compliance: Kraken unable to receive requested source-of-funds documents

My name's Tom and I'm a full-time compliance officer.

I have now encountered, with at least four firms, the following pattern: a firm asks for source-of-funds documents.  They may say you can send them via their web site -- but you can't.  They ask you to send them by plain-text email, apparently not caring about the systematic leakage thus performed.  They may, hilariously, declare their receiving address "secure", as tho this makes it so.

The best case is that the firm simply accepts the documents on paper to their normal post address.  This was the case with Nidwaldner Kantonalbank.  Sadly, firms are dropping the ability to handle paper post properly, but without developing any competence in handling of electronic documents to compensate.

An extreme example, with which I'm currently struggling, is Kraken, the digital currency exchange.  Despite its warts, it somewhat works, and they have so far put out the money, which is an important part of the service.

As part of a current project to diversify somewhat into real estate, I liquidated several house-sized tranches of Monero (the only one I've tried beside Bitcoin -- and I do not recommend).  They basically worked.  Apart from Kraken's query, these tranches have generated at least three source-of-funds enquiries downstream, which may or may not be complete (they don't tend to tell you "that's okay now", you just have to interpret a period of silence as being that).  But the funds are there.

For the purposes of this, we assume an ssl-protected upload facility on their web site is "good enough", and compares favourably, in terms of systematic leakage during transmission, to plain-text email (you have to start somewhere).

Kraken, and within my experience this is so far unique to Kraken, bizarrely allows you to upload one single source-of-funds document via their web site.  If you upload another one, it replaces the previous one.  Imagine the retard farm where they came up with that.

Their initial request dates from May 6, and looked like:


Hello Tom, REMOVED here from the Kraken funding team.

As part of the normal compliance routine on transactional activities, our
banking partner is requesting a Proof of Source of Funds of your income.

Please provide the following information:

1) Your current employment/income situation, if possible please include the name
and website of the (employer) company or business.

2) A document that shows your income/how the transacted funds have been
generated; this can be a tax document/statement, bank statement, sales contracts
or invoices, or any other official document that shows your income (e.g. salary,
benefits, inheritance, etc.).

If the funds have been generated by **crypto currency holdings** over a longer
period of time, point 2) can be replaced by a signed wallet address(es) and/or
exchange statements proving the early purchases of your coins or tokens, if
available.

How to sign a Bitcoin wallet address is explained on this page (note that the
specific instructions may differ based on your wallet software):
https://coinguides.org/sign-verify-bitcoin-address/

**The source of funds documentation should (at a minimum) cover the full amount
of your transactions.**

If you're planning to send additional higher transfers in the near future, these
amounts should also be covered by your provided documentation.

Please attach your Proof of Source of Funds in a response to this email. Once we
receive this document, we will pass it along to our banking partner for their
review.

Thanks for your cooperation.

Please let us know if you have any questions, and we look forward to your reply.

Regards,
REMOVED
Kraken Support


The main issue with this is the criminally-negligent instruction to "attach your Proof of Source of Funds in a response to your email", thus guaranteeing the leak of notionally confidential documents.

I initially asked to be able to send the documents by post, which is the easiest fallback: 

Date: Tue, 17 May 2022 [..]
To: Kraken Support <support@kraken.com>
Subject: Re: Kraken Support: Regarding your recent transaction(s)

It is unacceptable to request these confidential documents by
plain-text email.

Failing a secure upload facility on your web site, please give
me a postal address, and I will send the documents in the post.

The assumptions underlying the "questions" are quite ridiculous,
but I can indeed provide proof of source documents.

I am travelling for the next several weeks, and I am not going
to be bullied into dropping everything for this.  So you can
be patient, and I will attend to this administrative imposition
in due course, when I am back at the office.

  kind regards, Tom Jones.

They responded with this:

Hello Tom,

Thanks for getting back to us.

You can upload the source of funds documentation via your Kraken account. Please
find below the instructions:

1) Login to your Kraken account
2) Navigate to Settings tab
3) Click Documents
4) Click Upload
5) Upload the SOF documents. Make sure they meet our technical parameters.
6) Reply to this email letting us know it's done.

Please note that the source of funds documentation should (at a minimum) cover
the full amount of your transactions.

We await for your reply. Let us know if you have any questions.

Regards,
REMOVED
Kraken Support

Note their use of the plural in "SOF documents" (SOF presumably stands for source of funds).  As already mentioned, their web site only allows the upload of a single file.  Not a single file at a time.  A single file is allowed to exist, as part of your account, and this single file is your "source of funds" file.  No, I'm not shitting you.  I wish I were shitting you.

Skipping over some reminders from them while I travelled, we get to this from me on July 7:

Hi,

I just went to upload the source of funds documents.

I uploaded the first one, a summary of my XMR buyin.  However,
after doing that, the ability to upload further documents
apparently disappeared from the "Account Documents" web
interface.

Is it supposed to be possible to upload multiple documents here --
and if so, how?

  kind regards, Tom Jones.

Naively, I am still enquiring about how I would upload the multiple documents.

Date: Thu, 07 Jul 2022 [..]
From: "REMOVED (Kraken Support)" <support@kraken.com>
To: [..]
Subject: [Kraken Support] Re: Regarding your recent transaction(s)

----------------------------------------------

REMOVED, Jul 7, 2022, [..]

Hello Tom,

Thank you for getting back to us.

Can you please merge all the documents and upload all together? I just failed
the uploaded document so you will be able to upload the new merged one.

Please let us know once it is done so we can check it.

Regards,
REMOVED
Kraken Support

They want me to embark on an IT project to put all the documents into a single file.  I'm still not shitting you.

Date: Mon, 11 Jul 2022 [..]
From: Tom Jones <REMOVED>
To: Kraken Support <support@kraken.com>
Subject: Re: [Kraken Support] Re: Regarding your recent transaction(s)

I'm going to interpret this as a joke, and you can tell me either

 (i) your postal address, to which I will send the documents on
     paper; or
 (ii) how to upload multiple documents via your web site

Alternatively, the single document that your interface allowed me
to upload so far may be sufficient for you to close this false
accusation of money laundering.

  kind regards, Tom Jones.

It's not going well, but it would be easy to rescue the situation by simply cooperating on receiving the documents by post.  Let's see if they do so:

From: "REMOVED3 (Kraken Support)" <support@kraken.com>
To: Kraken User <REMOVED>
Subject: [Kraken Support] Re: Regarding your recent transaction(s)
Reply-To: Kraken Support <support@kraken.com>

[..]
Hello Tom,

This is not a joke and no one has accused you of money laundering.  This is a
standard compliance request from our banking partner.

It is not possible to send us documents via postal mail.  There are two ways to
submit your source of funds documents:

1. Reply to this email with a standard .PDF/.JPEG/.PNG file.  You can use a
password protected file and provide us the password by creating a second and
separate email request.

2. Via the secure upload form on your Kraken account but this only allows the
upload of one file so you would need to merge your files in order to use this
method.

Please let us know if you have any additional questions.

Regards,
REMOVED3
Kraken Support

That's a no.  They are not going to cooperate on receiving them by post.  For good measure, they throw in a further suggestion of leaking via plain-text email, which is objectionable.

From: Tom Jones <REMOVED>
To: Kraken Support <support@kraken.com>
Subject: Re: [Kraken Support] Re: Regarding your recent transaction(s)

You are trying my patience.

If you ask me again to submit confidential documents by plain-text
email, I will file a criminal complaint against you for criminal negligence
in the jurisdiction in which you are incorporated.

There is no reason not to allow submission of paper documents in
the post.  Technologically, this works.  If you are so incompetent
you can not accept (more than one) documents via your web site,
this is a good fallback option.  Your "banking partner" and
any relevant regulators should know that you're making it impossible
to submit the documents you ask for.

I am not going to fart about, for days on end, coaxing multiple
documents into a single PDF, when everyone else's document
submission mechanism, whether by post or web site, allows
submission of multiple documents.  I appreciate that to some
extent you get to "set me homework", as part of this whole
compliance crap, but there is a limit to what homework you
can set me, beyond which the absurdity is so obvious, that any
reasonable regulator or law enforcement will see that you are
making it impossible.  If you ask me to jump around on one leg
with a bucket on my head, as part of "compliance", I am also
not doing that.  You fucking clowns.

The simplest way to proceed is to just GIVE ME THE POSTAL ADDRESS
and I will send the documents by registered post.

Capiche?

  regards, Tom Jones.

Admittedly, this is not the most diplomatic correspondence I have ever engaged in.  Fortunately, Kraken are thick-skinned enough not to take offence.  Unfortunately, they are so thick-skinned that none of the points get thru.

Date: Tue, 12 Jul 2022 10:27:18 +0000
From: "REMOVED4 (Kraken Support)" <support@kraken.com>
To: Kraken User <REMOVED>
Subject: [Kraken Support] Re: Regarding your recent transaction(s)

REMOVED4, Jul 12, 2022, 03:27 PDT

Hello Tom,

We are understand your concern about privacy. Protecting client information is
of the utmost importance at Kraken, and we take exhaustive measures to ensure
that our clients’ privacy is upheld to the fullest extent possible. You may
refer to our privacy policy for more details.

We assure that the document are only for purpose of providing our funding
provider Bank Frick to comply with banking partner's request. As per REMOVED3's
explanation, this is standard compliance request from Bank Frick. Each bank has
their own policy on managing and verifying the transfer they process, it's very
customary for them to do so. Therefore, when the bank requests the source of
funds of certain transfer, we will have to contact our client for this document.

If you feel uncomfortable to send us the document directly via this email,
secure ways to upload your documents are as following:

- You should merge all document into one .pdf file and upload into your Kraken
account
- Or send your documents via our secure form here.
- Or send the document to our email payments@kraken.com.  This email is limited
access and only our managers are able to access this email.
- Lastly, send our support team encrypted messages and attachments, please see
our guide on How to contact Kraken Support team using PGP/GPG email encryption.

We appreciate your understanding and cooperate on this matter.

Please let us know if you have any other concerns.

Regards,
REMOVED4
Kraken Support

Bank Frick, huh.  There are four apparent alternatives.  The first we've already established as unacceptable.  The second is hard to interpret, as it simply says "here", but I don't know where "here" is.  Looking at this again, I see the email is a multipart/alternative (one of the Great Idiocies of Email).  My email client displays the plain-text alternative.  Who knows, maybe in the html alternative there's a link.  The alternative parts are supposed to be alternatives, so any link in the html one should be equivalently represented by including the URL as text in the plain-text part.  Just saying "here" with no URL would make them not be alternatives, if the "here" were a link in the html "alternative".  Maybe "alternate" would have been better than "alternative".  The client could switch back and forth between displaying the one and displaying the other, and you could click on the link at the right time when it's a link.

The third alternative is to send it by plain-text email.  Since they are giving other options, I guess this doesn't quite trigger my complaint to their regulator.

The fourth alternative sounds like a possibility, but again, at least in the plain-text "alternative" MIME part, there's no link, there's just a vague reference to something called "our guide on How to contact Kraken Support team using PGP/GPG email encryption", without any explanation of how to get hold of this guide.
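A way to check a saved message for the multipart/alternative mismatch described above, as an added example that is not part of the original correspondence: it lists links that exist only in the html part and so are invisible to a client showing the plain-text part. The sample message, its example.com URLs and the function name `html_only_links` are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample: the plain part says "here", only the html part has URLs.
SAMPLE = """\
Subject: [Support] Re: Regarding your recent transaction(s)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

- Or send your documents via our secure form here.
- Please see our guide on How to contact support using PGP/GPG.
--b1
Content-Type: text/html; charset="utf-8"

<p>Or send your documents via our secure form <a href="https://example.com/upload-form">here</a>.</p>
<p>Please see our guide on <a href="https://example.com/pgp-guide">How to contact support using PGP/GPG</a>.</p>
--b1--
"""

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def html_only_links(raw):
    """Return (url, anchor text) for links the plain-text part never spells out."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    plain_text = plain.get_content() if plain is not None else ""
    collector = LinkCollector()
    collector.feed(html.get_content() if html is not None else "")
    return [(h, t) for h, t in collector.links if h not in plain_text]

if __name__ == "__main__":
    for href, text in html_only_links(SAMPLE):
        print(f"{text!r} -> {href}")
```
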

Date: Thu, 21 Jul 2022 [..]
From: Tom Jones <REMOVED>
To: Kraken Support <support@kraken.com>
Subject: Re: [Kraken Support] Re: Regarding your recent transaction(s)

On Tue, Jul 12, 2022 at 10:27:18AM +0000, Mikara (Kraken Support) wrote:
> - Lastly, send our support team encrypted messages and attachments,
> please see our guide on How to contact Kraken Support team using
> PGP/GPG email encryption.

Where is this guide?  Can you provide a link?  Or just a description
of how I get your public keys?

  Tom.

They get back with: 


Date: Thu, 21 Jul 2022 09:34:40 +0000
From: "REMOVED (Kraken Support)" <support@kraken.com>
To: Kraken User <REMOVED>
Subject: [Kraken Support] Re: Regarding your recent transaction(s)

REMOVED, Jul 21, 2022, 02:34 PDT

Hello Tom,

Thank you for your reply.

To send our support team encrypted messages and attachments, please see our
guide on How to contact Kraken Support team using PGP/GPG email encryption.

You can download the support@kraken.com public PGP key in this article, and then
import it to your PGP/GPG program.

Encrypt your message using **plain-text PGP/GPG, not PGP/MIME**. Our support
systems do not support PGP/MIME.

Files must be encrypted _before_ being attached to an email.

Ensure that you encrypt using the support@kraken.com public key. This is the
only key to which our team has access.

Let us know if you have any questions. We look forward to your reply.

Regards,
REMOVED
Kraken Support

Again, this is full of hints at things being referenced, without being actual references.  These are "our guide on How to contact Kraken Support team using PGP/GPG email encryption" and "this article".

At this point, the thought occurs: how do they transmit the documents to their banking partner Frick, once we've gone to all this effort to transmit them securely from me to Kraken?  Given their obsession with sending them over plain-text email, what are the odds they are just going to turn around and leak them like that once they get hold of them?

The following reminder arrived last week:

Date: Tue, 02 Aug 2022 [..]
From: "REMOVED (Kraken Support)" <support@kraken.com>
To: Kraken User <helps.orange@qok.ch>
Subject: [Kraken Support] Re: Regarding your recent transaction(s)

Hello Tom,

This email is to follow up with above request.

We still waiting for your source of funds documents. Please let us know if you
have any concerns.

I resend the guidance of using PGP email encryption:

To send our support team encrypted messages and attachments, please see our
guide on How to contact Kraken Support team using PGP/GPG email encryption.

You can download the support@kraken.com public PGP key in this article, and then
import it to your PGP/GPG program.

Encrypt your message using **plain-text PGP/GPG, not PGP/MIME**. Our support
systems do not support PGP/MIME.

Files must be encrypted _before_ being attached to an email.

Ensure that you encrypt using the support@kraken.com public key. This is the
only key to which our team has access.


Regards,
REMOVED
Kraken Support

Again, "our guide [..]" and "this article".

Date: Sat, 6 Aug 2022 [..]
From: Tom Jones <REMOVED>
To: Kraken Support <support@kraken.com>
Subject: Re: [Kraken Support] Re: Regarding your recent transaction(s)

Can you see that you are not giving me the information I need, which
is how I get hold of your public key?

You say the key is "in this article", but what does that mean here?
You do not include a URL, there is no further information inline in
your message, there are no links, and I can't locate it with google.
What do you mean by "in this article"?

Let's try this one more time.

Where / how can I get your PGP key?

  regards, Tom Jones.

When I wrote it, I still hadn't guessed it might be a multipart/alternative issue (on their part).  Neither should I have to debug their wrong email practices to get information out of them.  But the realisation may be useful in trying to progress the matter with them further.

If they would just accept by post, or had a web site that accepted multiple documents, this would all be resolved long ago, and I would be happily liquidating more assets on their exchange, generating more fees for them.  Mega clowns.

That's brought us up to date, so I guess further "progress" on this matter goes in future articles.
