EU Court Rules: Proper Individual ML/TF/PF Risk Assessment Required – OFAC Listing Alone Is Not Enough

The following is a newsletter authored by Mathew Beale, Co-Founder & CEO, www.itrackaml.com

EU Court Rules: Proper Individual ML/TF/PF Risk Assessment Required – OFAC Listing Alone Is Not Enough

One story - 3 views

• 📖 SPEED READ
• 📖 HIGHLIGHTS  
• 📖 LONG DETAILED READ - THE FULL STORY AND ANALYSIS FOR COMPLIANCE OFFICERS IN NON-US JURISDICTIONS  

📖 SPEED READ

The Court has made it clear that an OFAC listing alone is not sufficient grounds for refusing a basic payment account. A proper individual customer ML/TF/PF risk assessment is required.

However, the judgment does not reduce the risk of US secondary sanctions.

For LEGAL PERSONS (e.g., banks, TCSPs, family offices, and other financial institutions) in Jersey, Mauritius, and other international financial centres, exposure to structures and structuring, USD clearing, Correspondent banking, etc. remains separate and often decisive.

Compliance teams now need a robust, well-documented dual-assessment capability.

This is exactly what ITRACKAML delivers.

ITRACKAML provides structured individual ML/TF/PF assessments while explicitly evaluating US secondary sanctions risk — helping you make defensible decisions and strengthen protection against both regulatory and commercial exposure.

If your current processes still rely on basic screening or manual reviews, do not wait for the gap to widen further 👉 Book a demo of ITRACKAML today: Mathew Beale, mathew@itrackaml.com

📖 HIGHLIGHTS  

EU Court Ruling on OFAC Listings Sends a Clear Message: Robust, Individual Customer Risk Assessment is No Longer Optional

The Jenec Judgment (Case C-81/24) – 11 June 2026

On 11 June 2026, the Court of Justice of the European Union delivered a significant ruling that every compliance professional should study closely.

In the Jenec case, a Slovenian bank refused to open a basic payment account for a customer solely because his name appeared on a US OFAC sanctions list. The customer had never been convicted of the underlying offence and was not subject to any UN, EU, or Slovenian sanctions. The CJEU ruled that the mere inclusion on an OFAC list is not, by itself, sufficient grounds to refuse a basic payment account.

The Court was unequivocal:

• "The mere inclusion of a customer's name on the OFAC list, or on any other list of that type drawn up by a third country, does not automatically prohibit a bank from establishing a business relationship with that customer. Such a refusal is possible only following an individual assessment, carried out by the bank, of the risk of money laundering and terrorist financing."

This decision reinforces the risk-based approach at the heart of FATF standards, the EU's Payment Accounts Directive, and AML/CFT rules worldwide. Blanket, list-based de-risking is no longer defensible.

The Critical Nuance Most People Missed

While the ruling is a victory for the risk-based approach and financial inclusion on the ML/TF/PF side, it does not remove or reduce US secondary sanctions and correspondent banking risk.

For LEGAL PERSONS (e.g., banks, TCSPs, family offices, and other financial institutions) in Jersey, Mauritius, and other international financial centres, US secondary sanctions remain a separate, material, and often decisive risk. The United States can still penalise non-US persons for "significant transactions" or material support to SDNs, particularly where USD clearing or correspondent relationships are involved.

In practice, many institutions will still decline or heavily restrict relationships with OFAC-listed individuals after completing a proper ML/TF/PF assessment. Still, now they must be able to demonstrate that they conducted a genuine, documented dual assessment.

Why This Ruling Makes Robust Customer Risk Assessment (CRA) Essential

The Jenec judgment exposes the dangers of simplistic or outdated approaches:

• Treating an OFAC hit as an automatic "no" can now expose firms to regulatory criticism or complaints in jurisdictions that follow (or are influenced by) the EU/FATF risk-based model.
• Failing to document why risk cannot be managed proportionately properly leaves institutions vulnerable.
• Ignoring or under-assessing US secondary sanctions exposure while focusing only on local ML/TF/PF rules creates hidden but potentially catastrophic commercial and regulatory risk.

