
Sunday, 30 May 2021

Lithuania: Supervisory Challenges on (Non Bank) PI & EMI Payment Activity in Centrolink

Hang On, Speedy

As highlighted in the previous post, following explosive growth, in 2020 non bank PI & EMI accounted for
  • 86% of the number of transactions in Centrolink

  • 69% of the total value of all transactions, and

  • represented 87% of Centrolink participants.

What are the specific risk characteristics of PI & EMI business that pose challenges for the authorities?

  1. Explosive growth in number and aggregate value of transactions

  2. Non bank entities predominate

  3. Centrolink transactions are now primarily “offshore” business in two senses:

    • In the majority of cases, both sides of the payment are “outside” Lithuania, e.g., the by-order party and the beneficiary

    • Up to 70% of PI & EMI clients are from offshore centers

  4. Customer vetting may be inadequate given “remote” CDD (customer due diligence)

  5. Centrolink is an attractive gateway to 36 countries in Europe.

  6. Risk issues thus transcend Lithuania’s borders.

I don’t need to say much about the issue of explosive growth.

The more trees in the forest, the harder to find Robin or any other hoods.

As regards non bank FI’s perceived greater risk, some general comments.

The failure of a large bank or group of banks poses a systemic risk to the financial system and economy.

In contrast the failure of a money exchange firm or a payments processor (think PI or EMI) is likely to have much less of an impact.

As a result, banks are more strictly regulated and more strictly monitored than other FIs.

Non-bank FI policies and procedures, internal control systems, etc. are often less rigorous and less rigorously implemented.

Part of this is due to less developed and onerous regulations on them. No need to have as elaborate structures as banks.

Economics and size also have an impact.

The fact that monitoring is often “lighter” can also play a role: no one is watching.

We can use the 2020 Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing (NRA) to assess the risks outlined above.

Page numbers below refer to the NRA unless another document is cited.

Let’s start by looking at potential weaknesses in PI/EMI policies and procedures and implementation thereof.

Weakness in PI and EMI Licensees AML/CFT Risk Assessments and Monitoring

According to the NRA (page 38)

Due to the fact that many of the clients are non-resident or from offshore countries, the companies have difficulties to identify the clients in reliable and independent sources. The due diligence and transaction monitoring systems are less effective than the ones used in the banking sector, as most of the businesses are new and focus on increasing clients’ portfolio instead of AML/CFT regulatory compliance. Most institutions have not yet performed organization-wide risks assessments to identify the risks based on five factors (geographies, customers, products or services, delivery channels, other qualitative risks). Next to that, not all institutions perform the retrospective transaction monitoring.


Wide ranging deficiencies across a critical set of control areas.

“Suspiciously” Low Volumes of Suspicious Transaction Reports (STRs)

The data in the annual reports of the Ministry of Interior’s Financial Crimes Investigation Service Money Laundering and Terrorist Financing Prevention Board (ML&TFPB) is more detailed and current than that in the NRA. So I’ll use that information.

Here is a link to the 2018 Annual Report. Here is the 2019 Annual Report.

And here is the 2020 Annual Report.

The tables below are based on data from these three reports.

If you know anything about STRs, you’ve probably heard that FI’s prepare these primarily for CYA purposes and generate excessive numbers that overwhelm the authorities’ ability to make use of them.

These statements are often correct.

So why am I focused on the number of STRs?

I’m not.

Rather I want to compare 

  • STRs from the PI & EMI sector to those from banks and
  • STRs of each sector as percentage of transactions processed by that sector.

When a particular segment of FI’s has a relatively low number of STRs or scores low on the above two metrics, it’s not unreasonable to assume that that segment’s transaction monitoring procedures are less than robust.

If a particular institution scores low on all three measures, that’s also a red flag in most cases.

These metrics are not conclusive. There may be very good reasons for differences.

At first blush the data seems to show definite progress. The PI & EMI sector is filing more reports. Fantastic growth! 2020 is more than 18x 2018.




Their percentage of total STRs is increasing smartly.




But as a percent of the number of transactions not so good.



As a percentage of transactions made, in 2020 banks submitted 3.5x the number of STRs that the PI & EMI institutions did!

As outlined above, the PI & EMI sector certainly appears to be conducting more risky business than the banks.

It’s therefore not unreasonable to expect that they would have a higher percentage than they do.

