A Hit Is Not a Verdict: What the EU's OFAC Ruling Means for Sanctions Screening

When a sanctions screening platform is configured to test every name against well over a thousand watchlists, it is rarely described as a failure of compliance. It is described as thoroughness. The instinct runs deep across the financial system: more lists mean more coverage, more coverage means less risk, and less risk means a defensible position. Yet on 11 June 2026 the Court of Justice of the European Union exposed the flaw in that instinct, and it did so through the smallest of cases.

In Case C-81/24, Jenec, the Court ruled that an EU bank cannot refuse a consumer a basic payment account solely because that consumer appears on a list maintained by the US Office of Foreign Assets Control. The listing may inform a risk assessment. It cannot substitute for one. The judgment is narrow on its facts and structural in its reach, because it identifies the precise point at which screening stops being risk-based and starts manufacturing the very risk it claims to manage.

The long reach of a foreign sanctions list

The tension Jenec resolves has been building for years. OFAC's designations carry extraterritorial force far beyond US borders, because few institutions can afford to lose access to US dollar clearing or US correspondent relationships. The practical result is that a United States listing has often functioned, inside European compliance teams, as though it were binding EU law. It is not. The European Union has long resisted the automatic domestic effect of third-country measures, most visibly through the Blocking Regulation, Council Regulation (EC) No 2271/96, amended by Commission Delegated Regulation (EU) 2018/1100 to counter the United States' reimposition of sanctions on Iran. That instrument signalled a clear position: foreign sanctions do not enter the EU legal order by default.

The Court of Justice has reinforced that position in its own case law. In Bank Melli, Case C-124/20, decided by the Grand Chamber in December 2021, the Court interpreted the Blocking Regulation to constrain how far EU operators may defer to US sanctions. Jenec now extends the same resistance into the heart of anti-money laundering practice. The thread connecting the two is consistent: a measure adopted by a third country does not, of itself, dictate the legal position within the Union. The convenience of treating it as though it does has a cost the European framework will now exact.

A single sanctions listing, a refused account

The facts are almost mundane. As the Court of Justice set out in its press release of 11 June 2026, a Slovenian bank, Nova Kreditna Banka Maribor, later acquired by the OTP Group, refused in 2022 to open a payment account with basic features for a consumer identified in the proceedings as LH. The reason was his inclusion on the OFAC list. The bank, the Court noted, acted to fulfil the obligations it understood Slovenian anti-money laundering legislation to impose.

The backdrop sharpened the stakes. The Court recorded that LH had never been convicted of the offence giving rise to his OFAC listing, and that he was subject to no restrictive measure imposed by the United Nations, the European Union, or Slovenia. The Slovenian court referred a single question to Luxembourg: does Article 16(4) of Directive 2014/92, read with the Fourth Anti-Money Laundering Directive 2015/849, allow a Member State to require banks to refuse a basic payment account solely because a person is listed by OFAC? The answer would turn on what a sanctions hit actually means in law.

A third-country list is not a binding measure

The Court's reasoning rests on a distinction that screening configurations routinely erase. An OFAC designation is an act of a United States authority. A restrictive measure adopted by the United Nations, the European Union, or a Member State is binding law within the Union. The two are not interchangeable, and the Court declined to treat them as such.

Directive 2015/849, the Court held, does not provide that inclusion on an OFAC list automatically prohibits a bank from entering into a business relationship. The same holds for any comparable list issued by a third country. This is not a licence to ignore OFAC. A bank exposed to US dollar clearing or US correspondent relationships has obvious reasons to attend to it. The Court of Justice accepted as much. But the listing must pass through the risk-based framework EU law already requires. It cannot short-circuit that framework and dictate an outcome.

The list is not the risk

Here lies the wider lesson, and it reaches well beyond one Slovenian account. Jenec concerned a single OFAC listing, but its reasoning is not confined to OFAC. The Court treated the listing as a third-country measure with no automatic binding force in EU law, and that logic holds for every comparable list a screening engine ingests. A bank cannot refuse an account because a customer appears on a list somewhere in the world. The reason for refusal must be an assessed and unmanageable risk, not the mere fact of a match.

