If the OFAC service has a failure getting the sanctions list it will exit with a failure. I'm not sure this is the most ideal behavior.

Maybe it should keep trying? Maybe it can try from some back up locations? Not sure the best behavior but crashing does not seem ideal.

(Note: we are not currently persisting the DB. So maybe this is a problem only on initial run when db is created?)

We should replace the existing demo at moov.io/ofac/ with our new web UI. This involves shifting how that site is deployed and removes the auth requirement, but we should be able to do so in a straightforward way.

We should write a quick app that handles OFAC webhooks, it can just print out the retrieved data, but provides an example for users of this app.

Right now Reader calls ReadAll() (from encoding/csv.Reader), but there's a proposed change to switch to Read(). Either way we should ideally cap the max bytes/lines read so we don't DOS ourselves.

The Office of Financial Sanctions Implementation (OFSI) publishes a list of all those subject to financial sanctions imposed by the UK which it keeps updated.

Financial sanctions targets

Even though we can return results quickly we should cap the response sizes so as to not overburden clients (and ourselves).

10 results sounds like a good default limit, with 100 as a hard max.

If the name and address query parameters are provided we should rank against both to help callers filter if requested.

The Treasury's UI also calculates the score used with the phonetic based algorithm Soundex.
https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/fuzzy_logic.aspx

This algo should be supported as well and incorporated into the overall search score.

Remove replaceNull function

There are some other lists we need to monitor. Would be great if this software handled them as well:

1. The UN Consolidated Sanctions List:
   https://www.un.org/securitycouncil/content/un-sc-consolidated-list

2. The UK sanctions list:
   https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets/consolidated-list-of-targets

3. The EU sanctions list:
   https://webgate.ec.europa.eu/europeaid/fsd/fsf#!/files

The third one is slightly annoying because you to create credentials to access the list.

The treasury site where this service downloads info is not the greatest about being always available.

Recently, a retry mechanism was added. This may have helped in some cases. However, we still see a lot of failures.

The big problem we have is that when it can not load the data the container dies. In our docker-compose environment we have nginx running in front of it and the container then kills our nginx container which means we have to restart the whole damn thing.

(This will be a little less of a problem in production because we could just leave old containers up until new containers successfully launch and load the data.)

At least in our sandbox environment it would be nice if we could load these files initially from disk. Then worse case the data is not fresh - but at least the container is up and running.

We need to handle all search params (right now it's just req.Address). This needs to be done so we search across the metadata provided in each OFAC entry.

This includes the following fields/params: .City, .State, .Providence, .Zip, .Country

I assume searching the SDN entry for whatever is in City, State, Providence and Zip (as separate searches?) would be a good start.

I'm not exactly sure how to correlate Country though. Often records are part of the "IRAN" or "CUBA" sanction program, or shows up in the remarks column.

I realized this when reading over an OFAC settlement for shipping to Iran.

When a possible match occurs (above 85%) an endpoint should show the watch-list data that matched and the resulting score.
The endpoint should allow the possible match result to be marked as unsafe or add an exception to avoid repeat matches of the same entry.

unsafe the customer/company can no longer make payments

exception the customer/company had a false positive. An exception

and exception should include the time, optional note, and ideally the user that made that decision.

A standalone instance of this app needs to download the OFAC files on its own and should refresh that copy after N hours. (N is configurable and likely defaults to 24h) This allows someone to start our app without the need for external dependencies and keeps the information up to date.

We can keep the files in temp storage close to the app. When the app restarts it can check the modification time of the files and if the files are too old download them again. This would help to prevent repeated downloads if the app is in a crash loop.

After reading the flat files we might want to persist the structured data in a database to allow for better queries, full text, etc. I think a SQL solution would be the best and we can start with sqlite since our other apps use that.

The spec for CSV files isn't too bad and can probably be directly mapped to a few tables. ent_num is used to join the tables together.

