The $1,000/Hour Hold: A Manifesto Against the Companies That Steal Your Time and Call It "Service"
By Tony Greenberg | The Technologist's Guide to Trust, Tech, Life and Society
I'm a tough customer. I admit it. Takes one to know one.
I wrote those words fifteen years ago in an article called "Why Good Service Is All About Trust." I meant every syllable then, and I mean it more violently now — because in 2026, service hasn't gotten better. It's gotten automated, outsourced, fragmented across four simultaneous channels, and wrapped in a security blanket that protects everyone except the customer.
Here's what happened to me this week. I sent a $300 Zelle payment to the wrong number. I caught it within 60 seconds. I canceled it. I re-sent it to the correct number. Total elapsed time: one minute. A typo, corrected in real time — the most basic, recognizable pattern in digital payments.
Citibank's fraud algorithm saw two $300 transactions one minute apart and treated me like a money launderer. Locked my account. Sent me an email telling me to call 1-833-782-1456 with "Letter Code 4100." The person I owed? Still unpaid. Not because I didn't try, but because my bank decided that my self-correction looked like a crime.
Now here's where it gets beautiful. In order to unlock my own money, Citi wanted me to call a phone number, navigate a menu tree designed by someone who hates humans, wait on hold for somewhere between 30 and 90 minutes, reach a representative in an overseas call center who's reading from a script they didn't write, and then — the pièce de résistance — verify my identity by answering security questions from a banking relationship that started forty years ago. What was your first pet's name? What street did you live on in 1986? Who was your third-grade teacher?
I don't remember. Nobody remembers. And you know what? It doesn't matter. Because while I'm sitting on hold trying to recall whether my childhood dog was "Biscuit" or "Buddy," my phone is already biometrically authenticated by the same bank through their own app. They verified me with my face thirty seconds ago. But apparently my face isn't good enough for the fraud department. They need to hear my voice say "Biscuit" into a phone while elevator music plays.
This is not security. This is theater.
I Am Not Alone. Neither Are You.
In January 2025, NBC News reported that hundreds of Citibank customers simultaneously received fraud alerts and experienced extended hold times, with many locked out of their own accounts entirely. Citi's spokesperson called it "technical issues." Customers called it something else.
On Trustpilot, Citibank carries overwhelmingly negative reviews. The pattern is identical to mine: legitimate transaction flagged, account locked, told to call, held for 30 to 60 minutes, asked to verify decades-old information, and frequently still unresolved after multiple calls. One customer described being asked to share their bank PIN aloud while a Citi representative in an overseas call center listened in. When they declined for obvious security reasons and asked for a text verification instead, they were told: no other options. Another customer found that Citi's system "couldn't send a text" to their phone — but the website texted them a verification code fifteen minutes later.
In 2024, the New York Attorney General sued Citibank, alleging the bank failed to deploy adequate security, responded ineffectively to fraud alerts, and misled consumers — costing New Yorkers millions. The CFPB has taken multiple enforcement actions against Citi, ordering nearly $50 million in consumer relief.
American Express? Same circus, different tent. Over 5,000 complaints on Trustpilot. Platinum Card members — people paying $695 a year for "premium service" — reporting that after calling ten separate times, they're told nothing can be done. Customers spending "several afternoons" just trying to activate replacement cards before giving up entirely and canceling. The DOJ hit Amex with a $108.7 million civil penalty in January 2025 for deceptive practices. And their fraud resolution process? You guessed it: call us.
I've been an Amex member since 1984. Over the past six months, every time they've needed to reach me, they've blasted alerts across four channels simultaneously — text, email, call, push notification — each pointing in a different direction. The result isn't security. It's chaos. I don't know which alert is current, which I've already addressed, or which channel to respond through. I end up spending more time sorting through their overlapping communications than resolving the actual issue.
The Big Lie: "For Your Security"
Here's what these banks tell you: We require a phone call for your security.
Here's the truth: there is no regulation that requires a phone call.
The Bank Secrecy Act, the USA PATRIOT Act, FinCEN's KYC (Know Your Customer) requirements — they all mandate identity verification. They require "reasonable" methods. Nowhere in any of these regulations does it say you must call a 1-800 number and listen to hold music for 45 minutes.
The industry itself has moved overwhelmingly to digital verification. Biometric authentication. One-time passwords via SMS. Encrypted secure messaging. Device fingerprinting. Behavioral analytics. These aren't experimental technologies — they're standard, and your bank already uses every single one of them. Every time you open your banking app with your face or fingerprint, you've completed a KYC-compliant identity verification that is more secure than any phone call.
And here's the delicious irony: Citi's own fraud alerts warn customers that scammers spoof phone numbers. They literally tell you not to trust incoming calls claiming to be from your bank. Then they require you to call them on the phone to resolve fraud alerts. They are demanding you use the one channel they've told you is compromised.
The phone call isn't for your security. It's for their workflow. Their internal systems were built around phone-based ticket resolution decades ago, and they've never bothered to update them. You sitting on hold for 45 minutes isn't a security protocol — it's a design failure they've rebranded as a feature.
The 2FA Hamster Wheel
And while we're here, let's talk about two-factor authentication — the other time tax disguised as security.
