I think this will require too much manual intervention to be viable. Customers not being able to withdraw their funds because they've been sent to the cold wallet makes them unhappy with the service.
You could handle withdrawals out of a float fund, without actually reconciling against the user funds until an offline process completes. This way, at most, your float is at risk, and it's your money, not the customer's.
