Rescheduling marijuana: Progress, but not a green light

In May 2024, after a review by the U.S. Department of Health and Human Services, the Drug Enforcement Agency issued a proposed rule that would reclassify marijuana from a Schedule I narcotic to Schedule III under the Controlled Substances Act (CSA). This historic shift would recognize its medical use and remove its classification alongside drugs like heroin and LSD.

In August 2025, the Trump administration confirmed reviewing the rescheduling proposal, with a final decision expected soon. President Trump acknowledged conflicting perspectives, stating, “I’ve heard great things having to do with medical [use]... and bad things having to do with just about everything else.”

But even if marijuana is rescheduled, it will remain federally regulated. For financial institutions, this means the 2014 FinCEN guidance remains in effect. Rescheduling may reduce stigma, but it does not equate to legalization and doesn’t resolve the core banking challenges.

What this means for financial institutions and their clients

The conflict between state legalization and federal prohibition puts banks and credit unions in a difficult position. Many serve communities with growing marijuana-related businesses (MRBs) that need access to basic financial services. Yet without federal protection, offering those services remains risky and complex.

The compliance burden is significant for institutions choosing to bank MRBs or exposed indirectly through ancillary clients, like landlords, vendors, or service providers. Enhanced due diligence and robust ongoing monitoring remain critical components of a sound marijuana safe banking program.

Clients, meanwhile, face limited access to financial services. The result is often increased reliance on cash, which raises fraud, theft, and money laundering risks. To stay compliant and prepared, institutions must take a risk-based approach that addresses marijuana exposure through policies, staffing, and controls tailored to current and emerging threats.

How scammers target older adults

Criminals executing sextortion scams use sophisticated tactics that take advantage of the emotional, digital, and social vulnerabilities of older adults. These include:

• Preying on loneliness or grief: Scammers identify recent widows or widowers by scanning online obituaries or public posts. They initiate contact under the guise of companionship.
• Romance scams on digital platforms: Many scams begin on dating apps, social media, or text messaging. Initial messages may seem innocent or friendly, but quickly turn flirtatious.
• The "wrong number" trick: A scammer pretends to text the wrong number. If the recipient responds, the conversation escalates into a manufactured romantic interest.
• Fake profiles and video calls: Scammers use images of attractive individuals, often stolen or computer-generated, and may encourage victims to engage in private chats. Some use deepfake technology or screen recordings to fabricate compromising content.
• Phishing links and malware: Clicking on suspicious links can give scammers access to the victim's device, camera, or personal files. Older adults with limited cybersecurity protections are particularly vulnerable.

These methods exploit both emotional trust and gaps in digital literacy. Increasingly, these scams are not random acts. Many are carried out by transnational organized crime groups that share victim information and target retirement communities or individuals identified through data breaches.

Why the delay matters to financial institutions

Even though the delay offers breathing room, it is still recommended that financial institutions begin preparing. Once implemented, the rule will influence how they work with investment adviser clients and bring greater alignment in compliance expectations across the industry. While banks and credit unions are not the primary targets of the rule, it will likely impact their compliance priorities, especially in customer due diligence (CDD) and coordinated financial crime prevention, assuming an effective date is eventually set.

This pause is a chance to get ahead of the ripple effects. Institutions should be ready for:

•  Requests for closer collaboration from adviser clients
•  More consistent application of CDD standards
•  Heightened regulatory scrutiny once the rule takes effect

Acting now can help avoid last-minute disruptions, prevent operational bottlenecks, reduce compliance risk, and position banks and credit unions for smoother coordination with investment adviser clients when deadlines return.

We recommend that banks and credit unions prioritize the following actions for eventual compliance:

• Update policies and procedures: Review and revise AML/CFT policies to address the specific risks and compliance expectations tied to investment adviser relationships. Document procedures for onboarding these clients, including when to apply enhanced due diligence, how to verify beneficial ownership information, and escalation steps when unusual or suspicious activity is detected. Ensure these policies are consistent across business lines so retail and commercial teams follow the same standards.

• Evaluate technology readiness: Work with your AML software provider and core system vendor to confirm that existing platforms can handle expanded monitoring rules, higher volumes of alerts, and any additional data points associated with investment adviser accounts. Consider testing automated scenarios now to identify gaps in detection logic or reporting capabilities. Build in time for any needed upgrades, integrations, or workflow adjustments before the rule’s compliance date.

• Train compliance and frontline staff: Develop targeted training for employees on how investment adviser business models operate and the unique risks they may present. Include case studies on common red flags such as layered transactions, unexplained transfers between client accounts, or the use of complex corporate structures. Reinforce escalation and SAR filing procedures, especially as the FinCEN Investment Advisor Rule delay concludes and expectations increase.