FORMAT SDN CSV

Main table, text file name SDN.CSV

Column
sequence Column name  Type     Size  Description
-------- ------------ -------  ----  ---------------------
1        ent_num     number          unique record
                                     identifier/unique
                                     listing identifier
2        SDN_Name     text     350   name of SDN
3        SDN_Type     text     12    type of SDN
4        Program      text     50    sanctions program name
5        Title        text     200   title of an individual
6        Call_Sign    text     8     vessel call sign
7        Vess_type    text     25    vessel type
8        Tonnage      text     14    vessel tonnage
9        GRT          text     8     gross registered tonnage
10       Vess_flag    text     40    vessel flag
11       Vess_owner   text     150   vessel owner
12       Remarks      text     1000  remarks on SDN*

Address table, text file name ADD.CSV

Column
sequence Column name  Type     Size  Description
-------- ------------ -------  ----  ---------------------
1        Ent_num      number         link to unique listing
2        Add_num      number         unique record identifier
3        Address      text     750   street address of SDN
4        City/				text     116   city, state/province, zip/postal code
         State/Province/
         Postal Code
5        Country      text     250   country of address
6        Add_remarks  text     200   remarks on address

Alternate identity table, text file name ALT.CSV

Column
sequence Column name  Type     Size  Description
-------- ------------ -------  ----  ---------------------
1        ent_num      number         link to unique listing
2        alt_num      number         unique record identifier
3        alt_type     text     8     type of alternate identity
                                     (aka, fka, nka)
4        alt_name     text     350   alternate identity name
5        alt_remarks  text     200   remarks on alternate identity

#95 adds BIS Denied Person's List (DPL) data into OFAC search endpoints. The admin endpoint is currently /ofac/refresh, but we should rename it as /data/refresh since the underlying code updates DPL data as well.

For the time being we should support both endpoints so we don't break backword compatibility.

Stop words are typically useless words in sentences and are also the most frequent. They're excluded because the verb, noun, adjectives, etc contain information which the speaker weights more heavily over these grammatical nuances.

There's a Go library which looks to be setup for removing and ranking strings according to a language's common stop words. We'd need to add support for Jaro Winkler.

https://github.com/bbalet/stopwords / LevenshteinDistance

From their docs:

Am I required to screen for weak aliases (AKAs)?

OFAC's regulations do not explicitly require any specific screening regime. Financial institutions and others must make screening choices based on their circumstances and compliance approach. As a general matter, though, OFAC does not expect that persons will screen for weak AKAs, but expects that such AKAs may be used to help determine whether a hit arising from other information is accurate.

Will I be penalized for processing an unauthorized transaction
involving a weak alias (AKA)?

A person who processes an unauthorized transaction involving an SDN has violated U.S. law and may be subject to an enforcement action. Generally speaking, however, if (i) the only sanctions reference in the transaction is a weak AKA, (ii) the person involved in the processing had no other reason to know that the transaction involved an SDN or was otherwise in violation of U.S. law, and (iii) the person maintains a rigorous risk-based compliance program, OFAC will not issue a civil penalty against an individual or entity for processing such a transaction.

The Bureau of Industry and Security (BIS) of the U.S. Department of Commerce is responsible for the regulation of exports for national security, foreign policy, and nonproliferation reasons, as well as the enforcement of those regulations. The BIS Denied Persons List (formerly known as the Denial Orders List or the DOL List) lists individuals who have been denied export privileges in whole or in part. BIS Denied Person list is a key list to be scanned against in order to comply with the USA PATRIOT Act.

In addition to enforcing the Export Administration Regulations (EAR), BIS export compliance administers several restricted party lists that apply to export and reexport transactions. BIS maintains three restricted party lists: the Denied Persons List, the Entity List and the Unverified List.

BIS lists, which change frequently, include:

• BIS Denied Persons List download
  The BIS Denied Persons List includes the names of individuals and companies that have been denied export privileges by BIS, usually due to a violation of U.S. export control laws. U.S. persons and companies are generally prohibited from engaging in export transactions with parties named on the Denied Persons List.

• BIS Entity List
  The BIS Entity List identifies the names of companies, individuals, government agencies and research institutions that trigger export and reexport license requirements. U.S. companies need to ensure that the appropriate export licenses are in place before proceeding with transactions with parties on the BIS Entity List.

