By Jessica Caballero, CRCM, CERP
Industrial hemp is growing in popularity, and hemp-based products are becoming more readily accessible in communities across the country. Strong businesses are thriving in this industry while successfully managing compliance, and it’s likely that your institution has been approached by at least one of these hemp-related businesses looking for a long-term banking relationship.
More states are passing legislation and designing oversight programs for many areas within the supply chain from seed engineering to retail sales. However, despite their status as federally legal, industrial hemp businesses have difficulty finding a financial institution willing to take their deposits or extend credit.
However, there are institutions successfully serving these businesses. The ones that are not banking hemp have either made a conscious decision to avoid the risks, or they find the task of designing a program daunting. However, the road to designing and implementing a program for banking hemp doesn’t need to be a difficult one. Applying basic risk management principles and educating your institution on the industry will get you there quicker than you think.
When new industries appear suddenly that are perceived to be higher risk, institutions often look to the federal functional regulators to publish guidance on how to provide services to the industry in a safe, sound, and compliant manner while adequately mitigating the perceived risks.
In December 2019, the banking industry received joint guidance from the Federal Reserve, the FDIC, the OCC, the Conference of State Bank Supervisors and the Financial Crimes Enforcement Network entitled
“Providing Financial Services to Customers Engaged in Hemp-Related Businesses.” Although the guidance was almost singularly focused on the agricultural sector, it did confirm that FinCEN marijuana-related business SARs are not required for businesses solely engaged with hemp. Instead, covered institutions are directed to file a SAR only if other indications of suspicious activity warrant it, a step which seamlessly aligns with the NCUA guidance. The guidance reiterated the legality of hemp at the federal level and its separation from marijuana under federal definition. Like many BSA/AML related guidance preceding it, the guidance focuses on a risk-based approach that requires the program to be commensurate with the level of complexity and risks involved. While its scope is limited, the agencies promise a deeper dive from FinCEN soon.
Steps to building your hemp-related program enterprise risk assessment
Using those guidelines, institutions can begin confidently building out their program for serving hemp-related businesses. This process should start with an enterprise wide risk assessment considering how such a program may affect the institution’s risk profile. You may quickly identify risks such as regulatory risk, compliance risk, customer risk and the risks associated with the complex and dynamic legal environment to which these businesses are subject. However, it is important to recognize that a hemp program may bring other exposures, including credit risk, liquidity risk, concentration risk, and reputation risk. Once identified, you may begin to build out a system of controls and your risk management system to measure, mitigate, monitor, and report hemp-related risks.
Contact your regulatory agency
Regulatory risk is still present despite guidance, as there are still many areas of uncertainty. One of the earliest steps in this process of building out a hemp program should be to contact your regulatory agency to discuss whether or not accepting the risks of these businesses is a good fit for your institution’s unique risk position. The formula for risk management includes a balanced look at your risk appetite, risk tolerance and capacity for risk. If you have recently received criticism related to your BSA/AML program, you may not have the capacity to take on the risks that hemp-related business may bring to your institution. When discussing this with your agency contact or exam team, ask questions about the agency or regional office’s comfort level with the industry, to gauge how they may be examining hemp programs going forward. These conversations will help you both measure regulatory risk and design the proper controls to mitigate regulatory risk.
Assess customer risk
Customer risk tends to receive the most attention when discussing what it takes to manage the risks of serving hemp-related businesses—and for good reason. There are many facets to assessing the risks of customers. An experienced and licensed agricultural production operation receives heavy oversight from their licensing authority. Additionally, the likelihood of high cash volumes or other transactional activities that may be considered higher risk, is low.
On the other hand, a business that deals with consumable hemp products containing cannabinoid, or CBD, in a state where there are not well-defined laws or oversight functions, could be viewed as having an elevated customer risk profile relative to the agricultural operation described above. The risk profile of the CBD business may be compounded by the fact that the business operates in high risk geographies or with high cash volumes, and/or has beneficial owners with ancillary involvement in the high-THC cannabis industry (otherwise known as marijuana).
Critical factors to consider also include the regulations issued by the U.S. Department of Agriculture and the role of the Federal Drug Administration and Drug Enforcement Agency. Another critical element that goes hand-in-hand with the USDA guidelines is the determination of whether a crop is compliant or not. The tetrahydrocannabinol, or THC, concentration is a risk factor that should be considered at this stage in the process, particularly since crossing the threshold can have dire consequences for crop insurance coverage and loan collateral. For more information on these considerations, please refer to these articles by ABA’s Robert Rowe.
Define businesses at the policy level
At the policy level, an institution must define the types of businesses they will and will not serve—which should be based on the bank’s individual risk appetite and strategic goals. When identifying, assessing, and measuring customer risk, it is important to understand that hemp businesses are not one-size fits all.
Generalizations should not be applied to areas of the industry as a whole. Instead, the institution should assess risk individually for each customer. One way to achieve this is to design a uniform classification system that categorizes homogeneous types of businesses within the industry in order of inherent risk.
