Ongoing Due Diligence Requirements for Cannabis Banking

Cannabis Banking

Ongoing due diligence is the periodic re-verification and refresh that keeps a cannabis customer's profile current after onboarding. FinCEN's CDD rule requires institutions to maintain and update customer information on a risk-based schedule and to keep their understanding of the customer's nature and purpose accurate over time. For MRBs, where licenses expire, ownership changes, and business models shift, ongoing due diligence is not a formality; it is how the institution keeps its monitoring baseline and SAR categorization honest.

Think of it as onboarding that never fully ends: the file should always reflect the business as it is today, not as it was on the day the account opened.

Key takeaway: Refresh cannabis customer files on a risk-based cadence: re-verify licenses before they expire, update beneficial ownership when control changes, recompute the risk rating, and re-baseline expected activity. Higher-risk MRBs warrant more frequent review.

Set review cadence by risk tier

Periodic reviews should run on a frequency tied to the customer's risk rating. A common, defensible structure:

  • High-risk plant-touching MRBs: full review at least annually, with interim checks (often quarterly) on licensing and activity.
  • Moderate-risk CRBs with significant cannabis revenue: review every 12 to 18 months.
  • Lower-risk ancillary CRBs: review on the institution's standard commercial cycle, with cannabis-specific triggers layered on.

Document the cadence in the BSA policy so it is consistent, repeatable, and examinable.

Track and re-verify licenses before expiration

License lapse is one of the most consequential events in a cannabis relationship: an unlicensed marijuana business is no longer a state-sanctioned business, and continuing to bank it changes the risk profile materially. Maintain a license register with expiration dates and verify renewal directly with the regulator before each expiration. If a license lapses or is suspended, escalate immediately, the relationship may need a Marijuana Priority SAR or termination.

Refresh beneficial ownership and control

Update beneficial ownership when there is a triggering event, such as a sale of equity, a change in management, or information that calls prior data into question. The February 2026 FinCEN exceptive relief means re-verification is no longer automatically required at every new account opening, but institutions must still maintain risk-based procedures to keep ownership information current. For higher-risk MRBs, many programs schedule periodic ownership re-attestation regardless of triggering events.

Recompute risk rating and re-baseline activity

At each review, recompute the customer's risk rating using current facts: license status, geography, volume, product lines, counterparties, and any SAR or alert history. Where the business has grown or pivoted, re-baseline the expected-activity profile so monitoring continues to compare actual behavior against a realistic expectation. A dispensary that has tripled its locations should not be monitored against last year's volume assumptions.

Document negative news and event-driven reviews

Beyond the calendar, ongoing due diligence is event-driven. Trigger an off-cycle review when adverse media, a regulatory enforcement action, a state investigation, an ownership dispute, or anomalous account activity surfaces. Record the trigger, the review performed, and the conclusion. Event-driven reviews demonstrate that the program reacts to risk in real time rather than only on a schedule.

Keep the audit trail intact

Every refresh should leave a dated, attributable record: what was reviewed, by whom, what changed, and what action followed. Examiners assess not just whether reviews happen but whether they are documented well enough to reconstruct the institution's reasoning. Compliance technology that timestamps and stores each review step makes this trail durable and retrievable.

Frequently asked questions

How often should a bank review a cannabis customer?

On a risk-based cadence. Direct Tier 1 MRBs typically get a full review at least annually and routine daily and quarterly monitoring of transaction activity, with interim license and activity checks; lower-risk ancillary indirect Tier 2 (or Tier 3) CRBs may follow the standard commercial review cycle with cannabis triggers added. The cadence should be set in policy and applied consistently.

What triggers an off-cycle cannabis due diligence review?

Events such as a license lapse or suspension, ownership or control changes, adverse media, regulatory actions, or anomalous account activity. Event-driven reviews supplement the periodic schedule and should be documented like any other review.

Does FinCEN still require beneficial ownership updates for cannabis customers?

Institutions must keep beneficial ownership current under risk-based procedures and update it on triggering events. A February 2026 FinCEN order removed automatic re-verification at each new account opening, but ongoing, risk-based maintenance of the information is still required.