Is this plan feasible and is it secure? To me, it looks secure since Im not storing private keys.
I will ignore the fact that most users are simply incapable to safely generate themselves a HD seed phrase, I will jump directly to two possible problems:
1. Working with a seed phrase online, what could go wrong? (/s)
* local malware can detect and steal that
* phishing sites looking similar to yours could steal the seed phrase
* unsafely generated seed could get in others' hands
* users who don't know what they do will store their HD seed unsafely and lose it or others get hands on it
==> all these users will most probably blame
you if their coins get stolen
2. The users have the HD seed. They buy bitcoins with stolen cards. As soon as the bitcoins arrive to their wallet they send those coins further away to be sure (even if you'd store a copy of the seed those coins would go somewhere you cannot touch). Then the rightful owner try to chargeback.
==> if you're not careful enough, with this system you can easily end up giving bitcoins for free to some scammers.
With number 1, I think of my online banking - I need to have my phone, user id and password to get in. If you think of user id + password as the same as a seed phrase, cant something similar be used here (eg 3d secure by sending an OTP to the user's phone)?
With 2, this isnt really a problem unique to a Bitcoin exchange though - people try this all the time purchasing stuff with stolen cards. Most acquirers have really good fraud detection. Or am I not considering something here?