moov-io / watchman

AML/CTF/KYC/OFAC Search of global watchlist and sanctions
https://moov-io.github.io/watchman/
Apache License 2.0
338 stars 89 forks source link
aml bis bis-denied-persons cip csl ctf dpl hacktoberfest kyc ofac sanction-lists sanctions sectoral-sanctions-identifications

Moov Banner Logo

Project Documentation · API Endpoints (Admin Endpoints) · API Guide · Community · Blog

GoDoc Build Status Coverage Status Go Report Card Repo Size Apache 2 License Slack Channel Docker Pulls GitHub Stars Twitter

moov-io/watchman

Moov's mission is to give developers an easy way to create and integrate bank processing into their own software products. Our open source projects are each focused on solving a single responsibility in financial services and designed around performance, scalability, and ease of use.

Moov Watchman offers download, parse, and search functions over numerous trade sanction lists from the United States, agencies, and nonprofits for complying with regional laws. Also included is a web UI and an async webhook notification service to initiate processes on remote systems.

Lists included in search are:

All United States, UK and European Union companies are required to comply with various regulations and sanction lists (such as the US Patriot Act requiring compliance with the BIS Denied Persons List).

Table of contents

Project status

Moov Watchman is actively used in multiple production environments. Please star the project if you are interested in its progress. If you have layers above Watchman to simplify tasks, perform business operations, or found bugs we would appreciate an issue or pull request. Thanks!

Usage

The Watchman project implements an HTTP server and Go library for searching, parsing, and downloading lists. Below, you can find a detailed list of features offered by Watchman:

Docker

We publish a public Docker image moov/watchman from Docker Hub or use this repository. No configuration is required to serve on :8084 and metrics at :9094/metrics in Prometheus format. We also have Docker images for OpenShift published as quay.io/moov/watchman. Lastly, we offer a moov/watchman:static Docker image with files from 2019. This image can be useful for faster local testing or consistent results.

Pull & start the Docker image:

docker pull moov/watchman:latest
docker run -p 8084:8084 -p 9094:9094 moov/watchman:latest

Get information about a company using their entity ID:

curl "localhost:8084/ofac/companies/13374"
{
   "id":"13374",
   "sdn":{
      "entityID":"13374",
      "sdnName":"SYRONICS",
      "sdnType":"",
      "program":[
         "NPWMD"
      ],
      "title":"",
      "callSign":"",
      "vesselType":"",
      "tonnage":"",
      "grossRegisteredTonnage":"",
      "vesselFlag":"",
      "vesselOwner":"",
      "remarks":""
   },
   "addresses":[
      {
         "entityID":"13374",
         "addressID":"21360",
         "address":"Kaboon Street, PO Box 5966",
         "cityStateProvincePostalCode":"Damascus",
         "country":"Syria",
         "addressRemarks":""
      }
   ],
   "alts":[
      {
         "entityID":"13374",
         "alternateID":"15056",
         "alternateType":"aka",
         "alternateName":"SYRIAN ARAB CO. FOR ELECTRONIC INDUSTRIES",
         "alternateRemarks":""
      }
   ],
   "comments":null,
   "status":null
}

Google Cloud Run

To get started in a hosted environment you can deploy this project to the Google Cloud Platform.

From your Google Cloud dashboard create a new project and call it:

moov-watchman-demo

Enable the Container Registry API for your project and associate a billing account if needed. Then, open the Cloud Shell terminal and run the following Docker commands, substituting your unique project ID:

docker pull moov/watchman
docker tag moov/watchman gcr.io/<PROJECT-ID>/watchman
docker push gcr.io/<PROJECT-ID>/watchman

Deploy the container to Cloud Run:

gcloud run deploy --image gcr.io/<PROJECT-ID>/watchman --port 8084

Select your target platform to 1, service name to watchman, and region to the one closest to you (enable Google API service if a prompt appears). Upon a successful build you will be given a URL where the API has been deployed:

https://YOUR-WATCHMAN-APP-URL.a.run.app

Now you can ping the server:

curl https://YOUR-WATCHMAN-APP-URL.a.run.app/ping

You should get this response:

PONG

Configuration settings

Environmental Variable Description Default
DATA_REFRESH_INTERVAL Interval for data redownload and reparse. off disables this refreshing. 12h
INITIAL_DATA_DIRECTORY Directory filepath with initial files to use instead of downloading. Periodic downloads will replace the initial files. Empty
SEARCH_MAX_WORKERS Maximum number of goroutines used for search. 1024
ADJACENT_SIMILARITY_POSITIONS How many nearby words to search for highest max similarly score. 3
EXACT_MATCH_FAVORITISM Extra weighting assigned to exact matches. 0.0
DISABLE_PHONETIC_FILTERING Force scoring search terms against every indexed record. false
LENGTH_DIFFERENCE_CUTOFF_FACTOR Minimum ratio for the length of two matching tokens, before they score is penalised. 0.9
LENGTH_DIFFERENCE_PENALTY_WEIGHT Weight of penalty applied to scores when two matching tokens have different lengths. 0.3
DIFFERENT_LETTER_PENALTY_WEIGHT Weight of penalty applied to scores when two matching tokens begin with different letters. 0.9
UNMATCHED_INDEX_TOKEN_WEIGHT Weight of penalty applied to scores when part of the indexed name isn't matched. 0.15
JARO_WINKLER_BOOST_THRESHOLD Jaro-Winkler boost threshold. 0.7
JARO_WINKLER_PREFIX_SIZE Jaro-Winkler prefix size. 4
LOG_FORMAT Format for logging lines to be written as. Options: json, plain - Default: plain
LOG_LEVEL Level of logging to emit. Options: trace, info - Default: info
BASE_PATH HTTP path to serve API and web UI from. /
HTTP_BIND_ADDRESS Address to bind HTTP server on. This overrides the command-line flag -http.addr. Default: :8084
HTTP_ADMIN_BIND_ADDRESS Address to bind admin HTTP server on. This overrides the command-line flag -admin.addr. Default: :9094
HTTPS_CERT_FILE Filepath containing a certificate (or intermediate chain) to be served by the HTTP server. Requires all traffic be over secure HTTP. Empty
HTTPS_KEY_FILE Filepath of a private key matching the leaf certificate from HTTPS_CERT_FILE. Empty
DISABLE_WEB_UI Skip serving and setup of the web UI. Default: false
WEB_ROOT Directory to serve web UI from. Default: webui/
WEBHOOK_MAX_WORKERS Maximum number of workers processing webhooks. Default: 10
DOWNLOAD_WEBHOOK_URL Optional webhook URL called when data downloads / refreshes occur. Empty
DOWNLOAD_WEBHOOK_AUTH_TOKEN Optional Authorization header included on download webhooks. Empty

