
This Week in Compliance: When a Name on a List Stopped Being a Decision — 12–18 June 2026
For years, compliance teams have treated a hit against a list — a high-risk-country list, a sanctions list, a watchlist — as a decision in itself. This week three developments across the UK and EU pushed in the opposite direction, whether the question is enhanced due diligence, sanctions screening requirements, or the firm-level framework that has to produce a defensible decision: a court ruled that an OFAC listing alone cannot justify refusing a bank account, the UK narrowed when mandatory enhanced due diligence is triggered, and the FCA pulled a payments firm out of the market for a financial-crime framework that could not actually decide anything. The list is becoming an input, not a verdict.
The compliance burden has not shrunk this week. It has moved. The instruction running through all three stories is the same — the work is no longer "did you check the list" but "can you prove you assessed the risk" — and the term that ties them together is risk assessment. Before this is a screening problem, it is an evidence-and-identity problem.
Sanctions screening requirements after Jenec: a list hit is an input, not a verdict
On 11 June 2026 the Court of Justice of the European Union delivered its judgment in Case C-81/24 (Jenec), arising from a Slovenian reference under the EU Payment Accounts Directive. The Court ruled that the mere inclusion of a consumer on a US OFAC sanctions list is not, by itself, sufficient grounds for an EU bank to refuse a basic payment account. Restricting that right is lawful only after an individual, case-by-case money-laundering and terrorist-financing risk assessment; an OFAC listing may be weighed as one factor, but a refusal stands only where the bank can show it cannot manage the risk through proportionate measures.
This raises the evidentiary bar on every sanctions-screening operation. A name match against a shared sanctions list is no longer a reason to auto-decline; the institution must run and document an individualised assessment of the matched person. For screening teams working through volumes of false positives against shared name lists, the ruling makes "we matched a name" insufficient and "we assessed the person" mandatory. A sanctions-list match is not a decision. It is the start of one.
The cost of Jenec is not more screening. It is more evidence per match. The firm must be able to reconstruct, for each retained or refused customer, what it knew, how it weighed the listing, and why its conclusion was proportionate. That is an identity-resolution and recordkeeping problem before it is a screening one — a defensible sanctions risk assessment depends on reliably establishing who the matched person actually is, because a name on a list and a name on a customer file are not the same evidence. Due diligence against designated persons now has to survive that test on a per-case basis, not as a policy.
Enhanced due diligence requirements move from geography to risk
The UK Parliament approved the Money Laundering and Terrorist Financing (Amendment) Regulations 2026 the week of 12 June 2026, with the changes coming into force on 30 June 2026. They narrow the mandatory enhanced due diligence obligation under regulation 33(b): mandatory EDD now applies only to jurisdictions subject to a FATF Call for Action — currently Iran, North Korea and Myanmar — replacing the broader "high-risk third country" trigger. The Regulations, laid in draft on 25 March 2026, also substitute the term "FATF Call for Action Country" for "high-risk third country" and refine the transaction trigger in regulation 33 so it bites where a transaction is unusually complex or unusually large.
This is the same shift as Jenec, written into statute: from geography-as-trigger to risk-as-trigger. Firms that ran a blanket EDD rule against a long list of high-risk third countries now have to make a defensible, case-by-case judgement and evidence it. A shorter list is not a lighter obligation. The compliance burden moves from "apply the list" to "justify the decision," and a justified decision needs a record.
This connects to the control point that recurs across all three stories: a risk assessment is only worth what you can later show. Once the mandatory geographic trigger narrows, more cases fall into the firm's own risk-based discretion under regulation 33 — which means more customer due diligence decisions a supervisor can later ask the firm to defend. This is the difference between process and evidence: the reform rewards firms that can produce the underlying identity and decision record on demand, and exposes those that were relying on the list to do the thinking for them.