• BIS Unverified List
  This list includes the names of foreign parties that BIS have been unable to conduct a pre-license check or post-shipment verification. Potential transactions with parties on the Unverified List are a “red flag” that must be addressed and resolved before proceeding with the export.

Adding BIS Denied Persons list expands the scope of this project from OFAC to identity verification. Competitive products in the market that are sold as OFAC checks usually include additional public lists that augment the OFAC check by starting with the OFAC’s SDN lsit and then searching

• BIS Denied Persons
• FBI’s Most Wanted List
• Debarred Parties list
• Death Master File

All lists are used to help verify the identity of the sending or receiving company

The Entity List specifies the license requirements that it imposes on each listed person. Those license requirements are independent of, and in addition to, license requirements imposed elsewhere in the EAR.

The Entity List is part of the Consolidated Screening List (CSL)
api.trade.gov/consolidated_screening_list

We need to experiment a bit and work out parsers for all for file types.

We need to periodically refresh the OFAC data downloaded. I'm unsure if there's a specific maximum set of OFAC standards, but offering an override via environmental variable is also needed. (Example: OFAC_REFRESH_INTERVAL=240m)

This would use the same underlying download/index logic as #9

Currently, all data is stored in SQLLite in memory. Customers, Companies, and the event log should be configured to be stored in a restart persistent data stores such as MySQL or Postgres.

OFAC's server should expose a Prometheus gauge for the last unix timestamp that data was successfully refreshed. This can be used with an alert pretty easily. (example below)

groups:
 - name: ./ofac.rules
   rules:
    - alert: OFACStaleData
      expr: (now() - ofac_data_last_refresh) < 60*60*12 # 12 hours ago
      for: 1h
      labels:
        severity: warning
      annotations:
        description: "OFAC stale data, last refresh {{ humanizeTimestamp $value }}"

When providing the &sdnType=entity filter no results are returned. This is a bit confusing as "not individuals" are called entities from OFAC, so we need to handle them the same.

From OFAC:

"Entity would be the category for company or organization. You can type in the name in the name search box to perform the search via the link to this search engine: https://sanctionssearch.ofac.treas.gov/ Thank you."

Using this service (or the example available at https://moov.io/ofac/) does not match results from the treasury's official SDN search at https://sanctionssearch.ofac.treas.gov/.

This service returns way too many unrelated results with a high match value. For example, searching "George Bush" returns an 89% match to "George Habbash", 88% match to "George Haswani", 84% match to "George Chiweshe":

However, searching the same name with an 80% fuzzy match threshold on the Treasury's own OFAC search website yields no results:

I love the open source fintech toolbox. Unfortunately these tools are not high enough quality to use in production at a financial institution today. I look forward to helping to improve the library.

Thanks!

We need to support TLS in our HTTP server. This protects requests from inspection along the various network paths and routing. It's also required as part of several guidelines and audit requirements.

This issue is to discuss the API workings and how other Moov services talk with ofac.

I'm going to propose the endpoints are written like auth and paygate, which is along these lines with their routing logic defined nearby (file-wise). The go-kit endpoints are okay, but casting to and from interface{} has drawbacks.

The endpoint specifics are over in #1, so I'm not going to discuss that here.

Authentication works the following way in paygate:

An HTTP call like GET /v1/depositories/:id with a cookie or OAuth token will hit our LB (traefik) and a "forward auth" call gets made from traefik to our auth service. The cookie or OAuth token is checked, and if valid '200 OK' is returned to traefik. Only on that '200 OK' is the actual request proxied to paygate (or in this case ofac).

I'd like to setup the ofac API in a similar way. It removes the need for the app to care about auth and can be enforced pretty easily. (We can move that logic into a shared library.)

Finding an HTTP address for paygate -> ach interactions is easy enough for local dev and kubernetes so let's re-use that logic.

The custom client in paygate's pkg/achclient was needed because our generated go client assumes too much about hitting api.moov.io and LB routing. We needed specific service-to-service interaction ignoring that. We might need the same for ofac, but I'd like to try generating and importing an OpenAPI spec from ofac's source tree in our main api.moov.io OpenAPI spec.

