The first step in managing risk is defining it. This is a truth shared by many industries, but rings especially true for financial services compliance. As we continue to see a cultural shift in attitudes toward cannabis, institutions have the opportunity to facilitate the growth of an industry which has been excluded from financial services for far too long. However, the ambiguity surrounding regulatory guidance makes this easier said than done.
The definition for a Marijuana-Related Business (MRB) is elusive in many regards. Neither the DEA or FinCEN in their 2014 guidance offer a definition of “marijuana-related business”. The closest to a federal definition we have is from a 2018 SBA Policy Notice (Revised Guidance on Credit Elsewhere and Other Provisions in SOP 50 10 5(J)) that breaks them down into “direct”, “indirect”, and “hemp-related businesses”.
As long as marijuana remains illegal at the federal level, BSA teams will either have to wait for a definition or create their own in the interim. For those willing to get creative, frustration usually follows because a cohesive descriptor becomes harder to formulate as the industry expands.
Luckily, experts familiar with both industries have been hard at work on this question. Most now advocate for buckets of risk for a variety of business types. This allows institutions to follow a risk-based approach to each of the buckets, along with targeted due diligence. The early adopters in the industry began using a three tiered system, developed by Steve Kemmerling of CRB Monitor, which generally involved the following descriptions:
Tier I: These are the highest risk as they are businesses which are “plant touching” and generally licensed by the state. Dispensaries, cultivators, as well as testing and processing facilities fall under this definition.
Tier II: Composed of businesses which rely on the cannabis industry for the majority of their revenue and play a large support function for the industry. These can include equipment suppliers, consultants, and industry associations. While they are not considered nearly as high risk as Tier I, they are identified for enhanced due diligence as they derive nearly all of their revenue from businesses in Tier I.
Tier III: Largely considered “incidental” and posing the lowest risk, these are businesses that also service Tier I but do not rely on the cannabis industry for their primary source of revenue. Entities can include lawyers, accountants, property management firms, and utility companies.
However, the Tiers are not a legal framework - just an expedient model. Why is this a challenge, and why does Green Check use a different model?
An important feature of risk management is a methodology that can be applied consistently across a program or population. Depending on the location of a financial institution’s customer base, one could argue that entire counties fall under the Tier II or Tier III definition if the cannabis industry plays a large role within the community -- this is especially true for harvest season in many cultivation areas. Gray areas are becoming all too common with the creation of new business ventures such as tourist and event planning companies that permit private marijuana consumption as a key part of their offered experience. These tiers can quickly become arbitrary due to the evolving nature of the industry, and financial institutions run the risk of being unable to demonstrate a consistent approach when it’s time to meet with auditors and regulators.
The solution presented by Green Check Verified is simple: Direct or Indirect. These simple, clear definitions look like this:
Direct MRB is one that is plant touching, and therefore licensed by the state’s marijuana authority. This group is impacted by FinCEN Marijuana guidance, and will require initial and ongoing due diligence and monitoring as well as Marijuana SAR filing.
Indirect MRB is a business that derives 51% or more of its revenue from Direct MRBs, and therefore requires some additional monitoring.
We believe that if a financial institution is able to rely on demonstrable evidence rather than prescriptive definitions, BSA officers will be able to manage any existing or emerging risks posed by the industry.
With this definition, all Direct MRBs found in the former Tier I become some of the easiest entities within the industry to monitor. Marijuana licensure is managed by the state and makes identification of these businesses simple. Thanks to the licensing process, all of the supporting documentation required to remain compliant with the state should be readily available upon request thus making CIP collection relatively simple and straightforward.
Transaction monitoring is already enhanced due to seed-to-sale tracking for plants as well as specialized point-of-sale software for the final product. While MRBs should continue to be treated as high risk and subject to appropriate enhanced due diligence, their compliance with all state and federal laws is easier to demonstrate.
Green Check takes this a step further. Our software provides a document management solution which allows for easy CIP collection, retention, and archival. Additionally, it syncs with both seed-to-sale and point-of-sale systems for automated transaction and account monitoring.
Remember that the language you put in your policy will guide your institutions to its actions around these businesses. You’ll want to be as clear and concise as possible.
Interested in learning more? Green Check offers a complimentary Cannabis Banking Bootcamp every month. During this free session, you will learn more about our Direct and Indirect MRB classification as well as an overview of the current regulatory challenges facing the cannabis industry today. Additionally, you will hear our approach to mitigating these challenges from our Director of Program Development, Paul Dunford, and Director of Banking Compliance, Stacy Litke.