A majority of websites for major financial institutions in the United States failed based web security testing and privacy analysis audits.

The non-profit Online Trust Alliance (OTA)—a part of the Internet Society that promotes “business practices and technologies to enhance online trust and the vitality of ecommerce and online services”—ran anonymous audits of more than 1,000 websites, during which it found the surprising lack of security for users of banking sites.

Read: Millennials And Money: How Fintech Will Help Lower The Risks In A Cashless Society

While banking sites should be among sites that utilize the highest level of security, the Online Trust Alliance’s annual Online Trust Audit handed out failing grades to 65 percent of the top 100 financial institutions in the U.S.

Just 27 of the top 100 qualified for “Honor Roll” status—which requires scoring 80 percent or higher overall in the OTA’s analysis with no failures in any one of the three core categories, including consumer protection, site security and privacy. Last year, 55 percent of banking sites made the Honor Roll.

According to OTA’s analysis, financial sites failed because of the “increased number of data breaches, observed site security vulnerabilities and inadequate privacy disclosures” that plagued the sites over the last year. As a result, no banking site appeared in the top 50 most secure sites.

The drop off in security on financial websites comes as most sites are on the rise. Fifty-two percent of the 1,000 sites tested by OTA qualified for Honor Roll status, a five percent improvement from 2016.

Read: Is Online Banking Safe? Websites For Top Financial Institutions Are Littered With Third-Party Trackers

The analysis from OTA has not gone without challenge from financial institutions. The American Bankers Association (ABA) has questioned the results, and ABA Senior Vice President of payments and cybersecurity policy Doug Johnson told NBC that banks “absolutely take privacy and security very seriously.”

According to the ABA, the analysis from OTA overestimates the number of banks that suffered data breaches in the past year. It is worth noting that ABA itself suffered from a hack that resulted in a data breach in 2015.

Structure Security Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Photo: Newsweek Media Group

The results also weren’t all bad for banking sites. The industry led the way in EV SSL certification, which ensures that all communications taking place on a site are secure and can’t be intercepted by third parties. The sites also tested the lowest in number of XSS and iframe vulnerabilities that can be exploited by malicious actors.

Still, the industry lagged behind much of the web in overall security, which is sure to raise red flags for consumers as they trust online services more and more with sensitive information and transactions.

The analysis from OTA comes just weeks after a study conducted by online privacy company eBlocker found ten of the top financial institutions operating in the U.S. have third-party trackers on their website that can record a surprising amount of information, including personal information typed into forms or even account balances.