It is estimated that by 2020, revenue from both legal recreational and medical cannabis in the US is likely to be in the region of $15 billion, surpassing the revenue of the National Football League. If your institution can navigate the legal and regulatory implications, the emerging cannabis banking sector presents significant opportunities.
But, banking the cannabis sector is complex and made even trickier from an abundance of misinformation and industry myths. While potential legislation like the SAFE Banking Act continues to progress through Congress and offers some future clarity, FIs can begin preparations now by putting robust cannabis compliance policies and procedures in place.
If you work in compliance at a financial institution (FI), you’re likely well-versed in the steps required to achieve Bank Secrecy Act (BSA), know your customer (KYC), anti-money laundering (AML) compliance. It’s a given that you should be effectively identifying and/or screening for sanctioned entities and other high-risk entities like politically exposed persons.
But what about cannabis compliance? Do you actually know if your organization is banking a direct or indirect Cannabis-Related Business (CRB)? Do your internal governance guidelines and procedures have a structure to effectively reflect and effectuate policies?
Whether or not you are knowingly servicing (or considering servicing) CRBs, it is increasingly essential and expected that your FI can demonstrate a willingness and ability to effectively identify and manage cannabis-related risk. And just like any other risk, that means making a full risk assessment of the clients you onboard to determine if they are actually a high-risk entity, regardless of what they may self-report. As the cannabis industry continues to quickly grow throughout the country and world, it’s increasingly likely that “seemingly unrelated companies” in fact have connections to — or actually are — CRBs, which require identification, enhanced due diligence (EDD) at on-boarding and close on-going monitoring.
Being able to effectively identify CRBs will allow your financial institution to make fully informed decisions that fulfill strategic objectives and support Banking Secrecy Act (BSA) AML compliance and FinCen Marijuana Banking Guidance.
Understanding the Sector
The three main cannabis segments
A critical first step is simply understanding and being able to differentiate between Cannabis, Marijuana, Hemp and Cannabidiol (CBD). Each segment has its own unique legal and regulatory differences. In our Cannabis Cheat Sheet for Compliance Officers, we delve deeper into the forms of “cannabis,” but as a refresher:
- Marijuana is “cannabis” with Tetrahydrocannabinol (THC) content over 0.3 percent. It is listed as a Schedule 1 drug on the Controlled Substances Act (CSA) due to its psychoactive properties and “no medical use.” From the federal perspective marijuana remains illegal, but, state-by-state legality varies for medical and recreational use. These are “Marijuana-Related Businesses” aka MRBs.
- Hemp is “cannabis” with THC content of 0.3 percent or less. Its low levels of THC led federal authorities to remove “hemp” from the CSA’s definition of “marijuana” via the 2018 Farm Bill. Hemp purportedly has thousands of industrial uses, however most hemp is currently grown to produce CBD. From a federal perspective, hemp was “legalized,” but federal and state implementation has been slow to roll out and there are numerous federal and state licensing and regulatory considerations (eg, anyone cannot simply start growing hemp in their backyard like tomatoes). These are “Hemp-Related Businesses” aka HRBs.
- CBD is a compound found in “cannabis” -- it can be extracted from either “marijuana” or “hemp.” CBD is the primary driver of the US hemp industry and is set to be worth $16 billion in the US by 2025. However, much of the CBD currently produced and sold appears to fall into a legal grey area as a result of FDA rules, questionable sources, THC content and state laws. Financial institutions can reference our CBD Decision Tree when considering providing banking services to CBD-related businesses. These are “CBD-Related Businesses” aka CBD-RBs.
Assessing risk: Tiering the nature of different types of CRBs
CRB Monitor’s CEO, Steven Kemmerling, first laid out a risk-tiering framework in 2016 to differentiate types of marijuana-related businesses and perceived risk in his ACAMS Today white paper Defining Marijuana-Related Businesses. Although the framework was originally written with marijuana-related businesses in mind, the framework still generally applies across all types of CRBs — marijiuana-related, hemp-related and CBD-related.
Tier 1 = Direct
This tier poses the highest perceived risk to financial institutions and is divided by CRB Monitor into two parts, 1A and 1B:
Businesses in this tier literally touch the cannabis plant at some point along the supply-chain from “seed-to-sale” and are generally licensed by a government agency or regulator. Effectively all of their actual or expected revenue is derived from the cultivation, production, testing, or sale of cannabis. Although marijuana-related businesses are generally considered riskier than hemp-related businesses by CRB Monitor; both marijuana and hemp cultivators and processors are plant-touching and licensed, and thus categorized as Tier 1A.
