Whatever legal department you have at hand, get them involved. Financial transactions involving more than one party will inevitably lead to lawsuits, and you want the legal department to take the blame instead of taking the blame yourself. Things to consider:
- Where is the data sink? At which point does your client consider the transaction to be in your hands? You want to make sure that you give out the positive acknowledgement only after you've passed on the data to the next system for processing. This is not always possible, and then your system runs the risk of confirming transactions it has no chance to pass onwards.
- How easy is it for one client (or bad employee, in conjunction with a well-paying client) to fake data for the/another client? HTTPS (or SSL) should be the minimum here to prevent sniffing. If it's not possible to convince the customer otherwise, see that you get the appropriate disclaimers signed on paper and that you document when you advised them, preferably on paper too.
- Really think about where your system is the authority on things and where not. Consider using a directory (LDAP) instead of managing the data yourself. If you manage the data yourself, you open up your system to sync lag: if a user is disabled in the main directory, she might still have/gain access to your application, which I consider bad.
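As an added illustration of the second and third points above (not code from the original answer), here is a minimal receiver that consults the authoritative directory at request time rather than a local copy, and sends the positive acknowledgement only after the downstream system has actually accepted the transaction. `Directory`, `Downstream`, `Receiver` and the sample users are constructed stand-ins, not a real LDAP or payment API.

```python
# Added example: ack-after-handoff plus an authority check against the
# directory. All classes and sample data here are constructed stand-ins.
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Stand-in for the authoritative user directory (e.g. LDAP)."""
    disabled: set = field(default_factory=set)

    def is_enabled(self, user: str) -> bool:
        return user not in self.disabled


@dataclass
class Downstream:
    """Stand-in for the next processing system; it may be unavailable."""
    accepted: list = field(default_factory=list)
    fail: bool = False

    def submit(self, tx: dict) -> None:
        if self.fail:
            raise ConnectionError("downstream unavailable")
        self.accepted.append(tx)


class Receiver:
    def __init__(self, directory: Directory, downstream: Downstream):
        self.directory = directory
        self.downstream = downstream
        self.log: list = []  # audit trail: what was answered, and why

    def receive(self, user: str, tx: dict) -> dict:
        # Ask the directory now, at request time: a user disabled upstream
        # must not keep access through a stale locally managed copy.
        if not self.directory.is_enabled(user):
            self.log.append(("rejected", tx["id"], "user disabled"))
            return {"id": tx["id"], "status": "rejected"}
        # Hand off first. The positive ack goes out only once the next
        # system holds the data, so we never confirm what we cannot forward.
        try:
            self.downstream.submit(tx)
        except ConnectionError as exc:
            self.log.append(("deferred", tx["id"], str(exc)))
            return {"id": tx["id"], "status": "retry-later"}
        self.log.append(("acknowledged", tx["id"], "handed off"))
        return {"id": tx["id"], "status": "ack"}
```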