Their actual performance confirms the NRA’s assessment of weakness in PI/EMI AML/CFT.

Let’s turn to a feature in regulations that poses a risk.

Remote KYC/CDD Allowed for PI and EMI Licensees (page 38)

PI and EMI licensees are allowed to conduct “remote” know your customer/customer due diligence.

That is, the client need not be present in Lithuania. Approval is by review of documents submitted.

This is an even greater KYC issue because PI and EMI entities’ clients are primarily non residents.

And up to 70% of them are from offshore centers. (page 38).

That is a rather large red flag.

Adding to the risk is the fact that 97% of the value of all EMI and PI transactions in 2019 was conducted for legal entities not natural persons. (page 6 of the 2019 PI and EMI Activity Review).

Positively identifying the UBOs of private companies is a difficult endeavour, even more so for those formed in offshore jurisdictions.

In contrast, Lithuanian banks have been de-risking their exposure to foreign clients by reducing foreign client relationships and deposits.

As of 2020, Lithuanian banks had the lowest percentage of foreign corporate and natural person customers’ deposits in the Baltic region at 2.5% compared to Latvia (20.3%) and Estonia (7.3%). (Page 7 and 8).

Risks Associated with SEPA

Based on the average amount of 2020 Centrolink transactions (banks Euros 3,841 and the PI & EMI institutions Euros 1,423) and the ACH/BACS-like nature of Centrolink, you might well wonder if there is a real risk of significant illicit transactions.

To the first point, these are arithmetic averages. There could quite well be some fairly large value transactions among the 95.2 million total transactions processed in 2020.

To the second, while Centrolink processes Direct Debits and Direct Credits—that are likely to be small “ticket” items—it also processes payments similar to typical bank transfers.

There are two types of these transfers:

  1. A SEPA Instant Credit Transfer subject to a SEPA system limit of Euros 100,000 for each separate transaction. With promised completion (delivery to the beneficiary’s bank) 10 seconds after release! Note this timing doesn’t apply in all 36 SEPA countries.

  2. A SEPA Credit Transfer subject to a SEPA system limit of Euros 999,999,999.99. These transactions are completed at the earliest next business day after receipt.

Each bank sets its own SICT and SCT limit for each customer both for individual as well as aggregate transactions. That would include Centrolink DP’s for IDP’s they accepted as clients.

SCT limits of Euros 1 billion are likely to be rare indeed. And not just in Lithuania.

SICT and SCT “straight” payments and likely transaction limits make it possible to move significant amounts through Centrolink into the SEPA.

Monitoring systems to detect suspicious transactions would therefore be in competition with the creativity of illicit actors to disguise them. 

The offshore nature of Lithuania payment activity makes this a harder “race”.

Wednesday, 6 November 2019

IMF FSAP Technical Note on the AML/CFT Regime in France

More than just Tracfin Covered by FSAP

Last week the IMF released its Technical Note- Anti-Money Laundering and Combating the Financing of Terrorism Regime in France undertaken as part of the 2019 FSAP for France.

What’s a FSAP? All you’re likely to want to know courtesy of the IMF.

There are many interesting points in this publication.

  1. An analysis of the current state of France’s AML/CTF regime.

  2. Identification of areas for improvement. An interesting topic as we mostly focus on non OECD jurisdictions' shortcomings and recommendations for improvement.

  3. Statistics related to inspection and enforcement (Tables 2 through 7 on page 3). AA found these and the accompanying discussions the most interesting. Regulations are one thing. They provide the basis for action. But inspections and enforcement measures are clearly more important in assessing actual implementation.

Some further thoughts and observations.

First, it's important to understand that banks have an incentive to file STRs.  One of the best defenses against enforcement actions is to demonstrate that one’s institution has a robust AML/TF system.

If a bank files no STRs and one of its customers is found to be a money launderer or terrorist financier, it has less of an argument than if it has filed 100 reports.

So increases in STRs are not necessarily related to increased illegal activity.  Note the “not necessarily” caveat.

Second, those seeking to conduct illicit financial transactions will look for weak points, e.g., industries and geographies not inspected by the relevant bodies. You can see some familiar industries mentioned here where increased efforts are recommended.

France’s Overseas Territories (Table 2) may be such a geographical vulnerability.

