Originally published on CUInsight.org.
This is the third in a series of articles covering the generation of non-interest income in cash-intensive businesses, with an emphasis on Marijuana Related Businesses (MRBs). The first article discussed evaluating whether entering this vertical is appropriate for your specific institution. The second article focused on the regulatory guidance that surrounds providing financial services to MRBs. This installment will discuss establishing appropriate policies and procedures within the institution surrounding the banking of MRBs.
I receive a number of inquiries from financial institutions asking if there is a policy template that they can utilize which has gone through both legal and regulatory review for MRBs. The short answer is “no,” but even if one did exist for purchase, I would question its use within your institution. I once purchased a policy template regarding “IT Business Continuity.” I then spent around sixty hours of review and modification to customize that document for my specific institution, as the document in its unmodified form was not appropriate for my needs. The limited amount of guidance regarding providing financial services to MRBs makes the policy creation process much more challenging.
I have reviewed a number of policies that cover the banking of MRBs, and I have seen both ends of the spectrum: some were extremely well crafted with a great deal of detail, containing elements of CIP, enhanced due diligence, on-going monitoring, oversight and audit, and strict operational controls. Other policies I have reviewed were more of a minor extension of the institution’s existing BSA/AML Policy. I strongly recommend the former over the latter.
There are two approaches that can be utilized: Establish a stand-alone MRB Policy or create an MRB addendum to your existing BSA/AML Policy. Either way, you should start with a strong BSA/AML program with both experienced compliance staff and examinations without any significant findings. Any BSA deficiencies prior to the boarding of MRB accounts should be rectified.
Given the importance of adhering to the Cole Memorandum, it is important to ensure that your merchant is in compliance with state cannabis laws. Establish a deep understanding of the state’s licensing process as well as what tools and information are available to the financial institution. These tools may include inventory data, lists of currently licensed entities, or even infractions. You will also want to obtain information on, and validate, how your client is adhering to the enforcement priorities as outlined in the Cole Memo.
Although the scope of this article is not to outline every possible detail to include in your policy, I will address several general sections, which you can build on with the details specific to your institution and appropriate to your clients.
- Initial Due Diligence: This should include all typical entity documentation, plus all MRB-specific documents. Be aware that in addition to state licenses, both county and local municipality permits may be required, and will need to be validated and monitored. I would also gather and review leases, or review title information if the property is owned. Beneficial ownership is now drawing increasing regulatory scrutiny, so pay additional attention to this area. Information such as anticipated deposit activity will need to be collected not only for the initial due diligence, but to help establish baseline activity for the merchant. You may also want to collect personal financial statements in addition to the business balance sheet, P&L statement, and tax returns. Get a firm understanding of how the business operates, including products, major vendors, and all sources of revenue.
- Governing Laws and Definitions: I recommend including a section in your policy that contains or summarizes the specific state laws and federal guidance (Cole Memo, FinCEN guidance, etc.) that surround the banking of MRBs. This is also a good place to set forth definitions that will be utilized throughout your policy.
- Specific BSA MRB requirements: The policy should address the three types of specific MRB SAR filings as well as the requirements, triggers, and red flags (refer to the FinCEN guidance regarding red flags). I recommend having specific policy statements for recurrent SARs in this section.
- On-going Monitoring: Deposits should match the transactions that occur at the point of sale. Hypur has developed technologies specifically for this purpose. You should also be monitoring activity against baseline, the source and destination of account activity, CTRs, etc., and include processes to begin case management and resolution for abnormal or suspect activity. Remember that the money going out of your institution is just as important as the money being deposited. I also recommend monitoring financial statements against tax payments and returns, as well as monitoring the merchant’s compliance with state law. Track and monitor all applicable licenses. Ensure that processes are in place for 314(a) and OFAC compliance as well.
- Risk Analysis and Ratings: As mentioned in my previous article, develop a process to provide a risk analysis and scoring for your MRBs. I would have this as an addendum to the policy.
Bear in mind that technically, anyone who derives income from the cannabis industry becomes an MRB. BSA/AML MRB requirements go beyond accounts that are opened for businesses that deal directly with the product, so have provisions in your policies to cover accounts with vendors, owners, and employees as well.