This series of articles is about banking and not banking marijuana related businesses. In this first installment, we discuss challenges and solutions for FIs that have decided not to maintain MRB relationships.
Here are the steps for institutions that chose not to bank MRBs.
Step 1: Make sure you mean it and you’re willing to “derisk” MRB relationships.
Many financial institutions, especially those in markets in which marijuana is legal for medical or recreational uses, have effectively adopted a “don’t ask, don’t tell” policy with regard to potential MRBs. “Don’t ask, don’t tell” at least in the sense that they may not have effective policies and procedures (including required CDD and EDD) to identify MRBs in their customer base. This is not irrational (although it is most definitely higher risk than making a conscience decision and supporting it with action), especially for those institutions whose primary regulator is a relatively MRB-friendly state rather than a federal entity. Not looking (or not supporting a no tolerance policy for MRBs) might work until the regulatory landscape is clarified. So, if you want to take the risk that your regulators won’t hold your feet to the fire, then keep doing what you’re doing (or not doing) and see what happens. You won’t be alone if the regulators decide to get tough.
If that’s your institution’s position, save yourself five minutes and STOP reading **HERE**
Step 2: Decide what you define as an MRB.
If you decide to support your no tolerance policy with a system to define, identify, and react to MRBs then you must first define “MRB.” We recommend you define and document what constitutes an MRB by discovering to what degree the existing or potential customer deals with and derives revenue from the marijuana business.
AKA: The “degrees of separation from the herb” analysis.
Commentators have arrived at a common language for evaluating MRBs:
- Tier 1: Businesses that touch the seeds or plant including growers, harvesters, processors (producing marijuana-based oils or other products), transporters, wholesalers, and retailers.
- Tier 2: Businesses that sell products or provide services to Tier 1s or otherwise facilitate the growing, processing, transport, sale, or consumption of marijuana potentially including hydroponic suppliers, payment processors, private ATM (both fiat and crypto) companies, and licensing and tax consultants, packaging suppliers, or trade groups. To meet our informal definition of a Tier 2 MRB, the business should have reason to know it is supplying goods or services to the Tier 1 and should derive some “material” part (“material” to be defined by the FI although some commentators suggest that a certain percentage of revenue derived from MRBs—like 50% or more—could separate a Tier 2 from a Tier 3 ). More on this below.
- Tier 3: Businesses not focused on providing products or services to Tier 1s but who do so as and ancillary or immaterial part of their business. Examples include armored car companies who transport cash on behalf of Tier 1s as an immaterial part of their overall business, accountants or tax or licensing consultants who work with Tier 1s as an immaterial part of their practice, or fertilizer companies who sell products to the general market including Tier 1s.
Some bright lines exist along these tiers, but there can be considerable ambiguity. Take a landlord who rents space to a Tier 1. If the landlord’s building is a single tenant facility deriving all its revenue from the Tier 1, you could put the landlord solidly in the Tier 2 category. On the other hand, a landlord that a 25,000 square foot strip center that rents 1500 square feet to a Tier 1, could be considered a Tier 3.
To deal seriously with the MRB question, your policies and procedures will detail how you will determine what customers and potential customers fall into each tier and then what customer relationships you are willing to maintain or derisk. In the course of this analysis, your business leaders will answer questions like: (1) What systems will the FI use to determine MRB status (e.g., additional questions in the CIP process for new customers, adjustments to transaction monitoring systems to look for cash transactions, the use of outside database resources/vendors to search licensing resources and public records), (2) What percentage of the customer’s revenue may be derived from marijuana before it is classified as a Tier 2 (as opposed to Tier 3 or unclassified)? (3) Is the FI willing to maintain any relationship with a business classified as Tier 2?
Regrettably, regulators have thus far offered no help, and with the rescission of the Cole memo in early 2018, it appears to us help is not on the way anytime soon.
Our best advice? Create policies and procedures that define an MRB for your institution based on the “degrees of separation from the herb” test and for those entities who do not touch the plant, create criteria (like percent or revenue derived from Tier 1) to determine how that customer will be classified in your system.
Step 3: Ask, Look, Smell, Adjust, File. Recognize that even legitimate/licensed MRBs are likely trying to “fly below your radar” and act accordingly.
Step 3.1: Ask.
