News & Legal Updates

When OFAC Meets Cypriot and EU Banking Law: Can Banks Refuse a Payment Account with Basic Features After Jenec?

1 Jul 2026

designer

By Associate Partner Pavlos Mundis and trainee lawyer Irene Savvidou

Facts of the Case

    On 11th June 2026, the Court of Justice of the European Union (CJEU) delivered its judgment in Jenec (C‑81/24), an important ruling concerning the legal effects (or limits) of a sanctions lists issued by third countries. In brief, the matter arose after a credit institution in Slovenia refused to open a payment account with basic features for an individual because his name appeared on the sanctions list maintained by the US Office of Foreign Assets Control (OFAC)

    The Slovenian credit institution considered that opening such an account would be contrary to its internal policies, which were designed to ensure compliance with Slovenian anti-money laundering requirements. However, the consumer had not been convicted of the alleged underlying offence and had not been designated under any sanctions regime imposed by the United Nations (UN), the European Union (EU), or under domestic sanctions legislation. As a result, the consumer brought proceedings before the Slovenian courts, seeking an order requiring the credit institution to open a payment account with basic features.

    The Slovenian court referred four (4) questions to the CJEU for a preliminary ruling. The first question was the principal question and, in view of the Court’s answer to that first question, it was not necessary to address the remaining questions.

    The principal question was whether a credit institution may refuse to open a payment account with basic features solely on the basis that the consumer is included in a sanctions list adopted by a third country (i.e. not an EU or UN list).

    The Legal Framework

    Pursuant to Article 16(2) of Directive 2014/92/EU on payment accounts (the Payment Accounts Directive or PAD), every consumer legally resident in the EU has the right to open and use a payment account with basic features. In addition, Article 16(4) of the PAD provides that Member States must ensure that credit institutions refuse an application for a payment account with basic features where opening such an account would result in an infringement of the provisions on the prevention of money laundering and the countering of terrorist financing laid down in Directive 2005/60/EC.

    The CJEU Findings

    The CJEU held in essence, as follows:

    OFAC Listing as a Risk Factor

    As a matter of EU law, inclusion on the OFAC list or any other list of that type drawn up by a third country, cannot, in and of itself, constitute a sufficient basis for the automatic refusal to open a payment account with basic features. Although such inclusion may legitimately be taken into consideration, it must be assessed as one factor within a broader, individualised evaluation of the money laundering and terrorist financing risks associated with the particular consumer.

    Individualised Risk Assessment

    The credit institution is required to undertake an individualised assessment of the money laundering and terrorist financing risks associated with the specific consumer, having regard to the consumer’s particular circumstances and the nature of the proposed business relationship.

    Proportionality

    In assessing proportionality, the CJEU acknowledged that the very nature of a payment account with basic features, given its limited uses, reduces the money laundering or terrorist financing risk connected with the opening of such an account. Following an individualised assessment, however, a credit institution may nevertheless conclude that it is unable effectively to manage, through measures proportionate to its nature and size, the money laundering or terrorist financing risk connected with the proposed business relationship. In such circumstances, a refusal may be justified, provided that the conclusion is based on the risks identified in respect of the relevant consumer and not merely on inclusion in a third-country sanctions list.

    No Automatic Exclusion

    By way of conclusion on the first question, the CJEU held that Article 16(4) of Directive 2014/92/EU, read in conjunction with Directive (EU) 2015/849, precludes a refusal to open a payment account with basic features where that refusal is based solely on the fact that the consumer is included in a sanctions list adopted by a third country. Such refusal may be justified only where the credit institution has carried out an individualised assessment of the money laundering or terrorist financing risk connected with the intended business relationship.

    Why the Judgment Matters

    The judgment is significant in that it reconciles the EU right of access to a payment account with basic features with the continuing obligation of credit institutions to manage AML/CFT risks. Its practical importance lies in confirming that access may not be denied through automatic exclusionary policies based solely on third-country sanctions listings, while preserving the possibility of refusal where this is supported by a properly documented, proportionate, and individualised risk assessment.

    Consequences for EU Credit Institutions

    For EU credit institutions, including Cypriot credit institutions, the principal practical consequence of the Jenec judgment is the need to ensure that account-opening, sanctions-screening and AML/CFT procedures do not operate mechanically by treating third-country sanctions listings as automatic grounds for refusal.

    Accordingly, EU credit institutions, including Cypriot credit institutions, should review any internal policies or procedures that may result in the automatic rejection of an application for a payment account with basic features solely because the consumer is listed on a third-country sanctions list.

    Where designation on a third-country sanctions list is identified as a risk factor, enhanced due diligence should be considered before access to a payment account with basic features is denied. Consistently with theJenec judgment, refusal will be justified only where the credit institution can demonstrate that the identified risks cannot be effectively managed through proportionate due diligence measures.

    Accordingly, where a refusal to open a payment account with basic features is challenged, EU credit institutions should be in a position to substantiate the basis on which the decision was taken. Internal records should demonstrate that the refusal resulted from a properly documented, proportionate and individualised assessment of the relevant AML/CFT risks, rather than from the consumer’s automatic exclusion by reason only of inclusion on a third-country sanctions list.