List configurations

Environmental Variable Description Default
OFAC_DOWNLOAD_TEMPLATE HTTP address for downloading raw OFAC files. https://www.treasury.gov/ofac/downloads/%s
DPL_DOWNLOAD_TEMPLATE HTTP address for downloading the DPL. https://www.bis.doc.gov/dpl/%s
EU_CSL_DOWNLOAD_URL Use an alternate URL for downloading EU Consolidated Screening List Subresource of webgate.ec.europa.eu
WITH_EU_SCREENING_LIST Download and parse the EU Consolidated Screening List Default: true
WITH_UK_CSL_SANCTIONS_LIST Download and parse the UK CSL Sanctions List on startup. Default: true
UK_CSL_DOWNLOAD_URL Use an alternate URL for downloading UK Consolidated Screening List Subresource of www.gov.uk
UK_SANCTIONS_LIST_URL Use an alternate URL for downloading UK Sanctions List Subresource of www.gov.uk
WITH_UK_SANCTIONS_LIST Download and parse the UK Sanctions List on startup. Default: false
US_CSL_DOWNLOAD_URL Use an alternate URL for downloading US Consolidated Screening List Subresource of api.trade.gov
CSL_DOWNLOAD_TEMPLATE Same as US_CSL_DOWNLOAD_URL
KEEP_STOPWORDS Boolean to keep stopwords in names. false
DEBUG_NAME_PIPELINE Boolean to print debug messages for each name (SDN, SSI) processing step. false
Downloads

Moov Watchman supports sending a webhook (POST HTTP Request) when the underlying data is refreshed. The body will be the count of entities indexed for each list. The body will be in JSON format and the same schema as the manual data refresh endpoint.

Watching a specific customer or company by ID

Moov Watchman supports sending a webhook periodically when a specific Company or Customer is to be watched. This is designed to update another system about an OFAC entry's sanction status.

Watching a customer or company name

Moov Watchman supports sending a webhook periodically with a free-form name of a Company or Customer. This allows external applications to be notified when an entity matching that name is added to the OFAC list. The match percentage will be included in the JSON payload.

Prometheus metrics

Data persistence

By design, Watchman does not persist (save) any data about the search queries or actions created. The only storage occurs in memory of the process and upon restart Watchman will have no files or data saved. Also, no in-memory encryption of the data is performed.

Go library

This project uses Go Modules and Go v1.18 or newer. See Golang's install instructions for help setting up Go. You can download the source code and we offer tagged and released versions as well. We highly recommend you use a tagged release for production.

$ git@github.com:moov-io/watchman.git

# Pull down into the Go Module cache
$ go get -u github.com/moov-io/watchman

$ go doc github.com/moov-io/watchman/client Search

In-browser Watchman search

Using our in-browser utility, you can instantly perform advanced Watchman searches. Simply fill search fields and generate a detailed report that includes match percentage, alternative names, effective/expiration dates, IDs, addresses, and other useful information. This tool is particularly useful for completing quick searches with the aid of a intuitive interface.

Reporting blocks to OFAC

OFAC requires annual reports of blocked entities and offers guidance for this report. Section 31 C.F.R. § 501.603(b)(2) requires this annual report.

Useful resources

Getting help

We maintain a runbook for common issues and configuration options. Also, if you've encountered a security issue please contact us at security@moov.io.

channel info
Project Documentation Our project documentation available online.
Twitter @moov You can follow Moov.io's Twitter feed to get updates on our project(s). You can also tweet us questions or just share blogs or stories.
GitHub Issue If you are able to reproduce a problem please open a GitHub Issue under the specific project that caused the error.
moov-io slack Join our slack channel to have an interactive discussion about the development of the project.

Supported and tested platforms

Note: 32-bit platforms have known issues and are not supported.

Contributing

Yes please! Please review our Contributing guide and Code of Conduct to get started! Checkout our issues for first time contributors for something to help out with.

This project uses Go Modules and Go v1.18 or newer. See Golang's install instructions for help setting up Go. You can download the source code and we offer tagged and released versions as well. We highly recommend you use a tagged release for production.

Releasing

To make a release of ach simply open a pull request with CHANGELOG.md and version.go updated with the next version number and details. You'll also need to push the tag (i.e. git push origin v1.0.0) to origin in order for CI to make the release.

Testing

We maintain a comprehensive suite of unit tests and recommend table-driven testing when a particular function warrants several very similar test cases. To run all test files in the current directory, use go test. Current overall coverage can be found on Codecov.

Related projects

As part of Moov's initiative to offer open source fintech infrastructure, we have a large collection of active projects you may find useful:

License

Apache License 2.0 - See LICENSE for details.