Marijuana-related business services
In August 2013, the DOJ’s Deputy Attorney General James Cole issued the well-known “Cole memo” to state attorneys general, indicating that federal law enforcement would not interfere with states that chose to legalize marijuana as long as they upheld certain enforcement priorities. The Cole memo updated prior guidance issued in 2009 and 2011 and paved the way for FinCEN to issue its marijuana banking guidance (BSA Expectations Regarding Marijuana-Related Businesses) in 2014.
Implementing and managing a marijuana banking program is not a turnkey operation. It takes a tremendous amount of work to comply with FinCEN’s marijuana banking guidance including the expected due diligence in onboarding marijuana-related businesses (MRBs) as well as ongoing monitoring/due diligence.
It’s imperative that credit unions that are currently banking MRBs or considering this book of business understand the processes needed to comply with FinCEN’s marijuana banking guidance.
MRBs are generally classified in one of three tiers depending on the role they serve. The credit union should determine which MRB tier(s) to serve.
- Tier I MRBs, which are the riskiest, include businesses that actually “touch” the plant including dispensaries, suppliers of seeds, growers, and processors.
- Tier II MRBs, which are less risky, include businesses that derive most of their revenue by serving Tier I MRBs including hydroponic suppliers, packaging, consultants, and advertisers.
- Tier III MRBs, which are the least risky, include businesses that provide incidental services to Tier I MRBs, including attorneys, accountants, and commercial landlords.
Credit unions should establish limits for the size of the marijuana banking program. This is generally expressed in terms of MRB share deposits to total shares. A best practice is to also establish limits for the maximum number of MRBs by type or tier that the credit union will serve.
Additionally, you’ll want to make sure you have adequate staff with sufficient expertise to effectively manage this book of business.
Complying with FinCEN’s marijuana banking guidance can be a significant burden for many credit unions. You should have staff who are well versed in BSA/AML laws. At minimum, your BSA staff should be certified (e.g., through CUNA or NAFCU’s BSA certification program). A best practice is to have someone with the Certified Anti-Money Laundering Specialist (CAMS) designation overseeing the marijuana banking program.
The due diligence expectations do not end once MRBs are onboarded; rather, they’re just starting. Conducting periodic onsite visits to MRBs should be included in your ongoing monitoring/due diligence procedures.
The frequency of onsite visits should be risk-based. Credit unions are expected to conduct onsite visits at Tier I MRBs, particularly dispensaries, more frequently than Tier II MRBs.
When conducting an onsite visit to a dispensary, staff should ensure the dispensary’s license is properly displayed, evaluate the facility’s security (e.g., robbery alarms, surveillance cameras, etc.), and observe how the dispensary verifies the customer’s eligibility to purchase marijuana products. Onsite visits should be documented, preferably using a checklist, with findings noted.
Automated BSA software is a must-have for credit unions banking MRBs. FinCEN created three new classes of Suspicious Activity Reports (SARs) related exclusively to banking MRBs:
- Marijuana Limited SAR must be filed when the credit union reasonably believes that the marijuana-related transaction neither implicates one of the enforcement priorities addressed in FinCEN’s marijuana banking guidance nor violates state law.
- Marijuana Priority SAR should be filed when the credit union reasonably believes that the marijuana-related transaction implicates one of the enforcement priorities and/or violates state law.
- Marijuana Priority SAR should be filed when the credit union determines that it is necessary to terminate the relationship with an MRB in order to remain in compliance with BSA/AML laws.
FinCEN’s marijuana banking guidance contains over 20 red flags that indicate an MRB could be engaging in activities that implicate one of the enforcement priorities contained in the guidance or violate state laws. As an example, one of the red flags is an MRB depositing more cash than is commensurate with the sales data the MRB reports to the state. To effectively monitor this red flag, the credit union should reconcile the MRB’s cash deposits to the sales data the business reports to the state. Any material reconciliation variance should be investigated and resolved.
In addition, partnering with other third-party vendors for their software platforms greatly assists in automating “know your customer” requirements, document collection and verification, establishing risk ratings, and automated searches for adverse information on MRBs and related companies. There are several vendors that offer this type of software platform, including DocFox, Hypur, Green Check Verified, and Shield Compliance to name a few.
MRBs are known to make large daily cash deposits. Verifying these deposits can be a significant burden on your tellers, and holding large sums of cash on premises exposes the credit union to the risk of robbery or burglary.
Your credit union will need to be prepared to handle these large sums of cash. A best practice is to require MRBs to contract directly with an armored car service to transport the cash from the MRB to a Federal Reserve Bank. If this is not an option, be sure to monitor branch cash levels and arrange for an armored car to pick up excess cash to be transported to the Federal Reserve Bank.
In addition, some dispensaries may operate their own automated teller machines (ATMs). There is a money laundering risk with privately-owned ATMs in that dispensaries could replenish the ATM with cash derived from illegal sales. The credit union will need to follow the FFIEC’s guidance for privately-owned ATMs. Some credit unions may not want to accept the risk of dispensaries operating their own ATM so they may require the dispensaries to remove the ATM.
Once MRBs have a relationship with a credit union, they may request wire transfers to pay their vendors. Credit unions should adopt a wire transfer agreement because these wire requests can be large. The agreement should include an agreed-upon “security procedure” for authenticating MRBs’ remote wire transfer requests. This allows the credit union to shift liability to the MRB for unauthorized wire transfer requests, provided the security procedure is a commercially reasonable method of protecting against unauthorized wire transfer requests, and the credit union accepted the request in good faith and in compliance with the established security procedure.
Credit unions should have a well-defined exit strategy that identifies how the credit union can exit/terminate a particular banking relationship with an MRB, as well as an overall strategy to exit/terminate the entire MRB banking program, for example if the U.S. Department of Treasury or FinCEN indicates that financial institutions are no longer permitted to offer services to MRBs.