Giters

bkmoovio / customers

Customer registry supporting Know Your Customer (KYC), Customer Identification Program (CIP), and OFAC checks

Home Page:https://moov.io

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

moov-io/customers

GoDoc Build Status Coverage Status Go Report Card Apache 2 licensed

The Customers project focuses on solving authentic identification of humans who are legally able to hold and transfer currency within the US. Primarily this project solves Know Your Customer (KYC), Customer Identification Program (CIP), Office of Foreign Asset Control (OFAC) checks and verification workflows to comply with US federal law and ensure authentic transfers. Also, Customers has an objective to be a service for detailed due diligence on individuals and companies for Financial Institutions and services in a modernized and extensible way.

Docs: docs.moov.io | api docs

Project Status

Moov Customers is under active development, so please star the project if you are interested in its progress. We are developing an extensible HTTP API for interactions along with an OpenAPI specification file for generating clients for integration projects.

Deployment

You can download our docker image moov/customers from Docker Hub or use this repository. No configuration is required to serve on :8087 and metrics at :9097/metrics in Prometheus format.

Configuration

The following environmental variables can be set to configure behavior in Accounts.

Environmental Variable Description Default
HTTPS_CERT_FILE Filepath containing a certificate (or intermediate chain) to be served by the HTTP server. Requires all traffic be over secure HTTP. Empty
HTTPS_KEY_FILE Filepath of a private key matching the leaf certificate from HTTPS_CERT_FILE. Empty
OFAC_ENDPOINT HTTP address for OFAC interaction, defaults to Kubernetes inside clusters and local dev otherwise. Kubernetes DNS
OFAC_MATCH_THRESHOLD Percent match against OFAC data that's required for paygate to block a transaction. 0.90
DATABASE_TYPE Which database option to use (Options: sqlite, mysql) Default: sqlite

Storage

Based on DATABASE_TYPE the following environment variables will be read to configure connections for a specific database.

MySQL
  • MYSQL_ADDRESS: TCP address for connecting to the mysql server. (example: tcp(hostname:3306))
  • MYSQL_DATABASE: Name of database to connect into.
  • MYSQL_PASSWORD: Password of user account for authentication.
  • MYSQL_USER: Username used for authentication,

Refer to the mysql driver documentation for connection parameters.

  • MYSQL_TIMEOUT: Timeout parameter specified on (DSN) data source name. (Default: 30s)
SQLite
  • SQLITE_DB_PATH: Local filepath location for the customers SQLite database. (Default: customers.db)

Refer to the sqlite driver documentation for connection parameters.

Document Storage

The following environment variables control which backend service is initialized for Document persistence. These all follow a similar "blob storage" API provided by a library that Google build and maintains.

  • BUCKET_NAME: The name of the bucket to use. Must be created outside of Customers if using a cloud provider. Make sure proper access and encryption controls are setup on this bucket to prevent exposure or unauthorized access. Example: ./storage/ (For file type backends)
  • CLOUD_PROVIDER: Provider name which determines which of the following environmental variables are used to initialize Customer's persistence.
AWS S3 Storage

For more information see the Go Cloud Development Kit docs for s3blob. Use CLOUD_PROVIDER=aws to read the following environmental variables:

  • AWS_REGION: Amazon region name of where the bucket exists.
  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY: Standard AWS access credentials used by applications.
Google Cloud Storage

For more information see the Go Cloud Development Kit docs for gcsblob. Google's auth uses the standard service account authorization when deploying services. Use CLOUD_PROVIDER=gcp to read the following environmental variables:

  • GOOGLE_APPLICATION_CREDENTIALS: A filepath to the GCP service account json file.
Local filesystem Storage

For more information see the Go Cloud Development Kit docs for fileblob. This is the default if no other provider is specified. Use CLOUD_PROVIDER=file to read the following environmental variables:

  • FILEBLOB_BASE_URL: A filepath for storage on local disk. (Default: ./storage/)
  • FILEBLOB_HMAC_SECRET: HMAC secret value used to sign URLs. You MUST change this for production usage! (Default: secret)

Social Security Number (SSN) Storage

  • CLOUD_PROVIDER: Provider name which determines which of the following environmental variables are used to initialize Customer's persistence.
Local storage
  • SECRETS_LOCAL_BASE64_KEY: A base64 encoded key used to encrypt and decrypt secrets in memory. This value needs to look like base64key://value where value is a 32 byte random key.
Google Cloud Storage
  • SECRETS_GCP_KEY_RESOURCE_ID: A Google Cloud resource ID used to interact with their Key Management Service (KMS). This value has the form projects/MYPROJECT/locations/MYLOCATION/keyRings/MYKEYRING/cryptoKeys/MYKEY and their documentation has more details.
Vault storage
  • VAULT_SERVER_TOKEN: A Vault generated value used to authenticate. See the Hashicorp Vault documentation for more details.
  • VAULT_SERVER_URL: A URL for accessing the vault instance. In production environments this should be an HTTPS (TLS) secured connection.

Customer Approval

Currently approval of Customers is represented by the status field of a Customer and can have the following values: Deceased, Rejected, None (Default), ReviewRequired, KYC, OFAC, and CIP. These values can only be changed via the "admin" endpoints exposed in Customers. Admin endpoints are served from Customer's admin port (9097). Approvals (updates to a Customer status) can only be done manually, but we are aiming for automated approval. In order for a Customer to be approved into OFAC or higher there must be an OFAC search performed without positive matches and CIP requires a valid Social Security Number (SSN).

Getting Help

channel info
Project Documentation Our project documentation available online.
Google Group moov-users The Moov users Google group is for contributors other people contributing to the Moov project. You can join them without a google account by sending an email to moov-users+subscribe@googlegroups.com. After receiving the join-request message, you can simply reply to that to confirm the subscription.
Twitter @moov_io You can follow Moov.IO's Twitter feed to get updates on our project(s). You can also tweet us questions or just share blogs or stories.
GitHub Issue If you are able to reproduce an problem please open a GitHub Issue under the specific project that caused the error.
moov-io slack Join our slack channel (#customers) to have an interactive discussion about the development of the project. Request an invite to the slack channel

Contributing

Yes please! Please review our Contributing guide and Code of Conduct to get started!

Note: This project uses Go Modules, which requires Go 1.11 or higher, but we ship the vendor directory in our repository.

License

Apache License 2.0 See LICENSE for details.

About

Customer registry supporting Know Your Customer (KYC), Customer Identification Program (CIP), and OFAC checks

https://moov.io

License:Apache License 2.0

Languages

Language:Go 96.8%Language:Shell 2.0%Language:Makefile 1.0%Language:Dockerfile 0.2%