Sales vs. Compliance in High-Risk Customer Reviews: How to Avoid Losing Good Deals for Bad Reasons
The tension between sales urgency and compliance diligence doesn't have to kill deals. Here's the escalation framework, SLA structure, and approval process that resolves high-risk customer decisions in days instead of weeks — and the enforcement record that shows what happens when sales wins for a decade.
The deal sat in escalation for three weeks. Sales had a contract ready. The prospect — a legitimate investment firm — had funds flowing from a weapons manufacturer as part of a portfolio transaction. Legal confirmed the underlying business was legal. Sales said compliance was being paranoid. Compliance couldn’t get a decision from anyone senior enough to make the call.
The prospect went to a competitor. Sales was furious. Compliance got blamed for killing a clean deal.
The actual problem wasn’t compliance paranoia. It was that nobody had built the process that would have resolved this in three business days instead of three weeks — with documentation that protected everyone and a named approver who knew it was their call to make.
TL;DR
- The FFIEC and a 2022 five-agency Joint Statement both say no customer type is automatically prohibited — high risk means more documentation, not automatic rejection
- TD Bank’s $3B AML resolution found a culture that prioritized revenue over compliance for a decade; Silvergate’s $63M SEC action found $1 trillion in unmonitored transactions for crypto-exchange clients
- Compliance delays kill deals when escalation SLAs aren’t defined and documentation requirements are ambiguous — both are fixable structural problems, not inherent conflicts
- Pre-screening before sales invests heavily, written escalation timelines, and senior sign-off for elevated risk converts the “sales vs. compliance” fight into a predictable process
- The goal isn’t a compliance veto over every deal — it’s documented evidence that the right questions were asked and answered before onboarding
The False Choice, and Where It Comes From
The sales-vs-compliance framing is a management failure, not an inherent conflict. It persists because organizations don’t build the structures that would make it irrelevant.
KPI misalignment. Sales is measured on revenue, pipeline velocity, and accounts opened. Compliance is measured on findings, escalations, and exam readiness. Nobody is formally measured on “the high-risk customer review completed in three business days with full documentation.” That metric doesn’t appear in anyone’s performance review — so nobody owns the process that would produce it.
Documentation requirements are undefined. When sales asks “what does compliance need?” and the answer is “it depends,” the review clock starts but nobody knows when it ends. Every request for additional documentation looks like delay rather than diligence. The review becomes indefinite, and sales weaponizes the ambiguity in every escalation.
Compliance enters too late. By the time EDD requirements surface, the deal psychology has already shifted to “how do we fix this?” rather than “should we proceed?” A relationship manager who’s spent three weeks building a relationship doesn’t want to hear that the business type requires enhanced diligence with a 10-business-day timeline. Pre-screening — a quick compliance review of the business type and transaction profile before sales invests heavily — resolves this. Most programs don’t do it.
The Actual Regulatory Position
Before building the framework, it helps to know what the regulations actually require — because the assumption that “high-risk means prohibited” is driving a significant portion of the conflict.
The FFIEC BSA/AML Examination Manual is explicit: financial institutions are “neither prohibited nor discouraged from providing banking services to any specific class or type of customer.” The regulatory expectation is Enhanced Due Diligence and ongoing monitoring — not categorical refusal.
A 2022 Interagency Joint Statement from the OCC, Federal Reserve, FDIC, FinCEN, and NCUA reinforced this directly. The agencies stated that “no customer type presents a single level of uniform risk” and that institutions “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type.” They specifically cautioned against labeling entire categories as high-risk and applying uniform excessive burden — or worse, refusing service — without individual relationship risk assessment.
The FinCEN CDD Final Rule (effective 2018) codifies the four-pillar CDD framework: customer identification and verification, beneficial ownership identification, understanding the nature and purpose of the customer relationship, and risk-based ongoing monitoring. The word “based” is doing significant work in that last pillar — monitoring intensity should scale to the actual risk profile of the specific relationship, not the industry category label.
The compliance officer who says “we can’t do this” to every elevated-risk customer is not being cautious. They are bypassing the risk-based analysis the framework requires. The correct output is “we can do this, and here are the conditions and controls” — or “we can’t manage this specific risk profile with available controls.” The analysis should reach a conclusion, not a permanent pause.
The Enforcement Record: When Sales Wins for a Decade
The FinCEN consent order against TD Bank (October 2024) is the clearest large-scale documentation of what happens when commercial interests consistently override compliance infrastructure.
FinCEN found that TD Bank’s internal culture “prioritized growth and revenue over compliance and risk management.” AML controls were chronically underfunded under an internal “flat cost paradigm” — a budget mandate preventing AML spending increases. The transaction monitoring system excluded significant transaction categories. The bank failed to file SARs on over $1.5 billion in suspicious transactions connected to narcotics trafficking, human trafficking, and shell company funnel accounts. The total resolution: $3 billion — a $1.3 billion FinCEN penalty (the largest ever assessed against a depository institution), $1.8 billion to the DOJ, and $450 million to the OCC. A prior 2013 enforcement action produced no durable remediation.
Silvergate Bank built its entire business model around serving crypto exchanges through its Silvergate Exchange Network (SEN). The SEC found that for most of 2021 and 2022, Silvergate had not applied automated AML monitoring to SEN — its core product — and failed to monitor approximately $1 trillion in transactions. When FTX collapsed in November 2022, Silvergate staff were able to identify $9 billion in suspicious transfers in under a week. The detection capability existed; the monitoring had simply not been applied to the highest-risk customer segment. The SEC, Federal Reserve, and California DFPI settled for $63 million in July 2024. Silvergate voluntarily liquidated.
The Federal Reserve’s cease-and-desist against Evolve Bank & Trust in June 2024 cited failure to maintain an effective risk management framework for its fintech partnerships. Evolve was barred from onboarding new fintech partners or launching new products without prior Federal Reserve approval — a total commercial hold imposed because the bank’s oversight of its fintech partner customer base lagged the pace of its own growth.
Western Union’s $586 million settlement with the DOJ and FTC in 2017 documents the earliest version of the same pattern. Western Union’s Corporate Security team identified agent locations facilitating human smuggling funds and recommended an agent suspension policy in 2004. Western Union did not implement it — because those agents were profitable. Over the subsequent decade, the known compliance risk was tolerated for commercial reasons until DOJ made it inescapable. The cost of the commercial decision eventually exceeded both the revenue protected and the cost of the compliance program that wasn’t built.
The pattern is consistent across all of these cases: not a single bad actor, but a sustained institutional culture where the commercial interest was permitted to prevail over compliance infrastructure. The regulatory cost — in each case — materially exceeded the revenue that was protected in the process.
The Framework That Resolves the Conflict
Pre-Screening Before Sales Invests
The highest-leverage structural change is moving compliance awareness to the earliest stage of the sales cycle — before a relationship develops and before deal economics create pressure.
A simple intake form takes a prospective customer through a 10-minute pre-screen: business type, transaction types, counterparty structure, geographic exposure, and licensing status. Compliance reviews the form, flags whether the business type triggers EDD, and specifies exactly what documentation the review will require. Sales knows the timeline before investing three weeks in the relationship.
Pre-screening doesn’t slow sales down. It converts compliance surprises — which kill timelines — into known process steps that can be planned for. A prospect who hears “this business type requires an EDD review; we need these five documents and the timeline is 7 business days from receipt of complete documentation” on day one is very different from a prospect who hears the same thing on day 22 after a term sheet is signed.
Written Escalation SLAs
Define the review timeline in writing, anchored to document completeness rather than calendar submission. The common failure is that SLA clocks run from the date of escalation regardless of whether the documentation package is complete. Every gap in the package creates a pause-and-restart cycle that looks, to sales, like indefinite delay.
A workable structure:
| Trigger | Documentation Required | Review SLA |
|---|---|---|
| Standard EDD (cash-intensive, professional services) | Source of funds, business description, beneficial owners, licensing status | 2 business days from complete submission |
| Elevated EDD (PEPs, MSBs, NGOs, offshore entities) | Above + source of wealth, third-party references, senior sign-off | 5 business days from complete submission |
| Complex structures (multi-jurisdiction, holding companies, sanctioned-adjacent) | Above + corporate structure chart, jurisdiction analysis, counterparty review | 10 business days; interim status update at day 5 |
“Complete submission” requires a definition — a documentation checklist sent to sales at pre-screening specifying exactly what compliance needs. If a document is missing, the clock pauses with written notification to sales. If the package is complete, the clock runs. The SLA is a commitment compliance makes; the documentation checklist is the condition sales has to meet to start the clock.
Approval Levels Matched to Risk
Sales and compliance agree in advance on who has authority to approve, condition, or decline each risk tier. This removes the “nobody can make the call” dynamic that turns three-business-day reviews into three-week escalations.
Standard EDD decisions: relationship manager’s supervisor plus compliance officer. These are known customer types with established documentation requirements and monitoring controls. They should not require a C-suite decision.
Elevated EDD decisions — PEPs, customers with prior SAR activity, industries where your bank partner has signaled sensitivity: senior compliance officer or designated risk committee. Named approver, documented rationale, written conditions.
Complex structures and categories requiring bank partner pre-clearance: CCO and/or formal risk committee. Bank partner alignment should be confirmed before, not after, internal approval — a customer your sponsor bank won’t support isn’t a winnable deal regardless of how your internal review resolves.
The approval is documented. The exception memo format is the right structure: customer name, business activity, fund flow, restricted-category analysis, controls, monitoring commitment, approvers, exit triggers. Not a casual email approval chain, but a written record that answers the examiner’s question: “how did you decide to onboard this customer?”
Non-Negotiable Stop Rules
Some categories require a full stop regardless of deal size or relationship history. These need to be written into the prohibited and restricted categories framework and communicated to sales as institutional constraints, not compliance opinions:
- Customers with active sanctions designations
- Customers operating in jurisdictions your bank partner prohibits
- Customers where the transaction review reveals activity inconsistent with the stated business purpose
- Customers where source-of-funds documentation cannot be obtained or verified at all
A written stop rule removes the “judgment call” that commercial pressure tends to win. If the category is documented as a hard stop, the compliance officer isn’t making a personal risk call — they’re applying a policy that sales leadership and senior management already agreed to. The conflict about whether to proceed doesn’t happen, because the answer is already documented.
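To make the framework above concrete, here is an added illustration (my own code, not the article's or RiskTemplates') that encodes the pre-screening tiers, the cumulative documentation checklists, an SLA clock that starts only at complete submission and pauses with a written notice to sales while documents are missing, the approval levels per tier, and the hard-stop rules as a small Python model. The document names, the approver role labels, the `XX` bank-partner-prohibited jurisdiction, and the Monday-to-Friday business-day calendar are assumptions; a real program would substitute its own checklist and a holiday calendar.

```python
"""Escalation framework for high-risk customer reviews, modelled as code:
pre-screen tiering, documentation checklist, SLA clock anchored to complete
submission, approval levels and hard-stop rules. Illustrative model only."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Tier(Enum):
    STANDARD = "standard"   # cash-intensive, professional services
    ELEVATED = "elevated"   # PEPs, MSBs, NGOs, offshore entities
    COMPLEX = "complex"     # multi-jurisdiction, holding companies, sanctioned-adjacent


class HardStop(ValueError):
    """Raised when a non-negotiable stop rule applies; no tier is assigned."""


# Checklists are cumulative, mirroring the SLA table (document names assumed).
STANDARD_DOCS = frozenset({"source_of_funds", "business_description",
                           "beneficial_owners", "licensing_status"})
ELEVATED_DOCS = STANDARD_DOCS | {"source_of_wealth", "third_party_references"}
COMPLEX_DOCS = ELEVATED_DOCS | {"corporate_structure_chart",
                                "jurisdiction_analysis", "counterparty_review"}

# tier -> (required documents, SLA in business days, named approvers)
TIER_RULES = {
    Tier.STANDARD: (STANDARD_DOCS, 2, ("rm_supervisor", "compliance_officer")),
    Tier.ELEVATED: (ELEVATED_DOCS, 5, ("senior_compliance_officer",)),
    Tier.COMPLEX:  (COMPLEX_DOCS, 10, ("cco", "risk_committee")),
}

# Constructed placeholder for the sponsor bank's prohibited-jurisdiction list.
PARTNER_PROHIBITED_JURISDICTIONS = frozenset({"XX"})


def stop_rule(profile: dict) -> Optional[str]:
    """Return the written stop rule that applies to this intake form, or None."""
    if profile.get("sanctions_designation"):
        return "active sanctions designation"
    if set(profile.get("jurisdictions", ())) & PARTNER_PROHIBITED_JURISDICTIONS:
        return "jurisdiction prohibited by bank partner"
    if profile.get("activity_inconsistent_with_stated_purpose"):
        return "activity inconsistent with stated business purpose"
    if profile.get("source_of_funds_unverifiable"):
        return "source of funds cannot be obtained or verified"
    return None


def prescreen(profile: dict) -> Tier:
    """Map the 10-minute intake form to a risk tier before sales invests."""
    reason = stop_rule(profile)
    if reason:
        raise HardStop(reason)
    if (len(profile.get("jurisdictions", ())) > 1 or profile.get("holding_company")
            or profile.get("sanctioned_adjacent")):
        return Tier.COMPLEX
    if any(profile.get(k) for k in ("pep", "msb", "ngo", "offshore")):
        return Tier.ELEVATED
    return Tier.STANDARD


def add_business_days(start: date, days: int) -> date:
    """Advance by Monday-to-Friday business days (assumption: no holiday calendar)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


@dataclass
class Review:
    tier: Tier
    received: dict = field(default_factory=dict)   # document -> date received
    notices: list = field(default_factory=list)    # written pause notices to sales

    def missing(self) -> set:
        return set(TIER_RULES[self.tier][0]) - set(self.received)

    def submit(self, docs: dict) -> None:
        """Record documents; while the package is incomplete the clock stays
        paused and sales receives a written notice naming exactly what is missing."""
        self.received.update(docs)
        gap = self.missing()
        if gap:
            self.notices.append(f"{max(docs.values())}: clock paused, missing {sorted(gap)}")

    def complete_on(self) -> Optional[date]:
        """The SLA clock starts on the day the last required document arrives."""
        if self.missing():
            return None
        return max(self.received[d] for d in TIER_RULES[self.tier][0])

    def decision_due(self) -> Optional[date]:
        start = self.complete_on()
        return None if start is None else add_business_days(start, TIER_RULES[self.tier][1])

    def interim_update_due(self) -> Optional[date]:
        """Complex reviews owe sales a status update at day 5."""
        start = self.complete_on()
        if start is None or self.tier is not Tier.COMPLEX:
            return None
        return add_business_days(start, 5)

    def approvers(self) -> tuple:
        return TIER_RULES[self.tier][2]


def walkthrough() -> Review:
    """Constructed case: a two-jurisdiction holding company (complex tier) whose
    first package is incomplete on Monday 2026-05-04 and completed on Wednesday."""
    review = Review(prescreen({"jurisdictions": ["US", "KY"], "holding_company": True}))
    review.submit({d: date(2026, 5, 4) for d in STANDARD_DOCS})
    review.submit({d: date(2026, 5, 6) for d in COMPLEX_DOCS - STANDARD_DOCS})
    return review


if __name__ == "__main__":
    r = walkthrough()
    print(r.notices)
    print("complete:", r.complete_on(), "due:", r.decision_due(), "approvers:", r.approvers())
```

The design point is that the clock is a property of the documentation package, not of the escalation date: `decision_due()` returns `None` until `missing()` is empty, so an incomplete submission cannot be reported as a compliance delay, and every pause leaves a dated notice that records what sales still owed.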
What Good Looks Like
A relationship manager who brings a deal with a complex counterparty — an investment firm receiving funds from a weapons manufacturer, a licensed cannabis multi-state operator, a crypto exchange with offshore account concentration — should be able to do this:
- Submit the pre-screening form with the business type and preliminary transaction description.
- Receive a documentation checklist and a clear statement of whether the business type triggers EDD within 24 hours.
- Submit complete documentation.
- Receive a decision — approved, approved with conditions, or declined — within the stated SLA.
- If approved, receive a written approval specifying the ongoing monitoring requirements and exit triggers.
The relationship manager’s job is to bring deals and provide documentation compliance needs. Compliance’s job is to analyze the risk profile, specify required controls, and reach a decision within the SLA. The acceptable use policy defines what you’ll accept. The escalation framework defines how you decide. The documentation defines what you defend when an examiner or your bank partner asks how the decision was made.
That’s not compliance blocking sales. That’s compliance making deals sustainable.
So What?
The deal that sat in escalation for three weeks could have resolved in three business days with a written SLA, a pre-screening intake, and a named senior approver. The prospect probably would have waited three days. Three weeks exceeded their patience and their alternatives.
The enforcement record — TD Bank’s $3 billion, Silvergate’s voluntary liquidation, Evolve Bank’s commercial hold — represents the opposite failure mode: years of commercial pressure overriding compliance infrastructure until the regulatory cost exceeded any rational accounting of the revenue that was protected.
Both failures are structural, not personal. Building a process that gives compliance the tools to say yes quickly — with the documentation to back it up — is the alternative to the years-long fight that ends in either lost deals or lost charters.
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.