3 minutes
Data collection and compliance audits help credit unions deal with high-risk businesses.
Tony Gallo, managing partner of the Dallas-based Sapphire Risk Advisory Group, has been involved with retail businesses for more than 30 years and the cannabis industry for the last four. He suggests that financial institutions deal with cannabis businesses as they would any other high-risk business, such as those selling liquor, jewelry, firearms and tobacco.
“There are lots of similarities with the Big Four,” he points out. As with them, credit unions should look into their cash management strategy before opening depository accounts for a cannabis business. It’s especially important to understand what mechanisms they have in place for security. How are they transporting cash? In addition, have they had any robberies or internal theft problems? Are they following all the rules set by the state? Are they following best security practices?
Most states that allow cannabis use for any purpose (see map of states and what they allow) have applications to run a related business that require completing several hundred pages of paperwork. Just the security section of the application may be 40-60 pages. Looking at a business’s application gives a credit union a very good snapshot of that enterprise. Gallo’s company’s Texas security application section for pot businesses is about 50 pages long. “You have to be much more involved in your cannabis security planning than most businesses,” he says.
John Morgan, SVP/client engagement at Simplifya, says his company’s software makes verifying consistent compliance with all state—and credit union—requirements efficient. The Denver-based company uses simple yes and no questions to gather information on everything from location to type of business.
Location is important beyond which state is involved. For instance, Colorado state regulations allow pot outlets to be open until midnight, but Denver sets closing time at 10 p.m. Municipalities can ban marijuana sales completely—in fact, most do.
Type of business is also critical. Colorado has seven types of licenses, covering everything from cultivation to creating marijuana-infused products. Each must meet specific rules. A medical-marijuana business, for example, has what’s called a 70-30 requirement: 70 percent of its production must go its associated medical outlet.
Morgan says Simplifya software helps to create a culture of compliance. The company has forged partnerships in the insurance sector; some firms offer discounts of up to 10 percent to pot businesses that use the software. Simplifya was launched last November by partners from Vicente Sederberg, a prominent Denver law firm in the cannabis field. It was pulled into doing third-party compliance audits—and was doing so with a pen and a clipboard. Not only was it a time-consuming approach, but they found that many customers were not addressing the issues in the report. “They wanted to streamline it. They wanted to see that things got fixed,” Morgan says.
Simplifya recommends that cannabis businesses perform audits at least once a month, says Morgan. If there are “action items”—areas where there is non-compliance—the software suggests fixes. The company is about to introduce remediation reports.
Morgan advises credit unions that provide services for cannabis businesses to require member businesses to use self-auditing software and also have a third-party auditor come in every quarter or six months. “It adds a level of accountability,” he says. And accountability is to pot businesses what location is to real estate: what’s most important.
Charlene Storey is a veteran credit union writer based in New Jersey.
