The cannabis industry, like any other industry, is susceptible to fraud.
With the continued restrictions surrounding banking and the cannabis industry, most financial activities occur outside of the banking system. As a result, the cannabis industry still primarily operates on a cash-only system, which significantly elevates the risk due to the potential for fraud. Additionally, the products being sold and the accessibility to large volumes of cash help foster an environment ripe with opportunity for “bad actors,” such as a rogue employee.
Internal fraud risks:
Cash fraud
- Larceny – theft of cash already recorded on the books (e.g., taking cash from the register or reversing a cash transaction to attempt to hide the theft)
- Skimming – theft of cash not yet recorded on the books
Financial fraud
- Financial statement fraud – inflated revenues and unreported expenses
- Labor/payroll – undocumented workers, off-the-books labor
- Tax fraud – underreporting of revenue, 280E issues, etc.
Fraud can exist across many spectrums and is not limited to internal fraud:
Investment fraud
Fraudsters may try to use media overage about the legalization of marijuana to promote an investment scam. Look out for these signs of fraud:
- Unlicensed, unregistered sellers
- Guaranteed returns
- Unsolicited offers
Licensing fraud
Any potential investor, consultant or adviser who claims to have the ability to guarantee a license. This type of fraud also creates a significant criminal exposure related to commercial bribery and public corruption (e.g., the ability to fraudulently obtain licenses and permits.)
Cybersecurity risk
The cannabis industry is an increasingly vulnerable target for cyberattacks (data breaches, business email compromises, ransomware, etc.). Many companies within the industry may not have a mature information technology department or a strong information technology control environment.
Further, the perception exists that cannabis businesses are flush with cash and can easily afford to pay to retrieve their data. Additionally, they house personally identifiable information (PII) including photo IDs, addresses and protected health information.
Laboratory testing fraud
Laboratories across the country have been suspended or fined for manipulating potency results, having deficient procedures for detecting contaminants like mold, or faking those contaminant tests altogether.
Establishing an effective internal control environment can not only help deter fraud but can also mitigate criminal exposure. When compliance failures occur, the Department of Justice (DOJ) examines several factors when determining whether to pursue prosecution against an organization, and almost all of the factors surround the adequacy and effectiveness or the organization's compliance program and whether management enforced the program.
To expand on the former, the Justice Manual instructs prosecutors to consider whether a program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” The DOJ will consider whether the company has analyzed and addressed the varying risks presented (the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients, charitable and political donations, etc.). A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, the federal government will examine whether the company has engaged in meaningful efforts to review its compliance program and ensure that it does not become stale.
Compliance and strong internal controls for the cannabis industry are increasingly important due to the nature of its business, operating environment and the more complex regulatory environment, among other factors. If you have questions about preventing fraud, or to help learn how Baker Tilly Value Architects™ can help, contact our team.