[josu]

Coinbase can easily take care of this. They can have a small reserve and sell the bitcoin as soon as the transaction is published/sent to the mempool. No need to wait for any confirmations. If the transaction happens to be fraudulent†, they just buy the bitcoin back and realize the earning/loss (in the long run they will tend to even out).

†Not sure what the attack vectors are here.

[sf_rob]

If they're interested in taking on the counterparty risk they could do this, but when the mempool is flooded you can replace pending transactions with new transactions with a higher fee (called "Replace by Fee").

[JustAnotherPat]

but they don't seem to convert to fiat (at least from this article or the demo), so it's irrelevant.