Compliance teams now need a CRA capability that can do two things simultaneously and defensibly:

1. Conduct and document a proper, individual ML/TF/PF risk assessment (treating OFAC and similar third-country lists as an important input, not an automatic trigger).
2. Separately and explicitly assess and document US secondary sanctions and correspondent banking risk.

This is exactly what a robust, modern Customer Risk Assessment platform is designed to deliver.

How ITRACKAML Supports the Dual Assessment Approach the Market Now Requires

ITRACKAML helps compliance teams go beyond tick-box screening and implement a nuanced, evidence-based, fully documented process that regulators and correspondent banks increasingly expect.

Key capabilities include:

• Nuanced sanctions integration   OFAC and other third-country lists feed into risk models as elevated factors rather than hard blocks (except where local/UN sanctions create automatic prohibitions).
• Structured individual ML/TF/PF risk assessment workflows prompting assessors to consider the nature and basis of any designation, absence of local sanctions or convictions, product risk (e.g., complex structures, basic vs full services), and available mitigating controls.
• Dedicated US secondary sanctions and correspondent risk module helping teams explicitly evaluate and document exposure through USD clearing, correspondent relationships, transaction patterns, and SDN categories.
• Comprehensive audit trails and decision documentation ensuring that both the ML/TF/PF assessment and the US sanctions overlay are clearly recorded, supporting regulatory examinations, correspondent bank due diligence questionnaires, and internal governance.
• Risk appetite alignment and mitigation planning enabling firms to determine whether residual risk (after mitigation) is acceptable, taking both ML/TF/PF and US enforcement/reputational risks into account.

Firms using ITRACKAML can show they followed the spirit of the CJEU ruling on ML/TF/PF while managing the US sanctions overlay, which often remains the deciding commercial factor.

The Bottom Line

The Jenec ruling is not just an EU story. This signals the end of simplistic, list-driven de-risking and the rise of sophisticated, documented, individual risk assessments that properly weigh all relevant factors, including US extraterritorial risk.

Organisations that continue to rely on basic screening tools or manual processes will face increased regulatory scrutiny and greater exposure to U.S. sanctions.

ITRACKAML gives compliance teams the CRA tools they need to navigate this new reality with confidence.

Ready to strengthen your customer risk assessment framework? Contact us today to arrange a demonstration of ITRACKAML and see how it can help your team conduct defensible dual assessments in line with FATF principles and emerging regulatory expectations. 👉 Book a demo of ITRACKAML today: Mathew Beale, mathew@itrackaml.com

📖 LONG DETAILED READ - THE FULL STORY AND ANALYSIS FOR COMPLIANCE OFFICERS IN NON-US JURISDICTIONS  

 EU says OFAC listings alone do not justify ACCOUNT REFUSAL, although OFAC risk remains decisive for non-US persons.

INTRODUCTION

• On 11 June 2026, the Court of Justice of the European Union delivered its judgment in Case C-81/24 (Jenec).
• The Court ruled that the mere inclusion of an individual on a US OFAC sanctions list is not, by itself, sufficient grounds for an EU bank to refuse to open a basic payment account.

EU law

1. EU law grants legally resident consumers a right to a basic payment account, and this right may only be restricted following an individual, case-by-case assessment of money laundering and terrorist financing (ML/TF) risk.
2. An OFAC listing may be taken into account as one relevant factor in that assessment, but it does not justify an automatic refusal.
3. This judgment is an important clarification of EU law.
4. However, it is critical to understand its limited scope. You are not required to follow the CJEU judgment.

