+357 25 800 000
·
info@demetriades.com
·
Mon - Fri 08:00-17:00
Get In Touch

CJEU clarifies the interaction between AML obligations and the right to a basic payment account

Case C-81/24, LH v OTP banka d.d. (Judgment of 11 June 2026)

Introduction

On 11 June 2026, the Court of Justice of the European Union (“CJEU”) delivered an important judgment on the relationship between consumers’ right to access a payment account with basic features and the anti-money laundering (“AML”) obligations imposed on credit institutions.

In Case C-81/24, LH v OTP banka d.d., the Court held that Article 16(4) of Directive 2014/92 does not permit Member States to require credit institutions to refuse an application for a payment account with basic features solely because the applicant is included on a sanctions list maintained by a third country. Instead, institutions must carry out an individual assessment of the money laundering and terrorist financing risks associated with the proposed business relationship. A refusal is justified only where those risks cannot be effectively managed through measures proportionate to the institution’s nature and size.

The judgment provides important guidance on how the EU AML framework interacts with consumers’ right to access essential banking services.

Background

The proceedings arose after a Slovenian bank refused to open a payment account with basic features for an individual whose name appeared on a sanctions list maintained by the United States Office of Foreign Assets Control (OFAC). Although the applicant had never been convicted of the relevant criminal offence and was not subject to restrictive measures imposed by the United Nations, the European Union or Slovenia, the bank refused the application.

The Slovenian court referred questions to the CJEU concerning the interpretation of Directive 2014/92/EU on payment accounts and Directive (EU) 2015/849 on the prevention of money laundering and terrorist financing. Having answered the first question, the Court found it unnecessary to address the remaining questions concerning the absence of criminal convictions or the presumption of innocence.

The legal framework

Directive 2014/92 grants consumers legally resident in the European Union the right to open and use a payment account with basic features. However, Article 16(4) requires Member States to ensure that credit institutions refuse an application where opening the account would result in an infringement of the AML provisions contained in Directive 2015/849.

The Court also recalled that Recital 34 of Directive 2014/92 makes clear that AML legislation must not be used as a pretext for rejecting commercially less attractive consumers. Similarly, Recital 47 states that refusal is justified only where the consumer does not comply with AML legislation, and not because compliance procedures are considered too burdensome or costly.

Directive 2015/849 requires credit institutions to identify and verify customers, assess the risks associated with the proposed business relationship and apply customer due diligence measures proportionate to those risks. Depending on the level of risk identified, institutions may be required to apply enhanced customer due diligence.

The Court’s Judgment

Inclusion on an OFAC List does not automatically justify refusal

The central issue before the Court was whether inclusion on an OFAC sanctions list automatically justified refusing to open a payment account with basic features. The CJEU answered that question in the negative. The Court held that inclusion on an OFAC list (or on any comparable list established by a third country) may constitute a relevant risk factor in assessing money laundering and terrorist financing risks.

However, that fact alone does not automatically prevent a credit institution from establishing a business relationship. Accordingly, Article 16(4) of Directive 2014/92 does not permit Member States to require credit institutions to refuse an application solely because the applicant appears on such a list.

Instead, institutions must carry out an individual assessment of the proposed business relationship, taking into account all relevant risk factors. Where that assessment identifies a higher risk of money laundering or terrorist financing, the AML Directive requires enhanced customer due diligence. However, the Court emphasised that the identification of a higher-risk customer is not automatic and must itself result from an evidence-based assessment.

Refusal may still be justified

The Court recognised that, following an individual assessment, a credit institution may conclude that it is unable to manage effectively the identified money laundering or terrorist financing risks through measures proportionate to its nature and size, even where the proposed relationship concerns only a payment account with basic features. Only in those circumstances may a refusal be justified under Article 16(4).

The Court therefore left it to the Slovenian court to determine whether the bank had carried out the required individual assessment, taking into account all relevant risk factors beyond the applicant’s inclusion on the OFAC list, and whether the identified risks could have been managed through proportionate measures, including ongoing monitoring of the business relationship under Article 13(1)(d) of Directive 2015/849.

The nature of basic payment accounts

The Court also observed that the limited functionality of payment accounts with basic features may reduce the money laundering and terrorist financing risks associated with such accounts. Nevertheless, this remains only one element of the institution’s overall assessment and does not prevent refusal where the identified risks cannot be effectively managed.

Practical Implications

The judgment confirms that financial institutions cannot adopt blanket policies under which customers appearing on third-country sanctions or watch lists are automatically denied access to payment accounts with basic features.

Instead, institutions should ensure that:

  • sanctions screening informs, rather than replaces, the individual AML risk assessment;
  • enhanced customer due diligence is applied where justified by the identified risks;
  • decisions refusing an application are supported by a documented, evidence-based assessment of all relevant risk factors; and
  • consideration is given to whether ongoing monitoring of the business relationship would enable identified risks to be effectively managed.

Conclusion

The CJEU’s judgment confirms that inclusion on a third-country sanctions list is only one factor in the assessment required under Directive 2015/849. It cannot, by itself, justify refusing a payment account with basic features. Instead, credit institutions must carry out an individual, evidence-based assessment of the proposed business relationship and determine whether any identified money laundering or terrorist financing risks can be effectively managed through measures proportionate to their nature and size. The decision reinforces both the EU’s risk-based AML framework and the objective of ensuring access to essential banking services under Directive 2014/92. For more information please contact our Compliance team at compliance@demetriades.com or your usual contact at Chrysses Demetriades & Co LLC.