This is the third part of a four-part series on how to educate your Board and other teams, articulate your plan, structure your program, and then implement (launch) the line of business.

Now that you’ve articulated the overall plan for cannabis banking, it’s time to dig into the specifics of how you will structure an effective compliance oversight and management program. The hard work of convincing your Board that banking cannabis-related businesses (CRBs) was a worthwhile pursuit, and could be a profitable one, has succeeded and you’re authorized to begin. It’s time to set your plans in motion, which means deciding how your institution will manage the risks of cannabis banking on an ongoing basis. As we touched on in Part 2 of this series, cannabis risk frameworks mirror the basic risk handling that every financial institution is already familiar with: identify, measure, monitor, and control.


During the earlier “Educate” and “Articulate” stages of your process, it’s likely that you identified the potential risks (and rewards!) of cannabis banking. That preliminary work should simplify this initial step of preparing a cannabis banking-specific risk assessment. It’s important to note that this should not solely cover, although it must include, an assessment of the BSA/AML risks of cannabis banking. And it’s true those BSA/AML concerns are the most common day-to-day risk exposures that will be highlighted as you engage in this line of business. But you’ll also need to consider, define and document other risks, such as legal, reputational, and competitive risks that will affect or influence this business line. There will also be lots of operational risk, especially when it comes to processing and handling large currency volumes and overseeing the account’s activity.

Some institutions find it easiest to do the BSA/AML/OFAC aspects of risk assessment separately from related evaluations. They rely on inputs from the BSA Officer at the institution to crisply identify potential money laundering and fraud risks, while relying on the formal opinions of counsel to point out legal risk and calling on other officials like retail banking officers to more accurately pinpoint potential operating risks. Reputational risk is often discussed by committees who have a presence in the local community and can gauge sentiment around the appetite for doing business with an institution that offers services to CRBs. Regardless of how your institution engages this risk identification practice, you’ll want and need full review and approval by your Board of the final, consolidated risk assessment prior to kicking off your program.



With initial risks now identified, it’s time to set the initial ‘risk appetite’ and the metrics that will reveal when that appetite has been exceeded. Your system of risk metrics should align key risk indicators with key performance indicators, and this requires that you define the system of controls you’ll use to assure KPIs stay within desired ranges. (If the previous sentence sounds like a bunch of regulatory babble, start with a paper like this one for a primer on bank compliance and risk mitigation techniques.) Let’s take a simple example here to illustrate:

One of the risks of banking a cannabis dispensary is that your institution might unknowingly accept as deposits the cash proceeds from sales deemed “illegal” – such as sales that violate a particular state’s potency or quantity limits. (An example of one state’s rules shows just how complex these limits can be.) Given the near impossibility of assuring zero infractions, what can your credit union or bank do to reduce this risk? What type of control could you put in place to curtail this risk?

One control that successful FIs have implemented is a systematic way to validate the dispensary’s sales records before accepting deposits. Through examination of point-of-sale systems data, dollar amounts from state-legal sales can be validated, while unverified amounts can be rejected. In this example:

  • The key risk indicator is the percentage of verified state-legal sales proceeds.
  • The key performance indicator might be set at 90% or more – meaning that 90% or more of cash deposits can be verified as state-legal sales proceeds. The KPI is, effectively, your ‘risk appetite’ expressed as a limit, threshold or other maximum tolerance.
  • With the KRI and KPI identified, the control becomes obvious: it’s the verification and validation of those proceeds.
  • Using this approach, your performance metric is the KPI – the 90% or better standard. When validated deposits dip below that level, you know more attention (i.e., ongoing diligence) must be focused on that account.

Defining KRIs and thresholds and limits for your KPIs is an easier path to compliance than the traditional practice of trying to ‘imagine and inventory’ every possible risk factor. You will also want to build these KRIs and KPIs into your risk formulas, with the KRI being the ‘inherent risk’ and the KPI being the mitigating control. Residual risk becomes what’s left over after the control is applied.


Notice how the approach of setting the KRIs and KPIs and metrics during the previous step makes the tasks of monitoring very straightforward – just a few easy answers will shore up your program design.

  1. What should you monitor? Conditions that allow you to tell when KPIs have exceeded their tolerances, thresholds or limits.
  2. Who will do the monitoring? More than likely, you will have some quality assurance that takes place on the front lines, as well as a second line of defense in the compliance team that conducts monitoring reviews.
  3. How often should you monitor? Ideally, continuously. If your systems are modern and not overly manual, you should be able to perform continuous, real-time monitoring at the point of a transaction. If your systems are older or highly reliant on human effort, you may have to settle for periodic monitoring at the interval that makes the most sense based on the type of activity. Monitoring frequency might be as often as daily for some functions, while others could extend to weekly, monthly, quarterly or less often.

Another key to effective monitoring is consistency. You’ll want to use the same methods, tools and workpapers each and every time to assure that the results you are seeing are truly reflective of the current conditions. Without this type of consistent approach, the measurements may be unreliable, and your risk exposures could escalate without detection. Inconsistent approaches may yield inconsistent data that become difficult or impossible to interpret.

If, after all this, you’re still clamoring for info on modernizing your risk management approaches, you may enjoy this Wall Street Journal article from Deloitte.


The overarching goal of every risk management process is to control risk to acceptable levels, within the established risk appetite of the institution. When a risk tolerance/appetite has crossed over an acceptable boundary – or, in other jargon, a key performance indicator has exceeded its threshold – you must ACT to reduce the risk. In this case, ACT is an acronym for ascertain, correct, and test.

  • Ascertain the root cause, severity, duration and pervasiveness of the risk exposure. Your response in the next step should consider all four criteria to reveal the extent and timing of the needed remediation.
  • Correct the problem. Corrective actions might include remedial or additional training, new systems controls, better or more frequent monitoring, or procedural updates or policy revisions. The scope and timing of your response should be commensurate with the extent and severity of the weaknesses identified.
  • Test the remediation. If your risk reduction efforts have been effective, you should see KPIs return to normal levels within a reasonable period of time. By inspecting the metrics at a defined interval after the corrections were applied, you will be able to tell whether the ‘fix’ worked or more effort is required.

Control is about making sure the right people and systems can do the right thing at the right time to constrain risk exposures.

With a solid program to identify, measure, monitor and control the risks of cannabis banking, all that’s left to do is roll out your program! In the next and final installment in this series, we will take you through how trailblazing financial institutions implement their cannabis banking programs. Along the way, you’ll learn the milestones happening before day zero through those happening 12 months after launch and beyond. A program’s success is often determined by the quality of its deployment.

If your institution needs modern technology that runs world-class cannabis-banking programs, we’d love to walk you and your team through a demo of our platform.