That being said, it should be fairly easy for regulators to spot individual financial transactions or aggregate flows of transactions which exceed normal economic activity.

In analyzing RMB flows in Africa attributed by SWIFT RMB Tracker to the Republic of South Africa three years ago, it didn’t take AA very long to find easily available information that indicated that it was highly likely that a good portion of these transactions were from other African countries, not just the RSA alone.

AA also identified an outsize RMB transaction in Mauritius which didn’t seem to fit normal commercial activity.  And AA does not have access to the information that national regulators have, some of which is acquired through clandestine means.

That being said, for some unknown reason, massive transaction flows through the branch of a Danish bank in Estonia flew under the radar both at the bank’s HO and at regulators in both Estonia and Denmark.

On very good authority it is said, “There is always enough light for one who wishes to see”.  هناك دائما ما يكفي من الضوء لمن يرغب في رؤية

Friday, 16 December 2016

Misleading Report about UAE Central Bank “Changes” to AML Regulations

Another cold Dubai December and to top it off AA's Biggles' hat was at the cleaners.
If you’re like AA, you might have been confused when you read WAM’s 14 December 2016  (Arabic version here) article or others in the media that the Central Bank of the UAE had amended three paragraphs in Circular 24/2000.

Without any explanation or context provided, a reader might conclude that the CB UAE has only recently moved to prohibit the opening of numbered or anonymous accounts or require fairly standard CDD on customers. 

If you read the article in Gulf News yesterday, that's certainly the impression you'd get from the article's subtitle:  "New rule strictly prohibits the opening of accounts with assumed names or numbers, among others".

If true, this would represent a serious shortcoming in the UAE’s AML/CFT efforts.
However, it’s not the case. 

The 2000 Circular already contained such requirements. Article 4 in that Circular is quite unequivocal, e.g. "يمنع منعا باتا فتح حسابات " (“it is strictly forbidden to open accounts”). The English version is similarly strict.
So what’s going on?

The three articles are being amended to permit reliance on UAE national ID cards as proof of an individual's identity.  The 2000 Circular only permitted the use of passports. 
Someone at WAM or CBUAE missed the bus by not including this information.

AA did not. 
Ever since the fateful day pictured above, AA has been doubly careful or at least tried to be.

Wednesday, 23 November 2016

AMF Study: Bank De-Risking in the Arab Region -- Big Deal or Not?

AA: As Usual on Top of the Story.  It Looks a Lot Scarier Up Here. 


In an earlier post I outlined why the Hong Kong Monetary Authority's appeals to its banks to "manage correspondent risks" rather than "de-risk" were likely to fall on deaf ears.

Today I’d like to continue exploration of that topic by looking at the September 2016 Arab Monetary Fund/IMF/IBRD study “Withdrawal of Correspondent Banking Relationships (CBRs) in the Arab Region”.

Context – Survey Coverage
The report is based on a survey of 216 banks in Algeria, Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Mauritania, Morocco, Oman, Palestine, Qatar, KSA, Sudan, Tunisia, UAE, and Yemen.  One country was excluded from “some analysis” as it is “perceived as a high risk area”. AA is guessing Yemen, though it is not the only “high risk” name in the list.   
  
Details

Apparent Modest Impact
  1. 55% of the banks surveyed did not experience any problems with closure of CBRs. 1% did not respond. 5% reported an increase in CBRs.
  2. Only 39% (84 out of 216 banks) had CBRs terminated. 
  3. Of this latter group roughly 63% (53 banks) found replacement CBRs, and another 17% (14 banks) developed “workarounds”.  Perhaps an indication that all correspondents are not de-risking?
  4. Only 20% (17 banks or 8% of the 216 banks surveyed) did not find a solution.   
On this basis, it doesn’t seem that de-risking in MENA is a major problem at least at the macro level.

Two caveats.   

First, “limitations” in the survey (see below) preclude making a definitive assessment on impact as well as on the motive(s) for de-risking.  

Second, the number of accounts closed increased over the survey period 2012-2015 (Figure 5), indicating that affected banks are increasingly being disconnected from international finance.         

Primary De-Risking Banks

As expected, US banks were the main de-riskers followed by the UK and Germany. Interestingly, of the ten countries’ banks named as de-riskers, banks in Saudi were in 4th place and the UAE in 8th place. AED and SAR accounts were closed. It’s not clear from the survey if the UAE and Saudi banks are solely responsible for the closures.

