I see a fair number of questions pop up here where folks ask about what they need to do to make a web app secure, but security for a financial site is on a whole different level. With all due respect, if you never seriously worked on security then you're in way over your head. This sounds harsh, but it is quite easy to create an insecure system, and quite hard to create a secure one. Any talk of specific technologies would be premature before you have a good grasp of the issues; start reading here: https://coderanch.com/how-to/java/SecurityFaq. It has a section on web apps (and everything that it contains would be relevant), but a lot of the other things as well. Don't even think about working on the real site before you can explain what XSS and SQL injection are, and have created an unprotected example web app that was vulnerable to those, and you were successful in exploiting that vulnerability, and then patched it. And finally, don't start working on the site at all until the security architecture is in place - security is something you can't bolt on later, it needs to be baked in from the beginning. I realize all this sounds discouraging, but security is a serious and complicated subject, not just another "feature" that can be added at will, or without a good understanding of the issues.
Lastly, since you said that this is a bank-like site, you need to ascertain whether the organization needs to comply with PCI DSS (which adds a whole different level of requirements, including administrative and organizational changes).