There's some common Prometheus metrics exported by their library and I've added a few to each service. I assume ofac will have metrics to export. i.e. ofac_last_refreshed{type="sdn"} 1213212515

Increase reader.go test coverage

I thought of having an endpoint like GET /compare?s1=..&s2=...[&algorithm=soundex] which returns the similarity percentage between s1 and s2. This would allow dynamic debugging of two strings.

Would this be useful? Please comment below or vote 👍 / 👎 thanks!

Support checking the UN Consolidated Sanctions List.

The Consolidated List includes all individuals and entities subject to measures imposed by the Security Council.

United Nations Security Council Consolidated List

On GET /search we should return the highest matching results rather than just the first N that match above our threshold.

I think when the ofac site is having trouble it has bigger troubles than a retry will solve! :(

Also, I see this error when it fails:
{"caller":"main.go:135","main":"ERROR: failed to download/parse initial OFAC data: ERROR: downloading OFAC and DPL data: OFAC: problem downloading (matched=add.csv, alt.csv, sdn.csv, sdn_comments.csv missing=dpl.txt): err=\u003cnil\u003e","ts":"2019-08-07T04:40:48.491283209Z"}

Something weird is happening with the error field.

An option to load from disk or something would be nice for dev...

In commit 9844e58, the go4.org module requirement was updated to an invalid pseudo-version. In commit 6e70f24, a replace directive was added with the correct pseudo-version.

A problem is that the replace directive only applies when this is the main module, so it doesn't help other projects that try to require and use this module.

You can reproduce by doing:

$ go version
go version go1.13.4 darwin/amd64
$ cd $(mktemp -d)
$ go mod init example.com/m
go: creating new go.mod: module example.com/m
$ go get github.com/moov-io/ofac@latest
go: finding github.com/moov-io/ofac v0.11.1
go: downloading github.com/moov-io/ofac v0.11.1
go: extracting github.com/moov-io/ofac v0.11.1
go get: github.com/moov-io/[email protected] requires
	[email protected]: invalid pseudo-version: does not match version-control timestamp (2019-03-13T08:23:47Z)

The right fix would be to remove the replace directive and change the required version to be valid.

After #4 is finished we need to wire the datastore to the search endpoints. We found a similar project that does this, but we'll likely need to add custom ranking to provide a more through match.

Webhooks often have a secret token associated with them that is only handed out to the authentic caller (since webhooks are often exposed to the public internet).

See: https://developer.github.com/webhooks/securing/#setting-your-secret-token

We need to document the API endpoints. This lets us generate clients (if we used a standard like OpenAPI) and possibly integrate into our existing API spec.

One of the important filters we will need is the Type filter that lets us distinguish individuals from other types of entities. I'd be happy to add it to the UI once the search API supported this.

Keep a log of when the different sanction lists where updated and the affecting change of the new list. We should be able to retrieve a last updated date from a service along with a history of changes.

Example:

Log Entries

POST /v1/ofac/refresh, but only available on :9090 (admin HTTP server).

This would build off of work to download the files on boot. Branch diff

The consolidated list of persons, groups and entities subject to EU financial sanctions can be downloaded from Financial Sanctions Database - FSF platform accessible via the following address: https://webgate.ec.europa.eu/europeaid/fsd/fsf#!/files

In order to access the FSF platform, you need to have an "EU Login" account.
Please follow the instructions provided on the EU Login page displayed when you click on the above link.

NYSIIS is a modern algorithm for normalizing and ranking text in search. It has better comprehension across languages than algorithms like jaro-winkler, soundex, and metaphone.

https://en.wikipedia.org/wiki/New_York_State_Identification_and_Intelligence_System

Sample implementation: https://github.com/antzucaro/matchr/blob/master/nysiis.go

ofactest works fine locally, so I'm not sure the problem in Kubernetes.

$ kubectl  logs -n apps ofactest-1550773800-c4jhf  
2019/02/21 18:32:59.625924 main.go:57: Starting moov/ofactest v0.5.2
2019/02/21 18:32:59.625949 main.go:83: [INFO] using http://ofac.apps.svc.cluster.local:8080/ for address
2019/02/21 18:32:59.731940 main.go:101: [SUCCESS] ping
2019/02/21 18:32:59.733422 main.go:108: [SUCCESS] last download was: 6m41s ago
2019/02/21 18:32:59.751252 main.go:121: [SUCCESS] name search passed, query="alh"
2019/02/21 18:32:59.752313 main.go:133: [FAILURE] problem adding company watch: addCompanyWatch: 405 Method Not Allowed

Right now @wadearnold wanted to start on customer routes. We'll get to this after. This is a marker issue though.