It doesn't seem unreasonable to assume that they were at least partially responsible. If so, an intriguing but unanswered question.  Were their actions motivated by these banks’ own concerns or local regulations? Or are they defensive measures to prevent their foreign correspondents from “de-risking” them?

Survey “Limitations”

As outlined below, these limitations lessen the survey’s utility. Presumably some of this reflects a conscious decision to avoid creating a knock-on effect and potentially worsening the situation by providing too much public information.

Now to the limitations.

The size and location of the affected banks is not disclosed. If major banks are being de-risked, the impact is likely to be greater than if smaller banks are. If the de-risking is focused on one or two countries, then what appears to be a manageable problem is not – at least for the affected countries.

It’s highly likely that correspondents did not provide a concrete reason for terminating a CBR. But rather used such words as “strategic review of our business”, “change in focus”. If you ever have had to let people go or were on the receiving end yourself, you know that these events are couched in euphemisms like “downsizing”. One doesn’t fire an employee.  Rather his or her position is “eliminated”.  Nothing personal there at all.  We’d love to have you but we don’t have a “position” for you.  The same with closure of accounts. 

If the reason for the firing or closure of an account is not directly “personal” or concrete, it’s hard for the affected party to mount an objection.  How do you argue your case?  Do you really expect the institution to change its board-approved strategy so you get to retain your job or account?    
  
To get around this likely scenario, survey respondents were asked to ascribe motives to the termination of CBRs.  The survey provides 16 possible “drivers” of the decision to terminate CBRs.  Respondents were free to select more than one and were asked to rank them from 1 to 16--which AA takes as an invitation to rank all of them.  Thankfully not every respondent did.  There were some 234 votes from the 84 banks.  Only 17% of the maximum possible number of responses.
  
There are two problems though.   

First, respondents are not only being asked to read their correspondents’ minds, but also to do so with a high degree of precision.

Second, many of the drivers are similar.  One might well need an electron microscope to parse these in any practical sense.  This compounds the dubious first assumption of mind reading skills.

Some examples of similar/duplicative motives.  Note the numbering below follows the rankings on pages 11-12 in the report.
  
  1. Driver 1 (overall risk appetite) seems to include Driver 4 (change in sovereign risk rating).  As to 4, if indeed it is an accurate assessment, then shouldn’t all banks in Country X be affected more or less at least by the same correspondent? Thus, one would find that all or most banks in Country X had their CBRs terminated.   If that’s not the case (and the AMF has the data), then this Driver should be excluded.    
  2. There are 10 Drivers related to regulatory reasons. Drivers 2, 5, 6, 8, 9, 11, 12, 14, 15, and 16 overlap to a large extent on AML/CFT, though those aren’t the only regulatory issues mentioned. It boggles AA’s mind that the survey constructor thought that participants would be able to provide such granular assessments of what their correspondents’ motives were.      
Third, it also seems (note that caveat) that in ranking drivers no adjustment was made for this overlap. The summary puts AML/CFT in fifth place. This seems based on Driver 5 being in fifth place by number of “votes” while ignoring the votes for all the other AML/CFT related drivers.
  
I think it would have been better to have a few very broad primary motives, e.g., credit, profitability, regulatory, refusal/failure to provide requested information.  Participants could have then been asked to ascribe a percentage to each.  This more limited menu probably would be not only easier but more appropriate given the inherent limitations of mind reading. 
  
Follow-up questions could have been used to attempt to parse sub-drivers with economy in options. For example, was refusal/failure to provide requested information due to regulatory impediments (bank secrecy) or internal bank decision? Were regulatory concerns focused on AML/CFT, sanctions, or other (e.g. FATCA)?

Interestingly, Driver 16 and part of Driver 8 consist of failures by the respondent bank to provide sufficient AML information, in which case one might argue that the correspondent was obliged by regulation to terminate the CBR or decided that the failure indicated not only bad faith but probable bad behavior. The same with Driver 15 (imposition of sanctions). DPAs would be another example.

This is an important point.  If the correspondent is "forced" to withdraw services, this is not "de-risking" but compliance. Focusing a question on this issue would be most helpful.  

The survey noted that banks that found replacement CBRs or developed workarounds faced increased costs, but no data is provided on the relative increase in costs.

All this being said there is useful information in the study. 

