OFAC Is a Risk Factor, Not a Decision: What the CJEU's Jenec Ruling Changes About CDD Documentation
Analysis of CJEU Case C-81/24 (Jenec), decided 11 June 2026, which held that an OFAC listing cannot automatically justify refusing a basic payment account under EU AML law. Confirms the legal requirement for documented individual risk assessment, not list-matching, as the basis for CDD decisions. Implications for management companies, TCSPs, and fund administrators.
A compliance officer at a Luxembourg management company runs a screening check on a prospective investor. The system flags an OFAC hit. The officer closes the file and moves on.
That workflow is not enough under EU law. It may never have been. But after the Court of Justice of the European Union delivered its judgment in Case C-81/24 (Jenec) on 11 June 2026, the gap between what many firms do and what the law requires has become formally visible.
The Judgment and What It Says
The CJEU ruled that a bank cannot automatically refuse to open a basic payment account solely because an applicant appears on the OFAC list. The judgment in Jenec arose from a Slovenian case: a consumer was denied a basic payment account because his name appeared on a list maintained by the US Treasury Office of Foreign Assets Control. He had not been convicted of any offence. No EU, UN, or Slovenian restrictive measure had been imposed on him. The bank's compliance system produced a hit; the account was refused.
The Court held that this was not consistent with EU AML/CFT law. OFAC is a United States authority. Its lists are not binding EU restrictive measures. A third-country sanctions listing "may nevertheless constitute one of the relevant factors which the bank is required to take into account during an individual assessment of the risk of money laundering and terrorist financing." It is not a substitute for that assessment.
The deeper finding, one the judgment makes precisely clear, is that the risk-based approach built into Directive 2015/849 requires a reasoned, evidence-grounded, individualized decision. A screening hit starts a process. It does not end one.
What Screening Tools Are Actually For
Most firms have this backwards. Sanctions and PEP screening tools are increasingly marketed as compliance solutions. They flag names. Compliance teams check flags. The flag rate becomes a proxy for compliance effectiveness. What is missing from this picture is the thing the law actually requires: an assessment of why the specific risk posed by the specific customer in the specific business relationship is or is not manageable.
The CJEU's analysis draws directly on the structure of Directive 2015/849. That directive requires obliged entities to assess customers against a set of factors: nature of the customer, geographic exposure, type of product or service, expected transaction patterns, purpose of the relationship, source of funds and wealth where relevant. These factors are assessed together. The output of a screening tool is one input into that process.
The relevant question after a screening hit is therefore not "is this person on a list?" but "given this hit and everything else we know about this customer, what is the risk level, and can we manage it with appropriate controls?" The answer has to be documented. It has to reference the specific facts of the case. A note that says "OFAC hit -- declined" is not an AML decision. It is a log entry.
The Stakes for Fund Administrators and TCSPs
This ruling lands directly inside the operational workflow of management companies, fund administrators, and TCSPs.
These firms do not serve retail depositors seeking basic payment accounts. But they conduct customer due diligence on investors, beneficial owners, underlying entities, and third-party service providers. In each case, the legal standard is the same: individualized assessment, proportionate to risk, documented against the specific facts.
Fund administrators in Luxembourg serve international investor bases. Clients from higher-risk jurisdictions appear regularly. Beneficial ownership structures route through multiple layers. Some clients will appear on OFAC lists, third-country watch lists, adverse media sources, or PEP databases. Under the AMLR framework applicable from July 2027, these are inputs into a CDD decision, not the decision itself.
TCSPs managing entity structures for Mauritius-domiciled funds face the same challenge. Their clients include international holding companies, trusts, and funds connected to markets where political exposure and watchlist presence are common. If a TCSP's CDD process terminates at the screening output without documented individual analysis, it is not meeting the EU or FSC risk-based standard. After Jenec, that gap is a legal finding waiting to happen.
For management companies under CSSF supervision, the BWRA and client risk scoring frameworks already anticipate this. AMLA's 2026 supervisory work programme has placed CDD quality, individualized risk scoring, and audit-trail completeness at the center of its supervisory methodology. The Jenec ruling is now an additional reference point confirming the direction.
What "Individual Assessment" Actually Requires
Producing an individual assessment is not a documentation exercise. It is a data problem.
An individual CDD assessment for a higher-risk client requires: a risk score reflecting specific factors assessed at onboarding; documented evidence supporting each factor, including identity verification, beneficial ownership resolution, source of funds determination, and geographic risk classification; a clear record of who made the decision, on what basis, and with what supporting materials; and a monitoring flag that triggers review if circumstances change.
This cannot be produced from a folder of PDFs. A risk score written into a Word document is not searchable, not versionable, not auditable against the evidence it claims to rest on, and not reproducible when a supervisor asks to see how the decision was reached. An automated screening hit attached to a flat client record is not an individual assessment. It is a screenshot.
The firms that can produce genuine individual assessments are those whose CDD data exists as structured, queryable, and attributable records. Each field in the client record is connected to its source document. The risk score is calculated from stored attributes, not written by hand. The decision log is timestamped and linked to the evidence that justified it. When a supervisor or court asks how a refusal or acceptance decision was reached, the firm can reproduce the reasoning from structured data.
That infrastructure is not primarily a compliance tool. It is the architecture of a CDD process that is legally defensible across all the frameworks now converging: AMLR, AMLA's supervisory standards, FATF mutual evaluation criteria, and CJEU case law.
The Position
The Jenec ruling does not change the law. It clarifies what the law has always required: that AML/CFT risk decisions be made through individual assessment, not through automated substitution.
What it changes is the visibility of the gap. For years, compliance teams have operated as though a clean screening run, a PDF sign-off, and a filed form constituted due diligence. That is not what Directive 2015/849 or the AMLR requires. It is not what AMLA's supervisory methodology will accept. And it is not, as of 11 June 2026, what the Court of Justice of the EU will recognize as legally sufficient.
The firms that have already built structured CDD processes, where screening outputs feed into documented individual assessments rather than replacing them, are ahead of this. The firms still running list-based compliance as a checklist have been given a formal signal that their processes are not adequate.
That signal has a case number: C-81/24.