Providing banking services to marijuana-related businesses (MRBs) continues to present a two-fold risk to the U.S. financial sector: i) the mire of state versus federal regulatory posturing regarding marijuana and its derivatives; and ii) the potential for tapping into and capitalizing on a new market. For the most part providing banking services for MRBs has moved to the community banking space due to the 2018 rescinding of the U.S. Justice Department’s Cole memo.
This means that marijuana growers, processors, wholesalers, and distributors are relying on those state-level financial institutions and non-banking financial institutions to facilitate trade. Federally chartered financial institutions then have to create a bright-line risk appetite framework not only for the direct marijuana products but also for related services.
Risk Appetite and Tolerance
First and foremost, it would be worthwhile to categorize the type of banking services to MRBs that financial institutions will and will not onboard. Regulators will presumably expect to see this risk tolerance both documented and tested. Part of that expectation will also be a documented effort by financial institutions of the existing clients which each institution will have to either restrict or exit for exceeding that institution’s risk appetite and tolerance.
This too is not as transparent as one might expect. Knowing that financial institutions are being risk averse, some MRBs have taken to committing fraud, opening up shell companies to gain access to a financial institution, in order to bank a product that is ostensibly legal. Anecdotally, some financial intuitions have gone through investigative due diligence for businesses which may have a previously unknown marijuana-related activities in their midst.
For example, one compliance officer mentioned that a business which had listed itself as a “nursery” for Know Your Customer (KYC) purposes, implying that it was a regular plant and gardening supply retailer, was routinely generating suspicious activity monitoring alerts for cash activity.
Michael Schidlow will be speaking on upcoming panels about #KnowYourData and #ArtificialIntelligence at ACAMS 18th Annual AML & Financial Crime Conference, in Las Vegas in September
It wasn’t until staff looked at the company’s Yelp profile when they discovered a litany of references to marijuana products. Similar tales have circulated throughout the anti-money laundering (AML) communities of companies listed as “pharmacies”, “bakeries”, and in particular “wellness centers.” The broader concern for those federally licensed financial institutions is around their indirect exposure to MRBs. As such, it would be useful for such institutions to establish both quantitatively and qualitative criteria for their own indirect exposure and risk tolerance to MRBs.
Beginning outside the bounds of direct marijuana exposure, the exposure should expand to merchant processors, landlords, and other service providers to MRBs. For example, in acknowledging that a dispensary, although legal at the state level, would still be generating Suspicious Activity Reports (SARs) because of its reportable income at the federal level, financial institutions should determine whether or not they could provide banking services to the dispensary’s landlord, knowing that the money used to pay the rent comes from a complex source. To that end, the risk tolerance expansion should include the extension of business products such as loans or lines of credit to the dispensary, as well as sharply codifying whether or not the financial institution would want to serve a dispensary’s beneficial owner after properly identifying that entity’s source of funds.
As with any other type of risk, the risk tolerance for providing banking service to MRBs needs to be contextualized across the products, services, and geography of each financial institution. While it will be interesting to see the prosecutorial and regulatory approach to the first MRB-related banking enforcement action, it is reasonable to anticipate that any regulatory entity would want to see that the financial institution had acknowledged and documented its risk tolerance in this way.
To that end, it would be worthwhile for financial institutions to engage in routine, risk-based testing for potential breaches of their tolerance levels.
An analytics-driven approach to that risk tolerance testing is strongly advised. The key in this inquiry is not to find illegal narcotics dealers, which traditional suspicious activity monitoring should detect, but rather trying to “smoke” out any MRBs which haven’t been properly identified through routine KYC processes.
Depending on the maturity of its analytics capabilities and taxonomy of clients, a U.S.-based financial institution could target small business banking clients, in particular in decriminalized jurisdictions. The likeliest positive outcomes would be among clients that have previously triggered transaction monitoring alerts for cash-intensive activity, in particularly where that activity makes no business sense.
For example, most legitimate pharmacies do not deal in cash, or certainly not enough to trigger an alert. From there, it might be worthwhile to determine whether or not a site visit was ever conducted and review the adequacy of the documentary and non-documentary verification of the client at issue.
As with any other AML-centric review, it is up to each financial institution to make its own risk-based determination of what and how to pursue these issues. It would likewise be up to the financial institution to determine and document whether to retain and restrict, or exit a business that they believe to be an MRB and to treat that business’s beneficial owner similarly.
One Last Question
The most common question that is asked in this space is, “Where do we begin?” in reference to MRB reviews. The simplest response is the simplest question as an addendum to account opening documents: “Do you or your business have any direct or indirect exposure to marijuana or marijuana-related products?”
Even for financial institutions without a footprint in at-risk jurisdictions, taking the step to update KYC questionnaires will demonstrate (as will subsequent training, followed by quality assurance on its use) an acknowledgement and progress towards risk mitigation.