Creating a Cannabis Compliance Program: Where to Start

We have previously discussed the need to redefine “compliance” in the cannabis industry. The industry needs to consider law that may apply to businesses that is not discussed or is otherwise absent from state and local cannabis regulations. Businesses ought to consider other sources of law including, but not limited to:

• Federal Trade Commission (“FTC”) Act
• Telephone Consumer Protection Act (“TCPA”)
• Health and Safety Regulations
• Privacy and Data Law
• Securities Law

After establishing a baseline understanding of the “universe” of law the industry must comply with, the question often becomes:

Where should a cannabis start in building a compliance program?

Cannabis companies should start with a risk assessment. Risk assessments are a compliance staple in many other industries and represent the first step towards creating a compliance program in the cannabis industry. A business must first establish the risk it faces to know what to address in its compliance program, after all.

A risk assessment is not a mechanical exercise wherein a cannabis business simply lists out all the risks it may face, however. Put another way, all risk is not created equal. Risk assessments should zero in on the most serious risks and their likelihood of occurring and associated punishment or other exposure. To get the ball rolling, the following five questions should be considered:

1. Who will be responsible for implementing and monitoring the compliance program?
2. Which cannabis license(s) will the business hold and what is the associated regulatory landscape?
3. Is it a private or public company?
4. How many employees?
5. Does the intended location present any unique safety and/or security issues?

After a business considers risk from a high level, it should consult state and local cannabis regulations. While regulations typically have sections devoted to individual license types, entrepreneurs should read through regulations in their entirety since there are often sections that apply to all licensees.

Businesses also should search far and wide for any disciplinary guidelines published by state or local regulators. Disciplinary guidelines are typically either included within a jurisdiction’s regulations or published as a stand-alone document. For example, the California Bureau of Cannabis Control’s disciplinary guidelines establish a three tier disciplinary structure and provide a list of compliance violations and the tier they fall into. The higher the tier, the more serious the punishment a licensee may face. Seek out the most serious compliance violations in your jurisdiction and craft your compliance program accordingly.

Compliance inspection checklists should also be requested at the state and local level in an effort to prioritize compliance concerns. State and local inspectors will often be provided with a checklist that outlines what an inspector should be on the lookout for when inspecting a licensee’s operations. While they are not always available, inspection checklists can be invaluable in assessing risk.

Risk assessments are skipped all too often by companies attempting to craft cannabis compliance programs. Do not be one of them. Think of risk assessments in the same way a writer thinks about organizing and outlining key points and issues before they start writing a book or article. Most of us (author included) have personally experienced the positive impact that this approach can have: think about the difference in work product when comparing a research paper written the night before it was due vs. a paper that was thought through and outlined before pen was put to paper. Similarly, taking time to assess risk before putting a compliance together will result in businesses receiving a better “grade” from state and local compliance inspectors in the long term. 

© RYAN T. KOCOT, ESQ. 2020

DISCLAIMER: THIS INFORMATION IS STRICTLY EDUCATIONAL AND DOES NOT CONSTITUTE LEGAL ADVICE.