When a financial crime compliance framework cannot produce an evidenced decision
On 4 June 2026 the FCA required Euro Exchange Securities UK Limited, an e-money and payments firm, to cease carrying out any regulated electronic money or payment services, and interim managers were appointed by the court. On 11 June 2026 the High Court confirmed the appointment of special administrators from Teneo. The FCA cited serious, systemic weaknesses in the firm's financial-crime framework and safeguarding arrangements, alongside ownership and governance concerns, and described it as the first case of its kind in the payments sector.
The two earlier stories redefine what an adequate risk decision looks like. This is the supervisory consequence when the underlying framework cannot make one. A regulator no longer accepts a paper framework; it expects a financial crime compliance framework that can actually produce evidenced risk assessment outcomes on identity and money flow, and it will remove from the system a firm that cannot. A framework that cannot evidence a decision is not a framework. It is a document.
The three stories tie together here. Jenec and the UK reform both demand a defensible, person-level decision against the same pressures of money laundering and terrorist financing; Euro Exchange shows the cost of a framework that cannot generate one. The common failure mode is identical across all three — treating a list, or a policy document, as a substitute for an evidenced assessment of a real person. The safeguarding and governance findings are the fresh detail in this case, but the underlying lesson is the one the whole week has been teaching.
The thread, and what comes next
Across three jurisdictions and three instruments, the same instruction landed this week: a name on a list is not a decision; an evidenced, individual risk assessment is. The common control point is proof. Each development raises the evidentiary bar on what a firm must be able to show, per person, about who it onboarded and why it reached the conclusion it did.
The harder that bar gets, the more the foundation of every individual risk assessment — knowing, verifiably, who the person actually is — matters. None of this week's news is something Verifyo performs. We do not run a bank's sanctions risk assessment, we do not perform ongoing transaction monitoring, and we do not continuously re-screen against live sanctions lists. The layer we work on at Verifyo sits underneath that decision: a reusable Zero-Knowledge KYC attestation that lets a platform establish, and prove, that an onboarded person was identity-verified and screened at verification time — without that platform holding the underlying documents. The attestation is the verifiable starting point for the risk decision a firm now has to evidence. It is not the risk decision itself.
The calendar points the same way. The MiCA transitional cliff on 1 July 2026 and the continuing build-out of AMLA's supervisory regime — including the shape of ongoing customer due diligence AMLA expects obliged entities to perform — both push toward individualised, evidenced compliance over list-based gating. The reflex that treated a name on a list as a verdict is being retired one ruling, one statute, and one enforcement action at a time.
Sources
- Court of Justice of the European Union. Press release No 84/2026 — Judgment in Case C-81/24 (Jenec). 11 June 2026. https://curia.europa.eu/site/upload/docs/application/pdf/2026-06/cp260084en.pdf
- InfoCuria — Court of Justice of the European Union. Case C-81/24 case file. 11 June 2026. https://infocuria.curia.europa.eu/tabs/redirect/juris/liste.jsf?language=en&td=ALL&num=C-81%2F24
- legislation.gov.uk. The Money Laundering and Terrorist Financing (Amendment) Regulations 2026 (UK Statutory Instrument). 2026. https://www.legislation.gov.uk/ukdsi/2026/9780348281743
- ICAEW. Parliament approves AML reform package. June 2026. https://www.icaew.com/regulation/regulatory-news/regulatory-news-2026-06/parliament-approves-aml-reform-package
- Financial Conduct Authority. Court orders appointment of special administrators for Euro Exchange Securities UK Limited. 11 June 2026 (updated 15 June 2026). https://www.fca.org.uk/news/press-releases/court-orders-appointment-special-administrators-euro-exchange-securities-uk-limited
- Financial Conduct Authority. FCA imposes requirements on Euro Exchange Securities UK Limited and interim managers appointed by the Court. 5 June 2026. https://www.fca.org.uk/news/press-releases/fca-imposes-requirements-euro-exchange-securities-uk-limited-and-interim-managers-appointed-court
Want to learn more?
Explore our other articles and stay up to date with the latest in zero-knowledge KYC and identity verification.
Browse all articles