CRB Monitor tiers businesses that have a financial or controlling interest in a Tier 1A CRB as “Tier 1B”. CRB Monitor generally considers 1B businesses as the “seemingly unrelated businesses” highlighted as red flags by FinCEN in its marijuana banking guidance and are similar in nature to individual beneficial owners. To understand the nature of a 1B, it is necessary to examine the nature of the underlying, linked 1A businesses to make a full risk assessment. CRB Monitor fundamentally thinks of Tier 1B MRBs differently from “indirect” Tier 2 and Tier 3 MRBs (defined below).
Tier 2 = Indirect, with “substantial” revenue from Tier 1 CRBs
This tier poses a moderate risk to financial institutions and consists of businesses that are specifically focused on the cannabis industry and typically newer, but are not otherwise “direct” or Tier 1. When determining what qualifies as “Tier 2” CRBs, CRB Monitor now considers two qualifying tests:
- Tier 1-Derived Revenue: Companies that earn “substantial” revenue by selling products and services to Tier 1 CRBs. “Substantial” revenue is difficult to determine and is open to interpretation, so it is best determined by each institution as part of their risk assessment. Although we generally see 50% as the percentage, we have seen some financial institutions lower this to 10-25-33% while others increase it to 66%. The type of product or service being sold does not really matter — it could be fertilizer, lighting or professional services. The point of revenue-based Tier 2 CRBs is KYCC — do you know your customer’s customer and what is your institution’s risk tolerance? These Tier 2 MRBs might generally be considered to be aiding-and-abetting the federally illegal activity of Tier 1 MRBs.
- Hemp-Derived Product Threshold: This is a new concept since our Defining "MRB" article, which was written 2016 (ie, before “hemp” was fully legalized. One area of frequent discussion among CRB Monitor clients and colleagues was “Do hemp-derived product businesses categorize as Tier 1 or Tier 2?” Although (A) both hemp cultivation/production businesses are categorized as Tier 1 due to state/federal licensing and monitoring requirements and (B) marijuana-derived products are always (currently) Tier 1 due to being federally illegal, CRB Monitor generally categorizes hemp-derived, FDA-regulated products (ie, medicine, food/beverage, nutritional supplements and cosmetics), including CBD, as Tier 2 CRBs.
Furthermore, “substantial” revenue should be derived from hemp-derived products to qualify as Tier 2; if only incidental revenue is generated, CRB Monitor categorizes as Tier 3 (explained below). This generally includes hemp-derived CBD producers, especially given the FDA’s April 2020 de-scheduling of Epidiolex. However, institutions must remain vigilant that CBD-related businesses are not potentially running afoul of any state or federal rules and regulations, such as selling products in a state where CBD is illegal or marketing CBD with false medical claims (like CBD cures COVID19).
At this point, you may be wondering: “What about businesses selling hemp-derived products that are not regulated by the FDA?” In this case, CRB Monitor generally does not consider these businesses as “CRBs” at all as they are (1) selling products that require effectively no licensing/monitoring and (2) are not in violation of any state statute. As such, they arguably pose very little, if any risk, to financial institutions. For example, hemp-derived rope, and hemp clothing, and plastics manufacturers are generally not considered “CRBs” by CRB Monitor.
Tier 3 = Indirect, with “incidental” revenue from Tier 1A CRBs
Posing the lowest perceived level of risk to financial institutions, Tier 3 CRBs are typically larger, older businesses making a foray into the cannabis space and derive only “incidental” revenue from (1) selling some products and services to Tier 1 CRBs and/or (2) selling hemp-derived products. Basically, Tier 3 businesses are like Tier 2; the key difference is the relative portion of the company’s revenue coming from these activities.
Once organizations can differentiate the types of cannabis-related businesses and decide on perceived risk, the next step is to build policies and procedures to put them into practice. For more information on this crucial next step, read our blog on 5 Fundamentals to Understanding, Identifying and Monitoring for CRBs.
The information provided herein presents general information and should not be relied on as legal advice. If you have specific questions regarding a particular fact situation, please consult with competent legal counsel about the facts and laws that apply.