This one is obvious: Revise your KYC procedures to ask direct and indirect questions about the potential customer’s involvement with marijuana. In a future installment of this series, we will outline inquiries that are critical to determining a potential customer’s MRB status. In our experience, direct, clear questions work the best, both for determining MRB status and then supporting later derisking if necessary. For example: How much of your revenue to you derive from business that grow, harvest, transport, process (create oils or edibles), or sell marijuana or other cannabis related products?
Step 3.2: “Look” at outside data.
There are some very good data providers that keep track of MRB licenses and individuals associated with these licenses. Without utilizing these resources, it will be difficult for you to argue to auditors or regulators you have an effective program to prevent MRB banking.
Step 3.3: Smell.
Cash that spends time around weed tends to smell like weed. MRBs tend to do business in cash. You should investigate businesses that would not normally be cash-based (like transportation companies, “farms”) that deposit piles of cash (stinky or not).
The point here is that all FIs should revise their BSA/AML policies and procedures to account for known characteristics of MRB-related transactions—like cash transactions with stinky cash, cash transactions for businesses that do not normally deal in cash, material increases in cash transactions, farms or processing facilities in marijuana producing areas whose business activity materially changes after legalization.
Step 3.4: “Adjust” your transaction monitoring systems to be more sensitive to cash transactions in certain locations or with customers who may be acting as MRBs or doing business with MRBs.
Transaction monitoring system adjustments reflecting the evolving risk landscape should be part of your BSA practice. For many institutions, it is not. This is as good a time as any to start.
You can discover (through the data sources discussed above) or you already have a pretty good idea in your local markets, where marijuana is grown, processed, and distributed. For areas of concentration of MRB activity, have your transaction monitoring system look for cash. For companies who might meet your definition of MRB, look for unusual cash transactions. These red flags will give you a good sense of where you are exposed to MRBs.
Step 3.5: File SARs.
When your red flag investigation indicates MRB activity meeting your SAR filing policies and procedures, file a SAR. The Cole memo was rescinded, but FinCEN guidelines on enforcement priorities and MRB SAR practices are still in effect. It’s critical that you follow the FinCEN guidance once you have installed policies and procedures discussed above calculated to quantify your MRB risk.
Step 4: Derisk.
Take control of your risk profile and if a customer is an MRB or doesn’t pass the “smell test,” fire them. Marijuana is a Schedule 1 substance under the federal Controlled Substances Act. Is that designation supported by the voters in your state? Doesn’t matter. Federal law prohibits financial institutions from facilitating transactions in Schedule 1 substances, so if your institution has decided to abide by the letter of federal law, then derisking is the best alternative.
If your institution is thinking about servicing MRBs read part two of this series on how to manage the risk when offering services to MRBs.
About the Authors
Mark Stetler is CEO of RegSmart. He has a BBA in Finance from Baylor University (cum laude, 1985) and a law degree from the University of Texas (with honors, 1988). Mark has worked in the financial services industry for 30 years as an attorney and entrepreneur. Mark previously co-owned one of the nation’s largest firms specializing in forensic financial audits. He is a Certified Anti-Money Laundering Specialist and a chief architect of RegSmart’s anti-money laundering risk assessment and audit SaaS.
Ben Knieff is an executive advisor and consultant, specializing in fraud detection, identity verification, authentication and biometrics, anti-money laundering, sanctions screening, counter terrorist financing, blockchain technologies and banking high risk entities such as cannabis related businesses. He has worked in the financial services industry for FIS, PayPal, NICE Actimize, and Aite Group and has been quoted by such publications as American Banker, Bank Info Security, The Times of London, Forbes, The New York Times, and Wall Street & Technology.
About RegSmart
RegSmart offers the best-in-class automated BSA/AML risk assessment. Supported by subject matter experts, RegSmart collects data with intuitive wizards and stores that data for regulatory compliance and change management. RegSmart delivers complete, plain language reports with actionable intelligence. Please visit us at www.beregsmart.com.
If you would like to see a demonstration of our best-in-class automated BSA/AML risk assessment and audit applications, please contact us at 214.919.4670, or email John Ravita at jrravita@beregsmart.com or Mark Stetler at mstetler@beregsmart.com. We look forward to visiting with you.