Actually, for financial accounts, I agree with Romeo - use the full URL in the 'When URL contains' field. The shorter way I used is to avoid having to worry about multiple instances, and/or the host changing something minor, Mine would usually keepo working, while Romeo's way would require you to account for the change every time.
But, as I said, it is much more secure as far as preventing phishing scams goes.
And no, the 'Use this URL' is never assumed - if you leave it blank, then it is using a BLANK URL to calculate the password. So, if you left it blank for all of your accounts, then none of them are using the URL to calculate the password.
Not really a major security risk, but it is important that you understand that it does work this way.