This is the third piece in our 3-part series on cannabis banking. You can find the first two pieces here:
- What Is the Current Status of the SAFE Banking Act?
- Cannabis Banking Programs: Strategic Considerations for Financial Institutions
Once a financial institution’s board approves the development of a cannabis banking program (check out our second piece in this series for tips), there are several steps involved before it can open the doors to banking these entities and offer services such as deposit accounts, loans, and cash management. This article highlights the major areas of focus to begin the process. Note that the ultimate answer to enter the space or not depends on the conclusions drawn out by completing a CRB risk assessment.
Risk Assessment
A comprehensive cannabis risk assessment/gap analysis is the first major step in developing the program and should incorporate the elements discussed in part 2 of the series. In addition, the Risk Assessment should discuss the products to be offered (deposit, loan, cash management), staffing and training levels, audit function, independent program review, the components of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program, and operational risk. Future articles will drill down through the risk assessment and its contents.
Even though the board has given the green light to program development, a comprehensive and detailed risk assessment may tell another story, leading a financial institution to put the brakes on cannabis. Some financial institutions have discovered that after promising conversations outlined within the strategic considerations article, the ultimate conclusion was that the financial institution was not in a position to open the doors to cannabis after completing the risk assessment. Analogies can be made to banking money service businesses, which few financial institutions bank to begin with, and adding the risks of federal prosecution, asset seizure, and regulatory scrutiny on top.
Assuming that after completing the risk assessment the answer is “yes” to banking CRBs, the financial institution can begin assembling the program.
Policies and Procedures
This will be the roadmap of the program. The CRB policy should be a standalone, board-approved document that discusses the entire program and points to related procedures that detail such areas as onboarding, ongoing monitoring, regulatory reporting, vendor due diligence, oversight, and exit strategies, among many other areas that will be explored in a future series.
Training
A common phrase used in business and risk management is, “you’re only as good as your weakest link.” Training, from the board to customer-facing staff, lending, and operations is a major factor in ensuring the safety and soundness of the institution from a risk management perspective. As applicable to roles, a thorough and ongoing understanding of the space is key to a strong program. Elements would include a specific understanding of cannabis federal regulations and guidance, state laws, internal processes, and key terms and definitions among other areas.
On-Boarding/Customer Due Diligence (CDD)
The actual processes and controls implemented in this area will need to encompass areas not normally associated with common deposit and loan accounts. Processes and controls for validating source of funds, reviewing and validating the state licensing documentation, obtaining all applicable licenses and contracts for cultivating, processing, selling, and transporting the product, and the process for executive management approval would need to be devised and implemented. This is in addition to normal onboarding controls such as identifying beneficial owners, expected activity, completion of a comprehensive onboarding questionnaire, and other CDD details. Many financial institutions partner with third-party operators who specialize in assisting financial institutions in the onboarding process. These entities contract with financial institutions to facilitate the process between the parties.
Suspicious Activity Reports (SARs)
Federal law requires the filing of SARs every 90-120 days on direct CRB relationships. To that end, financial institutions would need to enhance established suspicious activity monitoring and filing controls to ensure that all CRB activity is captured and reported, and to ensure that the SAR filing represents the applicable “type” of SAR (Marijuana Limited, Marijuana Priority, Marijuana Termination). Recall that these differing types have specific meanings, and it would be especially important to differentiate for example, a “limited” SAR, which is an SAR filed merely because the business is a CRB, and a “priority” SAR, which is an SAR indicating violations of state law, that identifies FinCEN red flags, or that violates Cole Memo priorities (even though rescinded, these are still applicable according to FinCEN).
Ongoing Enhanced Due Diligence
Like suspicious activity filing and monitoring, ongoing due diligence processes and controls would need enhancement. Typically, CRB customers would be considered “high-risk” and monitored accordingly. This function is separate from suspicious activity monitoring. Examiners like to see CRBs monitored within the high-risk process, and not just through the SAR filing process. This allows the financial institution to review the relationship from a holistic standpoint using a risk-based approach, and include research normally associated with high-risk monitoring such as open-source research on the business and owners for negative news, running “clear” reports, continuing source of funds analysis, transaction trend analysis (year-over-year or other period), and other monitoring that would not necessarily be captured through the SAR monitoring process. Many financial institutions partner with third-party operators who specialize in assisting financial institutions in monitoring these entities, in addition to any AML software the financial institution has in place that would also most likely have analytics for ongoing monitoring. Vendor due diligence and fine-tuning existing AML software would be ongoing considerations as part of the cannabis banking program.
The above is a good framework to start the journey toward developing a sound CRB program and opening the doors to banking these businesses.
Stay tuned for more insights into specific discussions institutions should have on what to include in a CRB program risk assessment and within specific areas of a CRB program.
Our Cannabis Team offers comprehensive compliance and advisory services to financial institutions and CRBs alike, as well as robust accounting and tax services specifically tailored for CRBs – contact us to learn how we can help.