I 2FA approximately 40 times a day. That is not an exaggeration. Every app, every bank, every platform, every SaaS tool — they all expire my session after somewhere between 15 minutes and one hour and demand I re-authenticate. On the same device. Using the same fingerprint. From the same IP address. In the same building I was sitting in when I authenticated twelve minutes ago.
Why? Because the default session timeout was set by an engineer who was optimizing for liability, not for human beings. Nobody in a product meeting ever asked: "How many times per day should a customer have to prove they're themselves before we've crossed the line from security into harassment?"
The answer, by the way, is about three. Once when you wake up, once if you switch devices, and once if something actually suspicious happens. That's it. Everything beyond that is security theater — the appearance of protection without the substance, purchased at the cost of your time and sanity.
Give me a week on a trusted device. Give me a month. Let me biometrically register my devices and then trust them until I tell you not to. The technology exists. It's been solved. You're just not implementing it because re-authentication gives your security team a metric they can put on a slide: "Users authenticated 4.2 billion times this quarter." Congratulations. You've proven that your customers are who they say they are four billion times. You haven't stopped a single breach that a device fingerprint wouldn't have caught.
The Customer's Time Has Value. Start Paying For It.
Here's my proposal, and I'm dead serious: service providers should pay customers for wasted time.
If you lock my account based on a false positive, and the only way to unlock it is a 45-minute phone call to fix your mistake — you owe me for that time. Not a courtesy credit. Not a "we apologize for the inconvenience." Cash. At a reasonable rate.
My professional time bills at $1,000 an hour. I pay you interest. I pay you fees. I pay you annual charges. That's the price of your service to me. Where's the price of my service to you? Because make no mistake — when I'm sitting on hold correcting your error, I am performing labor on your behalf. Unpaid, involuntary labor.
I pay my credit card company for the privilege of holding my money. They should not then get to hold it hostage and make me work for free to get it back.
Here's what an honest billing relationship would look like: every customer gets assigned a "time value" based on their account tier. If the bank's systems create a false positive, the clock starts. Hold time, call time, re-verification time — it all accrues. And it gets credited to your account at the end of the month. Watch how fast fraud algorithms get refined when every false positive costs the bank money instead of costing the customer time.
The Creative Movement: What I'm Actually Going to Do
This isn't just an article. This is the beginning of a campaign, and I'm inviting every customer who's ever been held hostage by their own financial institution to join it.
Step one: Digital-only communication demands. I've sent formal letters to Citibank and American Express demanding that all future communication be conducted via text, email, or secure message. No phone calls. This is filed as a formal ADA accommodation request and under California's Unruh Civil Rights Act. If they don't comply within five business days, I file with the CFPB, the OCC, and the DOJ. You can do the same. The template is at the bottom of this article.
Step two: Start billing them back. Every time a financial institution wastes your time fixing their mistake, document it. Track the minutes. Calculate your hourly rate. Submit it as a formal claim. They won't pay it — at first. But when the CFPB receives ten thousand complaints with itemized time-waste invoices attached, the regulatory conversation changes.
Step three: Demand session persistence. Write to every platform that forces you to 2FA more than three times a day on the same device and tell them: this is not security, this is harassment. Demand trusted device registration with reasonable session lengths. A week minimum. A month preferred. If your device, your biometrics, and your location haven't changed, you don't need to prove you're you again.
Step four: Name, document, and publish. Every hold time. Every false positive. Every script-reading representative who couldn't help you. Every "for your security" that was actually "for our convenience." Publish it. Tag them. File it with the CFPB. Make the cost of bad service public and permanent.
The Indentured Customer
We have somehow accepted a business model where the customer pays for the product, pays for the service, pays interest on both — and then performs free labor when the provider makes a mistake. We are indentured servants to our own financial institutions.
I pay Citi. I pay Amex. I pay my phone company, my internet provider, my SaaS subscriptions, my streaming services. I pay all of them. And every single one of them, at some point, will waste my time — and then tell me it was for my own good.
That's not service. That's a protection racket in business casual.
It is 2026. We have artificial intelligence that can write legal briefs, diagnose diseases, and generate photorealistic images from text descriptions. But we cannot — or will not — build a system that lets a bank customer confirm a legitimate transaction with an authenticated text message instead of a 45-minute phone call to a human reading from a script in a call center ten thousand miles away.
The technology isn't the problem. The incentive is.
Banks have no financial incentive to make resolution easier. Every minute you spend on hold is a minute they don't have to spend engineering a better system. Your time is free to them. Until it isn't.
Let's make it not free. Let's make every wasted minute cost them something. Let's make this the last generation of customers who sit on hold to fix someone else's mistake and say "thank you" when it's over.
I'm done saying thank you. I'm sending an invoice.
Tony Greenberg is the founder of ImpactSoul and RampRate. He has spent 25 years advising Fortune 500 companies including Microsoft, Disney, Goldman Sachs, and Nike on technology strategy. He is a loud, shocking dose of reality for companies that sell him something — and he's just getting started.
Templates for digital-only communication demands, time-waste invoicing, and CFPB complaint filing are available at tonygreenberg.com.