Hopefully, it will serve as a basis for further examination of this issue with perhaps answers to some of the above open items as well as a fine tuning of questions.


There's an Occasion Every Day!

One quibble.  There’s always at least one and usually more with AA.
1.3 Hence, the “de-risking” phenomenon involves financial institutions’ practices of terminating or restricting business relationships with clients or categories of clients to avoid rather than manage risks. It is a misconception to characterize “de-risking” exclusively as an anti-money laundering/ combatting terrorism financing issue. In fact, “de-risking” can be the result of various drivers, such as concerns about profitability, prudential requirements, anxiety after the global financial crisis, and reputational risk.
  
The AMF is right to indicate that the motives for “de-risking” don’t relate solely to AML/CFT.  Sanctions and other regulations are important as well.

I’d argue that termination of unprofitable relationships is not “de-risking” nor is restructuring/eliminating lines of business to meet prudential regulations (increases in capital charges).  That’s simply common business sense.  If one can’t make a profit selling a good or providing a service, one stops doing so if there is no way to increase pricing or lower costs sufficiently. 

No doubt many of the small CBRs being tossed do not meet internal ROA targets and would require massive increases in pricing to do so.  At some point too banks like any business need to focus on key LOBs and customers.  “80% of the revenue comes from …”  If you've been around long enough, you know the last bit to that sentence and the business strategy it supports.  "Dabbling" or "hobbies" (my mentor’s descriptive terms) divert resources and attention from more profitable customers and LOBs.

Also it’s not clear to me how anxiety is playing a role.

Clearly any regulatory/prudential anxiety is already covered by those topics. 

If there are concerns about credit quality, then measures theoretically could be put in place to cover these.  Pay against receipt of funds only (no overdrafts), require cash collateral for residual risks (check deposits bouncing, for example), and increase pricing for the additional special handling required. 

But, if a relationship is marginally profitable, what's the point of all of this when the time and effort might be spent on other customers or LOBs where real money could be made?  And when 100% of the risks are unlikely to be covered despite all the elaborate risk management? 

But let's assume a correspondent exerts the effort. At this point, “risk management” might result in making an offer that can’t be accepted, equivalent to withdrawal of CBR. No doubt sparking the argument that “risk management” of this sort was really disguised “de-risking”.    

Friday, 23 September 2016

Bank De-Risking Likely to Trump Calls for Financial Inclusion

For Some Activities Risk Avoidance Makes More Sense Than Risk Management

On September 8th, the Hong Kong Monetary Authority (HKMA) issued a circular to the CEOs of all Authorized (financial) Institutions (AIs) in the HKSAR (Hong Kong Special Administrative Region) entitled “De-risking and Financial Inclusion”.
The circular sets forth the HKMA’s expectations (read “instructions”) that AIs adopt a risk based approach (RBA) to implementing anti-money laundering (AML) and countering the financing of terrorism (CFT) regulations and cease the practice of de-risking, that is refusing to open or maintain accounts for certain customers.

As outlined below, the HKMA is rowing against some very powerful tides.  The circular is unlikely to have the stated desired effect.

Some quotes from the circular to set the stage for this post.  I’ve added boldface to highlight certain points. 

Noting the progressive tightening of AML regulations over recent years the HKMA states “While it is important to ensure that AML/CFT controls are sufficiently robust and comply with all the relevant regulatory requirements, the HKMA expects AIs to adopt a risk-based approach (RBA) and refrain from adopting practices that would result in financial exclusion, particularly in respect of the need for bona fide businesses to have access to basic banking services.”  

In a similar vein, the HKMA defines “de-risking” as “The phenomenon of banks declining or discontinuing business relationships with customers or categories of customers to avoid, rather than manage, the risk involved.”

