When does it make sense to re-prompt a user for their password, for security reasons?
For a consumer product where a customer has an account, receives invoices from us ($10k+), and is asked to pay those invoices using a saved payment method (bank or credit card) -- we are debating whether it makes sense to re-prompt the user for their password to finalize a payment, even if they have checked the "stay logged in" box. It could be implemented as dual login cookies -- one long-term (no expiration), one short-term (30 minutes). If the short-term login session has expired, then when a key action is taken (like a payment greater than $10k), the short-term login would need to be refreshed by entering a password.
Argument for: These are potentially large amounts of money and it seems like the conservative thing to do. Examples of this in the wild: When making admin changes on Twilio, or when changing addresses on Amazon, a password re-prompt is often required.
Argument against: Adds friction. Neither PayPal nor banks require you to do this. Why should we?
What else would you consider to make the right UX decision here?
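The dual-cookie scheme sketched in the question, written out as a small server-side model so the behaviour is concrete. This is an added illustration, not code from the original post or from any of the products it mentions; the names (`Session`, `authorize`, `reauthenticate`), the 30-minute window, the $10k threshold, the set of "always sensitive" actions and the PBKDF2 parameters are all assumptions chosen for the example. The one design choice worth noticing is that the short-term window is only ever set by an actual password entry (login or re-prompt), never slid forward by ordinary activity, so someone holding just the long-term cookie cannot keep a session "fresh" by browsing.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative policy constants (assumptions, not values from the post).
FRESH_WINDOW_SECONDS = 30 * 60      # lifetime of the short-term "recently authenticated" cookie
STEP_UP_THRESHOLD = 10_000          # payments at/above this amount need a fresh password entry
# Actions that require fresh authentication regardless of any amount.
ALWAYS_SENSITIVE = {"change_payment_method", "change_address", "change_email"}


@dataclass
class Session:
    """Server-side state behind the two cookies.

    The long-term cookie maps to this record for as long as the user stays
    logged in; `fresh_until` is the expiry of the short-term cookie. Both are
    set only when a password is actually entered, never by normal activity.
    """
    user_id: str
    persistent: bool        # the "stay logged in" box was checked
    fresh_until: float      # unix time after which the short-term session is stale


def new_session(user_id: str, persistent: bool, now: float) -> Session:
    # A successful login is itself a password entry, so the session starts fresh.
    return Session(user_id=user_id, persistent=persistent,
                   fresh_until=now + FRESH_WINDOW_SECONDS)


def is_fresh(session: Session, now: float) -> bool:
    return now < session.fresh_until


def is_sensitive(action: str, amount: float = 0.0) -> bool:
    if action in ALWAYS_SENSITIVE:
        return True
    return action == "pay_invoice" and amount >= STEP_UP_THRESHOLD


def authorize(session: Session, action: str, now: float, amount: float = 0.0) -> str:
    """Return "allow" if the action may proceed, or "step_up" if the caller
    must first re-prompt for the password (which is what refreshes `fresh_until`)."""
    if is_sensitive(action, amount) and not is_fresh(session, now):
        return "step_up"
    return "allow"


# --- Password verification behind the re-prompt ----------------------------

def make_password_record(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 record. Parameters are illustrative; a real
    deployment would reuse whatever password hashing it already has."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, record: tuple[bytes, bytes]) -> bool:
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def reauthenticate(session: Session, password: str,
                   record: tuple[bytes, bytes], now: float) -> bool:
    """Handle the re-prompt: only a correct password extends the fresh window.
    A wrong password leaves the session exactly as it was."""
    if not verify_password(password, record):
        return False
    session.fresh_until = now + FRESH_WINDOW_SECONDS
    return True


if __name__ == "__main__":
    # Constructed walk-through: a persistent session that goes stale, then is refreshed.
    t0 = 1_700_000_000.0
    record = make_password_record("correct horse battery staple")
    s = new_session("customer-42", persistent=True, now=t0)
    print(authorize(s, "pay_invoice", now=t0 + 60, amount=15_000))        # allow (still fresh)
    print(authorize(s, "pay_invoice", now=t0 + 3_600, amount=15_000))     # step_up (stale)
    print(authorize(s, "pay_invoice", now=t0 + 3_600, amount=500))        # allow (below threshold)
    print(reauthenticate(s, "wrong password", record, now=t0 + 3_600))   # False
    print(reauthenticate(s, "correct horse battery staple", record, now=t0 + 3_600))  # True
    print(authorize(s, "pay_invoice", now=t0 + 3_600, amount=15_000))     # allow (refreshed)
```

In a web framework the `step_up` result would translate into redirecting to a password prompt that, on success, calls `reauthenticate` and then replays the original action; the threshold check is on the amount of the specific invoice, so routine small payments never see the prompt.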