Project Documentation
·
API Endpoints (Admin Endpoints)
·
API Guide
·
Community
·
Blog
Moov's mission is to give developers an easy way to create and integrate bank processing into their own software products. Our open source projects are each focused on solving a single responsibility in financial services and designed around performance, scalability, and ease of use.
Moov Watchman offers download, parse, and search functions over numerous trade sanction lists from the United States, agencies, and nonprofits for complying with regional laws. Also included is a web UI and an async webhook notification service to initiate processes on remote systems.
Lists included in search are:
- US Treasury - Office of Foreign Assets Control
- Specially Designated Nationals
- Includes SDN, SDN Alternative Names, SDN Addresses
- Specially Designated Nationals
- United States Consolidated Screening List
- Department of Commerce – Bureau of Industry and Security
- Department of State – Bureau of International Security and Non-proliferation
- Department of State – Directorate of Defense Trade Controls
- ITAR Debarred (DTC)
- Department of the Treasury – Office of Foreign Assets Control
- Department of the Treasury – Office of Foreign Assets Control
- EU - Consolidated Sanctions List
- NOTE: it is recommended to create your own europa.eu account and then access the EU Financial Sanctions Files
- Use the token described under the "Show settings for crawler/robot" section
- NOTE: it is recommended to create your own europa.eu account and then access the EU Financial Sanctions Files
- UK - OFSI Sactions List
- UK - Sanctions List (Disabled by default)
All United States, UK and European Union companies are required to comply with various regulations and sanction lists (such as the US Patriot Act requiring compliance with the BIS Denied Persons List).
- Project status
- Usage
- Useful resources
- Getting help
- Supported and tested platforms
- Contributing
- Related projects
Moov Watchman is actively used in multiple production environments. Please star the project if you are interested in its progress. If you have layers above Watchman to simplify tasks, perform business operations, or found bugs we would appreciate an issue or pull request. Thanks!
The Watchman project implements an HTTP server and Go library for searching, parsing, and downloading lists. We also have an example of the webhook service. Below, you can find a detailed list of features offered by Watchman:
- Download OFAC, BIS Denied Persons List (DPL), and various other data sources on startup
- Admin endpoint to manually refresh OFAC and DPL data
- Index data for searches
- Async searches and notifications (webhooks)
- Manual overrides to mark a
Company
orCustomer
asunsafe
(blocked) orexception
(never blocked). - Library for OFAC and BIS DPL data to download and parse their custom files
We publish a public Docker image moov/watchman
from Docker Hub or use this repository. No configuration is required to serve on :8084
and metrics at :9094/metrics
in Prometheus format. We also have Docker images for OpenShift published as quay.io/moov/watchman
. Lastly, we offer a moov/watchman:static
Docker image with files from 2019. This image can be useful for faster local testing or consistent results.
Pull & start the Docker image:
docker pull moov/watchman:latest
docker run -p 8084:8084 -p 9094:9094 moov/watchman:latest
Get information about a company using their entity ID:
curl "localhost:8084/ofac/companies/13374"
{
"id":"13374",
"sdn":{
"entityID":"13374",
"sdnName":"SYRONICS",
"sdnType":"",
"program":[
"NPWMD"
],
"title":"",
"callSign":"",
"vesselType":"",
"tonnage":"",
"grossRegisteredTonnage":"",
"vesselFlag":"",
"vesselOwner":"",
"remarks":""
},
"addresses":[
{
"entityID":"13374",
"addressID":"21360",
"address":"Kaboon Street, PO Box 5966",
"cityStateProvincePostalCode":"Damascus",
"country":"Syria",
"addressRemarks":""
}
],
"alts":[
{
"entityID":"13374",
"alternateID":"15056",
"alternateType":"aka",
"alternateName":"SYRIAN ARAB CO. FOR ELECTRONIC INDUSTRIES",
"alternateRemarks":""
}
],
"comments":null,
"status":null
}
To get started in a hosted environment you can deploy this project to the Google Cloud Platform.
