Audit and Assessment of Controls for an MRB/CRB Program

Cannabis Banking

Independent audit and control assessment is the testing that proves a cannabis banking program works as designed, not just that it exists on paper. The BSA requires independent testing as one of the pillars of an AML program, and for an MRB/CRB book that testing must be tailored to cannabis-specific risks: licensing verification, marijuana SAR filing, sales-to-deposit reconciliation, cash logistics, and capacity limits. A clean, well-scoped audit is both a governance necessity and the strongest evidence an institution can present to an examiner.

The core question every audit answers is the one examiners ask: can you show me that the control operated, on these accounts, on these dates?

Key takeaway: Audit the cannabis program independently and against its own design. Test that licenses were verified, SARs and CTRs were filed correctly and on time, reconciliations were performed, alerts were dispositioned, and capacity limits held, with sampled evidence for each.

Who should perform the testing

Testing must be independent of the people who run the program day to day, performed by internal audit, a qualified third party, or another function with no operational stake in the outcome. Independence is the point: a review by the same staff who built and operate the controls cannot credibly assess them. For smaller institutions without internal audit capacity, a qualified external BSA auditor with cannabis experience is the norm.

Scope the audit to cannabis-specific risk

A generic BSA audit will miss what matters in a cannabis book. Scope the testing to the controls unique to MRB/CRB banking:

  • License verification: were licenses confirmed with regulators at onboarding and re-verified before expiration?
  • SAR filing: were the correct categories chosen, narratives sufficient, and 30-day and 90-day timelines met?
  • CTR filing and structuring detection: were CTRs accurate, aggregated, and complete?
  • Reconciliation: were deposits compared to reported sales, and variances investigated?
  • Alert handling: were alerts dispositioned with documented rationale?
  • Capacity limits: did the book stay within board-approved limits?
  • Due diligence currency: were periodic and event-driven reviews performed on schedule?

Test with sampling and trace to evidence

Effective testing pulls a risk-based sample of accounts and transactions and traces each through the control chain to source evidence. For a sampled MRB, the auditor should be able to find the verified license, the onboarding file, the SAR filings and their dates, the reconciliation records, and the alert dispositions. Gaps in the evidence trail, not just missing controls, are findings.
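As an added illustration of the scope checklist and the sample-and-trace approach above (example code, not from the original page or any institution's program), the block below takes a constructed sample of MRB account files and traces each through the control chain: license currency, SAR timeliness and category, sales-to-deposit reconciliation, alert dispositions, and the book-level capacity limit. The record layout, the 5% reconciliation tolerance, the board capacity figure, and the reading of the 30-day and 90-day windows as "filed within N days of detection / of the prior SAR" are assumptions of the example, to be replaced by the institution's own program design.

```python
"""Sample-based control test for an MRB/CRB book (added example, not page code).

Each account file is traced to its evidence: verified license, SAR filings
with dates and categories, reconciliation records, and alert dispositions.
A missing piece of evidence is reported as a finding, as is a book that
exceeds the board-approved capacity limit.
"""
from datetime import date
from typing import Dict, List

# Assumed test parameters for this example; tune to the program's own design.
INITIAL_SAR_DAYS = 30          # page's 30-day initial SAR timeline
CONTINUING_SAR_DAYS = 90       # page's 90-day continuing-activity timeline
RECON_TOLERANCE = 0.05         # deposit-vs-sales variance that must be investigated
BOARD_CAPACITY_LIMIT = 1_500_000  # assumed board-approved aggregate exposure cap


def audit_account(acct: dict, as_of: date) -> List[str]:
    """Trace one sampled MRB account through the control chain; return findings."""
    findings: List[str] = []

    # License verification: confirmed at onboarding and current as of the audit date.
    lic = acct["license"]
    if lic.get("verified_on") is None:
        findings.append("license not verified with regulator")
    elif lic["expires"] < as_of:
        findings.append(f"license expired {lic['expires']} with no re-verification")

    # SAR filing: a known MRB must have SARs, filed on time, in the right category,
    # with the continuing-activity chain unbroken through the audit date.
    sars = sorted(acct["sars"], key=lambda s: s["filed"])
    if not sars:
        findings.append("known MRB with no marijuana SAR on file")
    prev_filed = None
    for s in sars:
        lag = (s["filed"] - s["detected"]).days
        if lag > INITIAL_SAR_DAYS:
            findings.append(f"SAR filed {lag} days after detection")
        if s["category"] == "limited" and s.get("red_flags"):
            findings.append("Limited SAR filed despite red flags: " + ", ".join(s["red_flags"]))
        if prev_filed and (s["filed"] - prev_filed).days > CONTINUING_SAR_DAYS:
            findings.append(f"continuing-activity SAR gap of {(s['filed'] - prev_filed).days} days")
        prev_filed = s["filed"]
    if prev_filed and (as_of - prev_filed).days > CONTINUING_SAR_DAYS:
        findings.append(f"continuing-activity SAR overdue since {prev_filed}")

    # Reconciliation: deposits compared to reported sales, variances investigated.
    periods = acct["reconciliations"]
    if not periods:
        findings.append("no sales-to-deposit reconciliation on file")
    for p in periods:
        variance = abs(p["deposits"] - p["reported_sales"]) / p["reported_sales"]
        if variance > RECON_TOLERANCE and not p.get("investigated"):
            findings.append(f"{p['period']}: {variance:.0%} deposit/sales variance not investigated")

    # Alert handling: every alert dispositioned with a documented rationale.
    for a in acct["alerts"]:
        if not a.get("disposition"):
            findings.append(f"alert {a['id']} not dispositioned")
        elif not a.get("rationale"):
            findings.append(f"alert {a['id']} dispositioned without documented rationale")
    return findings


def audit_book(book: List[dict], as_of: date) -> Dict[str, List[str]]:
    """Run the per-account test over the sample and add the capacity check."""
    report = {a["id"]: audit_account(a, as_of) for a in book}
    exposure = sum(a["avg_balance"] for a in book)
    book_findings = []
    if exposure > BOARD_CAPACITY_LIMIT:
        book_findings.append(f"book exposure {exposure:,} exceeds board limit {BOARD_CAPACITY_LIMIT:,}")
    report["_book"] = book_findings
    return report


# Constructed sample: one clean file, one with gaps at every control, one with no SARs.
AS_OF = date(2024, 6, 30)
SAMPLE_BOOK = [
    {"id": "MRB-001", "avg_balance": 400_000,
     "license": {"verified_on": date(2024, 1, 15), "expires": date(2025, 1, 14)},
     "sars": [{"detected": date(2024, 1, 20), "filed": date(2024, 2, 10), "category": "limited", "red_flags": []},
              {"detected": date(2024, 4, 20), "filed": date(2024, 5, 5), "category": "limited", "red_flags": []}],
     "reconciliations": [{"period": "2024-Q1", "reported_sales": 300_000, "deposits": 295_000}],
     "alerts": [{"id": "A-1", "disposition": "closed", "rationale": "deposits match reported sales"}]},
    {"id": "MRB-002", "avg_balance": 900_000,
     "license": {"verified_on": date(2023, 5, 1), "expires": date(2024, 4, 30)},
     "sars": [{"detected": date(2024, 1, 5), "filed": date(2024, 2, 20), "category": "limited",
               "red_flags": ["deposits exceed reported sales"]}],
     "reconciliations": [{"period": "2024-Q1", "reported_sales": 200_000, "deposits": 240_000}],
     "alerts": [{"id": "B-7", "disposition": "closed", "rationale": ""}, {"id": "B-9"}]},
    {"id": "MRB-003", "avg_balance": 350_000,
     "license": {"verified_on": date(2024, 3, 1), "expires": date(2025, 2, 28)},
     "sars": [],
     "reconciliations": [{"period": "2024-Q1", "reported_sales": 100_000, "deposits": 101_000}],
     "alerts": []},
]


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed sample as of AS_OF."""
    return audit_book(SAMPLE_BOOK, AS_OF)


if __name__ == "__main__":
    for acct_id, items in run_sample_audit().items():
        print(acct_id, items or "no findings")
```

In practice the sample would come from a risk-based selection of the live book and each finding would carry the evidence location (file reference, filing confirmation, reconciliation workpaper) so the re-test after remediation can check the same trail.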

Assess design and operating effectiveness separately

Distinguish whether a control is well designed from whether it operates effectively. A monitoring rule may be correctly designed yet fail because thresholds are mis-tuned or alerts go uncleared. Conversely, a control may operate consistently but be designed too narrowly to catch the relevant risk. Reporting both dimensions tells management precisely what to fix.

Common findings to pre-empt

  • Missed or late continuing-activity SARs on known MRBs.
  • Limited SARs filed where red flags warranted Priority.
  • Lapsed license verifications.
  • Undocumented alert dispositions.
  • Reconciliation performed inconsistently or not at all.
  • The book exceeding board-approved capacity without escalation.
  • Risk assessment stale relative to the current book.

Close the loop with remediation tracking

An audit's value is realized only when findings are remediated. Track each finding to an owner, a corrective action, and a due date, and re-test to confirm the fix held. Present results and remediation status to the board or its designated committee. This closed loop (find, fix, verify, report) is exactly what examiners look for and what distinguishes a maturing program from a static one.

Frequently asked questions

Who can audit a cannabis banking program?

Someone independent of program operations: internal audit, a qualified third-party BSA auditor with cannabis experience, or another function with no operational stake. Independence is required because operators cannot credibly test their own controls.

What should a cannabis program audit cover?

Cannabis-specific controls: license verification at onboarding and renewal, SAR category accuracy and timeliness, CTR accuracy and structuring detection, sales-to-deposit reconciliation, alert disposition documentation, capacity-limit adherence, and the currency of due-diligence reviews, all tested with sampled evidence.

What are the most common cannabis banking audit findings?

Missed or late continuing SARs, Limited SARs where Priority was warranted, lapsed license verifications, undocumented alert dispositions, inconsistent reconciliation, capacity limits exceeded without escalation, and stale risk assessments.