Yes. Additionally, if your bank is at all competent, they will enforce rate limits that prohibit online guessing attacks. If an attacker has your bank password hash to perform an offline attack, it's reasonable to assume they also owned the rest of the bank and have a copy of any session cookies, "security" answers, etc. you provided, and probably don't need the password. If a site has been compromised, the site has been compromised. Unique passwords are the best way to contain the damage.