• Refresh AML/CFT risk assessments: Update your institution’s AML/CFT risk assessment to reflect the potential impact of serving investment adviser clients. Consider how these relationships might influence customer risk ratings, monitoring thresholds, and the allocation of compliance resources. Document any changes in risk mitigation strategies so they can be communicated to regulators during examinations.

Next steps

The delay in the FinCEN Investment Advisor Rule is a limited opportunity for banks and credit unions to get ahead of future compliance demands. While the deadline has shifted, the expectation to maintain strong AML/CFT programs has not. Institutions that use this time to enhance monitoring processes, test technology, update risk assessments, and strengthen staff expertise will be well-positioned to adapt quickly when the rule takes effect. Early preparation reduces operational and regulatory risk and reinforces an institution’s role in safeguarding the U.S. financial system from illicit activity.

Understanding the scope of fraud

Financial institutions must first understand the various forms of fraud affecting their clients to deliver meaningful assistance. Some of the most prevalent methods include:

• Cybercrime attacks: Cybercrime attacks occur approximately every 11 seconds, costing organizations an average of $13 million per incident. Small businesses are especially vulnerable due to limited cybersecurity infrastructure.
• Consumer fraud: Consumer fraud takes many forms, including synthetic identity theft, spoofing, romance scams, and grandparent scams. These often target the elderly and financially inexperienced.
• Business and investment fraud schemes: Scams such as Ponzi operations, business email compromise, and wire fraud continue to result in significant losses for commercial clients.
• “Pig butchering”: A particularly alarming emerging scam is known among criminals as “pig butchering” because victims are deceived over time through emotional manipulation before being persuaded to make large financial transfers.

Each scheme can leave a trail of emotional distress and financial disruption. A thoughtful, informed approach to fraud victim support is essential to help affected individuals navigate the aftermath.

A layered approach to fraud victim support

    1. Prevention through education and technology

Preventing fraud begins with awareness. Banks and credit unions can help clients identify red flags by offering regular educational materials across digital and in-person channels. Topics include the creation of secure passwords, the identification of phishing attempts, and safe usage of peer-to-peer payment apps.

Technology also plays a pivotal role in prevention. Sophisticated fraud detection tools incorporating artificial intelligence and behavioral analytics can monitor suspicious activity in real time. Institutions can also empower their clients with biometric login, multi-factor authentication, and real-time fraud alerts.

2. Helping clients create a response plan

Helping clients prepare a response plan before fraud occurs can reduce confusion and stress if the worst happens. Encourage clients to keep a written checklist that includes how to report fraud to their financial institutions, contact information for the FTC and FBI, and steps for freezing credit with the major bureaus. The plan should also cover resetting login credentials and enabling fraud alerts. Reviewing this plan regularly gives clients confidence that they know what to do and who to call. It is a simple way to support a long-term client relationship.

3. Responding with clarity and compassion

A fast and empathetic response is critical following a fraud incident. Banks and credit unions should have clear procedures in place to support victim response plans, including measures around:

• Freezing or closing affected accounts
• Reissuing account credentials and payment cards
• Assisting with dispute processes and documentation
• Communicating directly with law enforcement when appropriate

Empowering front-line employees to handle these cases with care can help ease client anxiety and reestablish trust during a particularly vulnerable time.

4. Supporting financial recovery

While banks and credit unions often must reimburse clients for unauthorized transactions, many fraud cases involve victims being tricked into authorizing payments. In these situations, reimbursement is not always guaranteed. Still, financial institutions can support victims with the following meaningful actions:

• Assist with regulatory reporting: Help victims file official complaints with the FTC, the FBI, or Consumer Financial Protection Bureau (CFPB). These reports establish a record of the incident and contribute to broader fraud tracking efforts.
• Work with law enforcement and other financial institutions: Cooperate with authorities and peer institutions to trace stolen funds and flag suspicious accounts. Swift action can help contain damage and may lead to partial recovery.
• Provide recovery resources: Refer victims to identity theft protection services, legal aid, or nonprofit support organizations. These resources can help clients manage credit impacts and protect against future fraud.

Even when full financial recovery is impossible, these steps demonstrate a commitment to care and accountability. Institutions prioritizing fraud victim support during recovery reinforce trust and deepen client relationships.

Sustained support beyond the incident

Helping a client through the immediate fallout of fraud is the first step. Ongoing protection is key to rebuilding confidence. Financial institutions can offer continued support through:

• Identity theft monitoring
• Credit and account activity alerts
• Help with placing credit freezes
• Referrals to advocacy groups for seniors or other vulnerable individuals

Staying engaged after the crisis helps banks and credit unions show they are not just financial service providers but also long-term partners in their clients’ security and peace of mind.