Position Papers

Servicing the Cannabis Industry:  How an Effective Compliance and Ethics Program Helps Banks Comply

By Melanie Brown, Infinite Compliance Solutions

July 2016

This article is not intended to advocate the use or sale of marijuana, but simply to discuss the tightrope walked by banks when servicing marijuana-related businesses while complying with federal regulations. Cannabis, mary jane, reefer, and kush are all common names for marijuana. By 1931, marijuana was outlawed in 29 states. Beginning with California in 1996, states started legalizing and decriminalizing the use of marijuana for medicinal purposes. Legal marijuana is the fastest growing industry in the United States. At the time of this article, more than 25 states and the District of Columbia have legalized certain marijuana-related activity. But as legalized marijuana use has started emerging from the shadows at the state level, industries servicing marijuana-related businesses remain under scrutiny at the federal level, because marijuana is still listed as a prohibited and controlled substance under the federal Controlled Substances Act (CSA).[1] One of the industries directly impacted by the state legalization of marijuana is the heavily regulated financial services industry.

Because it is still a federal offense to use, sell and distribute marijuana, banks can be prosecuted under the Bank Secrecy Act (BSA), and anti-money laundering (AML) and unlicensed money transmitter statutes for conducting transactions involving proceeds from marijuana-related businesses. Additionally, attempting to comply with state legislation, not to mention the political implications, enhances the complexity of servicing marijuana-related businesses. But despite these complexities, banks are servicing marijuana-related businesses not only because state decriminalization of marijuana has made the use and sale of marijuana a lucrative industry, but also because it deters crime by legitimizing marijuana-related businesses rather than leaving them to operate on a cash-only basis.

The U.S. Department of Justice (DOJ) issued a memorandum (Cole Memo)[2] in 2013, providing direction to federal prosecutors regarding marijuana enforcement under the CSA in light of conflicting state laws. The Cole Memo addresses criminal enforcement measures focused on those, including organizations, whose conduct interferes with eight identified priorities (Cole Memo priorities). The priorities include preventing the distribution of marijuana to minors, preventing revenue from the sale of marijuana from going to criminal enterprises, and preventing the diversion of marijuana from states where it is legal to states where it is illegal.[3] In order to steer banks in the right direction when servicing marijuana-related businesses, in 2014, the Department of Treasury Financial Crimes Enforcement Network (“FinCEN”) propounded minimal suggestions or “guidance” on how financial institutions seeking to service marijuana-related businesses could comply with BSA obligations while observing the Cole Memo priorities.

Under the FinCEN guidance, banks can provide services to a marijuana-related business and still abide by the BSA requirements. Opponents of the FinCEN guidance claim that the guidelines fall short of real support of the industry because the guidance is not binding, it fails to provide real insight into federal expectations, it provides no protections for the industry and it generally treats marijuana-related businesses as criminals. However, from a corporate compliance perspective, the guidance provides a framework from which banks can comply with federal regulations while concurrently servicing cannabis businesses.

Compliance with the BSA and AML is pivotal in order to avoid fines, forfeitures, community service, possible imprisonment of individual corporate agents and high-level personnel[4] or organizational probation to remedy harm caused by organizations, or banks in the immediate case.[5] Here, because a violation of the BSA or AML would be a federal offense, the United States Federal Sentencing Guidelines would apply to this scenario. Chapter eight of the sentencing guidelines is designed so that the sanctions imposed upon organizations and their agents, taken together, will provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct.[6] The sentencing guidelines and policy statements apply to convicted organizations. In section §8B2.1 of the sentencing guidelines, the Sentencing Commission outlines seven methods of an effective corporate compliance and ethics program designed to deter and remedy organizational criminal conduct.[7] In circumstances where an organization is a defendant in a criminal prosecution, two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility. Establishing an effective corporate compliance and ethics program is essential to protect the interests of highly regulated organizations, such as banks or other financial institutions, and to reflect that they are good corporate citizens. The FinCEN guidance works parallel with the sentencing guidelines by providing three distinct compliance elements: (1) Due Diligence; (2) Monitoring; and (3) Reporting to prevent and respond to criminal conduct. The prevention and detection of criminal conduct, as facilitated by an effective compliance and ethics program, assists an organization in promoting ethical conduct and in complying fully with all applicable laws.

The seven elements of an effective compliance and ethics program are: (1) an organization shall establish standards and procedures to prevent and detect criminal conduct; (2) an organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program; in addition, high-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program; (3) an organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program; (4) an organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, and promote internal training on said standards and procedures; (5) an organization shall take reasonable steps to ensure the effectiveness of the compliance program via monitoring and auditing to detect criminal conduct; (6) an organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct; and (7) after criminal conduct has been detected, an organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.[8]

The starting point for designing and implementing any corporate compliance program includes identifying the risks of criminal conduct by conducting a corporate risk assessment. By conducting a risk assessment, banks can identify the possibility or even the probability of criminal conduct by a marijuana-related business. The due diligence provisions of the FinCEN guidance encourage this.

