Web Authorization Protocol A. Agarwal Internet-Draft Skyfire Systems Inc. Intended status: Standards Track M. Jones Expires: 20 January 2027 Self-Issued Consulting N. Ali Experian 19 July 2026 Anti-Money Laundering Methods Values draft-skyfire-oauth-aml-methods-00 Abstract Financial regulations require application of Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) methods in many jurisdictions worldwide. This specification defines a claim and values for declaring what AML/CFT methods were employed. About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://skyfire- xyz.github.io/draft-skyfire-oauth-aml-methods/draft-skyfire-oauth- aml-methods.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-skyfire-oauth-aml-methods/. Discussion of this document takes place on the Web Authorization Protocol Working Group mailing list (mailto:oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/. Subscribe at https://www.ietf.org/mailman/listinfo/oauth/. Source for this draft and an issue tracker can be found at https://github.com/skyfire-xyz/draft-skyfire-oauth-aml-methods. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Agarwal, et al. Expires 20 January 2027 [Page 1] Internet-Draft Anti-Money Laundering Methods Values July 2026 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 20 January 2027. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Anti-Money Laundering Methods . . . . . . . . . . . . . . . . 3 3.1. "aml" (Anti-Money Laundering Methods) Claim . . . . . . . 3 3.2. Anti-Money Laundering Method Values . . . . . . . . . . . 4 3.2.1. "ofac" (OFAC Compliance) Method . . . . . . . . . . . 4 3.2.2. "sanc" (Sanctions Screening) Method . . . . . . . . . 4 3.2.3. "watch" (Watchlist Screening) Method . . . . . . . . 4 3.2.4. "pep" (Politically Exposed Persons Screening) Method . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.5. "adv" (Adverse Media Screening) Method . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 4 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 6.1. JSON Web Token Claims Registration . . . . . . . . . . . 4 6.1.1. "aml" Claim . . . . . . . . . . . . . . . . . . . . . 4 6.2. Anti-Money Laundering Methods Registry . . . . . . . . . 5 6.2.1. Registration Template . . . . . . . . . . . . . . . . 6 6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 7.2. Informative References . . . . . . . . . . . . . . . . . 8 Document History . . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Agarwal, et al. Expires 20 January 2027 [Page 2] Internet-Draft Anti-Money Laundering Methods Values July 2026 1. Introduction Compliance to Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) regulations is required in many jurisdictions worldwide. This specification defines the Anti-Money Laundering Methods (aml) claim and values for it for declaring what Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) methods were employed. It also creates a registry for Anti- Money Laundering Methods Values and initializes the registry with the values defined in this specification. While this claim and values are general purpose and can be used in any JSON Web Token (JWT) [RFC7519], one use case for them is use in KYAPay tokens [I-D.skyfire-oauth-kyapay-token]. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Anti-Money Laundering Methods This section defines the "aml" (Anti-Money Laundering Methods) claim and values used with it to indicate that particular Anti-Money Laundering/Countering the Financing of Terrorism methods were used. In many ways, this parallels the "amr" (Authentication Methods References) claim defined in [OpenID.Core]. Like "amr", "aml" is a JWT claim whose value is an array that lists a set of methods that were used, in this case, as anti-money laundering methods, rather than authentication method references. 3.1. "aml" (Anti-Money Laundering Methods) Claim The "aml" (Anti-Money Laundering Methods) claim is a JSON array of case-sensitive strings that are identifiers for anti-money laundering methods used. For instance, values might indicate that both sanctions screening and watchlist screening methods were used. Values used in the "aml" claim SHOULD be from those registered in the IANA "Anti-Money Laundering Methods" registry established by Section 6.2; parties using this claim will need to agree upon the meanings of any unregistered values used, which may be context specific. Agarwal, et al. Expires 20 January 2027 [Page 3] Internet-Draft Anti-Money Laundering Methods Values July 2026 3.2. Anti-Money Laundering Method Values The following Anti-Money Laundering Method values are defined by this specification. 3.2.1. "ofac" (OFAC Compliance) Method ofac: OFAC Compliance, as described in [OFAC] 3.2.2. "sanc" (Sanctions Screening) Method sanc: Sanctions Screening, as described in [Sanctions] 3.2.3. "watch" (Watchlist Screening) Method watch: Watchlist Screening, as described in [Watchlist] 3.2.4. "pep" (Politically Exposed Persons Screening) Method pep: Politically Exposed Persons Screening, as described in [PEPs] 3.2.5. "adv" (Adverse Media Screening) Method adv: Adverse Media Screening, as described in [AdverseMedia] 4. Security Considerations The security considerations defined in JSON Web Token (JWT) [RFC7519] apply to this specification. 5. Privacy Considerations The privacy considerations defined in JSON Web Token (JWT) [RFC7519] apply to this specification. 6. IANA Considerations 6.1. JSON Web Token Claims Registration This specification registers the following Claim in the IANA "JSON Web Token Claims" [IANA.JWT.Claims] established by [RFC7519]. 