R25. Government Operations, Finance.
R25-21. Medical Cannabis Payment Provider Standards.
R25-21-1. Purpose and Authority.
(1) Purpose. This rule establishes the functional, technical and other standards a payment provider must meet in order to be approved to conduct financial transactions for Utah cannabis-related businesses.
(2) Authority. This rule is enacted under the authority of Subsection 26-61a-603(2)(a).
Terms used in this rule are defined in Section 26-61a-102.
(1) "Utah MRB" means any cannabis production establishment, medical cannabis pharmacy, or home delivery medical cannabis pharmacy licensed within the State in accordance with the Utah Medical Cannabis Act.
(2) "Bank" means any federal or state chartered and regulated depository financial institution.
(3) "Bank of First Deposit" means the first Bank that receives funds from Utah MRB related transactions.
R25-21-3. Payment Provider Standards.
(1) Prerequisite to consideration of a Payment Provider under this rule, a Utah MRB must provide the Division of Finance and State Treasurer documentation associated with the Payment Provider in accordance with Subsection 26-61a-603(1).
(2) A Payment Provider must provide certification signed by an officer of the Bank of First Deposit acknowledging that the Payment Provider is facilitating cannabis-related transactions legal under Utah law on behalf of a Utah MRB.
(3) A Payment Provider must provide certification from the Bank of First Deposit that data transmitted to the bank is adequate and transparent for the following regulatory requirements:
(a) Certification as to Know Your Customer (KYC) compliance pursuant to the Federal USA Patriot Act, Public Law 107-56.
(b) Certification as to due diligence pursuant to the Federal Department of Treasury, Financial Crimes Enforcement Network (FinCEN) guidance given in FIN-2014-G001, "BSA Expectations Regarding Marijuana-Related Businesses," Issued February 14, 2014.
(4) A Payment Provider must provide certification and supporting documentation that Automated Clearing House (ACH) transactions are compliant with National Automated Clearing House Association (NACHA) Rules and Operating Guidelines.
(5) The Payment Card Industry Data Security Standards (PCI-DSS) comprise the security framework the Division of Finance will use to evaluate information security of payment provider solutions. A Payment Provider must provide PCI-DSS assessments, as applicable, including:
(a) PA-DSS certification for devices with a signature from a Payment Application Qualified Security Assessor (PA-QSA); and
(b) PCI-DSS Report on Compliance with a signature from a Qualified Security Assessor (QSA).
(6) A Payment Provider facilitating cash transfers to a Utah MRB's Bank must:
(a) certify that the Payment Provider supplies detailed records of cash transfers to Utah MRBs and their respective Banks;
(b) provide written policies and procedures that demonstrate that the Payment Provider adequately protects the safety of Utah MRB employees and the Payment Provider's drivers; and
(c) certify that the Payment Provider supplies data sufficient for Suspicious Activity Report (SAR) for cash transfers to Bank of First Deposit.
R25-21-4. Approved Payment Providers.
(1) A Payment Provider must submit evidence of compliance with Section R25-21-3 to the Department of Government Operations, Division of Finance for consideration for approval and on an annual basis thereafter.
(2) A Payment Provider must notify the Division of Finance within 30 days of any changes in information reported for compliance to this rule. If required, time to cure non-compliance will be assigned by the Division of Finance upon notification.
(3) Failure to comply with paragraph (2) will result in automatic removal from the approved Payment Provider list.
(4) A Payment Provider that is removed from the approved Payment Provider list may appeal to the Director of the Division of Finance for reinstatement subject to administrative Rule R25-2.
(5) A list of approved Payment Providers is available at finance.utah.gov/cannabispaymentproviders.
KEY: marijuana, medical cannabis, payment provider
Date of Enactment or Last Substantive Amendment: September 7, 2020
Authorizing, and Implemented or Interpreted Law: 26-61a-603(2)(a)