Restricted Business Due Diligence: Questions to Ask Before You Approve Cannabis, Weapons, Adult, Gambling, or Crypto Customers
A practitioner's due diligence checklist for fintechs evaluating five high-risk business categories — the questions that determine whether a restricted customer is manageable or a liability.
Your AUP has a prohibited list and a restricted list. The list isn’t where the compliance risk lives.
The risk is in what happens after a restricted customer submits their application. What do you actually ask? What do you verify — and how? What makes a licensed cannabis dispensary approvable when a look-alike operation in the next state isn’t?
Most compliance teams avoid this question until they’re staring at a specific application with a deal on the line. By then, the pressure is on and the analysis is rushed.
Here’s a practical due diligence framework for the five categories that generate the most exceptions, escalations, and sponsor bank calls: cannabis, weapons/FFL dealers, adult content, gambling, and crypto.
TL;DR
- Restricted businesses require documented CDD before approval — a policy line saying “restricted, approval required” is not a compliance program
- For cannabis: FinCEN FIN-2014-G001 requires ongoing SAR filing even for fully licensed, state-compliant operators — this is mandatory, not discretionary
- For weapons/FFL: the Federal Firearms License is just the baseline; PayPal, Square, and Stripe decline entirely — confirm sponsor bank appetite before you approve anything
- For gambling, adult, and crypto: the key question is whether the platform facilitates the restricted activity directly — if yes, you carry the compliance obligations for that facilitation
- Every restricted approval needs a documented exception memo, not just an onboarding checkbox
The Framework Question: What Transactions Touch Your Platform?
Before diving into category-specific questions, one analytical lens applies across all five categories:
Does the platform facilitate the restricted activity directly, or is the restricted activity incidental to the customer’s business?
A licensed cannabis retailer accepting payments for legal cannabis sales means your platform is facilitating cannabis transactions — and you carry the FinCEN SAR obligations that come with that.
An investor who holds equity in cannabis companies and needs a corporate account to manage dividends isn’t necessarily asking your platform to facilitate cannabis transactions. The fund flow matters, not just the customer’s industry.
This distinction drives the due diligence questions. The same customer could be approvable or prohibited depending on what they’re asking your platform to do.
Cannabis: Required Due Diligence Under FinCEN FIN-2014-G001
Cannabis remains Schedule I federally, which means serving cannabis-related businesses creates federal compliance exposure regardless of state licensing. FinCEN’s guidance FIN-2014-G001, issued in February 2014 and still operative, requires financial institutions — including fintechs operating as MSBs or through bank partners — to conduct specific CDD and file SARs on an ongoing basis.
The 2014 guidance created three SAR types: Marijuana Limited (licensed, state-compliant, no suspicious activity), Marijuana Priority (potential violation of Cole Memo enforcement priorities), and Marijuana Termination (ending the relationship due to suspicious activity). Filing Marijuana Limited SARs is mandatory every reporting period even when the customer appears fully compliant.
Cannabis CDD Questions
| Question | Why It Matters |
|---|---|
| Is the business licensed by the applicable state authority? Provide license number and confirm with the state | FinCEN requires license verification before service begins — and ongoing monitoring for license validity |
| What license type? (cultivator, processor, dispensary, delivery, testing) | Each type has a different risk profile and fund flow — a testing lab has different transactions than a dispensary |
| What % of revenue is marijuana vs. hemp/CBD vs. ancillary products? | Hemp has different SAR obligations post-2018 Farm Bill; co-mingled revenue complicates ongoing compliance |
| Who are the beneficial owners (>25%), and are they licensed where required? | Unlicensed ownership within a licensed entity is a Marijuana Priority SAR trigger |
| Does the business operate delivery or multi-state distribution? | Interstate commerce can implicate federal trafficking risk even for state-licensed operators |
| What is the expected transaction size range and monthly volume? | Establishes the monitoring baseline; spikes above normal are SAR triggers |
Before approving any cannabis business, confirm your sponsor bank supports cannabis customers. Many do not. Approving cannabis customers without sponsor bank authorization creates both an AML finding and a debanking risk.
Weapons/FFL Dealers: The Federal License Is Baseline
Firearms dealers are classified as high-risk by most processors due to regulatory complexity, chargeback exposure, and policy exclusions from mainstream processors. As FFL payment processing guidance for 2026 confirms, PayPal, Square, and Stripe decline firearms transactions entirely — most FFL dealers need specialized processors or sponsor banks with explicit firearms programs.
Weapons/FFL CDD Questions
| Question | Why It Matters |
|---|---|
| Does the dealer hold a current FFL? Provide FFL number, type, and expiration date | ATF requirement; service without FFL verification creates direct legal exposure |
| What FFL type? (Type 01 dealer, Type 07 manufacturer, Type 03 C&R collector) | Different types authorize different transactions — a C&R collector can’t operate as a retail dealer |
| What MCC is being applied? | Correct coding (MCC 5999 or 5941) is required; miscoding violates card network rules |
| What % of sales are online vs. in-person? | Online gun sales require transfer through a local FFL at delivery — adds fulfillment compliance complexity |
| Does the dealer conduct NICS background checks for all firearm transfers? | Brady Act requirement — dealers bypassing NICS create criminal exposure that can implicate payment facilitators |
| Are any products National Firearms Act items? (suppressors, short-barrel rifles, full-auto) | NFA items require federal registration and tax stamp; signals a higher-complexity compliance environment |
Adult Content: Facilitation Risk and Performer Age Verification
Adult content businesses range from licensed subscription platforms to individual creators. The compliance risk centers on two questions: is the content legal in the relevant jurisdictions, and does the platform have verifiable age verification for participants — not just viewers?
FOSTA-SESTA (2018) created federal liability for platforms that knowingly facilitate sex trafficking. While it targets illegal activity, not legal adult content, it significantly raised the compliance stakes for fintechs processing payments in this space: inadequate controls create platform liability exposure, not just policy violations.
Adult Content CDD Questions
| Question | Why It Matters |
|---|---|
| What type of adult business? (subscription platform, individual creator, live streaming, production) | Each has a different regulatory exposure and fund flow |
| What is the age verification process for content creators and performers? | Performer age verification is a legal requirement, not a preference; absence signals serious compliance failure |
| What jurisdiction(s) is the business licensed or registered in? | Some jurisdictions require specific licensing for adult content businesses |
| What is the historical chargeback rate? | Adult content has elevated chargeback exposure; card network thresholds apply regardless of content legality |
| Has the business been terminated by a previous payment processor, and for what reason? | Prior termination for fraud differs materially from termination due to processor policy |
| What content moderation controls exist for prohibited material? | Platform liability exposure depends on how effectively illegal content is detected and removed |
Mastercard’s BRAM program and Visa merchant compliance requirements mandate specific controls for adult content. Confirm your sponsor bank has an active adult content merchant program before proceeding to any approval.
Gambling: UIGEA Compliance and State Licensing
The Unlawful Internet Gambling Enforcement Act (UIGEA) prohibits processing payments for unlawful internet gambling. The key word is “unlawful” — which requires state-by-state analysis. As of 2026, online sports betting is legal in roughly 30 states, online casino gaming in approximately 7 states, and online poker in fewer still. The Nevada Gaming Control Board issued updated guidance in January 2026 for licensees operating across multiple jurisdictions, reflecting continued regulatory evolution.
Gambling CDD Questions
| Question | Why It Matters |
|---|---|
| Is the operator licensed in each jurisdiction where it accepts real-money wagers? | Unlicensed operation triggers UIGEA — serving an unlicensed operator creates direct federal exposure |
| Is the product real-money wagering or social gaming with no cash prize? | Social games are generally not covered by UIGEA; real-money games require jurisdiction-by-jurisdiction analysis |
| What % of players are US-based, and which states? | Players in states where online gambling is illegal create exposure even for a licensed operator |
| What payment methods fund player accounts? Credit card, ACH, crypto? | Credit card funding of gambling raises additional network compliance questions — some card networks restrict gambling MCCs for credit products |
| Does the operator have a responsible gambling program with self-exclusion capability? | State licensing typically requires this; absence signals broader compliance immaturity |
| What AML program and SAR filing history does the operator have? | High-volume, high-velocity gambling transactions require robust AML controls |
Crypto: MSB Registration, AML Programs, and GENIUS Act Status
The GENIUS Act’s enactment in 2025 established a federal framework for payment stablecoin issuers. Most other crypto entities continue under existing BSA/MSB requirements. Regardless of entity type, crypto business customers require substantial due diligence — and the history of debanking in this sector means stable banking relationships are both a compliance signal and a commercial concern.
Crypto Business CDD Questions
| Question | Why It Matters |
|---|---|
| Is the entity registered with FinCEN as an MSB? Provide registration number | Most crypto exchanges and money transmitters must register; unregistered operation is an immediate red flag |
| What state money transmitter licenses (MTLs) does it hold? | Crypto money transmission across state lines requires MTLs; operating without required licenses creates regulatory exposure |
| Who is the BSA Officer, and is there a documented AML program? | FinCEN requires crypto MSBs to maintain AML programs with designated compliance personnel |
| What OFAC screening procedures does the entity use, and at what frequency? | Inadequate screening has generated enforcement actions in 2024–2025 |
| What jurisdictions are its customers in? Any FATF high-risk or EU blacklisted countries? | Geographic concentration in high-risk jurisdictions significantly amplifies AML/BSA exposure |
| How many banking relationships has the entity held in the past 3 years, and why did any terminate? | Repeated debanking signals sponsor bank risk appetite conflicts worth understanding before approval |
| Is the entity a covered stablecoin issuer under the GENIUS Act? If so, what are its reserve composition and audit frequency? | Post-GENIUS Act obligations affect risk profile and ongoing monitoring requirements |
Red Flags That Elevate a Restricted Business to Prohibited
Certain indicators override the category analysis and should trigger a prohibited determination regardless of business type:
Can’t verify licensure. If the customer claims to be licensed but can’t produce documentation, or the license can’t be confirmed through the relevant state or federal authority, stop.
Fund flow inconsistent with the stated business model. A cannabis retailer receiving large offshore wire transfers, or a firearms dealer with transaction volumes that dwarf comparable retail operations, warrants explanation.
Sponsor bank exclusion. If your sponsor bank doesn’t support the category, your approval is meaningless — and potentially a program violation that triggers sponsor bank RFIs. The bank partner AUP alignment guide covers how to map internal AUP categories to bank partner rules before approvals happen.
Prior processor termination for AML, fraud, or compliance reasons. Require a written explanation, verify it where possible, and document your independent assessment.
Activity beyond the original approved use case. A customer approved for firearms accessories who later processes high-capacity magazine subscriptions has materially shifted their risk profile — ongoing AUP monitoring exists to catch this.
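The red flags above only work if the answers collected at approval are turned into monitoring triggers rather than left in a memo. The following is an added example, not code from the post or from RiskTemplates: it records the CDD baseline (declared transaction ceiling, monthly volume, approved products, domestic-only fund flow) and then flags the three post-approval red flags described in this post: a spike above the declared baseline, a fund flow inconsistent with the stated model (an offshore wire into a retailer), and activity outside the approved use case. The customer, transactions, product labels and the 3x / 1.5x thresholds are all constructed assumptions for illustration.

```python
"""Turn restricted-customer CDD answers into monitoring triggers.

Added example. The baseline, transactions and thresholds below are constructed
for illustration; the checks correspond to the red flags in the post
(unverifiable licensure, missing sponsor bank clearance, spikes above the
declared baseline, inconsistent fund flow, activity beyond the approved use case).
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class CddBaseline:
    """What the exception memo recorded at approval (constructed fields)."""
    customer_id: str
    category: str
    license_verified: bool          # confirmed with the issuing authority
    sponsor_bank_cleared: bool      # sponsor bank pre-clearance status
    approved_products: frozenset    # activity the approval actually covered
    max_txn_amount: float           # declared expected transaction ceiling
    expected_monthly_volume: float  # declared monthly volume
    domestic_only: bool             # stated fund-flow model


@dataclass(frozen=True)
class Txn:
    txn_id: str
    posted: date
    amount: float
    channel: str               # "card", "ach" or "wire"
    counterparty_country: str  # ISO country code of the other side
    product: str               # label assigned by the onboarding use case


def approval_blockers(baseline):
    """Hard stops that override the category analysis before any approval."""
    blockers = []
    if not baseline.license_verified:
        blockers.append("licensure not verified with issuing authority")
    if not baseline.sponsor_bank_cleared:
        blockers.append("sponsor bank has not pre-cleared this category")
    return blockers


def monitoring_alerts(baseline, txns, spike_multiple=3.0, volume_tolerance=1.5):
    """Return (alert_type, reference) pairs for activity outside the CDD baseline.

    spike_multiple and volume_tolerance are assumed tuning values, not figures
    from the post; a real program would set them per category in the memo.
    """
    alerts = []
    monthly = defaultdict(float)
    for t in txns:
        monthly[(t.posted.year, t.posted.month)] += t.amount
        # Spike well above the transaction size the customer declared.
        if t.amount > baseline.max_txn_amount * spike_multiple:
            alerts.append(("SPIKE", t.txn_id))
        # Offshore wire into a business that described a domestic retail model.
        if baseline.domestic_only and t.channel == "wire" and t.counterparty_country != "US":
            alerts.append(("FUND_FLOW", t.txn_id))
        # Activity the exception memo never approved.
        if t.product not in baseline.approved_products:
            alerts.append(("USE_CASE", t.txn_id))
    # Monthly volume materially above what was declared at onboarding.
    for (year, month), total in sorted(monthly.items()):
        if total > baseline.expected_monthly_volume * volume_tolerance:
            alerts.append(("VOLUME", f"{year}-{month:02d}"))
    return alerts


# Constructed sample: a state-licensed cannabis retailer approved for in-store
# retail only, domestic card/ACH settlement, small-ticket transactions.
BASELINE = CddBaseline(
    customer_id="cust-001", category="cannabis", license_verified=True,
    sponsor_bank_cleared=True, approved_products=frozenset({"retail_flower", "edibles"}),
    max_txn_amount=500.0, expected_monthly_volume=150_000.0, domestic_only=True,
)
UNCLEARED_BASELINE = replace(BASELINE, sponsor_bank_cleared=False)

SAMPLE_TXNS = [
    Txn("t1", date(2026, 3, 2), 85.0, "card", "US", "retail_flower"),
    Txn("t2", date(2026, 3, 9), 240.0, "card", "US", "edibles"),
    Txn("t3", date(2026, 3, 15), 40_000.0, "wire", "KY", "retail_flower"),  # offshore wire
    Txn("t4", date(2026, 3, 20), 1_200.0, "ach", "US", "wholesale_distribution"),  # unapproved
] + [  # April: 200 ordinary-sized sales that together blow through the declared volume
    Txn(f"apr-{i}", date(2026, 4, 1 + i % 28), 1_200.0, "card", "US", "retail_flower")
    for i in range(200)
]

if __name__ == "__main__":
    print("approval blockers:", approval_blockers(UNCLEARED_BASELINE))
    for alert in monitoring_alerts(BASELINE, SAMPLE_TXNS):
        print(alert)
```

Each alert maps back to a line in the exception memo (the declared ceiling, the fund-flow description, the approved use case), which is what makes it defensible to a sponsor bank or examiner: the trigger is the customer's own CDD answer, not an arbitrary threshold.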
So What?
Every restricted business approval needs a documented exception memo — not just a checkbox in the onboarding system. The memo covers: customer identity, activity and fund flow description, prohibited/restricted analysis, controls applied, monitoring triggers, approver chain, sponsor bank pre-clearance status, and exit triggers that revoke approval.
Your Acceptable Use Policy template provides the policy structure and three-tier decision table. This post provides the due diligence interrogatory for the five categories that generate the most approval decisions. The KYC Policy Template covers identity verification. The SAR filing template covers what happens when ongoing monitoring surfaces suspicious activity from a restricted customer you’ve already onboarded.
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.