One of the biggest challenges for marijuana dispensaries and other marijuana-related businesses (MRBs) is obtaining access to banking and other financial services. So long as marijuana remains illegal at the federal level, many banks, credit unions, lenders, and other financial institutions (FIs) will continue to remain wary of the industry, no matter how many states legalize the sale and use of marijuana.
There may, however, be hope on the horizon for MRBs, at least according to a Financial Crimes Enforcement Network (FinCEN) report. As of March 2017, FinCEN reports that 368 banks and credit unions are providing services to MRBs. For MRBs, this is undoubtedly a positive, if still nascent, development. For this growth to continue, FIs and MRBs need to work together to ensure that financial services are provided to, and used by, the marijuana industry in a responsible, safe, and sound manner.
The Regulatory Framework for Banking MRBs
The federal Controlled Substances Act (CSA) continues to make it illegal under federal law to manufacture, distribute, or dispense marijuana. Nevertheless, twenty-nine states and the District of Columbia have authorized the use and sale of medical marijuana, and eight states and the District of Columbia have legalized its recreational use.
As more states legalized marijuana, the federal government issued guidance allowing banks to provide services to MRBs under certain circumstances. In August 2013, the Department of Justice's Deputy Attorney General, James M. Cole, issued a memorandum advising United States Attorneys on marijuana enforcement under the CSA, and then issued a second memorandum in February 2014, addressing application of federal law to financial institutions that deal with MRBs (collectively, the "Cole Memos"). The Cole Memos direct DOJ attorneys and law enforcement to focus their resources on persons or organizations whose conduct interferes with any one or more of eight enforcement priorities, such as preventing the distribution of marijuana to minors.
On the same day DOJ issued the second Cole Memo, FinCEN issued guidance ("FinCEN Guidance") clarifying how FIs can provide services to MRBs consistent with their anti-money-laundering (AML) obligations under the Bank Secrecy Act (BSA). The BSA, as amended, requires banks to establish AML programs, file reports on suspicious activity and large cash transactions, and keep certain records of transactions. The FinCEN guidance establishes unique suspicious activity reporting (SAR) procedures for MRB-related accounts, including the filing of limited, priority, and termination SARs, depending on specific circumstances.
Together, the Cole Memos and FinCEN guidance provide the framework for banking the marijuana industry. The guidance, however, is high-level, and leaves most day-to-day compliance issues unaddressed. This gap in guidance can leave banks exposed to regulatory risk. In March 2016, for example, a bank in Illinois entered into a consent order with the Federal Deposit Insurance Corporation and the Illinois Division of Banking relating to its allegedly unsafe and unsound BSA program. Although marijuana is not mentioned in the consent order, it has been reported that the action stemmed from the bank's MRB program. If that was the case, then the consent order serves as a warning that while federal and state regulators have allowed banks to serve MRB customers, such services must be provided carefully and pursuant to the regulators' expectations for servicing a high-risk industry.
How Banks and Merchants Can Work Together to Improve MRB Banking
Given the regulatory challenges in banking MRBs, it is critical for banks and their MRB customers to develop a common understanding of these challenges and best practices for banking high-risk merchants. From a bank's perspective, the starting point for banking MRBs is ensuring that the bank has a BSA program that satisfies all of the regulatory basics. From there, the bank will need to enhance and tailor its program for dealing with MRB customers.
The FinCEN guidance explains that the decision to open, close, or refuse any particular account should be made by each bank based on its business objectives and an evaluation of the risks associated with offering a particular product or service. To assess these risks, FinCEN has directed banks to perform comprehensive due diligence on account applicants, and then to monitor MRB customers closely once accounts are opened. Given these expectations, a bank may be better served by establishing formal MRB-specific components within its AML program and a commitment to providing services to the industry rather than accepting MRB customers on an ad hoc basis.
At a minimum, a bank's MRB compliance program should address the following:
- Due diligence and reviews of MRB lines of business, corporate structure, operations, and licensing;
- MRB advertising and marketing; sales practices; and business and supplier relationships;
- Understanding MRB prior banking relationships, and other current banking relationships;
- Monitoring transactions for suspicious activity, including transactions between corporate and personal accounts;
- Currency transaction reporting (which will increase significantly with MRBs);
- Suspicious activity reporting, including limited, priority, and termination SARs (which will also increase significantly with MRBs); and
- Site visits and confirmation of information provided by MRBs in response to periodic account reviews.
For MRBs seeking financial services, understanding this framework for banking marijuana and the pressures banks face when serving the marijuana industry is critical to obtaining and maintaining a successful banking relationship. With this in mind, an MRB should take certain steps before seeking to open a bank account. Of course, obtaining all necessary state licenses to operate an MRB is a given. In addition, an MRB should appoint a compliance officer and implement policies and procedures for compliance with applicable laws and requirements, including areas impacted by the Cole Memos, such as advertising and marketing. This demonstrates to banks that the MRB is managed responsibly and takes its compliance obligations seriously.
Once an MRB is ready to apply for a bank account, the MRB must provide accurate and truthful information in all application and other materials submitted to a bank. Providing false information to a bank is a potential federal offense. As part of this process, the MRB should be prepared to disclose each company within its business structure with its own employer identification number and seek to obtain a separate bank account for each business. The bank is likely to require its MRB customers and their owners and officers to maintain separate business and personal accounts to avoid any commingling of funds.
Once an account is opened, it's incumbent on the MRB to use the account responsibly and in compliance with applicable laws and regulations. An MRB should work closely with its bank to understand the bank's expectations for using the account – some banks, for example, will want the MRB to maintain records that the bank may need to review periodically as part of the bank's ongoing monitoring and due diligence. Similarly, MRBs should be prepared to provide any documentation or information that the bank requests as part of its initial or ongoing due diligence.
While banks are likely to continue to take a cautious approach to MRBs for the foreseeable future, MRBs and banks would both benefit from working together to ensure that banking services are provided in a safe, sound, and responsible manner. Doing so can help protect the banking system, while also ensuring that responsible MRBs are able to obtain banking services.
* * * * *
Andrew Bigart is a Counsel in the Washington office of Venable LLP. He specializes in helping clients in the payments and banking industries navigate the complex federal and state regulatory environment.