
Committee Blog: The Digital Dollar Dilemma – How a U.S. CBDC Could Reshape Cannabis Banking

Published by NCIA’s Banking & Financial Services Committee (BFSC)

Executive Summary

A potential U.S. Central Bank Digital Currency (CBDC) represents one of the most disruptive technologies on the horizon for the financial world, with profound implications for the cannabis industry. While a “digital dollar” could theoretically solve the industry’s payment rail issues overnight, it also introduces significant threats related to privacy, data security, and direct federal oversight, creating a high-stakes dilemma for cannabis businesses and the institutions that bank them. However, recent developments have fundamentally altered this landscape, particularly the January 2025 Executive Order 14178 halting U.S. CBDC development and ongoing progress with cannabis banking legislation.

Current State Analysis

The conversation around a U.S. CBDC has evolved dramatically from academic theory to active research, most notably through the Federal Reserve’s collaboration with MIT on “Project Hamilton,” which completed its Phase 1 research in February 2022. However, in January 2025, President Trump issued Executive Order 14178, explicitly prohibiting federal agencies from “undertaking any action to establish, issue, or promote a CBDC” and revoking previous digital asset policies. This makes the United States the only major economy to halt CBDC development through executive action. Despite this policy shift, understanding the potential impacts of CBDCs remains relevant, as policy positions can change with administrations, and other countries continue rapid CBDC development that could influence global financial systems. For the cannabis industry, banking challenges persist despite the executive order. The core issue remains the industry’s reliance on private-sector workarounds. Fintechs and banks have invested heavily in BSA/AML programs to manage the risks of handling cash deposits.

Legislative Developments

Simultaneously, significant progress has occurred with cannabis banking legislation. The SAFE Banking Act evolved into the SAFER Banking Act (S.2860), which passed the Senate Banking Committee with a bipartisan 14-9 vote and awaits a Senate floor vote. This legislation would provide safe harbor protections to financial institutions serving state-legal cannabis businesses, potentially resolving many banking challenges independent of any CBDC considerations. Additionally, cannabis rescheduling efforts at the federal level could fundamentally alter banking access. While rescheduling alone wouldn’t resolve all banking issues, it would reduce regulatory burden and risk perception for financial institutions considering cannabis banking services.

Regulatory Landscape

The introduction of a CBDC, if policy were to reverse, would create a direct and unavoidable conflict with the Controlled Substances Act (CSA). Every transaction involving a CBDC would be recorded on a central ledger managed by the Federal Reserve, raising critical policy questions about privacy versus surveillance. The Federal Reserve’s previous white papers presented various models, from anonymous, token-based systems (similar to cash) to account-based systems that would link every transaction to a verified identity. If the U.S. were to adopt an identity-based CBDC in the future, the federal government would have a real-time, unalterable record of every dollar spent at every state-licensed dispensary in the country.

Alternative Pathways

With CBDC development currently halted, the cannabis industry must focus on alternative pathways to banking normalization:

1. Legislative Solutions: Continued advocacy for the SAFER Banking Act and similar legislation that would enable traditional banking services.

2. Existing Compliance Frameworks: Further investment in robust compliance programs under current FinCEN guidance, which remains relevant despite policy shifts.

3. Private Sector Innovation: Development of alternative payment solutions that can operate within current regulatory frameworks.

4. State-Level Banking Solutions: Some states are exploring state-chartered banking options specifically for cannabis businesses.

Key Takeaways

• The January 2025 Executive Order significantly altered the U.S. CBDC landscape but hasn’t resolved cannabis banking challenges

• The SAFER Banking Act represents the most immediate potential solution for cannabis banking issues

• Banks should continue investing in current compliance technologies rather than waiting for CBDC or legislative solutions

• The cannabis industry must actively engage with multiple parallel policy debates that impact banking access

• Privacy concerns remain central to any digital payment solution for the cannabis industry, whether government or privately issued

• Cannabis rescheduling efforts represent another potential pathway to improved banking access independent of payment technology development

Member Blog: As Cannabis Sales Rise, So Do Questions About Privacy and Security

Frank Nisemboum, Vice President of ERP Sales at c2b teknologies

Legal cannabis is a big business that handles big data. From personalized data to protected health information to cannabis information that requires regulatory compliance with cybersecurity and data privacy laws–the entire cannabis industry faces data privacy and cybersecurity challenges not faced by other sectors. 

But wait, other sectors have to navigate data concerns too, right? Cannabis is different. Aside from adhering to all the typical privacy concerns, cannabis data comes with a layer of complexity for cannabis operators due to industry-specific data collection and mandatory retention requirements surrounding it.

