Are we talking about stock exchange,like glbse, or currency exchange, like mt gox and tradehill?
The more I think about it, it should really be an across the board for standard for any site that deals with bitcoins.
The finance industry is going to be bound by PCI one day and something similar should happen for bit coin sites.
A simple e-mail notification when BTC withdrawal address is changed, and lock on withdrawing funds for at least 24 hours after address change, would be nice too (BTCGuild's method)
I'd like to have to have an option of having a code sent to my mobile with a code in it to activate the withdraw. Make the mobile number unchangeable after registration. Only way to change it is when the account has zero balances. Even if the account is hacked, good luck withdrawing.
Mobile TANS are probably the most secure (barring MITM attacks) but this is something that should come into play. You could also consider the VIP solution from Verisign but that would have a significant cost.