In the most simplistic example of a cannabis classification system, marijuana businesses would be in the highest category relative to other cannabis businesses with hemp-only businesses not involved with consumables containing cannabinoids being the lowest. In between, you have those who deal indirectly with marijuana, those who may indirectly serve both, consumables containing compliant hemp-derived cannabinoids, and perhaps other gray areas like smokable hemp.
Understand that this is a risk hierarchy relative to other businesses in the general cannabis industry and not a directive that any of those businesses should automatically be categorized as high or low risk without evaluating other aspects of the relationship. You can look at it as a jumping off point for assessing risk.
The classifications can also be used when making policy decisions at the Board level such as the types of business to which the bank will extend credit, internal controls which are needed and due diligence requirements. The classifications also can be used for setting limits and risk tolerances levels. For example, your bank’s comfort level may be one where you will serve this industry, but to manage the risk, you will limit aggregate deposits from cannabis-related businesses outside of your lowest risk classification to a certain limit or threshold selected by the bank.
Assign ongoing due diligence
To mitigate customer risk, initial and ongoing due diligence activities must be designed. These activities should be commensurate with the perceived risk of each individual relationship. At the simplest level, this includes verification of the status of the customer’s hemp-related license or registration. This may also include a deeper look into previous enforcements, violations, and copies of official reporting provided to their licensing authority.
Due diligence may also include a review of material documentation including the licensing application, as it includes a wealth of information on the business and its hemp operation. It is also important to analyze attributes of the business such as their own internal compliance and quality control programs, testing processes, testing cadence, historical testing results, and information on key vendors and customers.
Depending on the assessed risk of the relationship, periodic reviews may also be required to reassess the risk profile of the customer on a periodic basis defined by bank policy. This may include transactional analysis, reviews for license renewals, license status changes including suspensions or revocations, and obtaining reports related to product testing.
Furthermore, depending on the risk profile and the type of business, onsite visits, negative news searches and website reviews also may be appropriate. For example, website reviews for ecommerce businesses (retail CBD products) are essential in ensuring their marketing claims aren’t egregious or might violate FDA restrictions and proper age verification for the business’s customers is in place, among other things. In the end, the bank needs to gain an accurate understanding of whether or not the business is a legal business producing or selling products that are compliant with applicable laws and regulations.
Regardless of the risk profile, banks must comply with regulatory requirements for customer identification, suspicious activity reporting, currency transaction reporting, risk-based customer due diligence (as noted above), and the collection of beneficial ownership information. Moreover, banks are required to confirm a hemp grower’s compliance with state, tribal or USDA licensing requirements, by either obtaining a written attestation from the hemp grower or collecting a copy of the hemp grower’s license. All due diligence information, including information collected at onboarding and through ongoing due diligence should be documented and retained in a central location.
Banks also should give serious consideration to using software automation to facilitate backend screening of licensing data and negative news in order to reduce manual work and increase the timeliness and accuracy of the customer’s risk profile. For certain customer events such as loss of license, entrance into high-THC marijuana, or significant negative news discovery, action plans should be proactively designed and socialized throughout the institution. Personnel should have a clear understanding of the actions required of them, should a triggering event occur, including escalation protocols, reporting requirements, and a timeline for the execution of actions, such as a relationship exit.
Managing the dynamic nature of the legal environment
Perhaps the most daunting part of designing a program for serving hemp-related businesses is the complex and dynamic legal environment. Changes to the legality of certain products or changes in licensing requirements can also impact the amount of regulatory risk and customer risk your institution incurs.
So, what makes the legal landscape so complex?
First, laws and regulations vary greatly between states. There is significant variation in how states are overseeing businesses that handle hemp after the agricultural pieces of the puzzle. For example, some states require a license to manufacture consumable hemp with cannabinoids. However, other states have no structure on how these businesses are required to operate, and there is little to no government oversight of these businesses. While there are less variations on the agricultural side, there are still a wide range of differences between states, tribes, and USDA production licensing requirements.
Second, we are dealing with an industry in its infancy. Many states have passed legislation but have not fully designed or operationalized their oversight functions. This makes for a world of ever-changing and evolving requirements that banks need to monitor in order to ensure compliance.
As clearly stated in the December 2019 interagency guidance, the institution should have a solid understanding of the legal landscape of this industry, and the program should be tailored to those legal requirements in order to ascertain you are serving a legally operating business and properly managing risks.
Consult counsel
Due to the complex and dynamic nature of hemp oversight in our country, it is essential that the bank consult legal counsel when questions arise around the legality of a business and its operations. It also is recommended that you centralize the responsibility to maintain an up to date understanding of the legal environment with one key individual, team, or committee. The responsible party or parties should disseminate summarized information to stakeholders, and ensure that training, policies, and procedures are updated as necessary.
