
moov-io/customers


The Customers project focuses on authentic identification of humans who are legally able to hold and transfer currency within the US. Primarily it solves Know Your Customer (KYC), Customer Identification Program (CIP) and Office of Foreign Assets Control (OFAC) checks and verification workflows, to comply with US federal law and ensure that transfers are authentic. Customers also aims to be a service for detailed due diligence on individuals and companies for Financial Institutions and services, in a modernized and extensible way.

FFIEC Bank Secrecy Act - Customer Identification Program

Docs: Project | API Endpoints | Admin API Endpoints

Project Status

Moov Customers is under active development, so please star the project if you are interested in its progress. We are developing an extensible HTTP API for interactions along with an OpenAPI specification file for generating clients for integration projects.

Running Locally

Customers has a Docker Compose setup which you can run locally. This uses the latest releases of Customers and Watchman.

$ docker-compose up
Creating customers_watchman_1 ... done
Creating customers_customers_1 ... done
...
customers_1  | ts=2020-03-06T22:56:24.2184402Z caller=main.go:50 startup="Starting moov-io/customers server version v0.4.0-rc1"
customers_1  | ts=2020-03-06T22:56:24.393462Z caller=watchman.go:102 watchman="using http://watchman:8084 for Watchman address"
customers_1  | ts=2020-03-06T22:56:24.3951132Z caller=main.go:171 startup="binding to :8087 for HTTP server"

Once the services start you can access Customers at http://localhost:8087, and Watchman through its web interface or API.

Deployment

You can download our docker image moov/customers from Docker Hub or use this repository. No configuration is required to serve on :8087 and metrics at :9097/metrics in Prometheus format. We also have docker images for OpenShift.

Configuration

The following environmental variables can be set to configure behavior in Customers.

  • HTTPS_CERT_FILE: Filepath containing a certificate (or intermediate chain) to be served by the HTTP server. Setting this requires all traffic to be over HTTPS. (Default: empty)
  • HTTPS_KEY_FILE: Filepath of a private key matching the leaf certificate from HTTPS_CERT_FILE. (Default: empty)
  • DATABASE_TYPE: Which database option to use. (Options: sqlite, mysql) (Default: sqlite)

Fed

The Moov Fed service is used for routing number lookup and verification.

  • FED_ENDPOINT: HTTP address for Moov Fed interaction to lookup ABA routing numbers. (Default: http://fed.apps.svc.cluster.local:8080)
  • FED_DEBUG_CALLS: Print debugging information with all Fed API calls. (Default: false)

PayGate

The Moov PayGate service is used to initiate micro-deposits for account validation.

  • PAYGATE_ENDPOINT: HTTP address for Moov PayGate interactions. (Default: http://paygate.apps.svc.cluster.local:8080)
  • PAYGATE_DEBUG_CALLS: Print debugging information with all PayGate API calls. (Default: false)

Watchman

The Moov Watchman service is used for OFAC and other sanctions list searching and compliance.

  • OFAC_MATCH_THRESHOLD: Percent match against OFAC data that's required for Customers to treat a search result as a positive match and block the customer. (Default: 99%)
  • WATCHMAN_ENDPOINT: HTTP address for Watchman interaction; defaults to Kubernetes DNS inside clusters and local dev otherwise. (Default: Kubernetes DNS)
  • WATCHMAN_DEBUG_CALLS: Print debugging information with all Watchman API calls. (Default: false)

Account Numbers

Customers has an endpoint which encrypts an account number for transit to another service. This encryption currently uses a symmetric key shared with the other service, so both sides must be configured with the same key.

  • TRANSIT_LOCAL_BASE64_KEY: A URI used to temporarily encrypt account numbers for transit over the network. This value needs to look like base64key://value where value is a base64 encoded 32 byte random key. Callers of endpoints that respond with encrypted values need this same key to decrypt.
    • Generate this key by running ./cmd/genkey/ and copying the base64key://... value
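As an added example (not code from the project or ./cmd/genkey), the Go program below shows the key format described above and what "a symmetric key shared with the other service" means in practice: GenerateKeyURI produces a base64key:// value of the same shape ./cmd/genkey prints, ParseKeyURI validates it at startup, and Seal/Open encrypt an account number under that key on the sending service and decrypt it on the receiving one. The same URI format is used by SECRETS_LOCAL_BASE64_KEY in the SSN Storage section. The cipher (AES-256-GCM), the function names and the sample account number are this example's own choices; the page does not state which cipher the project uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// keyPrefix is the URI scheme the README documents for TRANSIT_LOCAL_BASE64_KEY
// and SECRETS_LOCAL_BASE64_KEY.
const keyPrefix = "base64key://"

// GenerateKeyURI produces a value of the same shape the README says ./cmd/genkey
// prints: base64key:// followed by 32 random bytes, base64 encoded.
func GenerateKeyURI() (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", fmt.Errorf("generating key: %w", err)
	}
	return keyPrefix + base64.StdEncoding.EncodeToString(key), nil
}

// ParseKeyURI checks the URI shape and returns the raw key. Both services that
// share a transit key should run this at startup so a truncated or mis-pasted
// value fails fast instead of at the first request.
func ParseKeyURI(uri string) ([]byte, error) {
	if !strings.HasPrefix(uri, keyPrefix) {
		return nil, fmt.Errorf("key URI must start with %q", keyPrefix)
	}
	key, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(uri, keyPrefix))
	if err != nil {
		return nil, fmt.Errorf("key is not valid base64: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("key must decode to 32 bytes, got %d", len(key))
	}
	return key, nil
}

// Seal encrypts an account number under the shared key with AES-256-GCM and
// returns base64(nonce || ciphertext || tag). AES-GCM is this example's choice
// to illustrate a shared symmetric key; the project's own cipher is not stated
// on the page.
func Seal(key []byte, accountNumber string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(accountNumber), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal on the receiving service. A wrong key or a modified
// ciphertext fails authentication and returns an error rather than garbage.
func Open(key []byte, encoded string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("decrypting account number: %w", err)
	}
	return string(plain), nil
}

func main() {
	uri, _ := GenerateKeyURI() // in practice: the TRANSIT_LOCAL_BASE64_KEY value set on both services
	key, err := ParseKeyURI(uri)
	if err != nil {
		panic(err)
	}
	sealed, _ := Seal(key, "123456789") // constructed sample account number
	fmt.Println("encrypted for transit:", sealed)
	plain, _ := Open(key, sealed)
	fmt.Println("decrypted by peer:    ", plain)
}
```

Because the nonce is random per message, the same account number encrypts to a different ciphertext each time, and Open rejects any ciphertext that was modified in transit or sealed under a different key, which is exactly the failure you want when the two services' keys drift apart.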

Storage

Based on DATABASE_TYPE the following environment variables will be read to configure connections for a specific database.

MySQL
  • MYSQL_ADDRESS: TCP address for connecting to the mysql server. (example: tcp(hostname:3306))
  • MYSQL_DATABASE: Name of database to connect into.
  • MYSQL_PASSWORD: Password of user account for authentication.
  • MYSQL_USER: Username used for authentication.
  • MYSQL_TIMEOUT: Timeout parameter specified on the data source name (DSN). (Default: 30s)

Refer to the mysql driver documentation for connection parameters.

SQLite
  • SQLITE_DB_PATH: Local filepath location for the customers SQLite database. (Default: customers.db)

Refer to the sqlite driver documentation for connection parameters.

Document Storage

The following environment variables control which backend service is initialized for Document persistence. These all follow a similar "blob storage" API provided by a library that Google builds and maintains (the Go Cloud Development Kit).

  • BUCKET_NAME: The name of the bucket to use. Must be created outside of Customers if using a cloud provider. Make sure proper access and encryption controls are set up on this bucket to prevent exposure or unauthorized access. Example: ./storage/ (For file type backends)
  • CLOUD_PROVIDER: Provider name which determines which of the following environmental variables are used to initialize document persistence.

AWS S3 Storage

For more information see the Go Cloud Development Kit docs for s3blob. Use CLOUD_PROVIDER=aws to read the following environmental variables:

  • AWS_REGION: Amazon region name of where the bucket exists.
  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY: Standard AWS access credentials used by applications.

Google Cloud Storage

For more information see the Go Cloud Development Kit docs for gcsblob. Google's auth uses the standard service account authorization when deploying services. Use CLOUD_PROVIDER=gcp to read the following environmental variables:

  • GOOGLE_APPLICATION_CREDENTIALS: A filepath to the GCP service account json file.

Local filesystem Storage

For more information see the Go Cloud Development Kit docs for fileblob. This is the default if no other provider is specified. Use CLOUD_PROVIDER=file to read the following environmental variables:

  • FILEBLOB_BASE_URL: A filepath for storage on local disk. (Default: ./storage/)
  • FILEBLOB_HMAC_SECRET: HMAC secret value used to sign URLs. You MUST change this for production usage! (Default: secret)
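Why FILEBLOB_HMAC_SECRET must change is easiest to see with a working signed-URL check. The Go program below is an added example, not fileblob's or the project's own code: it signs a download link with HMAC-SHA256 under the server's secret and verifies it server-side, then shows that a link forged with the documented default value "secret" is accepted by a server still running that default and rejected once the secret has been replaced. The URL layout (key, exp, sig query parameters), the function names, the endpoint and the sample object key are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// sign computes HMAC-SHA256 over the object key and expiry under the server's
// secret (the role FILEBLOB_HMAC_SECRET plays for the file backend).
func sign(secret, objectKey, exp string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(objectKey + "\n" + exp))
	return hex.EncodeToString(mac.Sum(nil))
}

// SignedURL builds a time-limited download link. The query layout is this
// example's own; fileblob's actual layout is not described on the page.
func SignedURL(secret, base, objectKey string, expires time.Time) string {
	exp := strconv.FormatInt(expires.Unix(), 10)
	q := url.Values{}
	q.Set("key", objectKey)
	q.Set("exp", exp)
	q.Set("sig", sign(secret, objectKey, exp))
	return base + "?" + q.Encode()
}

// VerifyURL is the server-side check: the signature must match under the
// server's current secret and the link must not have expired. On success it
// returns the object key the caller may read.
func VerifyURL(secret, raw string, now time.Time) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	q := u.Query()
	objectKey, exp, sig := q.Get("key"), q.Get("exp"), q.Get("sig")
	expUnix, err := strconv.ParseInt(exp, 10, 64)
	if err != nil {
		return "", errors.New("malformed expiry")
	}
	if now.Unix() > expUnix {
		return "", errors.New("link expired")
	}
	// Constant-time comparison so a forger cannot learn the MAC byte by byte.
	if !hmac.Equal([]byte(sign(secret, objectKey, exp)), []byte(sig)) {
		return "", errors.New("bad signature")
	}
	return objectKey, nil
}

func main() {
	const base = "http://localhost:8087/documents" // constructed endpoint
	now := time.Unix(1700000000, 0)
	doc := "customers/42/documents/passport.pdf" // constructed object key
	// Anyone who knows the documented default can mint a link for any document...
	forged := SignedURL("secret", base, doc, now.Add(time.Hour))
	_, errDefault := VerifyURL("secret", forged, now)
	// ...and is stopped only once the server uses its own secret.
	_, errReplaced := VerifyURL("replace-me-with-random-bytes", forged, now)
	fmt.Println("server on default secret accepts forged link:", errDefault == nil)
	fmt.Println("server on its own secret accepts forged link:", errReplaced == nil)
}
```

The secret is the only thing standing between a URL and the document it names, so treat it like a key: generate it randomly, keep it out of source control, and rotate it if it is ever logged or shared.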

Social Security Number (SSN) Storage

SSNs are encrypted before they are stored in the database. The following environment variables select and configure the key used for that encryption.

  • CLOUD_PROVIDER: Provider name which determines which of the following environmental variables are used to initialize SSN encryption.

Local storage
  • SECRETS_LOCAL_BASE64_KEY: A URI used to encrypt Social Security Numbers for storage in the database. This value needs to look like base64key://value where value is a base64 encoded 32 byte random key.
    • Generate this key by running ./cmd/genkey/ and copying the base64key://... value

Google Cloud KMS
  • SECRETS_GCP_KEY_RESOURCE_ID: A Google Cloud resource ID used to interact with their Key Management Service (KMS). This value has the form projects/MYPROJECT/locations/MYLOCATION/keyRings/MYKEYRING/cryptoKeys/MYKEY and their documentation has more details.

Vault storage
  • VAULT_SERVER_TOKEN: A Vault generated value used to authenticate. See the Hashicorp Vault documentation for more details.
  • VAULT_SERVER_URL: A URL for accessing the vault instance. In production environments this should be an HTTPS (TLS) secured connection.

Customer Approval

Currently approval of a Customer is represented by the status field of the Customer, which can have the following values: Deceased, Rejected, Unknown (default), ReceiveOnly, Verified. These values can only be changed via the "admin" endpoints exposed by Customers, which are served on the admin port (9097). Approvals (updates to a Customer's status) are currently done manually; automated approval is a goal. For a Customer to be approved into ReceiveOnly, an OFAC search must have been performed with no positive matches; Verified additionally requires a valid Social Security Number (SSN).
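The approval rules above, encoded as an added Go example (not the project's code): CheckApproval refuses ReceiveOnly without a clean OFAC search and Verified without an SSN on top of that, using the OFAC_MATCH_THRESHOLD default of 99% as the cutoff for a positive match. The Customer, Evidence and OFACSearch types, the function names and the sample IDs are this example's assumptions about how an admin endpoint would gather that evidence before changing the status.

```go
package main

import (
	"errors"
	"fmt"
)

// Status holds the values the README lists for a Customer's status field.
type Status string

const (
	Deceased    Status = "Deceased"
	Rejected    Status = "Rejected"
	Unknown     Status = "Unknown" // default for a new customer
	ReceiveOnly Status = "ReceiveOnly"
	Verified    Status = "Verified"
)

// DefaultOFACThreshold mirrors OFAC_MATCH_THRESHOLD's documented default (99%).
const DefaultOFACThreshold = 0.99

// OFACSearch is a constructed summary of a Watchman search: whether one was
// run and the strongest match it returned, as a fraction (0.99 = 99%).
type OFACSearch struct {
	Performed bool
	BestMatch float64
}

// Evidence is what an admin has on file when requesting a status change.
type Evidence struct {
	OFAC   OFACSearch
	HasSSN bool // a valid SSN is stored (encrypted) for the customer
}

// Customer is a minimal stand-in for the project's model.
type Customer struct {
	ID     string
	Status Status
}

func NewCustomer(id string) *Customer { return &Customer{ID: id, Status: Unknown} }

// CheckApproval applies the documented rules for a requested status:
// ReceiveOnly needs an OFAC search with no match at or above the threshold,
// Verified needs that plus a valid SSN. The remaining statuses carry no
// evidence requirement on the page; only the admin endpoints may set any of them.
func CheckApproval(next Status, ev Evidence, threshold float64) error {
	if threshold <= 0 || threshold > 1 {
		return fmt.Errorf("OFAC threshold %v must be in (0, 1]", threshold)
	}
	switch next {
	case ReceiveOnly, Verified:
		if !ev.OFAC.Performed {
			return fmt.Errorf("%s requires an OFAC search", next)
		}
		if ev.OFAC.BestMatch >= threshold {
			return fmt.Errorf("%s blocked: OFAC match %.0f%% is at or above the %.0f%% threshold",
				next, ev.OFAC.BestMatch*100, threshold*100)
		}
		if next == Verified && !ev.HasSSN {
			return errors.New("Verified requires a valid SSN in addition to the OFAC search")
		}
		return nil
	case Deceased, Rejected, Unknown:
		return nil
	default:
		return fmt.Errorf("unknown status %q", next)
	}
}

// Approve is the admin-side operation: validate the evidence, then update the status.
func Approve(c *Customer, next Status, ev Evidence, threshold float64) error {
	if err := CheckApproval(next, ev, threshold); err != nil {
		return err
	}
	c.Status = next
	return nil
}

func main() {
	c := NewCustomer("cust_123") // constructed ID
	clean := Evidence{OFAC: OFACSearch{Performed: true, BestMatch: 0.42}}
	fmt.Println("Verified without SSN:", Approve(c, Verified, clean, DefaultOFACThreshold))
	clean.HasSSN = true
	fmt.Println("Verified with SSN:   ", Approve(c, Verified, clean, DefaultOFACThreshold), c.Status)
	hit := Evidence{OFAC: OFACSearch{Performed: true, BestMatch: 0.99}, HasSSN: true}
	fmt.Println("ReceiveOnly, 99% hit:", Approve(NewCustomer("cust_456"), ReceiveOnly, hit, DefaultOFACThreshold))
}
```

Keeping the policy in one function that the admin endpoint calls, rather than spread across handlers, is what makes the later move to automated approval a matter of feeding it evidence from Watchman directly instead of from an operator.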

Getting Help

channel info
Project Documentation Our project documentation available online.
Hosted Documentation Hosted documentation for enterprise solutions.
Google Group moov-users The Moov users Google group is for contributors and other people contributing to the Moov project. You can join it without a Google account by sending an email to [email protected]. After receiving the join-request message, you can simply reply to that to confirm the subscription.
Twitter @moov_io You can follow Moov.IO's Twitter feed to get updates on our project(s). You can also tweet us questions or just share blogs or stories.
GitHub Issue If you are able to reproduce a problem please open a GitHub Issue under the specific project that caused the error.
moov-io slack Join our slack channel (#customers) to have an interactive discussion about the development of the project.

Contributing

Yes please! Please review our Contributing guide and Code of Conduct to get started!

This project uses Go Modules and requires Go 1.14 or higher. See Golang's install instructions for help setting up Go. You can download the source code, and we offer tagged and released versions as well. We highly recommend you use a tagged release for production.

License

Apache License 2.0 See LICENSE for details.
