based approach

First, if a bank or credit union prohibits CRBs, it needs to understand exactly what it is prohibiting. A tiered CRB framework is intended to help organizations differentiate types of CRBs and their corresponding risks. Every organization’s risk is different; therefore, the approach to cannabis, in all forms, should be tailored to the specific bank or credit union.

While a tiered approach is helpful, it should only be an initial framework to define a unique control environment. A risk assessment should thoroughly examine inherent risks and the mitigating controls that are in place to adequately identify the remaining residual risk.

An organization’s analysis should include consideration of indirect connections in the CRB ecosystem and where federally legal hemp and hemp-derived CBD are in that picture. Common examples of relationships that have the potential for indirect access and risk for a bank or credit union include businesses such as marketing companies, lawyers, accountants, landlords, and even utilities and taxing authorities. Management should explain within the organization’s risk assessment where indirect risks reside for cannabis implications and note the impact of federally legal activity like hemp and hemp-derived CBD in the risk environment.

Additionally, these risks and control measures should be documented appropriately, as policies to prohibit or restrict cannabis activity will be audited or examined for comprehensiveness and accuracy. While regulatory agencies have not issued clear guidance on how to manage these relationships, demonstrating the evaluation and effective management of associated risks is essential for banks and credit unions.

Identifying CRB exposure

The uncertain landscape of cannabis necessitates expertise in identifying and evaluating risks within the many layers of CRBs. For example, a financial services organization that banks a consumer (such as a CRB’s employee) or a business that indirectly touches cannabis (such as a lawyer or accountant providing services to CRBs) would be classified differently when compared with an owner of a gas station that sells one CBD product. If the organization fails to properly implement risk-based controls that allow for comprehensive identification (or document the known lack thereof for all cannabis activity) and demonstrate mitigation of risks associated with banking CRBs, the organization would potentially be susceptible to scrutiny or audit findings.

Once a bank or credit union has determined what inherent risks exist and if it is willing to transact with direct CRBs (plant touching) or indirect CRBs (once or twice removed from plant cultivation or dispensing), the next considerations are exposure and compensating controls. Even if an organization prohibits banking CRBs of all forms, it is still imperative to establish controls that confirm that CRB activity is not occurring. Also, if an organization prohibits banking federally legal CRBs like direct hemp and hemp-derived CBD dispensaries, cultivators, or other businesses generating their majority revenue from these services, documented controls to confirm the organization is not banking this federally legal CRB activity would be required as well.

The value of onboarding

Identifying CRB customers at onboarding is a critical first step. Asking specific questions at account opening and during the customer due diligence (CDD) process can help reveal CRB activity. Typical onboarding questions to assess CRB activity and risks include:

  • Is this a cannabis-related business?
  • Does your business derive or have plans to derive a significant percentage of revenue from a direct CRB?
  • Does your business lease or have plans to lease property to a cannabis-related business?
  • Are you a hemp cultivator or manufacturer?
  • Do you sell or have plans to sell hemp-related products?
  • Does your business sell or have plans to sell hemp-related products such as CDB oil, food, or dietary supplements?

If a CRB customer is identified at onboarding, front-line personnel should be aware of specific prohibitions and what to do when these entities are identified. A robust onboarding and due diligence information collection process is critical for determining if CRB customers are in compliance with the organization’s defined policies and procedures.

Controls that confirm the front-line employee’s awareness of the prohibited customer type can include:

  • Setting pop-up alerts or system-generated hard-stops for specific answers to due diligence questions
  • Conducting training about onboarding restrictions for prohibited customers
  • Updating procedures to include prohibitions
  • Providing compliance contacts for any additional questions

Account-opening quality control processes can also help keep the prohibited CRB from passing through the onboarding process.

Ongoing monitoring

As states continue to legalize cannabis, existing customers might unknowingly enter into CRB-related transactions. Without proper controls, banks and credit unions could easily miss such activity and expose themselves to risk.

Onboarding controls can help prevent account openings for prohibited CRBs. However, if an existing customer enters this space, marijuana-, hemp- or CBD-related activity could pass through the organization without awareness, and onboarding controls won’t be able to prevent these risks. As such, it is imperative for financial services organizations to establish ongoing controls to confirm CRB activity is not occurring in conflict with an organizational prohibition on cannabis-related activity. Further, ongoing controls can help management confirm that customers are in compliance with defined policies, processes, and practices. Ongoing controls include:

  • Ongoing keyword and business searches. Keyword and business searches can be executed manually or automated through an existing transaction monitoring (TM) or watchlist system by creating a custom list or relying on available vendor lists.
  • Periodic customer screening. Banks and credit unions can periodically screen the customer base for cannabis-registered businesses. Multiple vendors offer screening functionality to assist in the identification of registered CRBs in existing customer bases. Additionally, known hemp dispensaries in an organization’s footprint can be searched.
  • Updated CDD and enhanced due diligence (EDD) processes. Screening can help identify direct CRBs, but indirect CRBs are not subject to the same requirements and might not be identified through usual screening methods. Enhancing ongoing CDD and EDD processes is prudent, including adding additional questions to confirm no changes are evident with the customer’s CRB activity. Periodic check-ins and site visits are also beneficial for true high-risk customers that inherently pose more cannabis-related risk.
  • Transaction monitoring controls. TM vendors continue to increase their offerings for monitoring CRB activity, including customized rules for CRBs. Implementing CRB-specific rules and red flags into the transaction monitoring process can help identify unwanted CRB activity. Additionally, it is important for management to understand that effective monitoring methods are still being refined, so supplemental controls and transactional analysis are recommended in addition to automated monitoring controls.

Escalating to management

When the established ongoing controls identify a prohibited CRB customer, the relationship must be immediately escalated for management’s review and evaluation for closure. It is critical to document the defined termination strategy and necessary processes to exit a prohibited relationship. These processes need to include filing marijuana suspicious activity reports (SARs) on these clients as necessary, and they must align to guidance from the Financial Crimes Enforcement Network.

Management will need to make sure all executive committees and board members approve the exit strategies. If the organization’s policy is to prohibit CRB activity, isolated extensions or approvals to accept this activity cannot be issued haphazardly. If the organization might grant an occasional exception, additional language, terms, and controls must be implemented to protect the organization and keep these occasional exceptions consistent. Additionally, procedures should include a review and investigation of customer activity and a marijuana termination SAR report filing for true cannabis activity.

Knowing the risks to limit the exposure

Choosing not to bank CRB customers requires more consideration than a simple prohibition policy statement. Financial services organizations need to limit their exposure to the unknown risks that CRBs might introduce.

By considering the types of accounts and prohibited activity, establishing onboarding and ongoing controls, and setting an exit process if prohibited accounts are identified, financial services organizations can mitigate the risk of not banking CRBs and strengthen their financial crime and AML programs at the same time.

Crowe disclaimer: Qualified organizations only. Independence and regulatory restrictions may apply. Some firm services may not be available to all clients. Given the continued evolution and inconsistency of various state and federal cannabis-related laws, any company should seek competent legal advice relating to its involvement in the cannabis industry, including when considering a potential public offering as a cannabis-related company.