Last Friday, the Financial Crimes Enforcement Network issued Guidance that is intended to clarify how banks can provide financial services to marijuana-related businesses and still comply with their BSA/AML obligations. Unfortunately, the intent of the Guidance is undermined by its stipulations. So much so, in fact, as to beg the question of whether FinCEN’s actual intent is to make compliance impossible.
It is not surprising that the new Guidance identifies marijuana-related businesses as “high-risk.” Thus, banks serving these businesses will be expected to implement heightened risk management, diligence and monitoring activities under their regular BSA/AML programs. Some of the Guidance’s suggested diligence activities are relatively straightforward—they are activities for which banks are well equipped. Most banks, for example, can easily undertake monitoring of publicly available sources for suspicious activity or obtain information from state authorities about the nature and licensing of the bank’s customers.
But then the Guidance takes a turn toward impossible. It suggests additional monitoring activities that are vague and beyond the capabilities of most banks’ existing BSA/AML programs. Under the Guidance, for example, banks must “develop an understanding of the normal and expected activity for the [marijuana-related] business.” So presumably, a bank must show that it knows the normal and expected pot usage of the demographic served by its marijuana business customers? Not surprisingly, the Guidance doesn’t specify how a bank should develop this knowledge or what activities will be deemed sufficient. Also, the Guidance states that a bank must “consider whether a marijuana-related business implicates one of the Cole Memo priorities or violates state law.” This means that a bank must determine whether a marijuana-related business potentially involves (among other things) distribution of marijuana to minors, diversion of marijuana to states where it is illegal, and using state-authorized marijuana activity as a cover for trafficking other illegal drugs. Again, the Guidance does not suggest how a bank is supposed to make this determination. On its face, the Guidance seems to suggest that a bank should conduct its own, ongoing criminal investigation.
Presumably the bank must undertake these heightened monitoring activities so that they can comply with the Guidance’s new Suspicious Activity Report (“SAR”) requirements. Here, the Guidance implements a new marijuana-specific SAR filing system that is not applicable to other businesses. Generally speaking, if a bank serves a marijuana-related business that it “reasonably believes” (based upon the above-described diligence activities) does not violate the law, it must file a “Marijuana Limited SAR.” The new “Marijuana Limited SAR” contains limited identifying information about the subject business and a statement by the bank that “no additional suspicious activity has been identified.” Then, if the bank detects any changes in activity that potentially implicates a violation, the bank must file a “Marijuana Priority SAR,” or if the bank believes that the suspected violation merits account termination, a “Marijuana Termination SAR.” The Guidance does not specify how a bank is to determine when a violation is sufficiently serious as to merit a Marijuana Termination SAR over a Marijuana Priority SAR.
The practical difficulty of complying with the Guidance’s new SAR filing system becomes even more apparent when you dig into its list of “red flag” filing triggers. There, as with the suggested diligence activities, the list includes a number of things that most banks are not in a position to observe or identify. For example, the Guidance suggests that a Marijuana Priority SAR or Marijuana Termination SAR should be filed when the “business makes cash deposits or withdrawals over a short period of time that are excessive relative to local competitors or the expected activity of the business.” Also, a heightened SAR is required when “the business is depositing more cash than is commensurate with the amount of marijuana-related revenue it is reporting for federal and state tax purposes.” These types of filing triggers imply that the bank must analyze their customer’s income relative to the marijuana using demographics of its customer base and perform, in effect, an annual tax audit on these businesses.
Based upon the plain language of the Guidance, it would appear that a bank seeking to provide financial services to the legal marijuana industry is essentially tasked with active, day-to-day policing of these businesses in a manner that extends far beyond account monitoring. The level of expected monitoring is suggestive of an ongoing criminal investigation or forensic audit, but with stiff consequences for the bank if it fails to catch the criminals.
The bottom line here is that, even in light of the new Guidance, providing banking services to the “legal” marijuana businesses is still a risky business. However, given the trend toward legalization and high sales projections for this industry, some banks may decide that the potential benefit justifies the additional risk. Our advice to those banks is to proceed with caution and with a robust system of diligence and monitoring. Those banks should consider engaging outside consultants to assist with the development and implementation of a risk management program specific to this industry. In addition, those banks should ask for heightened contractual protections from marijuana-related business customers. Such protections would include things like broad indemnities supported by cash reserves, heightened representations and warranties regarding compliance with applicable law and ongoing document production and access requirements. Also, banks should consider and incorporate additional monitoring and risks management costs into their fee structure for marijuana-related business customers. Banks who employ these types of protections will be in a much better position to withstand regulatory scrutiny than those who do not.