From your Google Cloud dashboard create a new project and call it:
moov-watchman-demo
Enable the Container Registry API for your project and associate a billing account if needed. Then, open the Cloud Shell terminal and run the following Docker commands, substituting your unique project ID:
docker pull moov/watchman
docker tag moov/watchman gcr.io/<PROJECT-ID>/watchman
docker push gcr.io/<PROJECT-ID>/watchman
Deploy the container to Cloud Run:
gcloud run deploy --image gcr.io/<PROJECT-ID>/watchman --port 8084
Select your target platform to 1
, service name to watchman
, and region to the one closest to you (enable Google API service if a prompt appears). Upon a successful build you will be given a URL where the API has been deployed:
https://YOUR-WATCHMAN-APP-URL.a.run.app
Now you can ping the server:
curl https://YOUR-WATCHMAN-APP-URL.a.run.app/ping
You should get this response:
PONG
Environmental Variable | Description | Default |
---|---|---|
DATA_REFRESH_INTERVAL |
Interval for data redownload and reparse. off disables this refreshing. |
12h |
INITIAL_DATA_DIRECTORY |
Directory filepath with initial files to use instead of downloading. Periodic downloads will replace the initial files. | Empty |
EXACT_MATCH_FAVORITISM |
Extra weighting assigned to exact matches. | 0.0 |
JARO_WINKLER_BOOST_THRESHOLD |
Jaro-Winkler boost threshold. | 0.7 |
JARO_WINKLER_PREFIX_SIZE |
Jaro-Winkler prefix size. | 4 |
WEBHOOK_BATCH_SIZE |
How many watches to read from database per batch of async searches. | 100 |
LOG_FORMAT |
Format for logging lines to be written as. | Options: json , plain - Default: plain |
LOG_LEVEL |
Level of logging to emit. | Options: trace , info - Default: info |
BASE_PATH |
HTTP path to serve API and web UI from. | / |
HTTP_BIND_ADDRESS |
Address to bind HTTP server on. This overrides the command-line flag -http.addr . |
Default: :8084 |
HTTP_ADMIN_BIND_ADDRESS |
Address to bind admin HTTP server on. This overrides the command-line flag -admin.addr . |
Default: :9094 |
HTTPS_CERT_FILE |
Filepath containing a certificate (or intermediate chain) to be served by the HTTP server. Requires all traffic be over secure HTTP. | Empty |
HTTPS_KEY_FILE |
Filepath of a private key matching the leaf certificate from HTTPS_CERT_FILE . |
Empty |
DATABASE_TYPE |
Which database option to use (Options: sqlite , mysql ). |
Default: sqlite |
WEB_ROOT |
Directory to serve web UI from. | Default: webui/ |
WEBHOOK_MAX_WORKERS |
Maximum number of workers processing webhooks. | Default: 10 |
DOWNLOAD_WEBHOOK_URL |
Optional webhook URL called when data downloads / refreshes occur. | Empty |
DOWNLOAD_WEBHOOK_AUTH_TOKEN |
Optional Authorization header included on download webhooks. |
Empty |
Environmental Variable | Description | Default |
---|---|---|
OFAC_DOWNLOAD_TEMPLATE |
HTTP address for downloading raw OFAC files. | https://www.treasury.gov/ofac/downloads/%s |
DPL_DOWNLOAD_TEMPLATE |
HTTP address for downloading the DPL. | https://www.bis.doc.gov/dpl/%s |
EU_CSL_DOWNLOAD_URL |
Use an alternate URL for downloading EU Consolidated Screening List | Subresource of webgate.ec.europa.eu |
UK_CSL_DOWNLOAD_URL |
Use an alternate URL for downloading UK Consolidated Screening List | Subresource of www.gov.uk |
UK_SANCTIONS_LIST_URL |
Use an alternate URL for downloading UK Sanctions List | Subresource of www.gov.uk |
WITH_UK_SANCTIONS_LIST |
Download and parse the UK Sanctions List on startup. | Default: false |
US_CSL_DOWNLOAD_URL |
Use an alternate URL for downloading US Consolidated Screening List | Subresource of api.trade.gov |
CSL_DOWNLOAD_TEMPLATE |
Same as US_CSL_DOWNLOAD_URL |
|
KEEP_STOPWORDS |
Boolean to keep stopwords in names. | false |
DEBUG_NAME_PIPELINE |
Boolean to print debug messages for each name (SDN, SSI) processing step. | false |
Based on DATABASE_TYPE
, the following environmental variables will be read to configure connections for a specific database.
MYSQL_ADDRESS
: TCP address for connecting to the MySQL server. (example:tcp(hostname:3306)
)MYSQL_DATABASE
: Name of database to connect into.MYSQL_PASSWORD
: Password of user account for authentication.MYSQL_USER
: Username used for authentication.
Refer to the MySQL driver documentation for connection parameters.
MYSQL_TIMEOUT
: Timeout parameter specified on (DSN) data source name. (Default:30s
)
SQLITE_DB_PATH
: Local filepath location for the SQLite database. (Default:watchman.db
)
Refer to the SQLite driver documentation for connection parameters.
When Watchman sends a webhook to your application, the body will contain a JSON representation of the Company or Customer model as the body to a POST request. You can see an example in Go.
An Authorization
header will also be sent with the authToken
provided when setting up the watch. Clients should verify this token to ensure authenticated communication.
