Have you ever wondered why banks go to such great lengths to confirm your identity? When you open an account you give the bank your social security number, your driver’s license, your address, your source of income… what’s next? You probably expect them to ask for a blood sample. Rest assured, your blood is not needed. But why do they need the rest?

Banks are required by law to acquire this information from you before they can allow you to be their customer. This is known as “Known Your Customer” regulations.

KYC: a brief definition

Know Your Customer (KYC) is a legal policy for financial institutions. Generally, these providers are companies that move or store funds. The federal government requires these companies to acquire specific customer information to prevent criminal activity. This can include identity theft, fraud, money laundering, and the financing of terrorism efforts.

The information necessary to follow this legal policy depends on the customer, transaction, and the specific financial institution. For instance, an individual will generally provide a driver’s license or a passport. A company, on the other hand, will provide its Articles of Incorporation, its business license, a trust instrument and more. Depending on the products the financial institution offers, the information varies in degree.

Why do financial institutions need to do this in the first place?

In short, to prevent criminal activity. In 1970 Congress passed the Bank Secrecy Act which, among other regulations, required banks to form and develop internal policies, procedures and controls to prevent the funding of criminal activity. Then, in 2001 Congress passed the Patriot Act, which included provisions to prevent the funding of terrorist activity. 

The laws governing KYC regulations broadly define the entities who must comply. For instance, the term “financial institution” includes trust companies, credit unions, securities brokers, mutual funds, travel agencies and more. Even the term “bank” includes commercial banks, private banks, savings and loan associations and any organization chartered under banking laws. Thus “financial institution” will include “banks” for the purposes of this article.  

The broad reach is to help the federal government prevent criminal activity. Many of the requirements, however, align with financial institutions’ best interests. KYC laws and regulations prevent financial institutions from inadvertently participating in illegal schemes. Further, in complying with these legal requirements, financial institutions can prevent online scams, fraud, and other malfeasance related risks. While compliance with KYC regulations is in a financial institution’s best interest, noncompliance has serious repercussions.

For instance, last year banks in the U.S. were fined over $11 billion for violating these federal laws. 

Though these regulations are stringent and heavily enforced, they allow banks to develop their own policies and procedures to conform to KYC policy.

What are financial institutions required to do?

KYC requirements are key to the federal government’s anti-money laundering efforts. The Bank Secrecy Act and the Patriot Act require financial institutions to form and develop internal policies to effectively prevent funds being used for criminal activity. KYC requirements under these laws have two components, a Customer Identification Program (CIP) and Customer Due Diligence (CDD).

A CIP requires financial institutions to collect, verify, and keep records on customer identification, as well as screen customers against terrorist watch lists. 

CDD requires policies and procedures to assesses the risk profile of each customer for possible money laundering or other illegal activities. 

If during a CDD procedure a financial institution detects suspicious activity, it must file a Suspicious Activity Report (SAR). For instance, a financial institution would file a SAR if a single customer made a cash payment of $10,000 or more. SARs are filed with the Financial Crimes Enforcement Network (FinCEN), an agency within the treasury department that enforces AML laws and sets requirements for banks to comply with KYC.

While this seems like extensive regulation, companies are left to provide their own methods of complying with these goals. Typical guidelines include:

  1. A customer acceptance policy for background checks and identity confirmation.
  2. A CIP tailored to the type of financial services provided.
  3. Monitoring of transactions.
  4. Risk management to ensure adherence and compliance.

Customers thus supply personal information to their financial institution to secure their transactions and allow the institution to remain compliant with regulations. 

How does this affect Cannabis Dispensaries?

Since financial institutions are required to collect information on customers and report suspicious activity to FinCEN, cannabis dispensaries are very high-maintenance and risky customers.

Cannabis dispensaries are caught in a difficult position due to the current conflict of law. Most states allow medical and recreational cannabis dispensaries. However, cannabis is still a schedule I substance under the Controlled Substances Act, meaning the production and sale of cannabis is largely prohibited. While the federal government and various state governments sort out this issue, cannabis dispensaries are caught in the middle. 

The difficult status of cannabis limits banking options for related businesses. This causes many unnecessary problems. These businesses are exposed to increased risks because they must deal with vast amounts of cash, which increases the risk of robbery and difficulty in paying other entities who don’t accept cash. Many businesses must hire armored trucks to transport funds. Further, businesses who must deal with cash are more readily exploited for criminal purposes, such as money laundering. 

Why do KYC requirements negatively impact cannabis businesses?

Just because cannabis is a controlled substance does not mean financial institutions cannot accept cannabis dispensary money. The real issues are managing logistics and risks to financial institutions. 

KYC requirements help the federal government track illegal activity and part of this scheme is the requirement of SARs. As mentioned above, SARs must be filed when financial institutions detect illegal activity. Since cannabis is a schedule I controlled substance, and federal law prohibits schedule I controlled substances from being produced and distributed, the anti-money laundering laws deem any related funds as illegal. Thus, financial institutions with cannabis clients must file SARs for every transaction they perform. 

In 2014, FinCEN tried to help by issuing guidance on this. The guidance allowed financial institutions to work with cannabis businesses, describing how banks may do business with cannabis dispensaries without triggering enforcement by FinCEN. But in order to do so, financial institutions are required to perform more due diligence, resulting in a heavy burden on those involved. 

To comply, financial institutions must conduct extensive and ongoing CDD for cannabis dispensaries, requiring more resources than normal due diligence for other customers. Financial institutions must also continuously file SARs as they continue to serve cannabis dispensaries. Further, financial institutions have extra CDD for cannabis dispensaries, like verifying the business does not sell to minors and ensuring products do not enter a state that prohibits cannabis.

Under FinCEN regulations, there are three types of SARs for cannabis dispensaries. 

  1. SARs for transactions that do not violate state law or federal policy, 
  2. SARs for transactions that might violate state law, and 
  3. SARs when terminating the relationship to avoid implicating the financial institution in federal crimes. 

This all must be judged by the bank itself, which is a further burden and risk. Red flags for SARs can be extremely difficult for banks to assess and monitor because they require a high degree of information from customers. A misjudgment by a bank could result in criminal penalties. 

Fortunately for cannabis dispensaries, the number of financial institutions serving them seems to be growing. In 2018, roughly 500 financial institutions served these businesses. In 2019, that number grew to around 700 financial institutions, and in 2020 it remained at around 700. Yet, this amount remains largely inadequate to serve the growing industry. 

Cannabis businesses cope with the limited banking options by using cryptocurrency, purchasing ATMs, using management companies, or using “closed-loop” systems. Indeed, some literally bury their money in the ground. 


Providing financial services to cannabis dispensaries is a drastically important role in the industry and can be done with proper compliance and efficient information procedures. financial institutions with cannabis dispensary customers are keeping the industry alive. Until there is a change in federal regulation of cannabis or banking, the industry will rely on these companies. 

DISCLAIMER: this article is for informational purposes only and is not legal advice. Nor should it be relied on as legal advice. Readers seeking to act upon this information are urged to seek their own legal advice.