Every financial institution has compliance obligations. KYC procedures, transaction monitoring, suspicious activity reporting, sanctions screening — these are legal requirements, and they exist for good reasons. Legitimate compliance creates real friction: it takes time to verify identities, investigate alerts, and process enhanced due diligence. This friction is the cost of a financial system that is meaningfully harder for criminals to exploit.

But there is a pattern I have observed — in banking, in payments, in crypto, and in other licensed financial services — that deserves attention. It is the use of compliance procedures not to prevent financial crime but to serve the company’s commercial interests at the expense of its customers.

How weaponised compliance works

The mechanics are subtle. The company does not refuse to serve the customer. It does not reject the transaction. Instead, it subjects the customer to a sequence of verification requests, each of which is individually plausible, but which collectively extend the period during which the company holds the customer’s funds.

A typical pattern: the customer completes a transaction and requests disbursement. The company requests a government-issued ID. The customer provides it. A day later, the company requests a utility bill confirming the customer’s address. The customer provides it. Two days later, the company requests a bank statement. The customer provides it. Three days later, the company requests that the bank statement be notarised. And so on.

Each individual request looks like compliance diligence. The cumulative effect is that the company has held the customer’s funds for two weeks while making sequential requests that could have been made simultaneously on day one.

How to distinguish genuine compliance from theatre

The distinction matters — both for customers trying to understand what is happening to their money, and for regulators evaluating whether a company is operating in good faith.

Genuine compliance has certain characteristics. Requests are made upfront, before or at the time of the transaction, not sequentially after the company has received the funds. Requirements are disclosed in advance — in terms of service, in onboarding documentation, or in published policies. Timelines are provided and met. Responses to inquiries are substantive, not formulaic. And the same process applies consistently across comparable customers and transaction types.

Weaponised compliance looks different. Verification requests arrive one at a time, each after the previous one is satisfied. Requirements are not disclosed in advance. Timelines are vague or absent. Customer service interactions produce different explanations on each contact. And there is a conspicuous asymmetry: the company’s process for accepting funds is fast and frictionless, while its process for releasing them is slow and obstructive.

The asymmetry is the tell. If a company can accept a $50,000 wire transfer in hours but needs two weeks to verify the identity of the person it is paying, the verification is not the bottleneck.

Why it persists

Companies that engage in this pattern do so because the incentives align. Every day that customer funds sit in the company’s account generates economic value — through interest, earnings credits, or simply reduced cost of capital. The compliance framework provides built-in deniability: if anyone asks why funds are delayed, the answer is always “we are completing our compliance review.”

This is difficult for regulators to address because the individual actions all look like compliance. Each KYC request is defensible in isolation. It is only the pattern — the sequential, drip-feed approach that maximises hold time — that reveals the commercial motive.

For customers, the practical advice is straightforward: document everything, insist on a comprehensive list of requirements at the outset, establish timelines in writing, and escalate through regulatory complaint channels if the delays appear systematic rather than incidental. For regulators, the pattern is detectable through examination: compare the average time to accept funds with the average time to disburse them. If there is a persistent, unexplained gap, the compliance function may be serving the company rather than the customer.
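The two checks described above, the sequential drip-feed of requests after funds arrive and the accept-versus-disburse asymmetry, expressed as a small detection script over constructed case records (an added example, not part of the original article; the thresholds, field names and sample timings are assumptions chosen for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional

DAY = 86400.0  # seconds in a day

@dataclass
class Case:
    case_id: str
    funds_received: datetime               # company took the customer's money
    acceptance_cleared: datetime           # intake checks done, funds credited
    verification_requests: List[datetime]  # when each document request went out
    disbursed: Optional[datetime]          # release time, None if still held

def accept_days(case: Case) -> float:
    return (case.acceptance_cleared - case.funds_received).total_seconds() / DAY

def hold_days(case: Case, now: datetime) -> float:
    return ((case.disbursed or now) - case.funds_received).total_seconds() / DAY

def drip_feed_score(case: Case):
    """Count requests issued only after funds arrived and the largest gap
    between consecutive ones; upfront requests (before receipt) do not count."""
    after = sorted(t for t in case.verification_requests if t > case.funds_received)
    if len(after) < 2:
        return len(after), 0.0
    gaps = [(b - a).total_seconds() / DAY for a, b in zip(after, after[1:])]
    return len(after), max(gaps)

def flag_case(case: Case, now: datetime, min_requests=3, min_gap_days=1.0, ratio=5.0) -> bool:
    """Flag when requests drip in one at a time AND release takes far longer
    than acceptance did (the asymmetry the article calls the tell)."""
    n, gap = drip_feed_score(case)
    # acceptance faster than one hour is treated as one hour to avoid a zero baseline
    asymmetric = hold_days(case, now) > ratio * max(accept_days(case), 1 / 24)
    return n >= min_requests and gap >= min_gap_days and asymmetric

def portfolio_asymmetry(cases: List[Case], now: datetime):
    """Regulator's examination metric: mean days to accept vs mean days to disburse."""
    return mean(accept_days(c) for c in cases), mean(hold_days(c, now) for c in cases)

# Constructed sample cases (not real data): one drip-feed case, one upfront case.
T0 = datetime(2024, 3, 1, 9, 0)
H, D = timedelta(hours=1), timedelta(days=1)
CASES = [
    # ID on day 1, utility bill day 2, bank statement day 4, notarised copy day 7, paid day 14
    Case("drip", T0, T0 + 2 * H, [T0 + 1 * D, T0 + 2 * D, T0 + 4 * D, T0 + 7 * D], T0 + 14 * D),
    # all requirements requested the day before funds arrived, released after two days
    Case("upfront", T0, T0 + 2 * H, [T0 - 1 * D], T0 + 2 * D),
]
```

Run `flag_case(c, now)` per case for the customer-level view and `portfolio_asymmetry(CASES, now)` for the examination-level gap between mean acceptance and mean hold times.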