Webhook notifications are run after the OFAC data is successfully refreshed, which is determined by the DATA_REFRESH_INTERVAL
environmental variable.
Moov Watchman supports sending a webhook when the underlying data is refreshed. The body will be the count of entities indexed for each list. The body will be in JSON format and the same schema as the manual data refresh endpoint.
Moov Watchman supports sending a webhook periodically when a specific Company or Customer is to be watched. This is designed to update another system about an OFAC entry's sanction status.
Moov Watchman supports sending a webhook periodically with a free-form name of a Company or Customer. This allows external applications to be notified when an entity matching that name is added to the OFAC list. The match percentage will be included in the JSON payload.
http_response_duration_seconds
: A histogram of HTTP response timings.last_data_refresh_success
: Unix timestamp of when data was last refreshed successfully.last_data_refresh_count
: Count of records for a given sanction or entity list.match_percentages
A histogram which holds the match percentages with a label (type
) of searches.type
: Can be address, q, remarksID, name, altName
mysql_connections
: Number of MySQL connections and their statuses.sqlite_connections
: Number of SQLite connections and their statuses.
By design, Watchman does not persist (save) any data about the search queries or actions created. The only storage occurs in memory of the process and upon restart Watchman will have no files or data saved. Also, no in-memory encryption of the data is performed.
This project uses Go Modules and Go v1.18 or newer. See Golang's install instructions for help setting up Go. You can download the source code and we offer tagged and released versions as well. We highly recommend you use a tagged release for production.
$ [email protected]:moov-io/watchman.git
# Pull down into the Go Module cache
$ go get -u github.com/moov-io/watchman
$ go doc github.com/moov-io/watchman/client Search
Using our in-browser utility, you can instantly perform advanced Watchman searches. Simply fill search fields and generate a detailed report that includes match percentage, alternative names, effective/expiration dates, IDs, addresses, and other useful information. This tool is particularly useful for completing quick searches with the aid of a intuitive interface.
OFAC requires annual reports of blocked entities and offers guidance for this report. Section 31 C.F.R. § 501.603(b)(2) requires this annual report.
- OFAC Sanctions Search Page
- Subscribe for OFAC email updates
- When should I call the OFAC Hotline?
- BIS Denied Persons List with Denied US Export Privileges (DPL)
- BIS Entity List
- Sectoral Sanctions Identifications (SSI)
- US Sanctions Search FAQ
We maintain a runbook for common issues and configuration options. Also, if you've encountered a security issue please contact us at [email protected]
.
channel | info |
---|---|
Project Documentation | Our project documentation available online. |
Twitter @moov | You can follow Moov.io's Twitter feed to get updates on our project(s). You can also tweet us questions or just share blogs or stories. |
GitHub Issue | If you are able to reproduce a problem please open a GitHub Issue under the specific project that caused the error. |
moov-io slack | Join our slack channel to have an interactive discussion about the development of the project. |
- 64-bit Linux (Ubuntu, Debian), macOS, and Windows
Note: 32-bit platforms have known issues and are not supported.
Yes please! Please review our Contributing guide and Code of Conduct to get started! Checkout our issues for first time contributors for something to help out with.
This project uses Go Modules and Go v1.18 or newer. See Golang's install instructions for help setting up Go. You can download the source code and we offer tagged and released versions as well. We highly recommend you use a tagged release for production.
To make a release of ach simply open a pull request with CHANGELOG.md
and version.go
updated with the next version number and details. You'll also need to push the tag (i.e. git push origin v1.0.0
) to origin in order for CI to make the release.
We maintain a comprehensive suite of unit tests and recommend table-driven testing when a particular function warrants several very similar test cases. To run all test files in the current directory, use go test
. Current overall coverage can be found on Codecov.
As part of Moov's initiative to offer open source fintech infrastructure, we have a large collection of active projects you may find useful:
-
Moov Fed implements utility services for searching the United States Federal Reserve System such as ABA routing numbers, financial institution name lookup, and FedACH and Fedwire routing information.
-
Moov Image Cash Letter implements Image Cash Letter (ICL) files used for Check21, X.9 or check truncation files for exchange and remote deposit in the U.S.
-
Moov Wire implements an interface to write files for the Fedwire Funds Service, a real-time gross settlement funds transfer system operated by the United States Federal Reserve Banks.
-
Moov ACH provides ACH file generation and parsing, supporting all Standard Entry Codes for the primary method of money movement throughout the United States.
-
Moov Metro 2 provides a way to easily read, create, and validate Metro 2 format, which is used for consumer credit history reporting by the United States credit bureaus.
Apache License 2.0 - See LICENSE for details.