Your systems could easily be spoofed upon a database breach. I believe you should take a look at forms of verification to prove where the transaction is from and who it is to. The server should also have a method of proving it allowed the transaction within the system. Otherwise once a hacker gets inside they will have a hayday with your money. Other things to think about adding are systems such as solvency ensurer.
In my system I use private keys that are generated on the browser. The users use them when making requests so that their requests can not be faked
by another person. Their requests are also usable once unless they sign again and send a new signature.

You should really take a look at reworking your whole account structure.