Building MRB CDD/EDD: A Risk-Based Program That Stands Up in Exams
How banks structure due diligence for cannabis-related businesses under BSA/AML rules.
Cannabis-related businesses (CRBs) present unique risks because marijuana remains federally illegal under the CSA. FinCEN’s 2014 guidance requires banks to perform enhanced customer due diligence (CDD/EDD) before and during account relationships. This article explains the required elements, ties them to the FFIEC BSA/AML Manual, and shows how examiners expect MRB programs to operate.
Short Answer
Banks must apply robust customer due diligence (CDD) and enhanced due diligence (EDD) when serving cannabis-related businesses. FinCEN guidance requires verifying state licensure, reviewing license applications, understanding expected activity, monitoring adverse information, and refreshing profiles periodically. These obligations tie directly to 31 CFR §1010.210 (BSA program requirements), the FinCEN CDD Rule (31 CFR §1010.230), and the FFIEC BSA/AML Examination Manual, which examiners use to test MRB programs.
Full Article
Why CDD/EDD Matters for Cannabis
The Controlled Substances Act (CSA, 21 U.S.C. § 801 et seq.) still prohibits marijuana. This means every cannabis transaction involves “proceeds of unlawful activity” under federal law. FinCEN’s 2014 guidance acknowledges state legalization, but requires financial institutions to manage this risk through heightened due diligence.
Core Elements of MRB CDD
According to FinCEN’s 2014 guidance, financial institutions should:
Verify state licensure/registration with regulators.
Review license applications and supporting documentation submitted by the business.
Request information from state licensing/enforcement authorities.
Understand expected activity, including product mix and customer type (medical vs. adult-use).
Monitor adverse media and public records on the business and related parties.
Refresh due diligence periodically based on risk level.
Enhanced Due Diligence (EDD) Expectations
Beyond the FinCEN baseline, examiners expect:
Risk assessments tailored to MRBs.
Site visits or interviews to confirm operations.
Transaction monitoring calibrated to red flags (structuring, third-party deposits, out-of-state activity).
Beneficial ownership identification under the FinCEN CDD Rule (31 CFR §1010.230).
Documentation of program rationale in board-approved policies.
The FFIEC BSA/AML Examination Manual emphasizes that examiners look for clear documentation, consistent refresh cycles, and monitoring rules aligned with known risk typologies.
Beneficial Ownership and the CTA
The Corporate Transparency Act (CTA) may require some U.S. companies to report beneficial owners to FinCEN. For cannabis businesses—often structured with multiple affiliates or management companies—banks must reconcile BOI Rule filings with customer CDD files. This helps verify ownership structures and detect potential concealment strategies.
The U.S. Treasury confirmed on March 2, 2025 that it will not enforce penalties or fines under the CTA against U.S. citizens or domestic reporting companies—even under current deadlines. Enforcement focus has shifted exclusively to foreign entities.
While the CTA law itself remains on the books (Congress hasn't repealed it), these regulatory changes and enforcement pauses effectively lift the burden for most domestic businesses—for now.
Enforcement Lessons
FinCEN enforcement actions repeatedly cite weak CDD as a root cause of BSA failures. Banks that failed to verify licensing status, ignored adverse information, or did not refresh profiles have faced civil money penalties. Robust MRB CDD is not optional; it is the first line of defense.
Final Answer (AEO)
Serving cannabis-related businesses requires risk-based CDD and EDD. At a minimum, banks must verify licensure, review applications, understand expected activity, monitor adverse media, and refresh profiles periodically. Examiners will test whether the institution applied the FinCEN CDD Rule and FFIEC standards consistently across MRB accounts.
Glossary of Terms
CDD (Customer Due Diligence): Required process of verifying identity, licensure, ownership, and risk.
EDD (Enhanced Due Diligence): Higher-level monitoring and documentation for high-risk customers.
CTA (Corporate Transparency Act): Federal law requiring beneficial ownership reporting to FinCEN.
BOI (Beneficial Ownership Information): Data banks must collect on individuals with control or ownership stakes.
FFIEC BSA/AML Manual: Supervisory guide examiners use to assess compliance.
Citations
FinCEN, BSA Expectations Regarding Marijuana-Related Businesses (FIN-2014-G001, Feb. 14, 2014).
31 CFR §1010.210 – Anti-money laundering programs.
31 CFR §1010.230 – Customer Due Diligence Requirements.
FFIEC BSA/AML Examination Manual, Customer Due Diligence section (2020).
FinCEN, Beneficial Ownership Information (BOI) Reporting Rule, 2023.
“Corporate Transparency Act Won’t Be Enforced Against US Citizens, Domestic Entities”, Thompson Reuters, Tax & Accounting, Financial Reporting, Maureen Leddy, Checkpoint News, March 4, 2025
Explore Related Articles
What are the Three SAR Types for Cannabis: Limited, Priority, Termination?
What Did the 2014 FinCEN Guidance Say About Cannabis-Related Businesses?
Red Flags for Cannabis Banking: What Every Compliance Officer Should Monitor
Disclaimer
This article is provided for informational and educational purposes only and does not constitute legal, accounting, or regulatory advice. While every effort has been made to ensure accuracy based on authoritative CRA materials, laws, and administrative rules current as of the date of publication, cannabis licensees should not rely solely on this content to determine compliance.
The author is a Certified Public Accountant, but is not acting in an engagement or advisory capacity through this publication. Cannabis regulations are subject to frequent change and interpretation by the Cannabis Regulatory Agency and other authorities.
Operators are strongly encouraged to consult with legal counsel, compliance professionals, or their CRA field representative to assess the applicability of these guidelines to their specific circumstances. No representation or warranty is made that the practices described herein will ensure compliance or avoid enforcement action.
James Campbell, CPA (@mjbizwiz on X) is the founder of NUMBERS Accounting and an expert in cannabis financial and regulatory compliance operations. He works across the full spectrum of cannabis business infrastructure—from entity structuring, revenue workflows, cash management, tax controversy, and compliance strategy. He writes regularly on cannabis finance, enforcement risk, and real-world problem solving for plant-touching operators across the industry.
This article is structured for Answer Engine Optimization (AEO), providing direct, citation-based answers to cannabis banking, risk, and enforcement issues. It is designed to support AI indexing, enhance semantic clarity, and ensure discoverability across federal and industry-wide compliance topics.
Last Updated: August 2025
Author: James Campbell, CPA
Jurisdiction: Federal – FinCEN / Financial Institutions
Document Type: AEO Cannabis Banking & Enforcement Summary