On the subject of an RBA, the HKMA makes the following points: 

"RBA does not require or expect a “zero failure” outcome. While AIs should take all reasonable measures to identify ML/TF risks at the account opening stage and, for existing customers, on an ongoing basis, it is unrealistic to expect that no ML/TF activities would ever occur through the banking system. AIs are not required to implement overly stringent CDD processes with a view to eliminating, ex-ante, all risks. Otherwise, such an approach would result in a large number of bona fide businesses and individuals not being able to open or maintain accounts. CDD is only one part of an effective AML/CFT regime. AIs are also required to implement a system that can monitor and detect suspicious transactions in order to report them to the relevant authorities and take the necessary mitigating measures, such as enhanced CDD."
News reports suggest that the HKMA's action was occasioned by several banks “tossing” existing customers.   Bloomberg refers to the alleged abrupt closure by HSBC of accounts of a long standing client that is an offshore fund. 
That’s borne out in the circular itself, which also notes that some unnamed FIs in the HKSAR refused to accept new clients or set “onerous” requirements. See the annex to the circular.
The HKMA’s circular follows one issued in late August by five US regulators of financial institutions in the country.  Yes, you read that right “five”.   Apparently one regulator is insufficient for the USA's financial sector.  It's that big!  That circular also contained an appeal for banks to adopt a RBA, but did not include the HKMA’s statement that it didn’t expect RBA AML/CFT to prevent all illegal transactions.  Instead the five US regulators offered the comforting thought that “the Treasury and the FBAs do not utilize a zero tolerance philosophy that mandates the strict imposition of formal enforcement action regardless of the facts and circumstances of the situation”.  

I trust like AA you find those words comforting in a particularly baffling way.  Are these regulators saying that existing regulations allow them to take formal enforcement action regardless of facts and circumstances but that they will kindly forbear from exercising these powers?  Instead might they apply strict non formal enforcement actions? On that score, what is a “strict” imposition and how does it differ from a “strict” enforcement action?  Or are they saying that existing US laws and regulations are so written that they could impose draconian penalties for a “slip or two” in compliance?  Finally, if the posture of the regulators is based on a “philosophy” and not the law, could that “philosophy” change with the next administration? If that’s the case, should banks be advised to prepare for the worst?       

The widespread use of the US dollar in both commercial and financial transactions and the propensity of the US to use that position to levy fines and impose extraterritorial requirements make US regulations and the “philosophy” of the US regulator of paramount concern to internationally active banks. 

The HKMA may have “expectations” but Hong Kong and other foreign banks are likely to be more sensitive to what the US “expects” as evidenced by its past behavior.   Thus, the HKMA’s appeal is almost certain to collide with banks’ self-interest and certain “objective conditions”.