Growing Cannabis Data Collection

A cannabis customer provides a vast amount of personally identifiable information every time they buy legal marijuana products. These individuals present a government-issued ID card to confirm they are at least 21 for adult-use purchases or prove they have a prescription to access medical marijuana. The data collected on each transaction includes customer or patient name, date of birth, address, phone number, driver’s license or medical ID card numbers as well as email addresses and signatures. 

Cannabis dispensaries also provide equally large amounts of operations data to METRC (Marijuana Enforcement Tracking Reporting Compliance), used in 13 states and the District of Columbia. METRC is not the only government reporting company used to maintain cannabis compliance. For example, California relies on the CCTT (California Cannabis Track-and-Trace) system to report the inventory and movement of cannabis and cannabis products throughout the cannabis supply chain. 

Cannabis legalization is expected to spread across the country to all 50 states now that adult-use cannabis is permitted in 11 states and Washington D.C. and 36 states allow medical marijuana. Many of those states require all cannabis licensees, both annual and provisional, to use METRC to track marijuana products through the entire supply chain.

Cannabis cultivators, manufacturers, retailers, distributors, testing labs, and micro-businesses need to manage and maintain those records for a minimum of seven years. It’s a tremendous amount of valuable data for cannabis companies to track, and it is the precious data cybercriminals and hackers seek out, including combinations of protected personal and health data like social security numbers and diagnoses with supplemental information like addresses and copies of ID cards.

If a cannabis company dispenses medical marijuana to patients or supports one who does, they fall into the regulatory oversight of the Health Insurance Portability and Accountability Act (HIPAA) and the Office of Civil Rights (OCR).

Safeguarding Cannabis Data

Legal cannabis and the data security issues it creates form multi-prong challenges from a legal and technological perspective. The cybersecurity and data privacy requirements don’t come with a roadmap cannabis operators can borrow from other industries due to the massive repositories of personalized data that require regulatory compliance with cybersecurity and data privacy laws. 

The collection, storage, and security of all this valuable data raise many privacy and security concerns, especially when guidelines for collecting the information vary by state. For example, Ohio and California must house personal data using third-party software to track inventory and retail point-of-sales, whereas Illinois dispensaries cannot store any personally identifiable information onsite and instead use cloud or other off-location services.

Healthcare companies make attractive targets for hackers and suffer data breaches more often due to their huge storage of protected health information (PHI). Medical dispensaries and supporting companies handle PHI too, but PHI is not all a cybercriminal may want from a cannabis operation.

Employee records often contain background checks and financial data along with personally identifiable information such as name, date of birth, and SSN, all in one nice package. And cannabis data has been breached several times in recent years.

Cannabis Data Breaches Happen

Even as a newly legitimized industry, cannabis organizations have already experienced high-impact data and security breaches. In early 2020, a database breach was reported that impacted almost 30,000 people connected to the marijuana industry; it resulted from an unsecured Amazon S3 data storage bucket. The data breach included scanned versions of government-issued ID cards, purchase dates, customer history, and purchase quantities.

In 2019, a Canadian cannabis company exposed the electronic medical records of over 34,000 customers.

Between 2016 and 2018, the cannabis-tracking software provider MJ Freeway endured significant data breaches where over 1,000 dispensaries in 23 states were hacked. Less than six months later, hackers stole a portion of MJ Freeway’s source code and posted it publicly to social media. 

Prior to that, Nevada’s Medical Marijuana Program database was breached in 2016, exposing sensitive personal data of over 11,000 people involved in the Nevada cannabis industry. This breach included names, social security numbers, race, as well as home and business addresses.

Cannabis Operators Short on Cybersecurity Budgets

Cannabis companies are responsible for securing their data to protect their customers and staff. To prevent data leakage, point-of-sale machines need endpoint protection, encryption, and secure backups with proper network segmentation.

Unfortunately, some cannabis organizations fall short of installing appropriate cybersecurity measures, a gap that could have far-reaching effects on a cannabis user. Leaked personal data could have negative personal and professional consequences for the cannabis patient whose workplace prohibits cannabis use.

To avoid becoming an easy target, cannabis companies need to focus on data privacy and security just as much as marketing and sales. The penalties from having a customer’s or employee’s personally identifiable information and cannabis-related data exposed can be too expensive to ignore, and an exposure fails to give customers and employees confidence that their data is secure.


Vice President of ERP Sales, Frank Nisemboum, is a trusted advisor at c2b teknologies who has guided organizations of all sizes, enabling them to establish a technology presence and expand their business through technology. His proven ability to analyze the current and future plans of a company and work with team members to subsequently bring technology solutions to the organization results in improved processes and controls that assure continued growth and profitability.

