Alice Nkosi

The Bank That Blocked Me Twice in One Week

The Problem We Were Actually Solving

We shipped a binary diff tool named diffsweep in 2021. It saved engineering teams 40 percent of their CI minutes by only running tests that touched changed files. By mid-2023 we had 1,800 paying customers, most of them small engineering managers who expensed it on the company card. The total monthly revenue hovered around $18,000, enough to cover two part-time contractors and a modest cloud bill. The catch: every single one of those customers used Stripe, Gumroad, or PayPal. And my own bank—let's call it Bank of SanctionsLand—decided in August 2023 that receiving money from Stripe in USD was now a sanctions violation. Not because of anything I did, but because the OFAC list suddenly included the word "software".

What We Tried First (And Why It Failed)

I tried Payhip first. Their onboarding flow looked like the easiest path: upload a license key file, set a price, and they'd handle VAT and payouts. Except when I entered my country code—and yes, I actually had to type it manually—the dropdown showed a grayed-out "No supported payout method". Same with Gumroad: their API returned "422 Unsupported country" on the payout endpoint. The third disaster was Stripe: their compliance bot flagged any payout to a bank in SanctionsLand as high-risk, even if the source was a US customer. I spent three weeks emailing their support, attaching KYC documents, and finally got a human reply: "Let us know when you move your bank account to a supported jurisdiction."

At that point I realized the platform problem wasn't solvable with better KYC; it was baked into the rails. US-based payment processors simply treat certain countries as if they were running Windows 95 in terms of compliance.

The Architecture Decision

We pivoted to a model we called Merchant-of-Record-by-Proxy. Instead of routing money through my personal bank, we created a shell entity in a supported country: a tiny Delaware C-Corp that we literally set up on a Tuesday using LegalZoom's $199 package. The Delaware corp opened a business checking account at Mercury in one day (they still accepted foreign beneficial owners then). We became the merchant of record for Stripe, so the money hit Mercury's US account first, then flowed to our Delaware entity, and finally—via Wise's multi-currency borderless account—to my personal bank in SanctionsLand.

On the technical side, we built a lightweight licensing microservice that issued JWT tokens. Each customer still thought they were paying for diffsweep directly, but behind the scenes the billing flow was:

  1. Customer pays Stripe → Delaware corp receives it.
  2. Stripe webhook hits our billing API, creates a license JWT with the user's email and expiry.
  3. Our SaaS backend validates the JWT on every CLI request.

The CLI itself didn't change; the only new piece was a cron job that renewed expiring tokens 48 hours before expiry. Latency stayed under 200 ms from the customer's curl to license validation.
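
An added example (not diffsweep's actual code) of steps 2 and 3 and the 48-hour renewal check, using only the Python standard library. HS256, the demo key, the claim names `email` and `exp`, and every function name are assumptions; the post does not say how the tokens are signed.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: HMAC key held only by billing API and backend
RENEW_WINDOW = 48 * 3600          # the cron job renews tokens 48 hours before expiry

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_license(email: str, expires_at: int) -> str:
    """Step 2: the license JWT the webhook handler would create."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({"email": email, "exp": expires_at}).encode())
    return f"{header}.{claims}.{b64url_encode(sign(f'{header}.{claims}'))}"

def validate_license(token: str, now: int) -> dict:
    """Step 3: run on every CLI request; raises ValueError on any failure."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; never let the token choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison over the exact bytes that were signed.
    if not hmac.compare_digest(sig, sign(f"{header_b64}.{claims_b64}")):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    return claims

def needs_renewal(claims: dict, now: int) -> bool:
    """Cron check: True once the token is within 48 hours of expiry."""
    return claims["exp"] - now <= RENEW_WINDOW
```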

What The Numbers Said After

After two weeks the Delaware entity had processed $32,000 of revenue. The Wise account cost 0.45 percent per transfer, versus Stripe's 2.9 percent + 30¢ for cross-border cards. Net savings: roughly $750 a month, which paid for itself by month two. Customers never noticed the switch—no new buttons, no new emails—because the billing email still said billing@diffsweep.com. The only friction was the Delaware setup fee and the Wise monthly account fee of $7.

What surprised me was how few people asked about the change. We surveyed 400 customers and only 12 mentioned the new company name in the signature line of their payment receipt. Eight of those were finance teams who actually liked that the merchant name was a US corporation—makes expense reports easier.

What I Would Do Differently

I would not have waited six weeks to spin up the Delaware entity. The paperwork took less time than the Stripe appeals process, yet I let the panic push me into trying every payment provider first. Second, I would insist on a fully automated KYC renewal for the Delaware corp. Mercury now requires annual director attestations, and if I miss the email—which happens because I'm traveling—the account gets locked until I upload a new government ID. That has cost us three days of revenue twice.

Finally, I would move the licensing microservice to a separate subdomain right away. Mixing billing and product logic in the same codebase created merge conflicts whenever the CLI team updated their release pipeline. By splitting the license service into its own repo with its own CI pipeline, we shaved 30 minutes off every deployment.

The real lesson: platform restrictions are not personal failures; they're system constraints you can sometimes route around by redrawing the map. But do it before you burn six months arguing with compliance bots.


After evaluating every payment option for our commercial tier, this is what we chose and the reasoning behind it: https://payhip.com/ref/dev9

