I'm another voice recommending that you sit down with someone who works in security :)
For instance, right now what's to prevent someone brute-forcing login and password combinations?
Likewise, even if it is the user's fault for having lax password security, for something that involves direct money transfer, it'd be nice if you could send a warning or block an account if it's accessed from, say, Russia when it's always previously been accessed from the States.
Also, what if Heroku gets hacked, or has an undisclosed security hole, or someone bribes one of their employees? You can't protect against everything, but what can you do to minimize the risk?
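The two checks raised in the comment above (limiting password guessing, and flagging a login from a country the account has never used before), sketched as an added example that is not part of the original thread. The `LoginMonitor` class, the thresholds and the event tuples are assumptions made for illustration, and the country code is assumed to come from a GeoIP lookup done elsewhere.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold: failures allowed inside the window
WINDOW_SECONDS = 300   # assumed sliding window for counting failures


class LoginMonitor:
    """Hypothetical per-account login checks; state is in memory only."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked = set()                 # accounts awaiting manual unlock
        self.trusted = defaultdict(set)     # account -> confirmed countries

    def trust_country(self, account, country):
        # Called after the user confirms the login out of band (e.g. e-mail).
        self.trusted[account].add(country)

    def observe(self, ts, account, country, success):
        """Classify one login event: 'locked', 'fail', 'warn_new_country', 'ok'."""
        if account in self.locked:
            return "locked"  # refused even if the password was correct
        if not success:
            recent = self.failures[account]
            recent.append(ts)
            # Drop failures that have aged out of the sliding window.
            while recent and ts - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) >= MAX_FAILURES:
                self.locked.add(account)
                return "locked"
            return "fail"
        self.failures[account].clear()
        seen = self.trusted[account]
        if not seen:                 # first successful login sets the baseline
            seen.add(country)
            return "ok"
        # An unfamiliar country stays flagged until trust_country() is called.
        return "ok" if country in seen else "warn_new_country"


# Constructed sample events: (timestamp, account, country, success)
EVENTS = [(0, "alice", "US", True), (100, "alice", "US", True),
          (200, "alice", "RU", True)]
EVENTS += [(1000 + i, "bob", "US", False) for i in range(5)]
EVENTS += [(1010, "bob", "US", True)]


def run(events):
    monitor = LoginMonitor()
    return [monitor.observe(*event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run(EVENTS)):
        print(event, "->", verdict)
```

A hard per-account lock lets anyone lock a real user out by guessing badly on purpose, so a production system would more likely use a temporary delay or a second-factor challenge in its place.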
To add to mootothemax's post, non-repudiation is often important in financial systems. This is the ability, if a user comes to you and says "It wasn't me that made these transactions, so they're invalid," that you have the ability to argue whether they did or did not make those transactions. At a minimum, this probably means logging IPs like mootothemax suggests.