Risk Assessment Principles for a Cannabis Banking Program

A cannabis banking risk assessment is the structured analysis that quantifies the BSA/AML risk a marijuana program creates and confirms that the institution's controls reduce it to a level within its risk appetite. It operates at two levels: the program level, sizing the overall book and setting capacity limits, and the customer level, rating each MRB or CRB so monitoring and due diligence scale to the actual risk. A sound risk assessment is the document that justifies every other choice in the program, and it is the first thing an examiner asks to see.

The governing logic is simple: inherent risk minus the effect of controls equals residual risk, and residual risk must fall within what the board has agreed to accept.

Key takeaway: Risk-assess at both the program and customer level. Score inherent risk, credit the controls in place, measure residual risk against board-approved appetite, and translate the result into capacity limits, customer risk tiers, and the intensity of due diligence and monitoring.

Start with risk appetite and capacity

Before any account opens, the board and senior management should define how much cannabis risk the institution will accept, expressed in concrete limits: maximum number of MRB relationships, maximum cannabis deposits as a share of total deposits, geographic scope, and which business types (plant-touching vs. ancillary) are in or out. These limits flow from the institution's capital, liquidity, staffing, and technology. A program that grows past its stated capacity is itself a finding.

Score inherent risk across the right factors

Inherent risk is the risk before controls. For cannabis, assess it across factors such as:

  • Customer type: direct (Tier 1) vs. indirect (Tier 2 or Tier 3), and license category.
  • Products and services the institution offers the customer.
  • Geography: states and localities involved, and any interstate exposure.
  • Cash intensity and expected transaction volume.
  • Ownership complexity and the presence of higher-risk principals.
  • Delivery channels and use of third parties.

Assess the controls honestly

Against inherent risk, evaluate the mitigating controls: licensing verification, beneficial ownership procedures, transaction monitoring and reconciliation, SAR and CTR processes, cash logistics, staffing and training, independent testing, and compliance technology. Controls only count if they actually operate: an examiner will test whether the control described on paper functions in practice. Overstating control effectiveness is how institutions end up with unrecognized residual risk.

Measure residual risk against appetite

Residual risk is what remains after controls. Compare it to the board-approved appetite. Where residual risk exceeds appetite, the institution must strengthen controls, decline or exit relationships, or formally revise appetite, and document the decision. This comparison, done explicitly and in writing, is what transforms a risk assessment from a checklist into a governance tool.

Translate the assessment into customer risk tiers

The program-level assessment cascades into a customer risk-rating methodology that places each MRB and CRB into a tier (for example high, moderate, lower). The tier sets the intensity of due diligence, the review cadence, monitoring thresholds, and approval requirements. A high-risk cultivator with complex ownership should not be governed by the same cadence as a low-risk ancillary landscaper that derives a sliver of revenue from the industry.

Keep the assessment living and dated

A risk assessment is not a one-time document. Refresh it at least annually and after material change, such as entering a new state, adding plant-touching customers, a regulatory development like the 2026 rescheduling order, or rapid growth in the book. Each version should be dated, board-reviewed, and tied to the data that supports it, so the institution can show its risk understanding evolved with the business.

Frequently asked questions

What goes into a cannabis banking risk assessment?

A program-level analysis of inherent risk (customer types, geography, cash intensity, ownership complexity, volume), an evaluation of mitigating controls, a measurement of residual risk against board-approved appetite, and a customer risk-rating methodology that sets due-diligence and monitoring intensity per relationship.

How do banks set capacity limits for a cannabis program?

By tying limits to capital, liquidity, staffing, and technology: a maximum number of MRB relationships, a cap on cannabis deposits as a share of total deposits, defined geographic and business-type scope, all approved by the board. Exceeding stated capacity is itself an examination finding.

How often should a cannabis risk assessment be updated?

At least annually and after any material change, such as entering a new state, adding plant-touching customers, significant book growth, or a regulatory development like the April 2026 rescheduling order. Each version should be dated and board-reviewed.