You probably need to hire a consultant and a skilled attorney. These are not products you pull out of a box and hope you have yourselves legally covered.
From a compliance standpoint, I encourage you to read FFIEC Supplement to Authentication in an Internet Banking Environment. It addresses the risks associated with offering these products.
Institutions are expected to educate their customers about the risks of viruses and establish log-in processes that are reasonably designed to prevent unauthorized access. You may also want to consider how you will monitor activity to identify unusual behavior that is potentially fraudulent. As Randy states, any agreements should be reviewed by bank counsel.
From a BSA perspective, consider how you are going to monitor activity to determine if it is reasonable based on your customers' risk profiles. Although the product is primarily for payroll, will you permit customers to debit consumer accounts? If so, you should have a process in place to monitor returns to ensure that your originators are not originating fraudulent transactions. Also consider how you will manage OFAC risks for these transactions.