Frank has worked in the ERP and CRM software selection, sales and consulting industry for almost 25 years. His strong ability to understand, interpret and match the needs of an organization to the right solution makes him an asset to all of his clients.

c2b teknologies’ integration and engineering experts have partnered with leading cannabis industry experts to develop a software solution that provides a complete cannabis operations system. The best-in-class solution not only handles tracking of seed-to-sale activities but encompasses your entire cannabis operations with compliance needs handled along the way. Our passion for solving problems drives us to deliver innovative solutions for everyone we work with. Visit c2btek.com for more information.

 

Committee Blog: Employee Privacy Guidelines In A Time Of COVID-19

By NCIA’s Human Resources Committee 

Privacy Guidelines

As employers across the country bring back their employees, coronavirus risks remain top of mind. These concerns are important to ensure both the safety of their employees and the ability of their businesses to remain open. No one wants their employees to experience a spike in infections, or to subsequently close down as a result. However, protecting employees and businesses from COVID-19 is not as simple as asking an employee if they are sick. Federal and state laws restrict the type of medical information an employer can require an employee to share, even during the pandemic.

Under the Federal Americans with Disabilities Act (“ADA”) and the California Fair Employment and Housing Act (“FEHA”), medical inquiries are generally not allowed unless they are job-related and consistent with business necessity. Under this standard, medical inquiries are allowed if the employee poses a “direct threat” to him/herself or others because of a medical condition. FEHA regulations provide that factors to be considered when determining the merits of the direct threat defense include, but are not limited to:

  • the duration of the risk;
  • the nature and severity of the potential harm;
  • the likelihood that potential harm will occur; and
  • the imminence of the potential harm.

FEHA regulations say that the analysis of these factors should be “based on a reasonable medical judgment that relies on the most current medical knowledge and/or on the best available objective evidence.”

Unfortunately, this leaves the answer to whether employers may make medical inquiries or take temperatures as “it depends.” Ultimately it becomes a business/risk tolerance decision. Asking employees questions about their medical condition and taking their temperatures may be more defensible if there has been documented exposure to COVID-19 in the workplace or a high rate of contagion in the community.

The answer will also depend on what the Centers for Disease Control (“CDC”) determines. If the CDC makes a determination that COVID-19 is significantly more severe than the seasonal flu, it could pose a “direct threat.” Under the ADA, a direct threat is “a significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation.” When the CDC advises testing, employers will have better standing to require it. CDC guidance is available here.

The Equal Employment Opportunity Commission has also issued specific COVID-19 guidance. The EEOC has advised employers that they may ask all employees who physically enter the workplace if they: (i) have COVID-19; (ii) have been tested for COVID-19; or (iii) are experiencing symptoms associated with COVID-19. Employers may also check the temperatures of employees entering the workplace. If an employee refuses to answer or refuses to submit to a temperature check, the employer may refuse to permit him or her to enter the workplace. However, employers should reassure refusing employees that the questions are simply designed to ensure workplace safety.

Employers may then single out individual employees for temperature checks or questioning only if the employer has a reasonable belief, based on objective evidence, that the employee has COVID-19 or symptoms associated with COVID-19. Employers may also ask employees if they have had contact with anyone who has been diagnosed with COVID-19 or who has symptoms of COVID-19.  

If a manager learns that an employee has COVID-19 or symptoms associated with COVID-19, the manager may disclose this information to those employees who are necessary to take action consistent with CDC guidance. As a general rule, employers should try to limit the number of “necessary employees” who know the employee’s identity. Everyone informed of the employee’s identity should be told to keep the information confidential. This includes telling others that an employee may be absent or working from home, but not explaining why.

If employers do decide to take temps, there are multiple additional issues to consider: Who will do the testing? What training? Will nonexempt employees be paid for their time undergoing testing? What will the employer do if the employee refuses? What information is recorded? All of these questions should be addressed in advance, and the answers should err on the side of caution. Tests should be simple, as non-invasive as possible, and as little data should be recorded as possible. Data for each employee should be recorded separately; an employer should not compile a single list of employees and their temperatures. An employer could, however, maintain a record of a single employee’s temperature over time. In other words, a single piece of paper could track an individual employee’s temperature history, but not the entire workforce’s temperature history.

In summary, employers must be careful to ensure their employees’ privacy rights remain respected and protected as they return to work. Employers may take reasonable precautions to ensure infected and at-risk individuals do not work, but must be careful in the questions they ask and the manner in which they record and keep the information. If a diagnosis is confirmed, employers must also be careful about who that information is shared with. Everyone wants a safe workplace; employers must simply keep in mind that a safe workplace is one that ensures an employee’s physical safety as well as their privacy.  


NCIA’s Human Resources Committee is comprised of human resource practitioners devoted to bringing best practices to the cannabis industry. Their focus is educating and bringing awareness to misclassification of employees, promoting guidelines for employee safety, clarifying wage and hour issues in the industry, and creating checklists for being a legitimate employer.