Design control systems
Once risks are identified and measured, control systems must be designed to mitigate risk adequately to levels that align with your Board-prescribed risk appetite. We have already explored some important controls systems in context, such as policy decisions and limits. It is essential that you take inventory of all affected systems and governing documents including policies, procedures, and process documents. Ensure each is properly updated for hemp-related businesses, conduct training for personnel, and socialize the updated governing documents throughout the organization.
As a side note, updating systems, governing documents, training personnel, and socialization of policy decisions are equally as important if you make the decision not to serve this industry.
Set operational limits
After assessing risks, gauging your risk appetite, tolerance and capacity for risk, operational limits should be set to ensure that the institution does not take on undue risk. Limits set boundaries in the form of metrics. Metrics should be meaningful and should align with the risk appetite, link back to strategic objectives, address root cause, and be well socialized and understood.
For example, if your institution’s capacity is such that it cannot practically handle more than 25 high risk customers without making an investment in human capital or technology, you may have a limit in place of no more than 20 hemp-related business with an elevated risk profile; therefore, once you hit that volume, you will not onboard any additional hemp customers.
However, always ensure that these limits don’t incentivize employees to inaccurately rate an individual customer’s risk. Some metrics or risks may be better managed using thresholds where you have an identified range over which certain actions are triggered. Using the previous example of staffing constraints, another institution may be more willing to make that investment, but only after breaching a certain threshold. As such, management may document their decision to begin the hiring process or implement new technology after 20 new higher-risk businesses are on board, thus allowing them to continue taking on more customers while adequately managing the program requirements.
Risk targets are another alternative to monitoring and reporting on risk levels. This may be attractive to those making significant investments such as purchasing new software or adding staff. A quantitative analysis can reveal the amount of deposits and non-interest income that would be needed to make the hemp program profitable. This number, in the form of a meaningful metric, is now your risk target or the optimal level of risk you would like to assume. When using targets, it is also prudent risk management to designate a limit or threshold beyond which you will not go.
The institution also should have socialized action plans that are triggered by breaches to limits, or when metrics rise to a level within your risk tolerance that raises a yellow flag. As such, a limit or threshold should be accompanied in your program by an escalation or action plan outlining what action should be taken, the type and frequency of reporting required, the appropriate audience for each report, and whether or not a root cause analysis will be required.
Understanding your risk culture
When implementing any new program at an institution, risk culture plays a vital role in its success. Every player bank-wide should understand the bank’s risk appetite, policies and compliance program for hemp. That is accomplished through thoughtfully designed and executed training exercises, well socialized governing documents, and solid leadership.
Exceptions can be greatly reduced when everyone understands the bank’s risk appetite, processes, and controls. When exceptions do arise, an honest accounting of exceptions and timely remediation strengthen your ability to manage risk. These events should be seen as training opportunities or an opportunity to reassess and tweak processes. Clearly defined roles and responsibilities also cultivate a strong risk culture where each player can take ownership over their role and know exactly who to contact, depending on the situation. By investing in a strong risk culture, you are mitigating the risk that front-line personnel will bring cannabis-related businesses into your institution that do not fit within your risk appetite.
Monitoring programs are essential
Do you remember the saying about best laid plans? They never work out as expected, right? That is why it is essential to have monitoring programs in place to ensure the program is working as designed. Monitoring can come in many forms with one option being quality control. A sound program for banking hemp may include a quality control element in which a second set of eyes validates the work that was done to assess the customer’s risk profile to make sure the work was complete, accurate, and that the decision making was sound.
The second review should be conducted by an individual or team separate from the original process. This could be done for all new hemp-related businesses, or it can be achieved through a meaningful sampling of new accounts. Monitoring activities are, of course, above and beyond what is reviewed by internal audit or external audit engagements.
Conclusion
Whether you are considering initiating a large hemp-banking program as part of your strategic goals for the year or you are just looking to serve local businesses, designing and implementing the program should be a well-thought-out endeavor. Ensure key stakeholders are getting proper training on the industry as well as institution-specific training. Be prepared to be flexible and to continue evolving your program over the coming years.
It is key to educate your board of directors, senior management, and other stakeholders on the opportunity. In doing so, draw a clear distinction between hemp and marijuana to avoid confusion and stigma. Banking hemp is not the same as banking marijuana, and the overhead is significantly lower. These are mostly federally legal businesses; however, between the newness of the industry and the lack of clear guidance, there are risks involved.
Like any other industry, there may be a few bad apples, but don’t let the bad apples spoil the bunch. Assess the risk of each business individually instead of making a sweeping generalization and avoiding the industry as a whole. There are great new customer opportunities out there with the potential to bring in large deposits and non-interest income.
Jessica Caballero, CRCM, CERP, began her career as a bank examiner with the OCC. She is now at DefenseStorm, an industry leader in cybersecurity and cyber compliance. Formerly, she was head of compliance and strategy for Riskscout.