    In addition, pursuant to Article 16(7) of the PAD and section 17(12) of the Cypriot Law on the Comparability of Fees, Switching Payment Accounts and Access to Payment Accounts, Law 64(I)/2017, a credit institution must, following its decision, notify the consumer in writing and free of charge of any refusal and of the specific reasons for that refusal, unless such notification would be contrary to the objectives of national security, public order, or the Cypriot Prevention and Combating of Money Laundering from Illegal Activities Law.

    This creates a further practical tension between the obligation to provide reasons capable of demonstrating that an individualised assessment was undertaken and the parallel obligation not to disclose information which may amount to tipping off under the applicable AML framework, including Article 39 of the AML Directive and Article 48 of the Cypriot Prevention and Combating of Money Laundering from Illegal Activities Law of 2007, Law 188(I)/2007. The mere recording, or carefully framed communication, of a risk-based refusal should not necessarily constitute tipping off. However, the position may be different where the reasoning discloses, expressly or by implication, that a suspicious transaction report has been filed, that an internal suspicion has been escalated to the competent authority, or that an investigation is being contemplated or carried out.

    Credit institutions should therefore exercise caution as to the content of any written reasoning. Accordingly, while sufficient information should be recorded and, where appropriate, provided to enable verification that an individualised assessment was undertaken, credit institutions must avoid disclosing information that could amount to tipping off.

    In practical terms, the decision-making process should therefore be capable of showing both why refusal was necessary and why the reasons communicated to the consumer did not compromise the institution’s AML/CFT obligations.

    Potential tension between EU credit institutions and U.S. Correspondent banks

    Although the Jenec judgment clarifies the position under EU law, it does not address the separate practical and regulatory implications that may arise from an EU credit institution’s reliance on U.S. correspondent banking relationships. Nor does the judgment suggest that OFAC designations are irrelevant. Rather, its effect is to preclude the automatic treatment of a third-country sanctions designation as determinative, without an individualised assessment of the relevant AML/CFT risks.

    The judgment does not, however, eliminate the commercial and regulatory risks arising from the U.S. financial system. For EU credit institutions, including Cypriot credit institutions, involved in U.S. dollar clearing, correspondent banking with U.S. institutions, U.S. capital markets, or operating through U.S. branches or subsidiaries, the principal concern may remain exposure to secondary sanctions and broader OFAC enforcement risk. In practice, U.S. correspondent banks may impose restrictions or terminate relationships where customers or transactions create exposure to OFAC sanctions risk. As a result, even where EU law does not permit an automatic refusal of a payment account with basic features, the institution may still need to manage its correspondent banking exposure in a proportionate and risk-based manner.

    Although the CJEU’s judgment in Jenec does not interpret Regulation (EC) No 2271/96 the EU Blocking Regulation[1], both operate against a broader EU policy background concerned with limiting the effects of extraterritorial third-country sanctions on EU operators. The Jenec judgment reinforces, in a distinct context, the principle that third-country sanctions regimes, including OFAC listings, should not automatically determine the conduct of EU credit institutions. In that respect, it may be viewed as broadly consistent with the objectives of the EU Blocking Regulation, although the judgment itself is grounded in the PAD and the EU AML framework rather than in the Blocking Regulation.

    Possible risk-mitigation measures may include enhanced due diligence, senior-level approval for decisions involving OFAC-listed individuals, and the ring-fencing of U.S. exposure, for example by limiting the account to euro-denominated services and restricting U.S. dollar payments, transactions with a U.S. nexus, or the use of U.S. correspondent banks. The appropriateness of any such measures should depend on the specific risk assessment carried out in relation to the consumer and the intended business relationship.

    The Jenec judgment did not determine whether, or to what extent, such measures would be sufficient in all cases. Future litigation or regulatory guidance may further clarify how EU credit institutions should balance the right of access to a payment account with basic features with the practical constraints arising from correspondent banking relationships and exposure to third-country sanctions regimes.

    Conclusion

    The Jenec judgment confirms that inclusion on an OFAC or other third-country sanctions list cannot, in itself, justify the refusal to open a payment account with basic features. EU credit institutions must instead be able to demonstrate that any refusal is grounded in a concrete, proportionate and individualised assessment of the relevant money laundering and terrorist financing risks, and that those risks cannot be effectively managed through appropriate due diligence measures. For Cypriot and other EU credit institutions, the judgment therefore calls for careful review of internal account-opening, sanctions-screening and AML/CFT procedures, particularly where existing policies may produce automatic rejection outcomes.

    At the same time, the judgment does not remove the practical difficulties arising from U.S. dollar clearing, correspondent banking relationships and potential exposure to secondary sanctions or wider OFAC enforcement risk. The central challenge for EU and Cypriot credit institutions will be to reconcile the right of access to a payment account with basic features under EU law with the continuing need to manage sanctions, AML/CFT and correspondent banking risk in a documented, proportionate and defensible manner.

    Our firm advises clients on the legal and practical implications of these issues, including AML/CFT compliance, correspondent banking exposure and the implementation of proportionate, risk-based policies consistent with EU and Cypriot law.


    [1] This regulation seeks to protect EU operators from the extraterritorial application of certain third-country laws, including specified U.S. sanctions measures, by restricting compliance with those laws and limiting the recognition or enforcement of related foreign decisions within the EU.

    Other Articles

    Menu

    Menu