As we pass the halfway mark of 2022, it's a good time to reflect on what has happened, or not happened, with respect to the legal framework for the provision of financial services to marijuana-related businesses (MRBs). In our review, the answer to this question is "not much," or put differently, the more things change, the more they seem to stay the same. While advocates in Congress continue to push for reform, the prospect of comprehensive legal reform remains uncertain, and the federal government has taken few, if any, additional steps to provide guidance to MRBs or financial institutions seeking to provide them with basic banking services.
Still, even against this uncertain backdrop, more and more financial institutions are providing banking, lending, and even payments services to MRBs in states in which marijuana has been legalized. This expansion is the product of continued legalization of marijuana at the state level (Arizona, Montana, and New Jersey in 2020), and the perception that enforcement risks are manageable for MRB banking programs that are set up carefully and consistent with federal guidance and industry best practices.
Accordingly, for those banks, credit unions, and payments companies that are interested in serving the MRB industry, this article provides a refresher on the legal framework for providing financial services to MRBs and outlines the best practices that we have learned from our experience in counseling financial institutions on how to serve the marijuana industry in a safe, sound, and responsible manner, consistent with federal and state regulatory expectations.
Overview of the Legal Framework
As noted above, the legal framework for providing financial services to the MRB industry has remained remarkably consistent over the past decade or so. Although the Controlled Substances Act (CSA) makes it illegal under federal law to manufacture, distribute, or dispense marijuana, roughly 46 states and the District of Columbia have legalized at least some degree of use of medical marijuana, with 18 states and the District of Columbia having approved at least some degree of both medical and recreational marijuana use.
In response to these state developments, the U.S. Department of Justice (DOJ), the Financial Crimes Enforcement Network (FinCEN), and the federal banking regulators have issued guidance, or made public statements, addressing how financial institutions may provide services to MRBs consistent with regulatory compliance obligations. In particular, in 2013 and 2014, respectively, the DOJ's Deputy Attorney General, James M. Cole, issued the "Cole Memos" to U.S. Attorneys providing guidance on marijuana enforcement under the CSA. At the same time that DOJ issued the second Cole Memo in 2014, FinCEN issued guidance (FinCEN Guidance) based on the Cole Memos advising financial institutions on how they could provide financial services consistent with their AML obligations.
Although the Cole Memos were rescinded under the Trump Administration, the current Attorney General, Merrick Garland, has made it clear that he does not intend to focus DOJ's attention on MRBs operating in compliance with state laws (consistent with the Cole Memos). Moreover, the FinCEN Guidance remains in place. and Treasury has indicated it will continue to remain in place until a better solution is found. Furthermore, our experience has been that federal and state regulators continue to advise financial institutions interested in marijuana banking to follow the FinCEN Guidance and the Cole Memos and operate in a manner consistent with state law. (Separate from federal and state law, most payment networks (cards, etc.) continue to take the position that their networks may be used only to process payments for lawful transactions.)
Against this backdrop, we have seen a lack of federal enforcement against financial institutions based on the mere fact that an institution is providing banking services to the marijuana industry in states where marijuana has been legalized. DOJ and the federal banking regulators are well aware that financial institutions in numerous states are providing services to MRBs, and their lack of public enforcement actions suggests that they have no present plans to target financial institutions that are providing services in a safe and sound manner.
Instead, the more likely risk of an enforcement action against a financial institution lies in (1) failing to implement and manage an appropriate risk-based MRB compliance program, (2) ignoring compliance deficiencies in the AML program or red flags with respect to specific MRBs, (3) engaging in additional, unlawful conduct involving the MRB program (e.g., assisting an MRB in engaging in activity that violates state laws), or (4) disregarding any examination findings, guidance, or orders issued by a regulator with respect to the MRB program.
This assessment is supported by the limited number of enforcement actions that have been brought against financial institutions providing services to MRBs. None of the enforcement actions that have been publicly reported in this space have targeted financial institutions solely because they were serving the marijuana industry. Instead, these actions have targeted institutions that had implemented deficient AML compliance programs in connection with providing services to MRBs. Most recently, for example, in February 2021, the NCUA issued the first consent order pursuant to a federal enforcement action that explicitly cited marijuana-related BSA/AML violations. While there were no factual allegations of violations made in the consent order, Life Federal Credit Union (Live Life), a credit union based in Michigan, was required to implement a number of upgrades to its AML programs and policies, which suggests that the NCUA found deficiencies in them. The consent order required Live Life to implement an automated suspicious activity monitoring system that complied with FinCEN's regulations, among other requirements. We are also aware, anecdotally, of other non-enforcement matters where bank regulators have required banks to shut down MRB programs, but only where the banks did not have adequate policies and procedures in place.
Best Practices for Minimizing Potential Risk
The best way for a financial institution to minimize legal and regulatory risk when providing services to MRBs is to (a) maintain an open, transparent relationship with the institution's regulators and business partners, and (b) implement a robust, risk-based, and tailored MRB program that adheres to the FinCEN Guidance, Cole Memos, and industry best practices. There is no one-size-fits-all design for a compliance program, and each financial institution needs to tailor its policies and procedures based on its circumstances.
