All Publications Publication

Jenec and the limits of automatic de-risking in EU banking law

4 min read By Kyriaki Stinga, Adonis Zachariou, Dorina Mastora

On 11 June 2026, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-81/24, Jenec, addressing the interaction between the right of access to a payment account with basic features under Directive 2014/92/EU and the anti-money laundering (AML) obligations imposed by Directive (EU) 2015/849.

The Court held that a bank may not refuse to open a payment account with basic features solely because an applicant appears on a sanctions list issued by a third country, such as the United States Office of Foreign Assets Control (OFAC). While such a designation may constitute a relevant risk factor, it does not in itself justify refusal. A decision to refuse an account must be based on an individual assessment demonstrating that the relevant AML, counter-terrorist financing or sanctions-related risks cannot be adequately managed through proportionate measures.

The Court's findings

The case concerned a consumer legally resident in the European Union who applied to open a payment account with basic features. The application was rejected because the applicant appeared on an OFAC sanctions list, despite not being subject to EU, UN or national sanctions.

The CJEU confirmed that the right to a basic payment account is not absolute and remains subject to compliance with AML/CFT obligations. However, those obligations must be applied consistently with the risk-based approach underpinning the EU AML framework. The Court rejected an automatic refusal based solely on inclusion on a third-country sanctions list, requiring instead a documented, customer-specific assessment that considers the nature of the customer, the services requested, the intended use of the account and the effectiveness of available risk mitigation measures.

The judgment is consistent with the relevant Opinion of the Advocate General, which emphasised that risk indicators, including adverse information or foreign sanctions designations, must be assessed holistically rather than treated as determinative.

Significance for the EU

The judgment reinforces the relationship between the Payment Accounts Directive (Directive 2014/92/EU) and the EU AML framework. It confirms that financial institutions remain responsible for identifying and managing financial crime risk, but that AML obligations do not permit automatic exclusion of customers where EU law grants access to a payment account with basic features.

Accordingly, a third-country sanctions designation may justify enhanced due diligence, additional information requests, enhanced monitoring or, where appropriate, refusal of the relationship. However, refusal must be supported by an individual and proportionate assessment rather than the existence of the designation alone.

Relevance for Cyprus

Jenec is particularly relevant for Cyprus, where banks operate within an increasingly robust AML and sanctions framework. Recent legislative developments include the establishment of the National Sanctions Implementation Unit under Law 150(I)/2025, the criminalisation of breaches of EU restrictive measures under Law 149(I)/2025 and the Central Bank of Cyprus's 2025 AML/CFT Directive.

These developments reinforce the obligation on financial institutions to maintain effective systems for sanctions screening, customer due diligence and ongoing transaction monitoring. At the same time, the Central Bank's AML/CFT Directive expressly discourages blanket de-risking practices and requires institutions to assess each customer relationship individually, considering whether identified risks can be managed through appropriate mitigation measures.

The principles established in Jenec are therefore consistent with the existing Cyprus regulatory framework. Where a customer is designated only under a third-country sanctions regime, such as OFAC or UK sanctions, the designation may be a significant element of the institution's risk assessment, particularly where correspondent banking, US dollar clearing or secondary sanctions exposure are relevant. Nevertheless, the designation does not remove the obligation to carry out an individual, documented and proportionate assessment before refusing access to a basic payment account.

Conclusion

The Jenec judgment confirms that the EU risk-based approach applies equally in the context of access to basic banking services. Third-country sanctions designations remain relevant risk indicators, but they do not automatically justify refusal of a payment account with basic features. Financial institutions must be able to demonstrate that any refusal is based on a documented assessment of the specific risks presented by the customer and that those risks cannot be adequately managed through proportionate measures.

For Cyprus financial institutions, the decision provides useful guidance on the application of AML and sanctions obligations within an increasingly stringent regulatory environment while reaffirming the importance of individualised, evidence-based decision-making.

Elias Neocleous & Co.
Legal Enquiry Assistant