This is where scale bites. Screening platforms now reach a remarkable breadth: World-Check One, one of the most widely used tools in the sector, screens against around 1,446 watchlists. Most carry no binding force in EU law. Under Jenec, a hit on any of them sits in exactly the position the OFAC hit occupied, a factor to be weighed, never a verdict to be enforced. The obligation the ruling confirms is to assess each such hit individually. The temptation it exposes is to automate the refusal instead, because assessing every match across more than 1,400 lists is operationally punishing and a blanket rule is not. That convenience is precisely the breach the Court forbids.

That is not a risk-based approach. It is the opposite. A risk-based approach demands that an institution identify the risks specific to a customer, a geography, a product, and a channel, then calibrate its response to what it finds. Indiscriminate screening does none of this. The more lists an engine consumes, the more false positives it generates, the more alerts overwhelm the analysts meant to clear them, and the more often a legitimate customer is refused on the strength of a coincidence. Jenec is that failure made visible. A consumer was denied essential banking not because an assessment found unmanageable risk, but because a list returned a match and the system did the rest.

Proportionality reaches the product itself

The judgment carries a further point worth dwelling on. The Court observed that the limited nature of a basic payment account may reduce the money laundering and terrorist financing risk it carries. Such an account is not a private banking relationship, a trade finance facility, or a complex cross-border structure. Its functionality is constrained, and its risk profile may be constrained with it.

This locates proportionality not only in the response but in the product. The same customer may present a manageable risk in a basic account and an unmanageable one in a correspondent relationship. A hit that would justify refusing the latter does not automatically justify refusing the former. The Court did not declare basic accounts risk-free. It expressly preserved the right to refuse where an individual assessment concludes that the risk cannot be managed through proportionate measures. What it removed was the shortcut.

Control effectiveness, not control existence

For firms, the operational lesson is precise. The existence of a screening control proves nothing. A bank can screen against every list in the world and still fail, because screening is the beginning of the obligation, not its discharge. The directive asks what the institution did with the hit, not merely whether it generated one.

A defensible policy must distinguish between binding sanctions obligations under EU, UN, or national law and non-EU lists that function as risk indicators rather than legal prohibitions. It must document how a third-country listing is weighed, when enhanced due diligence is triggered, and on what basis a refusal can be justified. The screening result, the risk assessment, and the decision must form a single reasoned chain. Where that chain is missing, the institution holds a control that exists on paper and fails in law. This is the familiar gap between audit comfort and operational realism, and mass list ingestion sits squarely on the wrong side of it.

Implications for firms

The reassessment is twofold. First, firms should ask not how many lists they screen against, but which lists carry binding force, which carry evidential weight, and which carry neither. The number is not the answer. A screening universe assembled for the appearance of thoroughness is not the same as one designed for risk, and tuning that universe to risk rather than expanding it for comfort is now a matter of legal exposure as much as operational efficiency.

Second, firms should ensure that the trail behind any refusal can withstand scrutiny. The lawful refusal is not the one that cites a list. It is the one that records an individual assessment, identifies why the risk cannot be managed proportionately, and explains the conclusion in terms a regulator or a court could test. There is a tension compliance leaders will recognise. The institution most exposed to US enforcement has the strongest incentive to over-screen, and Jenec now penalises over-screening within the EU just as enforcement penalises under-screening elsewhere. The resolution is not to pick a side. It is to assess.

Conclusion

The deeper lesson of Jenec is that thoroughness and discipline are not the same thing. Screening against everything feels safe, yet it dissolves the judgement the law exists to demand and produces the very outcome, exclusion without cause, that regulators and courts will not accept. The list tells a firm where to look. It does not tell the firm what it found. An OFAC listing is a fact to be weighed, not a verdict to be enforced. The reflex was never compliance. The assessment is.

Are you confident that every list you screen against earns its place, or are you mistaking volume for diligence?

At OpusDatum, we help firms move from the comfort of comprehensive screening to the discipline of risk-based screening. We review list governance, alert calibration, and the connection between screening output and documented decisions, so that controls demonstrate effectiveness rather than mere existence.

To review your screening framework against the standard Jenec sets, contact us.