On 11 June 2026, the Court of Justice of the European Union (CJEU) delivered its judgment in Jenec (C‑81/24, LH v OTP banka), answering for the first time whether inclusion on the U.S. Office of Foreign Assets Control (OFAC) sanctions list can, by itself, justify refusal of a basic payment account under EU law.
The case arose after a Slovenian bank, Nova Kreditna banka Maribor (now OTP banka), refused to open a basic payment account and even blocked a payment transaction, solely because the customer, identified as LH, appeared on an OFAC list, despite the absence of any conviction or EU, UN or Slovenian restrictive measures against him.
The referring court in Maribor asked whether Article 16(4) of Directive 2014/92/EU (Payment Accounts Directive) and Article 48 of the EU Charter allowed such an automatic refusal when the only risk indicator was a U.S. listing.
After an Opinion from Advocate General de la Tour in September 2025, the CJEU has now confirmed that EU banks cannot treat third‑country lists as an automatic bar to access: they must still respect the EU‑level right of legally resident consumers to a payment account with basic features, subject only to a properly grounded AML/CFT assessment.
The CJEU ruling that changes AML compliance in Europe
What exactly did the Court decide?
The CJEU interprets Article 16(4) of Directive 2014/92/EU together with Directive 2015/849 (4th AMLD as amended), and holds that Member States may not require banks to refuse a basic payment account “for the sole reason” that the consumer is included on a sanctions list imposed by a third country.
The only narrow exception is where the bank has carried out “an individual assessment of the risk of money laundering or terrorist financing connected with the intended business relationship” and concludes that it cannot manage that risk effectively with measures proportionate to its nature and size.
In practical terms, the Court draws three hard lines:
- Inclusion on OFAC or another third‑country list is not a per se breach of EU AML law and does not automatically trigger the prohibition in Article 16(4).
- A bank must first apply the risk‑based framework of Directive 2015/849: identify risks (Article 8), apply customer due diligence (Article 13), and, where necessary, enhanced due diligence (Articles 18-24).
- Only if the bank, after assessing all relevant risk factors, reasonably concludes that it cannot manage the risk even with enhanced controls, may it rely on Article 16(4) PAD to refuse the account.
The judgment also stresses that the “basic payment account” itself is structurally low‑risk: it covers essential services such as deposits, cash withdrawals and standard payment instruments, which inherently limit complex layering or large‑scale value transfers.
That feature weighs against blanket refusals and reinforces the Court’s view that financial inclusion is part of the legislative design, not a soft policy preference.
How did AG de la Tour frame the problem?
In his Opinion of 4 September 2025, Advocate General de la Tour framed the central question bluntly: “how can the right to a bank account be reconciled with anti‑money‑laundering rules when the only ‘red flag’ is a third‑country sanctions listing without any EU, UN or national measures?”
He emphasized that:
- Directive 2014/92/EU creates a right to a basic payment account for all legally resident consumers, including asylum seekers and persons without a fixed address, and allows refusals only in specific, narrowly construed circumstances.
- Directive 2015/849 embeds a holistic, risk‑based approach: isolated risk indicators cannot, by themselves, move a relationship into a “high‑risk” category unless EU or national law expressly says so.
- The European Banking Authority’s (EBA) 2021 AML risk‑factor guidelines treat sources like sanctions lists and adverse media as elements in a broader reputation‑risk assessment but warn against “de‑risking” entire customer categories and call for care to avoid unduly denying access to basic financial services.
The Advocate General therefore proposed that a bank cannot refuse a basic payment account solely because the customer appears on OFAC, unless national law has explicitly chosen a stricter rule – and even then subject to EU‑law limits. The Court largely tracks this reasoning but makes clear that, in the absence of specific national legislation, EU directives themselves bar an automatic refusal and require case‑by‑case analysis.
Case study: LH v OTP banka
The facts of LH’s case illustrate how risk‑based AML can slide into blanket de‑risking. In 2017, after LH attempted to pay a petrol‑station bill from his wife’s account, the bank blocked the transaction once his personal data had been entered, citing enhanced measures adopted to comply with the Slovenian Law on the Prevention of Money Laundering and Terrorist Financing and internal instructions to avoid collaboration with clients on EU, UN, OFAC or internal lists.
Later, in 2022, LH personally requested a basic payment account; the branch employee told him the system could not open such an account, and he never received a written refusal within the 10‑business‑day deadline required by Slovenian law implementing the Payment Accounts Directive. Meanwhile, domestic criminal proceedings against him had been closed in 2015, and he had no conviction worldwide, nor any EU, UN or Slovenian sanctions. The Slovenian government confirmed that it had not adopted any stricter AML rules that would make OFAC inclusion itself a bar to business relationships.
Against that backdrop, the CJEU concludes that OTP’s refusal, based only on OFAC, “overstepped the limits of EU law” because the bank failed to show any inability to satisfy customer‑due‑diligence requirements under Article 13 of Directive 2015/849 or to manage the risk via enhanced measures. The risk‑based approach cannot be reduced to one binary data point from a foreign authority.
What compliance teams must take from this judgment
For EU banks and payment institutions
- Rewrite sanctions and onboarding policies. Replace any automatic “no‑go” rules that treat OFAC or other third‑country listings as a standalone bar to basic accounts with policies that require a documented, holistic risk assessment and explicit proportionality analysis.
- Map local law “stricter rules”. Confirm whether national implementation texts or guidance in each Member State explicitly treat third‑country lists as higher‑risk indicators or triggers; where they do not, align practices with Jenec and the EBA guidelines.
- Leverage basic accounts as a risk tool. Use basic payment accounts as a controlled channel for higher‑risk customers, with lower limits, restricted functionality, and enhanced transaction monitoring rather than outright exclusion, consistent with the EBA’s view that basic products can reduce abuse and make anomalies more visible.
For corporates and individuals facing foreign listings
- Challenge blanket refusals. Where access to a basic EU account is denied solely on the basis of OFAC, gather documentation showing lack of EU/UN/national sanctions, closure of domestic criminal files, and the narrow, low‑risk nature of the requested product to support complaints to national regulators or litigation based on Jenec.
- Document your own risk‑mitigation measures. Provide banks with structured information (sources of funds, business rationale, existing monitoring by other institutions) to feed their risk assessment and reduce their residual risk perception.
- Consider parallel strategies. In complex cases, seek both legal remedies in the Member State courts and regulatory engagement with supervisors who now have clear CJEU guidance to push back against over‑compliant de‑risking.
For investigators and compliance teams
- Treat third‑country lists as evidence, not verdicts. Integrate OFAC and similar lists into multi‑source risk‑intelligence frameworks alongside EU sanctions databases, criminal‑records checks and open‑source intelligence, but ensure decisions can be justified without relying on a single foreign datapoint.
- Preserve traceability. Design monitoring on basic accounts for listed customers to maximize evidential value: clear rule‑sets, ticketing for alerts, escalation paths, and retention policies that support later investigative or court use.
- Update playbooks and training. Incorporate the Jenec judgment into sanctions and AML training, emphasizing the difference between justified enhanced monitoring and unlawful categorical exclusions.