APRA has accepted an Enforceable Undertaking from Commonwealth Bank, having determined the bank's operational risk management framework "worked better on paper than in practice."
Releasing the final report of its prudential inquiry into CBA, the regulator said it identified a "complex interplay of organisational and cultural factors at work", demonstrating a common theme that CBA's financial success dulled its senses to signals of a deteriorating risk profile.
The findings have seen APRA accept an EU to establish a framework by which CBA will address the full set of recommendations in a timely manner.
Until then, APRA has applied a $1 billion add-on to the bank's operational risk capital requirement; this equates to 29 basis points of Common Equity Tier 1 capital and reduces CBA's standing CET1 ratio from 10.4% to 10.1%.
The regulator said the dulling was particularly apparent in CBA's management of non-financial risks, such as its operational, compliance and conduct risks, APRA said.
The report reads: "These risks were neither clearly understood nor owned, the frameworks for managing them were cumbersome and incomplete, and senior leadership was slow to recognise, and address, emerging threats to CBA's reputation. The consequences of this slowness were not grasped."
In response, CBA chief executive Matt Comyn said change starts with acknowledging mistakes and apologised to customers, staff, regulators, shareholders and the Australian community.
"We will make the necessary changes to become a better bank and we will be transparent about our progress. This includes establishing a much higher level of accountability and consequence for our actions and the impact we have on customers. This starts with me," he said.
APRA said CBA demonstrated inadequate oversight and challenge by the board and its committees of emerging non-financial risks and a lack of clarity of around accountabilities, including a lack of ownership of key risks by executives.
The bank showed weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in subsequent management and resolution. This was linked to CBA's "overly complex and bureaucratic decision-making processes that favoured collaboration over timely and effective outcomes and slowed the detection of risk failings."
An under-resourced compliance team added to the risk, as did a remuneration framework with little sting for senior managers and above when poor risk or customer outcomes materialised. APRA also highlighted that, until recently CBA offered incentives to staff despite positive customer outcomes not always resulting.
APRA said CBA showed prominent cultural issues including a widespread sense of complacency, a reactive stance in dealing with risks, insularity and failure to learn from experiences and mistakes. An overly collegial and collaborative working environment which lacked constructive criticism, timely decision-making and a focus on outcomes was also identified.
APRA chairman Wayne Byres said the findings show CBA's governance, culture and accountability frameworks and practices require considerable improvement. He also highlighted a concern that, despite CBA taking steps to address the issues, the same issues could hinder an effective response.
"CBA is a well-capitalised and financially sound institution but CBA itself had acknowledged shortcomings in governance, culture and accountability ahead of this Inquiry. The comprehensive review, and set of recommendations set out by the panel, provides CBA with a clear path towards restoring its public standing," Byres said.
CBA chair Catherine Livingstone said: "Addressing the findings of the report is a key focus for the board and management to ensure that our governance, culture and accountability frameworks and practices are significantly improved and meet the high standards expected of us."
She added that changes have been underway throughout 2017 at both the board and operational levels, including a board renewal.
"Together they represent a significant change program and the APRA report provides us with a clear roadmap for the hard work still ahead of us," she said.
"We understand the scale of change which is necessary and its seriousness in order for us to become a better, stronger bank for our customers, staff, regulators and shareholders."
CBA will report to APRA by 30 June 2018 on how these findings have been reflected in the remuneration of both current and past executives.