5 Considerations When Evaluating Marijuana-Related Business Banking Practices

Financial institutions should pay attention to these best practices to mitigate risk.

Changes in the current political, regulatory and business climate have made it ever more acceptable for financial institutions to offer banking services to marijuana-related businesses (MRBs). For financial institutions with clients in this industry, compliance officers must develop a compliance program that mitigates AML and sanctions risks and meets current regulatory expectations relative to financial services to MRBs.

As with any business banking practice, an appropriate risk-based independent testing regime should be established. While the FFIEC has not yet published detailed procedures in this area, there are steps and best practices that banks can take to help address current regulatory expectations.

Proper scoping, appropriate sampling and testing procedures and well-qualified staff still remain the key components of any successful review. Although not all-inclusive, any audit of marijuana-related business banking practices should include a review of the following five areas.

1. Program governance

Any program governance evaluation should at least include a review of:

• The comprehensive risk assessment for the MRB business line;
• The Board’s approval of the MRB business line, a review of the financial institution’s preceding due diligence and MRB lending and account pricing standards;
• Board approved policies and procedures for on-boarding and monitoring MRB customers;
• Initial and on-going due diligence of MRB customers;
• Monitoring processes and procedures of MRB customers;
• MRB-specific training, including “red flags”;
• Cash management and cash reporting of MRB customers;
• Ensure policies prohibit the exemption of MRB customers for Currency Transaction Report (“CTR”) filing purposes;
• Policies and procedures for identifying, investigating and reporting suspicious activity related to MRBs.
• Exit strategies for MRB customers; and,
• Management reporting.

2. File review

Any review of MRB customer files should include a review of the adequacy and timeliness of the due diligence conducted on each account.

3. Account testing

Account activity reviews should identify:

• If account activity is within expected and anticipated thresholds; and,
• Any evidence of MRB red flags activity identified by FinCEN.

4. Adherence to published regulatory guidance

Any MRB Banking Compliance Program should follow:

• The MRB guidance, issued by the Financial Crimes Enforcement Network (“FinCEN”) in 2014, entitled “BSA Expectations Regarding Marijuana-Related Businesses” (“FinCEN Guidance”);
• The parallel guidance issued by the U.S. Department of Justice (“DOJ”) in the Cole Memo and the DOJ Companion Letter.

Although the Justice Department rescinded the Cole Memo in 2018, industry best-practices continue to follow this guidance.

5. Filings with FinCEN

No evaluation of banking practices would be complete without a review of reports filed with FinCEN.

It is of critical importance that financial institutions file Suspicious Activity Reports (SARs) with FinCEN related to their MRB customer’s banking activities at onset of the banking relationship, throughout the entirety of the banking relationship, and upon termination of the banking relationship. Untimely or inadequate SARs are indicative of regulatory non-compliance and may lead to enforcement actions.

Offering banking and financial services to marijuana-related businesses can be a profitable business venture. However, when doing so, financial institutions should take a risk-focused approach to mitigating the risks inherent in these types of banking relationships. Compliance officers and auditors should consider engaging risk advisors who can provide a risk-focused assessment of their MRB compliance program.

To learn more about how to appropriately manage the risks posed by MRBs, contact me or another member of Kaufman Rossin’s Risk Advisory Services team.