The Risk Management of Banking Higher Risk Businesses: A 3-Tiered Approach

As more states legalize marijuana for medical and recreational use, the banking industry faces new challenges in managing the risks associated with serving the marijuana business and marijuana-related businesses (MRBs). While the federal government still considers marijuana illegal, many states have legalized it in some form, creating a complex regulatory landscape for financial institutions.

The most relevant regulatory guidance and articles from the Financial Crimes Enforcement Network (FinCEN) are:

• FIN-2024-G001 BSA Expectations Regarding Marijuana-Related Businesses, and
• The Cole Memo, which notes these enforcement priorities are listed in general terms; each encompasses a variety of conduct that may merit civil or criminal enforcement.

Explore a three-tiered approach to risk management for MRBs in the banking industry. It’s important to note this article is not legal advice and should not be relied upon as such. We recommend consulting with your examiners and legal professionals to comply with all applicable laws and regulations.

Marijuana is legal in your state, now what? 

As various states legalize marijuana, that generally means it’s legal for medical and recreational use. This means MRBs are operating legally in the state and may need banking services. However, it's important to note marijuana is still illegal under federal law, which creates challenges for financial institutions wanting to serve these businesses. Various restrictions may be present at the city or county level and further research may be necessary.  

A multi-tiered approach, first detailed in a 2016 ACAMS Today Magazine article by CRB Monitor’s Steven Kemmerling (and later updated in 2020), has become industry practice. There’s no guidance or regulation directing a tiered approach but has typically been considered the acceptable process from examining bodies.

• Tier 1 — Touching, selling, cultivating the product, direct sales, etc.
• Tier 2 — Portion of proceeds come from Tier 1. For example, landlord, lawyer, shipping, accountant, etc. The percentage of proceeds from Tier 1 should be further defined and monitored on a continual basis during EDD. 
• Tier 3 — Incidentals such as municipalities, internet services, etc. 

Generally, employees of Tier 1 are not included in tiers but should have oversight monitoring those accounts during the defined EDD periodic reviews, as warranted.  

Financial institutions considering serving marijuana businesses and/or MRBs should have a strong risk management program in place from the top down. Review FinCEN’s Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance (FIN-2014-A007) for how to incorporate a strong compliance structure. This includes policies and procedures for EDD, customer due diligence (CDD), ongoing monitoring, and suspicious activity reporting (SARs). 

Financial institutions should also have a strong compliance program including training for employees and regular audits to comply with all applicable laws and regulations. This includes conducting detailed CDD to onboard marijuana and/or MRBs to understand their business activities and identifying potential risks associated with serving them.  

Board of directors involvement

The board of directors should be involved in the decision to serve this industry and fully understand the elevated risks associated with serving these businesses. Strong risk management programs should be in place and the board should also confirm the compliance program is robust and employees are trained to identify and manage the risks associated with serving this industry.  

Operational areas to consider

In addition to BSA compliance, financial institutions serving this industry should also consider other areas of risk management. This may include, but is not limited to:

• Legal risk — Financial institutions should verify they comply with all applicable laws and regulations, including state and federal laws related to marijuana.
• Reputation risk — Serving this industry can create reputational risk for financial institutions, particularly if the financial institution is seen as supporting illegal activity.
• Operational risk — Financial institutions should verify they have the operational capacity to serve MRBs, including the ability to manage cash deposits and withdrawals.
• Credit risk — Financial institutions should carefully evaluate the creditworthiness of the business before extending credit and the volatility of the collateral used.
• Liquidity risk — With having elevated balances in these accounts, there’s risk of having large/liquid balances on your balance sheet.  

Before you onboard this business or when you identify the business in your current business base, the CDD collected is a critical component of risk management. Financial institutions should conduct thorough CDD to understand the business activities and identify any potential risks associated with serving them. This may include, but is not limited to:

• Understanding the nature of the business activities, including the types of products or services they offer and the markets they serve and their percentage of revenue from the federally illegal proceeds.
• Identifying the owners and key personnel and conducting background checks on them.
• Understanding the source of funds and conducting ongoing monitoring to verify the funds are legitimate.

EDD/ongoing monitoring

EDD and ongoing monitoring are also critical components of risk management for this industry as the marijuana business or the MRB. Financial institutions should conduct extensive EDD on these businesses given they may pose a higher risk of money laundering or other illicit activities due to cash-intensive nature, and lack of regulatory oversight. If financial institutions do not understand the activity change noted on statements or other activity, an open dialogue with the higher risk businesses is imperative. This may include:

• Conducting more in-depth background checks on the owners and key personnel.
• Conducting site visits to the facilities to verify their business activities.
• Conducting ongoing monitoring to verify the activities remain within the scope of what is legal under state law.

Fee considerations

Financial institutions serving this industry may need to charge higher fees to offset the additional compliance burden associated with serving these businesses. However, financial institutions should be careful not to charge fees that are discriminatory or that violate fair banking laws. Fees should not be something you set and forget, the agreement for what fees are charged should be mutually beneficial and flexible enough to encourage the businesses to bring their cash into the financial system.  

Fees will generally vary depending on the financial institution, the specific services being offered and various aspects of the banking relationship. Financial institutions should carefully evaluate costs and risks associated with serving this industry when setting fees; fees should be periodically reviewed to remain mutually beneficial to both parties involved.

Financial institutions serving this higher risk industry should have policies and procedures in place for reporting suspicious activity. This includes filing SARs; when necessary, refer to the FIN-2024-G001 BSA Expectations Regarding Marijuana-Related Businesses for a full explanation of SAR filings. Financial institutions should train employees to identify and report suspicious activity related to MRBs, including transactions inconsistent with the MRB's business activities or involving large amounts of cash.

How we can help

With ever-changing laws and business opportunities, it’s important for financial institutions to stay on top of legal, financial, and accounting regulations. Our financial services team is well versed in the many rules regarding marijuana-related businesses and can help navigate the rules and meet them. 

Contact us

Serving marijuana businesses? Strengthen your risk management. Complete the form below to connect with CLA.