OFAC

5. The ruling
   1. Only addresses obligations under EU law regarding ML/TF/PF risk assessment and the right to a basic payment account.
   2. Does not protect non-US LEGAL PERSONS (e.g. banks, TCSPs, family offices and other financial institutions) from the risk of US secondary sanctions.
6. US secondary sanctions and extraterritorial enforcement risk remain a separate and often decisive factor.
7. The United States can impose sanctions on non-US persons and financial institutions for
   1. Engaging in significant transactions or providing material support to certain Specially Designated Nationals (SDNs), even where there is limited or no direct US nexus.
   2. For LEGAL PERSONS (e.g. banks, TCSPs, family offices and other financial institutions) in jurisdictions such as Jersey, Mauritius and other international financial centres, the most significant exposure typically arises through:
      1. USD clearing
      2. Correspondent banking relationships.
      3. Structures And Structuring

COMPLIANCE RISK

• Consequently, compliance teams must continue to treat US secondary sanctions and correspondent banking risk as a separate, material risk that is not removed or reduced by the CJEU ruling.

DUAL ASSESSMENT:

• The recommended approach is therefore a dual assessment:
  • Conduct a proper, documented individual ML/TF/PF risk assessment (in line with FATF standards and the spirit of the CJEU judgment),

§  treating US OFAC and similar third-country lists as an important input [HIGHER] rather than an automatic "no".

• • Separately and explicitly

§  Assess and document the US secondary sanctions and correspondent banking risk.

• • In many cases,

§  The US risk will remain the deciding factor,

§ Even where the ML/TF/PF risk could theoretically be managed.

• This dual approach
  • Is consistent with FATF Recommendations,
  • Supports financial inclusion where risk can genuinely be managed, and
  • Helps reduce the risk of regulatory criticism or reputational damage on either the ML/TF/PF or US sanctions front.

EU Court Rules: Mere Inclusion on a US OFAC Sanctions List Is Not Enough to Refuse a Basic Bank Account

Luxembourg / Brussels – 12 June 2026

• In a significant ruling for LEGAL PERSONS (e.g. banks, TCSPs, family officers and other financial institutions) and consumers across the European Union, the Court of Justice of the European Union (CJEU) has held that a person's inclusion on a US Office of Foreign Assets Control (OFAC) sanctions list, by itself,
• does not justify a bank's refusal to open a basic payment account.
• The judgment in Case C-81/24 (known as Jenec) arose from a 2022 case in Slovenia.
  • had never been convicted of the underlying offence and
  • was not subject to any sanctions imposed by the United Nations, the European Union, or Slovenia.
• A consumer, referred to as "LH", applied to open a PAYMENT ACCOUNT WITH BASIC FEATURES at a Slovenian bank (Nova Kreditna Banka Maribor, later part of the OTP Group).
• The bank refused solely because his name appeared on the US OFAC list.
• The individual

Key quotes from the judgement

• "The mere inclusion of a customer's name on the OFAC list, or on any other list of that type drawn up by a third country, does not automatically prohibit a bank from establishing a business relationship with that customer."
• "Such a refusal is possible only following an individual assessment, carried out by the bank, of the risk of money laundering and terrorist financing."

The Court's Clear Message

• The CJEU confirmed that every consumer legally resident in the EU has a right to open and use a payment account with basic features under the Payment Accounts Directive (Directive 2014/92/EU).
• This right can only be restricted where opening the account would breach anti-money laundering and counter-terrorist financing (AML/CFT) rules (primarily Directive (EU) 2015/849 – the 4th AML Directive).
• Crucially, the Court stated:
• "The mere inclusion of a customer's name on the OFAC list, or on any other list of that type drawn up by a third country,
• Does not automatically prohibit a bank from establishing a business relationship with that customer."
• However, the listing can be taken into account as one relevant factor during an individual, case-by-case assessment of money laundering and terrorist financing risk.
• Even then, refusal is only lawful if the bank can demonstrate that it cannot effectively manage the risk through measures proportionate to its nature and size.
• The limited functionality of basic accounts (no overdraft, restricted to essential payment services) inherently lowers the ML/TF/PF risk, the Court noted.

Why This Ruling Matters

• This decision reinforces the risk-based approach at the heart of EU (and global) AML/CFT rules.
• It prevents blanket, automatic de-risking based solely on foreign sanctions lists and protects financial inclusion as a core objective of the Payment Accounts Directive.
• LEGAL PERSONS (e.g. banks, TCSPs, family officers and other financial institutions) can no longer cite "he's on the OFAC list" as a complete justification.
• They must now show they have genuinely assessed the specific risks and concluded that adequate mitigation is impossible.

