Federal banking regulators on Wednesday fined Citigroup $400 million for failing to address “significant” risk and compliance failures.

The Office of the Comptroller of the Currency (OCC) and the Federal Reserve each issued orders outlining steps the South Dakota-based bank should take to rectify “long-standing” deficiencies in generating and evaluating its customer data, as well as weaknesses and deficiencies in its risk management programs and internal controls.

“For several years, the Bank has failed to implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program commensurate with the Bank’s size, complexity, and risk profile,” the OCC wrote in its consent order. The agency also identified a number of “unsafe and unsound” practices in those areas and concluded the bank is not adequately monitoring its compliance with federal banking regulations.

The Federal Reserve also issued a related cease and desist order to Citigroup on Wednesday that addressed many of the same issues.

As part of the OCC’s order, Citigroup must seek the agency’s non-objection before making “significant new acquisitions.” The OCC could impose additional business restrictions or even require changes in senior management “should the bank not make timely, sufficient progress in complying with the order,” the agency said in a press release.

To properly address the deficiencies, the OCC ordered the bank to beef up its risk and compliance program to “ensure a robust staffing model that provides for ongoing monitoring of the Bank’s aggregate staffing for the risk management related functions in the front-line units, independent risk management functions, and internal audit function, including addressing the number, skill, and expertise gaps, and dual roles and matrix reporting as identified.”

In a statement, Citigroup said it is “disappointed that we have fallen short of our regulators’ expectations, and we are fully committed to thoroughly addressing the issues identified in the Consent Orders.”

The bank pledged to spend $1 billion over several years to transform its risk and control environment, calling the work of addressing the shortcomings identified by regulators “a strategic priority.”

“We recognize that substantial improvement is still required to meet the standards we have set for ourselves and that our regulators expect of us,” Citigroup said.

The OCC has ordered Citigroup to create a compliance committee with five members, a majority of whom should be members of the board of directors and none of whom should be employees or officers of the bank. Within 120 days, the committee will have to submit a report to the board of directors detailing how the bank is addressing reporting of data quality “that includes metrics that are accurate and meaningful”; a description of corrective actions needed to achieve compliance; the specific corrective actions undertaken; and the results and status of those corrective actions. The report will be submitted to the board, and then to the OCC examiner overseeing Citigroup’s case.

The committee will also have to produce individual reports: a consent order action plan; a data governance gap analysis report; an enterprise-wide risk management plan; a compliance risk management plan; and analyses of the bank’s capital planning and reporting and internal controls.

Citigroup has run afoul of regulators a number of times in recent years, including a $70 million fine handed down by the OCC in late 2017 for anti-money laundering deficiencies. Just last month, the Commodity Futures Trading Commission fined three Citibank affiliates $4.5 million for deleting audio files that were under subpoena.