On her last day as Federal Reserve Chairman, Janet Yellen dropped a bombshell on the embattled Wells Fargo bank.

“Responding to recent and widespread consumer abuses and other compliance breakdowns by Wells Fargo,” the Federal Reserve Board on Feb. 2 announced that it would restrict the growth of the firm until it sufficiently improves its governance and controls.

Concurrently with the Board's action, Wells Fargo will replace three current board members by April and a fourth board member by the end of the year.

In addition to the growth restriction, the Board's consent cease and desist order with Wells Fargo requires the firm to improve its governance and risk management processes, including strengthening the effectiveness of oversight by its board of directors. Until the firm makes “sufficient improvements,” it will be restricted from growing any larger than its total asset size as of the end of 2017. The Board required each current director to sign the cease and desist order.

“We cannot tolerate pervasive and persistent misconduct at any bank and the consumers harmed by Wells Fargo expect that robust and comprehensive reforms will be put in place to make certain that the abuses do not occur again,” Yellen said. "The enforcement action we are taking today will ensure that Wells Fargo will not expand until it is able to do so safely and with the protections needed to manage all of its risks and protect its customers."

“Wells Fargo pursued a business strategy that prioritized its overall growth without ensuring appropriate management of all key risks,” the statement says. “The firm did not have an effective firm-wide risk management framework in place that covered all key risks. This prevented the proper escalation of serious compliance breakdowns to the board of directors.”

In recent months, Wells Fargo has been under attack for opening 3.5 million unauthorized customer accounts and credit cards. In a separate scandal, as many as 800,000 customers were charged for car insurance that they did not need; some had their vehicles wrongfully repossessed as a result.

The Fed's action will restrict Wells Fargo's growth until its governance and risk management sufficiently improves but will not require the firm to cease current activities, including accepting customer deposits or making consumer loans.

Emphasizing the need for improved director oversight of the firm, it sent letters to each current Wells Fargo board member confirming that the firm's board of directors, during the period of compliance breakdowns, did not meet supervisory expectations. Letters were also sent to former Chairman and Chief Executive Officer John Stumpf and past lead independent director Stephen Sanger stating that their performance in those roles, in particular, did not meet the Federal Reserve's expectations.

The bank, in a Feb. 2 statement, said it will comply with the Federal Reserves demands and it “is confident it will satisfy the requirements of the consent order.”

The company will provide plans to the Federal Reserve within 60 days that detail what already has been done, and is planned, to further enhance the board’s governance oversight, and the company’s compliance and operational risk management.

“We take this order seriously and are focused on addressing all of the Federal Reserve’s concerns,” said Timothy J. Sloan, Wells Fargo’s president and chief executive officer. “It is important to note that the consent order is not related to any new matters, but to prior issues where we have already made significant progress.”

Within 60 days the company’s board will submit a plan to further enhance the board’s effectiveness in carrying out its oversight and governance of the company. It will also submit a plan to further improve the company’s firm-wide compliance and operational risk management program.

After Federal Reserve approval, the company will engage independent third parties to conduct a review to be completed no later than Sept. 30, 2018 to confirm adoption and implementation of the plans.

The asset limitation will remain in effect until third-party reviews have been completed to the satisfaction of the Federal Reserve. After removal of the limits on asset growth, a second third-party review will be conducted to assess the efficacy and sustainability of the risk management improvements.

These actions, Sloan said, have included:

Separating the roles of chairman and CEO and amending the company’s by-laws to require an independent chair.

Electing six new independent directors in 2017 as five directors retired, bringing to eight the total number of directors elected since 2015, and planned refreshment of an additional four directors in 2018, with the retirement of three of those directors occurring by the  2018 annual meeting.

Enhancing the overall capabilities and experience represented on the board, including financial services, risk management, cyber, technology, regulatory, human capital management, finance, accounting, and consumer and social responsibility.

Reviewing the board’s committee structure and leadership, amending committee charters to enhance risk oversight, and refreshing the chairs of certain key committees, including the Risk Committee and Governance and Nominating Committee.

Conducting a board self-evaluation in 2017 facilitated by Mary Jo White, a senior partner at Debevoise & Plimpton LLP and former chair of the Securities and Exchange Commission.

Centralizing critical control functions (including human resources, finance, and technology) to improve enterprise visibility, consistency and control.

Centralizing all risk management functions to accelerate the design and implementation of a fully integrated operating model for risk management.

Developing and executing plans that addressed our compliance and operational risk management programs, organizations, processes, technology and controls.

Hiring external talent for critical risk management leadership roles (chief operational risk officer, chief compliance officer and a newly created head of regulatory relations.

“While there is still more work to do, we have made significant improvements over the past year to our governance and risk management that address concerns highlighted in this consent order,” Sloan said.