Analysis for Compliance Officers in Non-US Jurisdictions  

• Although this is an EU ruling interpreting EU Directives, it carries significant persuasive weight and practical implications for compliance professionals in international financial centres such as Jersey and Mauritius, as well as elsewhere outside the US.
• The judgment does not bind these jurisdictions, but they operate under FATF-aligned risk-based frameworks and face similar pressures from US correspondent banks and OFAC exposure.

1. Scope: Not Legally Binding, But Highly Relevant

• Jersey (Crown Dependency) primarily implements UK sanctions regimes and has its own robust AML/CFT framework under the Proceeds of Crime (Jersey) Law 1999 and related regulations. It does not have an identical "right to a basic bank account" statute, but consumer protection and fair-treatment expectations still exist.
• Mauritius follows FATF standards through its Financial Intelligence and Anti-Money Laundering Act and related regulations. It actively courts international business while maintaining strong correspondent banking relationships (especially USD clearing).
• The CJEU's reasoning aligns closely with the FATF Recommendations (particularly R.1 on the risk-based approach and R.10 on customer due diligence). Refusing based on a single data point (a foreign list) without an individual assessment is inconsistent with the risk-based approach both Jersey and Mauritius regulators expect.

2. Key Takeaways for Your AML/CFT Programme

OFAC screening remains essential, but its weight must be calibrated:

• OFAC hits should trigger enhanced due diligence (EDD), not automatic rejection.
• Assess the nature and basis of the designation. Was it for serious criminality with credible evidence, or a broader/older listing without local equivalent (e.g. no UN/EU/UK/Jersey/Mauritius sanctions)?
• The Court explicitly noted the absence of conviction or local sanctions as relevant context.
• For basic or low-risk products (everyday current accounts, basic payment services), the inherent risk is lower exactly as the CJEU highlighted.
• Document why the account's limited features reduce ML/TF/PF exposure.

Document the individual risk assessment rigorously:

• What specific ML/TF/PF risks does this customer pose?
• What mitigating controls can be applied (transaction monitoring rules, source of funds/wealth checks, periodic reviews, limits)?
• If refusing: clearly articulate why the risk cannot be managed proportionately. Vague references to "OFAC listing" will no longer suffice and could expose the firm to regulatory criticism or complaints.

3. Practical Realities in Jersey & Mauritius (Including US Secondary Sanctions Risk)

• Even where local law permits the relationship after a proper risk assessment, commercial and correspondent banking realities often push LEGAL PERSONS (e.g. banks, TCSPs, family offices and other financial institutions) toward caution.

US secondary sanctions and extraterritorial risk remain a separate and often decisive factor.

• The CJEU ruling only addresses obligations under EU law regarding ML/TF/PF risk assessment and the right to a basic payment account.
• It does not protect non-US LEGAL PERSONS (e.g. banks, TCSPs, family officers and other financial institutions) from US secondary sanctions risk.

Key points for compliance teams:

• US primary sanctions mainly apply to US persons.
• However, secondary sanctions allow the US to act against non-US legal PERSONS (e.g. banks, TCSPs, family officers and other financial institutions) for engaging in "significant transactions" or providing material support to certain SDNs even with limited or no direct US nexus.
• The most common exposure for LEGAL PERSONS (e.g. banks, TCSPs, family officers and other financial institutions) in Jersey, Mauritius and similar centres comes through USD clearing.
• Most USD transactions are ultimately cleared through US financial institutions. OFAC can view processing (or facilitating) transactions involving an OFAC SDN as causing a US person to violate sanctions.
• OFAC has increasingly designated or penalised non-US financial institutions (including LEGAL PERSONS (e.g. banks, TCSPs, family officers and other financial institutions) in Europe, Switzerland, the Middle East, and Asia) for sanctions-related activity.
• Losing access to USD correspondent banking or being added to the SDN list yourself is often far more damaging than a local regulatory fine.
• Reputational risk with US correspondent banks is also very real; many US banks apply their own strict OFAC policies and will terminate relationships where they perceive unacceptable exposure.