Due Diligence

The guidance proposes that banks conduct due diligence on their marijuana-related customers because arguably these customers present higher risks of criminal conduct, such as money laundering. In doing so, banks must verify that the customer is appropriately licensed, review state license applications to operate a marijuana business, request information about the business from state agencies and enforcement authorities, develop an understanding of the types of products to be sold and monitor publicly available sources for any negative information about the business.[9] These processes assist the bank in determining the types of transactions in which the customer is likely to engage and, in turn, in establishing the customer’s risk profile. Identifying risks, understanding the bank’s risk tolerance and managing the overall risk so that banks comply with federal expectations are the cornerstones of any effective compliance program.


The guidance goes further and suggests that a bank’s BSA compliance program should include monitoring and auditing systems that are designed to detect criminal conduct. A primary goal of monitoring is to identify and address gaps in a business’s program on a regular and consistent basis.[10] In this instance, the guidance recommends that financial institutions (1) conduct ongoing monitoring of publicly available sources for adverse information about the business and related parties; (2) conduct ongoing monitoring for suspicious activity, taking into account any of the red flags described in the guidance; and (3) regularly refresh information obtained as part of customer due diligence on a periodic basis that is commensurate with the risk.[11] Changes in a marijuana-related customer’s business practices or industry reputation can affect the customer’s risk profile and in turn impact a bank’s relationship with that marijuana-related customer. This provision is consistent with element (5) of an effective compliance program as noted above.


If criminal conduct has been detected, a bank shall take reasonable steps to appropriately respond and to prevent further criminal conduct. Here, a bank that decides to provide financial services to marijuana-related businesses would be required to file Suspicious Activity Reports (“SAR”) aimed at distinguishing legitimate marijuana-related businesses from those that pose a threat to regulatory protections. Banks must use the following labels when filing SARs based on the bank’s reasonable belief as to whether the business implicates one of the Cole Memo priorities: MARIJUANA LIMITED (business does not implicate a Cole Memo priority), MARIJUANA PRIORITY (business does implicate a Cole Memo priority), or MARIJUANA TERMINATION (bank has terminated the relationship). Further, banks must report any activity suspected to be outside of state regulations.[12] In essence, reporting suspicious activity helps banks not only comply with federal regulations but also adhere to safe and sound banking practices.

Banking compliance professionals, as with most compliance personnel, regularly balance business needs with compliance requirements. The marijuana industry stands to reach $6.7 billion in 2016.[13] Here, the profitability of providing financial services to such a lucrative yet complicated industry strongly relies on a sturdy compliance program that can withstand operating under the cloak of a controlled illegal substance. Quite possibly, the FinCEN guidance creates a starting point from which to do just that.


Legal marijuana is impacting service industries, and banks are no exception.  This impact requires reviewing and possibly redefining existing regulatory standards and expectations.   The FinCEN guidance and the Cole Memo priorities are examples of how legal marijuana is driving the interpretation of statutory requirements in a budding yet controversial industry.  From a compliance perspective, this translates into banks creating a program that carefully meets the financial needs of marijuana-related businesses while keeping banks safe in a federally defined high-risk industry.



[1] Controlled Substances Act, 21 U.S.C. §801, et seq.

[2] James M. Cole, Deputy Attorney General, U.S. Department of Justice, Memorandum for All United States Attorneys: Guidance Regarding Marijuana Enforcement (August 29, 2013)

[3] Banking in the Ninth BSA Expectations for Marijuana-Related Businesses Safety and Soundness Update – June 2015, Tori Jasmin-Carter, June 16, 2015

[4] The term includes: a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.

[5] The term includes corporations, partnerships, associations, joint-stock companies, unions, trusts, pension funds, unincorporated organizations, governments and political subdivisions thereof, and non-profit organizations.

[6] United States Sentencing Commission, Guidelines Manual Chapter Eight Sentencing of Organizations, Introductory Commentary

[7] USSG §8B2.1

[8] USSG §8B2.1(b)(1)-(7).

[9] http://www.columbian.com/news/2016/apr/24/bank-woes-easing-for-legal-pot-businesses/   Bank Woes Easing for Legal Pot Businesses: Number of Financial Institutions Willing to Handle Pot Money Rise, By KRISTENA HANSEN and GENE JOHNSON, Associated Press Published: April 24, 2016, 5:59 AM.

[10] https://www.lexisnexis.com/legalnewsroom/corporate/b/fcpa-compliance/archive/2013/05/23/what-are-the-essential-elements-of-a-corporate-compliance-program.aspx#sthash.tafHRn42.dpuf

[11] Department of Treasury Financial Crimes Enforcement Network Guidance, BSA Expectations Regarding Marijuana-Related Businesses, FIN-2014-G001, February 14, 2014.

[12] Banking in the Ninth BSA Expectations for Marijuana-Related Businesses Safety and Soundness Update – June 2015, Tori Jasmin-Carter, June 16, 2015

[13] http://fortune.com/2016/02/01/marijuana-sales-legal/ Legal Marijuana Sales Could Hit $6.7 billion in 2016 by Tom Huddleston, Jr February 1, 2016, 6:00 AM EDT.