As a former Fintrac regulator overseeing compliance for the eastern region of Canada, I routinely conducted examinations to ensure that the licensee was complying with the regulations I was commissioned to oversee. In the best-case scenario, the examination resulted in no compliance enforcement action; the compliance obligations were satisfactorily met. At the other end of spectrum, significant deficiencies were uncovered during the examination and I had to consider imposing an enforcement action. While the best outcome is what licensees strive for, most examinations will result in corrective measures to be implemented.
Regulators have several tools in their toolkit of enforcement options to encourage the licensee to reach compliance. When an enforcement action is imminent, the regulator must decide which enforcement option will produce the desired regulatory outcome: compliance. When making this determination, major consideration is given to the health of the program, the history of non-compliance, the licensee’s commitment to compliance, likelihood of re-occurrence and the severity of harm done. I would evaluate, among other things, if the licensee had previous non-compliance that was highlighted in the past and the actions taken (if any) to resolve them. If harm was caused or economic benefit gained, I would evaluate if the licensee completely failed to meet their requirements, or only in part.
The most effective way to avoid a compliance enforcement action is to have a formal risk program that includes a robust compliance management program. Not only is it a valuable tool in identifying highest priority risks so the most appropriate controls can be put in place to mitigate them, but it also shows the regulator the company’s intent to comply. This can mean the difference between a successful compliance exam or a compliance enforcement action. A well-designed risk program will assign responsibility to trained individuals to manage the risk, implement activities that will assess the adequacy and effectiveness of controls and will demonstrate to the regulator that the company can mitigate the risk into the future. If the risk program is running as intended, regulatory issues will be detected, and corrective measures implemented before a regulatory inspection is conducted. In cases where non-compliance is found by the regulator, the company can show that the risk program was instituted in good faith and it should be a consideration when the non-compliance is evaluated.
Two License Suspensions, One Reinstated
In September 2018, Agrima Botanicals Corp. had their licenses partially suspended after an inspection revealed that in addition to not meeting recordkeeping and compliance requirements, “unauthorized activities” with cannabis took place both before and after the company was issued licenses under the Access to Cannabis for Medical Purposes Regulations (ACMPR) and Narcotic Control Regulation. Agrima Botanicals Corp. appealed the suspension but was unable to provide Health Canada with a satisfactory response to lift the suspension. Agrima Botanicals Corp. had a history of non-compliance and while earlier issues were corrected, a few months later their license was revoked because they were unable to demonstrate to Health Canada that the license suspension was unfounded and that the identified issues were resolved.
In February 2019, Bonify Holdings Corp’s license was suspended after it was discovered that cannabis was purchased from the illicit market and sold to the public. As a response to the suspension, select senior management were terminated and the services of a consulting firm were engaged to implement the necessary corrective measures. After 10 months of restructuring the company culture, embedding this formalized change in the policies and procedures and showing Health Canada their intent to comply, their license was reinstated. Bonify Holding’s Corp actions formalized and implemented in a risk-based compliance program denotes their commitment to complying with the regulations.
Both licensees had the opportunity to resolve the uncovered issues, but only one was successful in having their license re-instated. This is proof in point that having a formalized compliance program reinforced by a tone from the top demonstrates a high level of voluntary compliance.
Prove You Can Manage Your Risks
When a regulator is determining an appropriate enforcement action, major consideration is given to whether the company had implemented a compliance program that is effective and working as intended at the time of the offense, as well as at the time of the charging decision. Non-compliance in and of itself does not mean that the company had a weak compliance program; however, to prove that the company can bring themselves back into compliance, they must demonstrate their ability to manage this risk going forward. A formalized risk management structure demonstrates to the regulator that the company is likely to achieve the desired regulatory goals.
Regulators look for transparency in the licensee’s compliance activities and in cases of non-compliance, having a formalized risk program creates a defendable position for the company as it demonstrates intent to comply. A company that has a culture of risk embedded in their day-to-day operations, uses a risk-based approach to detect and mitigate the highest priority risks, and implements assurance activities that assess the efficiency and effectiveness of the mitigating strategies has a huge impact when the regulatory authority reviews the fact set of a case. A formalized risk program denotes a commitment to compliance and is strong evidence that the company did everything it could do to prevent non-compliance.
Don’t leave your company defenseless to enforcement actions and download ACCCE’s customizable Risk Program Template.
The Association of Certified Commercial Cannabis Experts (ACCCE) is dedicated to advancing the professional knowledge and skills of those committed to commercial cannabis risk management.
Click here for more information on how ACCCE can help our members at commercial cannabis businesses.