Recommended approach:

• Maintain robust OFAC screening as part of your risk-rating methodology.
• Create clear internal guidance distinguishing between:
  • Automatic prohibitions (UN/EU/UK/Jersey/Mauritius sanctions follow local law strictly).
  • Risk factors (OFAC and other third-country lists feed into EDD and risk rating, but do not automatically trigger refusal).

• Conduct two distinct assessments and document both:

1.  ML/TF/PF risk (individual assessment per FATF / local rules / CJEU principles).

2.  US secondary sanctions and correspondent banking risk.

• For higher-risk customers on OFAC lists where you decide to proceed, implement enhanced ongoing monitoring and consider whether the relationship fits your overall risk appetite (including US exposure).
• Review your customer acceptance and exit policies to ensure they require genuine individual assessment rather than pure list-based rules.

In practice, many LEGAL PERSONS (e.g. banks, TCSPs, family offices and other financial institutions) in Jersey, Mauritius, and similar jurisdictions still conclude that US secondary sanctions and correspondent banking risk cannot be adequately mitigated and therefore decline or heavily restrict the relationship even after completing a positive ML/TF/PF risk assessment.

4. Opportunity, Not Just Risk

• This judgment encourages a more nuanced, evidence-based compliance culture.
• It pushes firms away from blunt "tick-box" de-risking toward genuine risk management, which is ultimately what regulators in Jersey (Jersey Financial Services Commission) and Mauritius (Financial Services Commission / Bank of Mauritius) expect under their risk-based supervisory models.

Firms that update their policies now to reflect this balanced approach (including proper documentation of both ML/TF/PF and US sanctions risk) will be better positioned for:

• Regulatory examinations
• Correspondent bank due diligence questionnaires
• Potential future litigation or customer complaints

Bottom line for compliance officers outside the US/EU:

• You are not required to follow the CJEU judgment, but you would be wise to align with its spirit on the ML/TF/PF side.
• At the same time, you must continue to treat US secondary sanctions and correspondent banking risk as a separate, material risk that is not removed by the ruling.
• Treat US OFAC (and similar third-country lists) as an important input into a documented, individual ML/TF/PF risk assessment, never as an automatic "no", while also explicitly assessing and documenting US sanctions exposure. In many cases, the US risk will remain the deciding factor.
• This dual approach is consistent with FATF standards, supports financial inclusion where risk can genuinely be managed, and reduces the risk of regulatory or reputational issues on either side.

Ready to strengthen your customer risk assessment framework? Contact us today to arrange a demonstration of ITRACKAML and see how it can help your team conduct defensible dual assessments in line with FATF principles and emerging regulatory expectations. 👉 Book a demo of ITRACKAML today: Mathew Beale, mathew@itrackaml.com

Disclaimer

This article is for informational purposes only and does not constitute legal advice. Compliance policies should be reviewed with qualified local counsel and in light of your specific regulatory obligations and risk appetite.

Sources

1. Official CJEU Press Release (Best Primary Source)

Direct PDF link: https://curia.europa.eu/site/upload/docs/application/pdf/2026-06/cp260084en.pdf

Full verbatim text

PRESS RELEASE No 84/26 = Luxembourg, 11 June 2026 = Judgment of the Court in Case C-81/24 | [Jenec]

Banking services: inclusion on a United States sanctions list is not sufficient, on its own, for a refusal to open an account

Such a refusal is possible only following an individual assessment by the bank of the risk of money laundering and terrorist financing.

In 2022, a Slovenian bank refused to open a basic payment account for a consumer because he was on a sanctions list maintained by the US Office of Foreign Assets Control (OFAC). The Bank, in so doing, intended to fulfil the obligations set out in Slovenian legislation on the prevention of money laundering and terrorist financing.

