Couple of thoughts
If you're talking two-way verification through public-private keys, you'll need some form of client for your customers to interact with; you'll also need a fairly robust key management system and a way to validate and manage when a key has been stolen.
SMS is an interesting idea for large exchanges; however, if I'm going to have to jump through hurdles for each trade I might decide to go somewhere else where it's easier.
Not sure what the point is of establishing a wallet for each user; the wallet should be buffered and firewalled off and not even accessible from the web server.
1) It's not PGP/GPG per se, it's just a 'key' that's used in conjunction with the SMS verification to decrypt the user's information in the database.
2) We're not sure about that at the moment, but I think it's probably only going to be on purchases >$100 (or something like that) - don't quote me on that though.
3) We're not going to be using a wallet; the private keys for the coins are kept encrypted in the database, and can only be decrypted with the master key and the SMS verification together.