Regulated financial compliance stack: identity verification, KYC/AML, sanctions screening, transaction monitoring, payment compliance, and multi-jurisdiction regulatory frameworks.
Zero external dependencies. Standard library only.
```bash
go build -o complianced ./cmd/complianced/
JUMIO_API_TOKEN=... COMPLIANCE_API_KEY=... ./complianced
```
```
                   ┌──────────────────┐
                   │   complianced    │
                   │      :8091       │
                   └────────┬─────────┘
                            │
       ┌────────────────────┼────────────────────┐
       │                    │                    │
 ┌─────┴─────┐        ┌─────┴─────┐        ┌─────┴─────┐
 │    IDV    │        │    AML    │        │ Payments  │
 │ Providers │        │ Screening │        │Compliance │
 └─────┬─────┘        └─────┬─────┘        └─────┬─────┘
       │                    │                    │
  ┌────┼────┐           ┌───┼───┐            ┌───┼───┐
  │    │    │           │   │   │            │   │   │
Jumio Onfido Plaid    OFAC  EU  PEP      Travel CTR Stablecoin
                      SDN   HMT           Rule      Validation
```
Extends the hanzoai/iam idv/ provider pattern. Consumed by luxfi/broker and luxfi/bank.
Provider interface with factory pattern. Each provider implements initiate, status check, and webhook parsing.
| Provider | API | Features |
|---|---|---|
| Jumio | Netverify v4 | ID + selfie, liveness, document verification |
| Onfido | v3.6 | Applicant, check, SDK token, watchlist screening |
| Plaid | Identity Verification | Session-based IDV, bank-linked identity |
All providers support HMAC-SHA256 webhook signature validation.
Full application lifecycle with multi-provider KYC verification.
Application status flow:
```
draft → pending → pending_kyc → approved
                              → rejected
```
KYC status flow:
```
not_started → pending → verified
                      → failed
```
Application model includes: identity, address, tax info, regulatory disclosures, employment, financial profile, account preferences, documents, and admin review fields.
Screening checks applicants against:
- OFAC SDN list (US Treasury)
- EU consolidated sanctions
- UK HM Treasury sanctions
- PEP (Politically Exposed Persons) databases
- Adverse media
Match types: exact, fuzzy (Levenshtein distance), partial. Risk scoring: low, medium, high, critical.
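
The three match types can be illustrated as follows. This is an added example, not code from `pkg/aml`; the function names, the `maxDist` threshold, the `"none"` result and the token-run definition of a partial match are assumptions, and risk scoring is not covered.

```go
package main

import "fmt"
import "strings"

// levenshtein returns the rune-wise edit distance between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	row := make([]int, len(rb)+1)
	for j := range row {
		row[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		diag := row[0] // previous row's value at j-1
		row[0] = i
		for j := 1; j <= len(rb); j++ {
			best := diag // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				best++
			}
			if row[j]+1 < best { // deletion
				best = row[j] + 1
			}
			if row[j-1]+1 < best { // insertion
				best = row[j-1] + 1
			}
			diag, row[j] = row[j], best
		}
	}
	return row[len(rb)]
}

// MatchType classifies name against one list entry; maxDist is an assumed threshold.
func MatchType(name, listed string, maxDist int) string {
	a := strings.Join(strings.Fields(strings.ToLower(name)), " ")
	b := strings.Join(strings.Fields(strings.ToLower(listed)), " ")
	switch {
	case a == "" || b == "":
		return "none" // never let two empty names count as an exact match
	case a == b:
		return "exact"
	case levenshtein(a, b) <= maxDist:
		return "fuzzy"
	case strings.Contains(" "+b+" ", " "+a+" ") || strings.Contains(" "+a+" ", " "+b+" "):
		return "partial" // one name is a whole-token run inside the other
	}
	return "none"
}

func main() { fmt.Println(MatchType("Jon  DOE", "John Doe", 2)) } // fuzzy
```

A fixed `maxDist` is generous for very short names, so a production matcher would normally scale the threshold with name length.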
Transaction monitoring rules engine:
- Single transaction amount limits
- Daily aggregate limits
- Velocity checks (too many transactions in time window)
- Geographic risk (high-risk country detection)
- Structuring/smurfing pattern detection
Alert lifecycle: open → investigating → escalated → closed/filed.
| Jurisdiction | Regulator | Key Requirements |
|---|---|---|
| USA | FinCEN, SEC, FINRA | BSA (CIP, CTR $10k+, SAR), suitability, accredited investor |
| UK | FCA | Registration, 5AMLD CDD/EDD, HM Treasury sanctions |
| Isle of Man | IOMFSA | Designated Business, AML/CFT Code 2019, source of wealth/funds |
Each jurisdiction defines: requirements, application validation rules, and transaction limits.
Travel Rule (FATF Recommendation 16): originator and beneficiary information required for transfers over $3,000.
CTR detection: flags transactions at or above $10,000 for Currency Transaction Report filing.
Stablecoin validation: token allowlists, per-jurisdiction policies, address risk scoring (chain analysis integration point).
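
The Travel Rule and CTR thresholds above, together with the structuring rule from the transaction monitoring list, can be sketched as follows. This is an added example, not code from `pkg/payments` or `pkg/aml`; the `Tx` type, the function names, the use of integer cents and the sliding-window heuristic are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

const (
	travelRuleCents = 300000  // Travel Rule: transfers over $3,000
	ctrCents        = 1000000 // CTR: transactions at or above $10,000
)

// Tx is a hypothetical record; amounts are integer cents so the threshold
// comparisons are exact.
type Tx struct {
	Account string
	Cents   int64
	At      time.Time
}

// Flags applies the two per-transaction thresholds stated on the page.
func Flags(t Tx) (travelRule, ctr bool) {
	return t.Cents > travelRuleCents, t.Cents >= ctrCents
}

// Structuring flags accounts whose sub-CTR transactions inside one sliding
// window add up to the CTR threshold. txs must be sorted by At.
func Structuring(txs []Tx, window time.Duration) map[string]bool {
	flagged, recent := map[string]bool{}, map[string][]Tx{}
	for _, t := range txs {
		if t.Cents >= ctrCents {
			continue // reported individually, not a structuring signal
		}
		w := append(recent[t.Account], t)
		for len(w) > 1 && t.At.Sub(w[0].At) > window {
			w = w[1:] // drop transactions that fell out of the window
		}
		var sum int64
		for _, x := range w {
			sum += x.Cents
		}
		if len(w) > 1 && sum >= ctrCents {
			flagged[t.Account] = true
		}
		recent[t.Account] = w
	}
	return flagged
}

func main() { fmt.Println(Flags(Tx{Cents: 1000000})) } // true true
```

The boundary cases matter here: exactly $3,000 does not trigger the Travel Rule ("over"), while exactly $10,000 does trigger a CTR ("at or above").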
| Entity | Registration | Net Capital | Key Rules |
|---|---|---|---|
| ATS | SEC Reg ATS, Form ATS-N | $250,000 | Rule 300-303 |
| Broker-Dealer | SEC/FINRA/SIPC | $250,000 | Rule 15c3-1 |
| Transfer Agent | SEC Rule 17Ad | $25,000 | Form TA-1/TA-2 |
| MSB | FinCEN, state MTLs | Varies | CTR/SAR filing |
Routes incoming webhooks to the correct provider handler. Features:
- HMAC-SHA256 signature validation per provider
- Idempotency tracking (event deduplication)
- Configurable retry with max attempts
- Dead letter queue for failed webhooks
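
Signature validation and event deduplication, in the order that keeps unauthenticated requests from reaching any state, can be sketched as follows. This is an added example, not the code in `pkg/webhook`; the `Verifier` type, the hex signature encoding and the sample secret are assumptions, and the event ID is assumed to be taken from the authenticated request.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

var ErrBadSignature = errors.New("webhook: signature mismatch")
var ErrDuplicate = errors.New("webhook: event already processed")

type Verifier struct { // hypothetical type, not the one in pkg/webhook
	mu      sync.Mutex
	secrets map[string][]byte   // provider name -> webhook secret
	seen    map[string]struct{} // provider + event ID already accepted
}

// Sign returns the hex HMAC-SHA256 of the raw body (the sender's side).
func Sign(secret, body []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// Accept verifies the raw body first; a forged request never touches the dedup table.
func (v *Verifier) Accept(provider, eventID, sigHex string, body []byte) error {
	secret := v.secrets[provider]
	got, err := hex.DecodeString(sigHex)
	want, _ := hex.DecodeString(Sign(secret, body))
	if len(secret) == 0 || err != nil || !hmac.Equal(got, want) { // fails closed, constant-time
		return ErrBadSignature
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	key := provider + "\x00" + eventID
	if _, dup := v.seen[key]; dup {
		return ErrDuplicate
	}
	v.seen[key] = struct{}{}
	return nil
}

func main() {
	key, body := []byte("constructed-secret"), []byte(`{"id":"evt_1"}`) // constructed sample
	v := &Verifier{secrets: map[string][]byte{"jumio": key}, seen: map[string]struct{}{}}
	fmt.Println(v.Accept("jumio", "evt_1", Sign(key, body), body)) // <nil>
}
```

The MAC must be computed over the raw request bytes, before any JSON parsing or re-serialisation, and an unset provider secret has to reject rather than verify against an empty key.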
Base URL: http://localhost:8091/v1
Auth: X-Api-Key header (skip for /healthz and webhook endpoints).
| Method | Path | Description |
|---|---|---|
| POST | /v1/applications | Create application |
| GET | /v1/applications/{id} | Get application |
| PATCH | /v1/applications/{id} | Update (draft save) |
| POST | /v1/applications/{id}/submit | Submit for review |
| GET | /v1/applications | List applications (?status=) |
| GET | /v1/applications/stats | Application statistics |

| Method | Path | Description |
|---|---|---|
| POST | /v1/kyc/verify | Initiate KYC verification |
| GET | /v1/kyc/status/{verificationId} | Check verification status |
| GET | /v1/kyc/application/{applicationId} | Verifications for application |
| POST | /v1/kyc/webhook/{provider} | Receive provider webhooks (no auth) |

| Method | Path | Description |
|---|---|---|
| POST | /v1/aml/screen | Screen individual against sanctions/PEP |
| POST | /v1/aml/monitor | Monitor transaction |
| GET | /v1/aml/alerts | List alerts (?status=) |

| Method | Path | Description |
|---|---|---|
| POST | /v1/payments/validate | Validate payin/payout compliance |
| GET | /v1/regulatory/{jurisdiction} | Get jurisdiction requirements |

| Method | Path | Description |
|---|---|---|
| GET | /healthz | Health check (no auth) |
| GET | /v1/providers | List registered IDV providers |
| Variable | Default | Description |
|---|---|---|
| COMPLIANCE_LISTEN | :8091 | HTTP listen address |
| COMPLIANCE_API_KEY | (none) | API key for authenticated endpoints |
| KYC_DEFAULT_PROVIDER | first registered | Default IDV provider |

IDV provider credentials (set for each provider):
| Provider | Variables |
|---|---|
| Jumio | JUMIO_API_TOKEN, JUMIO_API_SECRET, JUMIO_WEBHOOK_SECRET |
| Onfido | ONFIDO_API_TOKEN, ONFIDO_WEBHOOK_SECRET |
| Plaid | PLAID_CLIENT_ID, PLAID_SECRET, PLAID_WEBHOOK_SECRET |
```bash
make build        # Build binary
make test         # Run tests (173 tests across 7 packages)
make test-race    # Run with race detector (0 data races)
make lint         # go vet
make docker       # Build Docker image
make docker-push  # Push to ghcr.io
```

```bash
docker build --platform linux/amd64 -t ghcr.io/luxfi/compliance:latest .
docker run -p 8091:8091 \
  -e COMPLIANCE_API_KEY=your-key \
  -e JUMIO_API_TOKEN=... \
  -e JUMIO_API_SECRET=... \
  ghcr.io/luxfi/compliance:latest
```

Image: ghcr.io/luxfi/compliance (6.8 MB, alpine-based, healthcheck on /healthz).
```go
import (
	"github.com/luxfi/compliance/pkg/kyc"
	"github.com/luxfi/compliance/pkg/idv"
	"github.com/luxfi/compliance/pkg/aml"
)

svc := kyc.NewService()
svc.RegisterProvider(idv.NewJumio(idv.JumioConfig{...}))
```

```typescript
import { ComplianceModule } from '@luxbank/compliance'

// In NestJS app.module.ts
ComplianceModule.forRoot({
  baseUrl: process.env.COMPLIANCE_BASE_URL || 'http://compliance:8091',
  apiKey: process.env.COMPLIANCE_API_KEY || '',
})

// Inject anywhere
constructor(private readonly compliance: ComplianceService) {}

await compliance.initiateKYC(applicationId, 'jumio')
```

The @luxbank/compliance TypeScript SDK lives in luxfi/bank/pkg/compliance.
```
compliance/
├── cmd/complianced/          Standalone HTTP server
├── pkg/
│   ├── idv/                  Identity verification providers
│   │   ├── provider.go       Provider interface + registry
│   │   ├── jumio.go          Jumio Netverify v4
│   │   ├── onfido.go         Onfido v3.6
│   │   └── plaid.go          Plaid Identity Verification
│   ├── kyc/                  KYC orchestration
│   │   ├── kyc.go            Service (multi-provider, webhooks)
│   │   └── application.go    Application model + store
│   ├── aml/                  AML compliance
│   │   ├── screening.go      Sanctions/PEP screening
│   │   └── monitoring.go     Transaction monitoring rules
│   ├── regulatory/           Jurisdiction framework
│   │   ├── jurisdiction.go   Interface + factory
│   │   ├── usa.go            FinCEN/SEC/FINRA rules
│   │   ├── uk.go             FCA/5AMLD rules
│   │   └── iom.go            IOMFSA rules
│   ├── payments/             Payment compliance
│   │   ├── compliance.go     Travel rule, CTR, validation
│   │   └── stablecoin.go     Token policies, address risk
│   ├── entity/               Regulated entity types
│   │   └── entity.go         ATS, BD, TA, MSB definitions
│   └── webhook/              Unified webhook handler
│       └── handler.go        Routing, sig validation, idempotency
├── Dockerfile
├── Makefile
└── go.mod                    Zero external dependencies
```
| Module | Purpose |
|---|---|
| luxfi/broker | Multi-venue trading router, settlement engine |
| luxfi/bank | Customer apps, payments, admin dashboard |
| hanzoai/iam | Identity and access management (base idv/ pattern) |
| hanzoai/commerce | Payment processors (Plaid Link, Braintree, Stripe) |
Copyright 2024-2026 Lux Partners Limited. All rights reserved.