However, that consumer has never been convicted of the criminal offence giving rise to his inclusion on the OFAC list. He is likewise not subject to any sanction imposed by the United Nations, the European Union or Slovenia. He therefore brought an action before the Slovenian courts to compel the bank to open such an account for him.

The Slovenian court referred the case to the Court of Justice. It wishes to know, inter alia, whether the bank's refusal was justified under EU law.

In response, the Court first states that any consumer legally residing in the European Union has the right to open and use a payment account with basic features. However, that right is subject to compliance with the rules relating to the prevention of money laundering and the countering of terrorism.

The mere inclusion of a customer's name on the OFAC list, or on any other such list compiled by a third country, does not automatically prohibit a bank from establishing a business relationship with that customer. That inclusion may nevertheless constitute one of the relevant factors which the bank is required to take into account during an individual assessment of the risk of money laundering and terrorist financing.

Even though the limited uses of a payment account with basic features reduce that risk, it cannot be ruled out that, following a specific assessment, the bank may find that it is unable to manage effectively, through measures proportionate to its nature and size, the risk of money laundering or terrorist financing connected with a business relationship with a person included on such a list.

Only in such a case could the refusal to open such an account be justified under EU law.

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of EU law or the validity of an EU act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court's decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice.

Key quotes  

"The mere inclusion of a customer's name on the OFAC list, or on any other list of that type drawn up by a third country, does not automatically prohibit a bank from establishing a business relationship with that customer."

"Such a refusal is possible only following an individual assessment, carried out by the bank, of the risk of money laundering and terrorist financing."

2. Original Source You Shared (SMB.gov.mt)

Direct link: https://smb.gov.mt/latest-news/judgment-of-the-court-in-case-c-81-24-the-inclusion-of-a-consumer-on-a-us-sanctions-list-is-not-enough-to-warrant-a-refusal-to-open-a-bank-account/

3. Reuters Article (Good journalistic summary)

Direct link: https://www.reuters.com/business/finance/being-us-sanctions-list-not-sufficient-refuse-eu-bank-account-court-rules-2026-06-11/

Key excerpt  

"Inclusion on a United States sanctions list is not sufficient on its own for a refusal to open a bank account in the European Union, the Court of Justice of the European Union ruled on Thursday. In 2022, a Slovenian bank… refused to open a basic account for a consumer named only as LH, who was included on a sanctions list by the U.S. Office of Foreign Assets Control (OFAC)… That consumer was not convicted of the criminal offence that led to his inclusion on the OFAC list and is not subject to sanctions imposed by the United Nations, the European Union or Slovenia…"

4. Additional Good Secondary Source (EU Law Live)

Direct link: https://eulawlive.com/court-of-justice-inclusion-on-us-sanctions-list-is-not-in-itself-sufficient-for-refusal-to-open-basic-payment-account/

Judgment of the Court in Case C-81/24 – The inclusion of a consumer on a US sanctions list is not enough to warrant a refusal to open a bank account. Posted on June 11, 2026, PRESS RELEASE No 84/26

A bank may refuse to open a basic payment account only after a case-by-case assessment of money-laundering and terrorist-financing risks.

In this case, a Slovenian bank relied on a customer's inclusion on the US OFAC list, despite the customer not being on EU/UN sanctions, to decide not to allow the customer to open a payment account with basic features. The Court held that EU residents have a right to a basic account. This right may be restricted to comply with AML/CFT requirements. Being on an OFAC list alone does not justify refusal. It can, however, be considered a factor in the bank's assessment of the consumer to determine whether it is too risky to allow the consumer to open a payment account. From that point, the refusal is lawful if the bank cannot adequately manage the assessed risk.

Posted in Posts - Latest News. https://smb.gov.mt/latest-news/judgment-of-the-court-in-case-c-81-24-the-inclusion-of-a-consumer-on-a-us-sanctions-list-is-not-enough-to-warrant-a-refusal-to-open-a-bank-account/

EU Court Rules: Proper Individual ML/TF/PF Risk Assessment Required – OFAC Listing Alone Is Not Enough

THIS newsletter is authored by Mathew Beale, Co-Founder & CEO, www.itrackaml.com