FCPA enforcement actions run the gamut of fact patterns and structured resolutions. We are in the midst of a transformation in the overall settlement environment with an expected increase in individual prosecutions.

On the one side, we have a tough and comprehensive DOJ and SEC settlement against VimpelCom. The conduct within VimpelCom was pervasive and occurred at every level of the company, including the board. What is missing from the VimpelCom enforcement action is the prosecution of individual officers. There is not much difference from such prosecutions in the past where DOJ failed to prosecute relevant and culpable individuals.

I only point this out so that everyone is clear that DOJ expects to prosecute individuals, in the future, in these types of cases. We can expect to read about large corporate fines and criminal prosecutions of individuals. The Yates Memo and numerous statements reflect DOJ’s renewed commitment.

On the other extreme of the FCPA enforcement landscape is the corporate and individual settlements reached by the SEC. So far this year, we have seen corporate and individual prosecutions against a company and an individual where the individual’s conduct forms the basis for the company’s liability. SAP is one example, and recently Nordion’s settlement is another example.

Nordion settled with the SEC for a penalty of $375,000, while the individual, Mikhail Gourevitch, a former employee, settled approximately $178,000. Gourevitch’s bribery scheme involved the hiring of a third party in Russia to assist Nordion in obtaining Russian approval of TheraSphere, a treatment for liver cancer. In securing such approval, and promoting the sale of the treatment, Gourevitch paid bribes to Russian officials through payments made to the agent. Gourevitch himself also profited from kickbacks earned from the transactions.

The conduct occurred over a long time period, ending ultimately in 2011. However, there is no indication that anyone in Nordion other than Gourevitch participated in the bribery scheme.

Gourevitch’s conduct, however, did not occur in a vacuum. Nordion had a minimal anti-corruption compliance program, did not subject the third party to any due diligence and of course, did not monitor any of the third-party agent’s activities.

Additionally, Nordion’s internal controls were deficient in that they paid the agent’s invoices without verification of services provided and with little regard to the amount of money being spent.

All of these facts are pretty much common fare in these types of enforcement actions – an individual engages in a bribery scheme and the company fails to implement controls to monitor for such activity.

The question essentially becomes – if the company had adequate controls, would Gourlevitch have been able to engage in the bribery scheme? It is interesting to think about such a scenario. From a broader perspective, the question is whether Gourevitch was a “rogue employee” such that it would be unfair to impose liability or in this case a non-admission settlement when there was nothing more the company could have done?

I have generally nixed the idea of a “rogue” employee because misconduct is rarely, if ever, the sole result of a single actor. Companies that have adequate controls will normally prevent and detect any wrongdoing, but we have to be realistic about such situations.

Nordion (and SAP) raise this question as the SEC continues to bring settlement actions where a company is forced to pay the price for individual misconduct. My suspicion is that the resolution of Nordion does not present all of the relevant facts about other actors – such as direct reports, supervisors, and other actors in the company who failed to act or ignored clear warning signs of Gourlevitch’s bribery scheme. When considered in this more realistic light, the SEC’s action against Nordion (and SAP) is more than justified.