First, banks are profit oriented not public service institutions despite some manifestly absurd industry positioning / brand development advertising campaigns that are currently running. 
In other words, profit is job #1. Financial “inclusion” like charity work is well down the list of priorities. And is a minuscule part of activities. Thus, despite its ad campaign running on Bloomberg TV, Bank of America Merrill Lynch doesn’t devote a major portion of its efforts to bring clean water to folks in Africa.
Profit on an account is a function of revenues less costs.
Providing bank accounts and related services is a low margin high volume business. Contrast that with investment banking transactions where the volumes are significantly lower but the margins are immense.  
Considering only operating costs, many SME accounts at best offer marginal profitability. We’re talking about maybe tens of thousands of dollars profit per account for many accounts. 
When the costs of customer due diligence, monitoring, preparing and filing of suspicious transaction reports are included, profit is even less. Customer due diligence (CDD) at the inception of a relationship is particularly labor intensive. Much of the subsequent monitoring can be done via computer programs, but at the end of the day someone has to review the reports generated, decide whether to investigate further, and ultimately whether to approach the customer for more information and/or file a suspicious transaction report (STR).
On that score, banks file a good portion of their STRs for defensive (CYA) reasons.  It demonstrates they have a working compliance system.  If something untoward about a customer turns up in the future, the bank can say to the regulators “But I reported to you.  By the way you never got back to me.”  Thus, monitoring “risky” customers taken on to promote financial inclusion may trigger the need for a CYA STR even if the bank thinks the customer is "clean".  One can't be too careful because regulatory hindsight is often more than 20/20.
Fines take a potential bite out of profit.  But by increasing expenses they can also affect the capital a bank is required to maintain for operational risk under the Basel framework.  Lower Basel capital adequacy ratios can affect credit and stock ratings.  Increasing capital can lead to declines in ROE if the profits do not cover the cost of capital.  If capital cannot be increased, then the bank may have to reduce certain other activities (e.g. credit or market risk related) thus reducing income/profit.  
Second, it’s important to remember that banks are free to select or reject customers according to their own criteria. Even in countries that have laws to prevent discrimination, banks may reject customers as long as the criteria used are business principles-based, e.g., risk not race, and are consistently applied. Not every applicant for a new loan or new account will get one. Not every customer with an existing loan will be granted a renewal or extension. Similarly, not every customer with an account is guaranteed the right to retain it. So the appeal is a request not a command.
Third, there are a variety of objective conditions and not simply bloody-mindedness that are pushing banks to “de-risk”.
Chief among these are regulatory and legal risks, but there are others.
Regulatory Risks.
Billion dollar fines concentrate the minds of bankers quite sharply. Settlements with regulators include more than fines. Often settlements are (legally) structured as deferred prosecution agreements or DPAs. As the name suggests, the DPA holds a sword over the head of the financial institution and compels compliance on an extraterritorial basis.
But don’t take AA’s word for it. 
Here are two 2016 quotes attributed to Assistant Attorney General Leslie Caldwell. “[w]e can require that the banks cooperate with our ongoing investigations, particularly in our investigations of individuals. We can require that such compliance programs and cooperation be implemented worldwide, rather than just in the United States. We can require periodic reporting to a court that oversees the agreements for its terms.”
Under the right circumstances, the government “will not hesitate to tear up a DPA or NPA and file criminal charges, where such action is appropriate and proportional to the breach.”
Here are some illustrative examples of DPAs.  Standard Chartered 2014 with DFS New York State.  The consent order triggered significant de-risking by SCB in the UAE, as you may recall.  Here’s HSBC 2012.
So if you were a financial institution considering opening or maintaining an account relationship, would one of your key risk mitigation concerns be avoiding the risk that a regulator could suddenly be dictating how you run your business worldwide?  See the requirements in the HSBC DPA Paragraph #5.  Note not only the number of requirements but also the short leash in later points Paras 8 and 14-16. 
But as they say on late night TV: “Wait, there’s more”.
Civil Lawsuits
Lawsuits such as that against the Arab Bank or the one in progress against HSBC, Barclays, Standard Chartered, the Royal Bank of Scotland and Credit Suisse are no doubt worrisome.  The latter suit is predicated on these banks’ admission of transferring money for Iran which the plaintiffs assert helped finance terrorist attacks against US military personnel in Iraq. There is to my knowledge no assertion that these banks actually transferred money for those attacks.  More here.  
Banks might be forgiven--particularly in light of the Arab Bank case--for questioning whether fair trials or impartial juries are available in certain jurisdictions.
Both the regulatory and legal actions highlight what is perhaps the key factor here.  Banks are subject not only to their own regulators and laws but to those of other countries.  The primary role of the US dollar in international financial transactions exposes not only major international banks but also smaller banks to US enforcement or legal actions.
Staff Risks
International banks operate in many countries.  Staff attitudes toward government regulations vary greatly.  In many countries the population treats their own government's laws and regulations as suggestions rather than binding constraints.  In some countries, they are treated as a direct challenge to find a creative workaround.  An even more casual attitude often applies to laws of foreign countries.  Bank managements have to deal with the staff they have, not the staff they wish they had.  In which case exposure can be neatly mitigated by not doing certain types of business or dealing with certain customers.  Eliminate discretion and one eliminates potential problems.
Recidivism Risk
If a bank is unfortunate enough to have encountered enforcement action, a further “slip” could trigger a severe response from at least one particular country, e.g., “tearing up DPAs” or “filing criminal charges”, as AAG Caldwell is quoted above.  Or additional fines or additional business conditions imposed.  Or even the threat of such action could cloud an institution’s stock price, customer confidence, etc.  Here’s an example.
Conclusion
When the risk reward ratio is highly skewed, the most effective risk management is risk avoidance.  
I suppose I could construct an RBA for running with scissors. But I will forgo running with scissors rather than “managing the risk” of doing so.  Simply because the potential return is dwarfed by the risk.
Banks are likely to do the same with respect to financial inclusion.  The lesson of Nogales, Arizona and other similar stories of US banks closing branches on the US side of the border with Mexico and “tossing” customers may be illustrative on this point.  Banks are likely to be much less solicitous of foreign than domestic customers.  And the solicitude for domestic customers seems minimal in these cases.
As outlined in the above press report, the US banks apparently claimed that their domestic de-risking was related to revised regulations requiring additional regulatory reporting and closure of “risky” accounts.  If you close your branch, you neatly “solve” both problems.