6.1.1. "aml" Claim * Claim Name: aml * Claim Description: Anti-Money Laundering Methods Agarwal, et al. Expires 20 January 2027 [Page 4] Internet-Draft Anti-Money Laundering Methods Values July 2026 * Change Controller: Michael B. Jones - michael_b_jones@hotmail.com * Reference: Section 3.1 of this specification 6.2. Anti-Money Laundering Methods Registry This specification establishes the IANA "Anti-Money Laundering Methods" registry for aml claim array element values. The registry records the Anti-Money Laundering Method value and a reference to the specification that defines it. This specification registers the Anti-Money Laundering Method values defined in Section 3.2. Values are registered on an Expert Review [RFC5226] basis after a three-week review period on the mailing list, on the advice of one or more Designated Experts. To increase potential interoperability, the Designated Experts are requested to encourage registrants to provide the location of a publicly accessible specification defining the values being registered, so that their intended usage can be more easily understood. Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register Anti-Money Laundering Method value: example"). Within the review period, the Designated Experts will either approve or deny the registration request, communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. Registration requests that are undetermined for a period longer than 21 days can be brought to the IESG's attention (using the iesg@ietf.org (mailto:iesg@ietf.org) mailing list) for resolution. IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list. It is suggested that the same Designated Experts evaluate these registration requests as those who evaluate registration requests for the IANA "Authentication Method Reference Values" registry [IANA.AMR]. Criteria that should be applied by the Designated Experts include determining whether the proposed registration duplicates existing functionality; whether it is likely to be of general applicability or whether it is useful only for a single application; whether the value is actually being used; and whether the registration description is clear. Agarwal, et al. Expires 20 January 2027 [Page 5] Internet-Draft Anti-Money Laundering Methods Values July 2026 6.2.1. Registration Template Anti-Money Laundering Method Name: The name requested (e.g., "sanc") for the authentication method or family of closely related authentication methods. Because a core goal of this specification is for the resulting representations to be compact, it is RECOMMENDED that the name be short -- that is, not to exceed 8 characters without a compelling reason to do so. To facilitate interoperability, the name must use only printable ASCII characters excluding double quote ('"') and backslash ('\') (the Unicode characters with code points U+0021, U+0023 through U+005B, and U+005D through U+007E). This name is case sensitive. Names may not match other registered names in a case-insensitive manner unless the Designated Experts state that there is a compelling reason to allow an exception. Anti-Money Laundering Method Description: Brief description of the Anti-Money Laundering Method (e.g., "Watchlist Screening"). Change Controller: For Standards Track RFCs, state "IETF". For others, give the name of the responsible party. Other details (e.g., postal address, email address, home page URI) may also be included. Specification Document(s): Reference to the document or documents that specify the parameter, preferably including URIs that can be used to retrieve copies of the documents. An indication of the relevant sections may also be included but is not required. 6.2.2. Initial Registry Contents 6.2.2.1. "ofac" Method * Anti-Money Laundering Method Name: ofac * Anti-Money Laundering Method Description: OFAC Compliance * Change Controller: IETF * Reference: Section 3.2.1 of this specification 6.2.2.2. "sanc" Method * Anti-Money Laundering Method Name: sanc * Anti-Money Laundering Method Description: Sanctions Screening * Change Controller: IETF Agarwal, et al. Expires 20 January 2027 [Page 6] Internet-Draft Anti-Money Laundering Methods Values July 2026 * Reference: Section 3.2.2 of this specification 6.2.2.3. "watch" Method * Anti-Money Laundering Method Name: watch * Anti-Money Laundering Method Description: Watchlist Screening * Change Controller: IETF * Reference: Section 3.2.3 of this specification 6.2.2.4. "pep" Method * Anti-Money Laundering Method Name: pep * Anti-Money Laundering Method Description: Politically Exposed Persons Screening * Change Controller: IETF * Reference: Section 3.2.4 of this specification 6.2.2.5. "adv" Method * Anti-Money Laundering Method Name: adv * Anti-Money Laundering Method Description: Adverse Media Screening * Change Controller: IETF * Reference: Section 3.2.5 of this specification 7. References 7.1. Normative References [AdverseMedia] Thomson Reuters, "Adverse media screening: An overview", May 2025, . [OFAC] Office of Foreign Assets Control, U.S. Department of the Treasury, "Starting an OFAC Compliance Program", January 2015, . Agarwal, et al. Expires 20 January 2027 [Page 7] Internet-Draft Anti-Money Laundering Methods Values July 2026 [PEPs] Moody's, "Identifying Politically Exposed Persons (PEPs) and their associates", . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [Sanctions] Swift, "Why sanctions screening is critical for financial institutions", . [Watchlist] persona, "What is watchlist screening? A complete guide", January 2026, . 7.2. Informative References [I-D.skyfire-oauth-kyapay-token] Agarwal, A. and M. B. Jones, "KYAPay Token", Work in Progress, Internet-Draft, draft-skyfire-oauth-kyapay- token-00, 5 July 2026, . [IANA.AMR] IANA, "Authentication Method Reference Values", . [IANA.JWT.Claims] IANA, "JSON Web Token Claims", . Agarwal, et al. Expires 20 January 2027 [Page 8] Internet-Draft Anti-Money Laundering Methods Values July 2026 [OpenID.Core] Sakimura, N., Bradley, J., Jones, M. B., Medeiros, B. de., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", 15 December 2023, . [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 5226, DOI 10.17487/RFC5226, May 2008, . Document History [[ to be removed by the RFC Editor before publication as an RFC ]] -00 * Initial draft. Authors' Addresses Ankit Agarwal Skyfire Systems Inc. Email: ankit_agarwal@yahoo.com URI: https://skyfire.xyz Michael B. Jones Self-Issued Consulting Email: michael_b_jones@hotmail.com URI: https://self-issued.info/ Nash Ali Experian Email: nash.ali@experian.com Agarwal, et al. Expires 20 January 2027 [Page 9]