Having worked on some other serious financial applications (www.bmwusa.com and a fully-automated trading system), I am certain that the Bank of America app is well analyzed and protected with extra security features across the service layer. Communication that crosses the service layer also crosses a security boundary. When a security boundary is crossed, you must assume that every call is a potential intrusion attempt; this is the zone where real security comes into play. Here are some actions to take and decisions to make when writing service apps, from a piece I wrote for the Microsoft Developer Network (MSDN) back in 2011: http://www.pursuitofgreatdesign.com/2011/08/why-use-decision-framework.html. When security is paramount, you should consider taking multiple countermeasures for each threat so that if one of the countermeasures is compromised or misconfigured, others are still in place to protect against the threat.
Whatever you decide, make sure that you protect the service boundary. The service protector pattern could also help. Another option: use a message processing layer that can immediately deny and log offending messages; that is, one in which each message is analyzed before it is allowed to pass through to application code. This way, every message is guaranteed to be analyzed.
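The message processing layer described above, as an added example rather than code from the post or from any real banking app: every inbound message passes through independent checks (size, parse, schema, value ranges) and is denied and logged on the first failure, so application code only ever sees messages that passed all of them. The message fields, the operation names, the account-id format and the size limit are constructed assumptions for the example.

```python
import json
import logging
import re
from typing import Callable, Optional

log = logging.getLogger("service_boundary")

MAX_MESSAGE_BYTES = 4096                   # assumed limit for this example
ALLOWED_OPS = {"balance", "transfer"}      # assumed operations exposed by the service
EXPECTED_FIELDS = {"op", "account", "amount"}
ACCOUNT_RE = re.compile(r"^[0-9]{8,12}$")  # constructed account-id format


# Each check is an independent countermeasure: it returns None when the
# message passes, or a short denial reason when the message must be stopped.
def check_schema(msg: object) -> Optional[str]:
    if not isinstance(msg, dict) or set(msg) != EXPECTED_FIELDS:
        return "unexpected fields"      # extra or missing keys are never forwarded
    return None


def check_values(msg: dict) -> Optional[str]:
    if msg["op"] not in ALLOWED_OPS:
        return "unknown op"
    if not isinstance(msg["account"], str) or not ACCOUNT_RE.match(msg["account"]):
        return "bad account id"
    amount = msg["amount"]
    if type(amount) is not int or amount < 0:   # rejects bools, floats, negatives
        return "bad amount"
    return None


def inspect(raw: bytes) -> Optional[str]:
    """Analyze one raw message; return a denial reason or None if it may pass."""
    if len(raw) > MAX_MESSAGE_BYTES:           # cheapest check first, before parsing
        return "oversized"
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "malformed"
    for check in (check_schema, check_values):
        reason = check(msg)
        if reason is not None:
            return reason
    return None


def process(raw: bytes, handler: Callable[[dict], dict], peer: str = "unknown") -> dict:
    """Gate at the service boundary: deny and log, or hand the parsed message to app code."""
    reason = inspect(raw)
    if reason is not None:
        log.warning("denied message from %s: %s", peer, reason)
        return {"status": "denied", "reason": reason}
    return handler(json.loads(raw.decode("utf-8")))
```

Because `process` is the only path into `handler`, adding a new check to `inspect` protects every operation at once, and the denial log gives the detection side a record of each rejected message.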