A Watch represents an automated notification when OFAC data is matched, either as part of an online or async re-search. Watches let consumers of OFAC get a callback on an HTTPS endpoint.

OFAC searches are inherently messy and complicated because they interact with people's real names and/or aliases. This means there isn't a "one-size" algorithm we could apply and instead need to offer our customers with lots of options.

In short, our search endpoint(s) should be able to reflect multiple string comparison algorithms:

POST /v1/ofac/search/name?algos=levenstein,exact
[
 {
   // ...
 }
]

We should also support no algos parameter (or a value of all) to run all string comparison algorithms. All searches run across aliases and real names from the OFAC list.

The initial list of algorithms could include:

• case-insensitive and trimmed exact match
• Levenstein
• Jaro
• Jaro-Winkler
• Hamming Distance
• Soundex
• Ukkonen
• Wagner-Fischer

With many other possible algorithms,

• https://www.rosette.com/blog/overview-fuzzy-name-matching-techniques/

I think the result body for an algorithm should be:

{
  "algorithm": "hamming",
  "score": 0.95
}

• algorithm: lowercase enumeration of all algorithms.
• score: Is a normalized 0-1 percent of string match. (i.e. 0.95 -> 95% match)

Here are my initial thoughts for OFAC endpoints.

We'd serve all endpoints at https://api.moov.io/v1/ofac/

POST /companies/:id/watch
- monitor company by id

POST /companies/watch?name=...
- monitor company by name, reparsed on each search

GET /companies/:id
- get company information and matches

PUT /companies/:id
- mark company as blocked or unblocked

DELETE /companies/:id/watch
- stop watching company

DELETE /companies/watch/:watchId
- stop watching company by watchId

POST /customers/:id/watch
- monitor customer

POST /customers/watch?name=...
- monitor customer by name, re-parse on each search

GET /customers/:id
- get customer information and matches

PUT /customers/:id
- mark customer as blocked or unblocked

DELETE /customers/:id/watch
- stop watching customer

DELETE /customers/watch/:watchId
- stop watching customer name


POST /search/address
- Search for address records matching the given search criteria.

POST /search/name?k=v
- fuzzy name search
- See: https://github.com/moov-io/ofac/issues/6

POST /search/alt?k=v
- fuzzy alternate name search

POST /search/company?k=v
- fuzzy company name search


GET /sdn/:id/addresses
- get addresses for a given SDN

GET /sdn/:id/alternateNames
- get alternate names for a given SDN

GET /sdn/:id
- get SDN information

I've been trying to get ofac to work but it doesn't seem to be returning the rigth results:

1. Go to https://sanctionssearch.ofac.treas.gov/ and search name="Maduro" (the venezuelan dictator) and you will get 4 results with 100% score.
2. Go to https://moov.io/ofac/ and search "Maduro" and you won't get those 4 results but a bunch of unrelated results

Also if you search by the National ID Number you won't get any results:

1. Go to https://sanctionssearch.ofac.treas.gov/ and search ID#="5892464" and you will get the right result of "Maduro"
2. Go to https://moov.io/ofac/ and search "5892464" and just a bunch of nonsense is returned. (Also tried using a recent ofac docker image with search/q=589246)

Nonproliferation Sanctions

The ISN is part of the Consolidated Screening List (CSL)
api.trade.gov/consolidated_screening_list

The OFAC spec (for CSV) specifies the following as their null character. We should replace this with an empty string after/during reading.

null:                          -0-

The Unverified List (UVL) contains the names and addresses of foreign entities about which the Commerce Department’s Bureau of Industry and Security (BIS) has concerns. The list is in Supplement Number 6 to Part 744 of the Export Administration Regulations (EAR).

The UVL is part of the Consolidated Screening List (CSL)
api.trade.gov/consolidated_screening_list