AuditOne Advisory: Cannabis 2019

AuditOne Advisory

From Bud Genovese, Chairman

This advisory summarizes regulations and guidelines related to banking cannabis related businesses (CRB) and also suggests a means for your institution to comply with FinCEN’s third pillar of an effective BSA Program (independent testing) as it pertains to CRB customers.  Our BSA Practice Director, Kevin K. Watson, will review our audit approach to determine your institution’s compliance.  I hope you find this article useful – please share with your colleagues having responsibilities related to BSA/ AML compliance in this area, thank you, — Bud

According to a recent periodical by the Meredith Corporation, George Washington and Thomas Jefferson were cannabis farmers.  Apparently, the cannabis grown by our two former presidents was only of the hemp variety and cultivated for the purpose of producing cloth as opposed to the marijuana strain that can be smoked or ingested to relieve pain or induce mind altered experiences.  Interestingly, President Jefferson made the business decision to discontinue hemp farming at Monticello in 1815.  His reasoning is said to be based on the cost and benefit as the process to convert hemp to cloth was laborious and also led his enslaved laborers to complain about the hardships.  Cotton, tobacco and other crops were easier to harvest.1

The modern day problem for American society and financial institutions (FI) is how to bring the cannabis related business (CRB) into the federally insured financial services market.  The issue has been that, with cannabis being a Schedule I drug under the Controlled Substances Act, federally regulated institutions could not accept deposits without great risk.  That is despite more than 30 states having legalized cannabis for one or more uses such as for medicinal use, recreational use or for hemp and hemp derived products.  As a result, transactions have been typically conducted in cash or crypto currency outside the banking system.  The social costs of that have been high, with significant money laundering and violent crime associated with doing business in the black market.

Marijuana related businesses (MRB) and hemp related businesses (HRB) pose different concerns for a FI.  Thankfully, with the passage of the Farm Act in December 2018, the low-THC (tetrahydrocannabinol) cannabis variety, commonly known as hemp, is very near to being completely legal.  THC is the chemical ingredient that causes psychoactive effects and cannabis with levels less than .3% are considered to be hemp rather than marijuana.  Although federally legalized by the December 2018 Farm Act, cultivation and interstate sales of hemp are not technically protected unless a) grown under one of the federal pilot programs, b) the USDA has created its own plan, or c) the USDA has a separate plan for the state where the business operates from.  That hasn’t stopped many states from licensing hemp farmers.  Also, the USDA has issued an interim final rule on October 29, 2019. With the legalization of hemp cultivation and sales, processed hemp, known as CBD (Cannabidiol), is also legalized, but not as an ingredient in food or drink even though it has THC levels lower than 0.3%.  CBD products are thought to have therapeutic benefits for a variety of ailments and so are available in a variety of non-food forms such as ointments, capsules and tinctures.

Cannabis related businesses (CRB) represent unique challenges for the AML Pillars of Independent Testing and Customer Due Diligence (CDD).   As an audit firm, our responsibility pertaining to CRB is to independently test whether the FI exercises appropriate due diligence and ongoing monitoring over those customers.  This article presents our approach to that testing.  But first, it is useful to summarize the current regulatory environment.  The important regulations and guidelines are as follows.

  • Controlled Substance Act
  • U.S. Justice Department Cole Memorandum (rescinded, but still referenced by regulators)
  • FIN-2014-G001: “BSA Expectations Regarding Marijuana-Related Businesses,” FinCEN, February 14, 2014.
  • State laws2
  • The Farm Acts of 2014 and 2018

Our audit approach is to determine compliance with the most significant requirements or guidelines within those documents.  To do that we organize our test procedures as follows.

Risk assessment

Verify that the overall AML Risk Assessment considers the following pertaining to cannabis:

  • The FI’s state CRB regulatory setup (extent of legality for medicinal marijuana, recreational marijuana, and hemp or CBD)
  • Specific risks (e.g., not operating under federal regulations; hemp or CBD product inadvertently  > 0.3% THC; co-mingling or front for illegal activity; violation of one of the Cole Memo objectives)
  • Activity levels
  • Mitigating controls such as for policies and procedures, customer due diligence, and monitoring

Policies and procedures

Assess the appropriateness of policies and procedures, especially to the extent the following are addressed:

Customer Due Diligence (CDD)

For a sample of MRB and HRB customers, we verify that basic CDD processes are in place at account opening and are updated on a periodic basis, including customer identification, beneficial owner identification, expected activity documentation and customer risk rating.  There is no universal standard for risk rating cannabis related businesses, though certainly Tier I or II would be high risk in most any circumstance, FIs might want to classify most hemp/CBD and MRB Tier III as high risk so that they can be sure to conduct appropriate Enhanced Due Diligence (EDD) on  those businesses, especially suspicious activity monitoring.

We also verify that Enhanced Due Diligence (EDD) procedures described in the 2014 FinCEN Guidance on MRBs have been completed by the FI.  Those include the following:

  • Verification of appropriate and current license
  • Review of the license application
  • Consideration of information on the business from the applicable state (such as inspection reports)
  • Ongoing monitoring of public information (negative news searches)

Ongoing Monitoring

The FinCEN Guidance also requires risk based ongoing transaction monitoring for suspicious activity.    Assess whether ongoing monitoring is appropriately risk-based.  Many FIs utilize a tier classification system with businesses actually touching marijuana as Tier I and others as Tier II or III.  HRB should be its own classification.  At the very least, we expect all transactions for Tier I companies to be reviewed.  Many FIs also collect supplemental information from MRBs such as daily sales and purchasing registers and inventory reports.  As a consequence, it is typical that a specialized automated system is implemented to monitor Tier I businesses.

Suspicious Activity Reporting

The FinCEN Guidelines have specific instructions for the filing of regular SARs or limited SARs for marijuana businesses.  They do distinguish between marijuana and hemp, so we would expect that limited SARs be filed on hemp businesses, until such time as there is official guidance on how it should be treated for SAR purposes.  Our test procedure is to review a sample of marijuana and hemp businesses and assess whether SARs have been appropriately filed in compliance with the FinCEN Guidelines. 

The independent testing approach described above might alert directors, managers and BSA personnel to the most critical compliance concerns pertaining to offering financial services to CRBs.  In our opinion, cannabis banking presents a unique opportunity for community FIs in this era when deposit relationships are so difficult to develop.  With a robust control program, an associated deposit pricing mechanism and an appropriate independent testing program, the cannabis business just might take your FI to a higher place.


  1. “History: Marijuana, Meredith Corporation”, 2019.
  2. “Cannabis Job Aid”, Conference of State Bank Supervisors (CSBS), September 2019.
  3. “Defining Marijuana Related Businesses”, Steven Kemmerling, ACAMS Today, September 20, 2016.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these. 

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for an  Automated AML System Validation or BSA/ Anti-Money Laundering Program audit please contact Kevin K. Watson, BSA Practice Director, AuditOne LLC, at: Contact Us.

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see