At a minimum, however, the program should include robust customer due diligence, monitoring, and reporting processes.
Maintain a Strong Culture of Compliance
The board, management, and senior officers must understand and take an active role in overseeing the MRB program. As part of this, the board should ensure that sufficient resources are dedicated to the MRB program, including, as appropriate, investments in technology, staff, training, and monitoring. The financial institution's efforts to manage and mitigate BSA/AML deficiencies and risks should not be compromised by revenue interests. If resources are not adequate, individuals should be empowered to make such deficiencies known to senior management and the board. The board, management, and senior officers should ensure that the MRB program is subject to regular audits that review potential risks and assess the effectiveness of existing controls in addressing such risks.
Develop a Stand-alone MRB Compliance Program
The financial institution should adopt policies and procedures for BSA compliance that are tailored for the MRB industry, and which include robust requirements around customer due diligence, monitoring, and SAR reporting.
- Enhanced Customer Due Diligence Is Critical. An effective marijuana-related business compliance program must include an enhanced customer due diligence process for classifying the risks presented by each marijuana-related business. This process should be comprehensive and require the financial institution to have dedicated marijuana-related business compliance personnel and resources. Customer due diligence for a marijuana-related business should include, at a minimum, review of the business, state licenses, principals, premises, and operations of the subject marijuana-related business. Based on the customer due diligence, many financial institutions risk rate marijuana-related businesses on two dimensions: into tiers depending on the degree to which the customer engages directly or indirectly in marijuana-related activities and into categories based on the projected volume of sales and number of licensed locations.
- Monitor for Suspicious Activities and File Required Reports. Once a marijuana-related business is onboarded, it is critical to monitor its transactions and operations for suspicious activity. This process may include using traditional software programs to monitor for suspicious activity, but should also include frequent tailored reviews of the business's transactions and business operations. The frequency of monitoring should be based on the marijuana-related business's risk rating and the types of transactions that are anticipated.
Note that as an MRB program expands, the financial institution is likely to experience an increase in CTR filing requirements. Financial institutions should confirm that they have appropriate resources in place to handle increases and ensure that their policies and procedures require aggregated deposits for CTR filing purposes consistent with FinCEN guidance. This may prove a greater challenge for financial institutions that have customers with multiple locations that make separate deposits. Similar to the above, financial institutions should ensure they have resources in place to manage an increase in SARs and continuing SAR filings for their MRB customers.
- Impose MRB Program Limits. Most MRB programs include limits on the number of permissible MRB customers that may be boarded, or the total volume of MRB deposits that the institution may accept. As an institution expands its services to MRBs in additional jurisdictions, the MRB should review and adjust these program limits as needed to manage risk.
- Be Prepared to Manage the Risk of Increased Volume. Most financial institutions gather a significant amount of information and documents from MRBs as part of the onboarding and periodic monitoring processes. The volume and scope of this information are likely to increase significantly if an institution takes on more customers, including customers that operate in multiple locations across multiple states. The institution will need to ensure that its staffing remains adequate to review all of this additional information and material, and that it is used as required by the MRB program policies and procedures.
- Be Careful in Managing the Risks of Multi-State Complexity. Multi-state MRBs are likely to have more complex corporate structures, including affiliated companies and other companies under common ownership. An MRB program should require that appropriate diligence be performed on these structures and entities, which will require additional time and effort.
- Multi-state MRBs may have multiple lines of business that have various different types of MRB licenses, or that fall into different types of risk categories and tiers. These entities will require their own bank accounts and should be subject to separate underwriting and monitoring.
- Multi-state MRBs are likely to have more dynamic business operations, including the opening of new locations, introduction of new products, and mergers and acquisitions. They also may have more vendors, including those in multiple states. A financial institution will need to ensure that its ongoing monitoring tracks these different vendors and changes to ensure its program is covering the MRB's current operations.
- When reviewing MRB business activities to identify potential suspicious activity, it is possible that multi-state MRBs, with multiple locations and more complex businesses, will have more difficulty in providing accurate estimates of their business activities, given the dynamic aspects of their businesses. The financial institution may need to perform more work to review and clear discrepancies between the estimates and actual results.
- Multi-state MRBs are likely to have significantly more locations that will require onsite visits. In connection with deposits, financial institutions should be transparent regarding the source of funds with each Federal Reserve branch at which they deposit funds. The added complexity of picking up and dropping deposits across the country will require financial institutions to perform heightened supervision of their armored car service providers.
- Recordkeeping. Keep meticulous records and written procedures so that the compliance department can fully document issues and the corrective measures taken.
- Monitor BSA/AML Developments. The board, management, and senior officers should monitor BSA/AML developments generally and any regulatory guidance or statements made with respect to cannabis banking and incorporate any lessons or best practices into its MRB program.
* * * * *
The regulatory landscape for MRBs and ancillary service providers continues to present challenges, given the interplay of relevant state and federal laws and guidance. For those financial institutions that decide to provide services to the industry, it is critical that they do so carefully, and consistent with regulatory expectations and industry best practices. This approach has been followed by a number of institutions so far, and provides the best path for mitigating risk moving forward.