Agent Sanctions Screening — Getting Started

Enable agent sanctions checks in 5 minutes

You already run Watchman for sanctions screening. Today your team searches manually via the REST API or web UI. With MCP enabled, your AI agents can do the same searches — automatically, at scale, with every result digitally signed.

What changes: two config flags. What stays the same: everything else. Same Watchman, same OFAC data, same search capabilities. Your agents just call MCP instead of REST.

Getting Started

1. Enable MCP in Watchman config. Add two lines to the Watchman config file. (30 seconds)
2. Restart Watchman. Watchman loads OFAC SDN data automatically on startup. No manual data download needed. (10 seconds)
3. Agent calls the MCP endpoint. One POST request. JSON body with the entity name. That's the entire integration. (1 line of code)
4. Agent gets a signed result. Response includes OFAC matches + MCPS digital signature. Agent can verify the result wasn't tampered with. (Automatic)

Total time: under 5 minutes. No new accounts. No new vendors. No certificates. Just your existing Watchman instance.

Step 1 — Config

Add this to the Watchman config file:

MCP:
  Enabled: true
  Signing:
    Enabled: true

That's it. Two flags. MCP enables the agent endpoint. Signing enables MCPS so every response is digitally signed.

Step 2 — Restart Watchman

./watchman

Watchman downloads the latest OFAC SDN list automatically on startup. No manual steps.

Step 3 — Agent makes a sanctions check

Today, a human searches Watchman via REST:

# How customers search today (REST API)
GET /v2/search?name=AL+QAIDA&type=business&limit=10

With MCP enabled, an AI agent does the same search — but via the MCP protocol, and gets a signed response:

# How agents search (MCP endpoint)
curl -X POST https://watchman.yourcompany.com/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "search_entities",
      "arguments": {
        "request": {
          "name": "AL QAIDA",
          "entityType": "business"
        },
        "limit": 3
      }
    }
  }'

What agents can search

The MCP endpoint supports the same full entity model as the REST API:

| Field | Example |
|---|---|
| Name | "name": "John Smith" |
| Entity type | "entityType": "person" / "business" / "organization" / "vessel" / "aircraft" |
| Person details | birthDate, gender, titles, government IDs |
| Business details | altNames, created date, dissolved date |
| Addresses | Street, city, country, postal code |
| Contact | Email addresses, phone numbers, fax, websites |
| Crypto addresses | Currency + address (e.g. BTC wallet screening) |
| Source ID | Search by specific SDN entity ID |

Same data, same matching engine, same OFAC/EU/UK HMT lists. The only difference: the MCP response is digitally signed.

Real-World Example: Agent Processes Vendor Payments

A community bank uses moov for payments. Their accounts payable agent needs to pay 200 vendors this week. Before each payment, the agent screens the vendor against OFAC.

Simple check — just a name

Most sanctions checks are this simple. The agent has a vendor name and screens it before releasing payment:

# Agent screens vendor before payment
{
  "request": { "name": "Ahmed Hassan Trading Co", "entityType": "business" },
  "limit": 5
}

Detailed check — more data, better match

When the agent has more information, it sends richer data for higher match accuracy:

# Agent screens a person with full details
{
  "request": {
    "name": "Mohammed Al-Rahman",
    "entityType": "person",
    "person": {
      "name": "Mohammed Al-Rahman",
      "birthDate": "1975-06-15",
      "gender": "male"
    },
    "addresses": [
      { "country": "SY", "city": "Damascus" }
    ]
  },
  "limit": 5
}

Crypto wallet check

Screening a crypto address before processing a transfer:

# Agent screens a Bitcoin wallet
{
  "request": {
    "name": "Unknown sender",
    "cryptoAddresses": [
      { "currency": "BTC", "address": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa" }
    ]
  }
}

The agent's decision flow

1. Agent picks up next payment from queue. Vendor: "Ahmed Hassan Trading Co" — $12,400 wire transfer
2. Agent screens vendor via Watchman MCP. POST /mcp with vendor name and entity type
3. Watchman returns signed result. Match score, entity details, SDN ID, programs — all MCPS signed
   - No match → agent releases payment. Signed "clear" result stored as audit evidence
   - Match found → agent blocks payment and alerts compliance. Signed "match" result with entity details, score, and SDN programs sent to compliance team for review

200 vendors screened in seconds. Every result signed. Every decision auditable. No human touched the queue.

Step 4 — Signed response

Watchman returns the screening result wrapped in an MCPS envelope:

{
  "mcps_version": "1.0",
  "signature": "a0db3873515099c11e91ed12...",
  "nonce": "e103bc16c8f1a65e...",
  "timestamp": 1776675949,
  "message": {
    "entities": [
      {
        "name": "AL QA'IDA",
        "sourceList": "us_ofac",
        "sourceID": "6366",
        "match": 0.81,
        "sourceData": {
          "program": ["FTO", "SDGT"]
        }
      }
    ]
  }
}

The signature covers the entire response. If anyone modifies the result — changes a match score, removes an entity, alters a program code — the signature breaks. The agent can verify this with one function call.
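An agent-side gate for the envelope above, tying the signature check to the nonce and timestamp replay protection and to the release/block decision flow. This is an added example, not Watchman or MCPS code: the page does not state the signature algorithm, encoding or signed byte layout, so Ed25519, hex-encoded signatures, the `signedBytes` layout, and the `maxAge` and `minMatch` policy values are all assumptions.

```go
package main
import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Hypothetical agent policy, not Watchman settings: freshness window, match threshold.
const maxAge, minMatch = time.Minute, 0.8
// Envelope mirrors the MCPS fields shown in Step 4.
type Envelope struct {
	Version   string          `json:"mcps_version"`
	Signature string          `json:"signature"`
	Nonce     string          `json:"nonce"`
	Timestamp int64           `json:"timestamp"`
	Message   json.RawMessage `json:"message"` // kept as the bytes received
}
// signedBytes is an ASSUMED layout; the page does not define the real MCPS one.
func signedBytes(e Envelope) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", e.Version, e.Nonce, e.Timestamp, e.Message))
}
// Decide fails closed: "hold" unless e verifies (Ed25519 assumed), is fresh and is new.
func Decide(pub ed25519.PublicKey, seen map[string]bool, e Envelope, now time.Time) string {
	var m struct {
		Entities []struct{ Match float64 `json:"match"` } `json:"entities"`
	}
	sig, err := hex.DecodeString(e.Signature)
	age := now.Sub(time.Unix(e.Timestamp, 0))
	if err != nil || !ed25519.Verify(pub, signedBytes(e), sig) || seen[e.Nonce] ||
		age > maxAge || age < -maxAge || json.Unmarshal(e.Message, &m) != nil {
		return "hold"
	}
	seen[e.Nonce] = true // an accepted nonce is never accepted again
	for _, ent := range m.Entities {
		if ent.Match >= minMatch {
			return "block"
		}
	}
	return "release"
}
func main() { // constructed key and envelope standing in for Watchman
	pub, priv, _ := ed25519.GenerateKey(nil)
	seen, now := map[string]bool{}, time.Now()
	e := Envelope{Version: "1.0", Nonce: "n1", Timestamp: now.Unix(), Message: []byte(`{"entities":[{"match":0.81}]}`)}
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, signedBytes(e)))
	fmt.Println(Decide(pub, seen, e, now), Decide(pub, seen, e, now))
}
```

A "hold" result keeps the payment in the queue for review, so a forged, stale or replayed "clear" response can never release funds on its own.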

What changes vs what stays the same

| | Before (REST) | After (MCP) |
|---|---|---|
| Who searches | Human via API or web UI | AI agent via MCP |
| Search capability | Name, type, address, IDs | Same — full entity model |
| Sanctions data | OFAC SDN, auto-refreshed | Same — 18,000+ entities |
| Response format | Plain JSON | MCPS signed JSON — tamper-evident |
| Replay protection | None | Unique nonce + timestamp per response |
| Audit evidence | Log files | Signed responses — non-repudiable |
| Infrastructure | Watchman | Same Watchman — no new services |
| Authentication | Network-level (firewall/VPN) | Same — no new auth required |
| Cost | Free | Free — open source |

What you don't need

No certificates

For sanctions checks, a standard API call is all you need. No CA setup, no certs.

No new service

Runs inside your existing Watchman. No sidecar, no proxy, no separate container.

No vendor dependency

Open source. No API keys from a third party. No usage limits. No phone-home.

No data to manage

OFAC SDN data downloads automatically on startup and refreshes every 12 hours.

When you're ready for more

Sanctions checks are the starting point. When your agents start moving money — ACH transfers, card issuing, payouts — you can add agent identity and trust scoring through moov's AgentPass integration:

| Capability | What it does | Status |
|---|---|---|
| Agent Identity | Each agent carries a verifiable certificate — proves who it is on every call | Coming Soon |
| Trust Scoring | Agents earn trust through behaviour — higher trust = higher transaction limits | Coming Soon |
| Spend Controls | Per-agent transaction limits enforced by trust level | Coming Soon |
| Anomaly Detection | Unusual agent behaviour detected and flagged in real time | Coming Soon |

The path: Start with signed sanctions checks (available now) → add agent identity when moving money → full trust scoring and spend controls for production agent payments.

Zero friction to start. Agent identity when you need it. Full agent security when you scale.