Following a whirlwind of regulatory developments in the United States over the past several weeks, compliance officers may have already forgotten about some of the most significant cases of 2016.

Once again, another year ended without any shortage of real-life examples showcasing corporate wrongdoing of the most egregious kind, many of which repeat the same ethics and compliance failures seen year over year—from middle managers and senior executives that neither practice nor value ethical behavior to paying bribes to win contracts to brazenly falsifying books and records in an attempt to pull the wool over the eyes of regulators.

Below is our list of the top five biggest ethics and compliance failures of the past year and the lessons they impart.

#5 Wells Fargo. As has been widely reported, banking giant Wells Fargo in September 2016 was hit with $185 million in fines by various authorities—including a record $100 million fine by the Consumer Financial Protection Bureau—after thousands of Wells Fargo employees illegally and secretively opened two million unauthorized deposit and credit card accounts, dating back to 2011.

To focus on Wells Fargo’s lack of internal controls to ascertain the validity of these accounts would be to focus on only part of the problem. Sound internal controls potentially could have reduced the scope of the problem, not the problem itself.

The root cause: unreasonable sales targets and a compensation incentive program put in place by the bank’s management that fostered a meet-sales-goals-at-all-costs culture. To “fix” the problem after it was caught, the global banking and financial services holding company fired 5,300 employees for opening these accounts, even as senior management refused to accept any accountability.

During congressional testimony when a panel of livid senators drilled former Wells Fargo CEO John Stumpf about Wells Fargo’s corporate culture, U.S. Senator Bob Menendez (D-N.J.) put it most poignantly when he said, “This isn’t the result of 5,300 bad apples. This is the work and result of sowing seeds that rotted the entire orchard.”

Similar to Enron before its demise, Wells Fargo has a fantastically impressive Code of Conduct, called its “Vision and Values” statement, which has been revised since suffering such reputational damage. Specifically, the brochure goes into great detail about the importance of accountability, ethics, corporate culture, valuing and supporting its “team members as a competitive advantage,” and more.

Other companies that don’t want to become the focus of a regulatory or congressional investigation may want to take a page from the hard-learned lessons of Wells Fargo: “Our values should anchor every product and service we provide and every channel we operate. If we can’t link what we do to one of our values, we should ask ourselves why we’re doing it. It’s that simple.”

#4 Teva. Teva Pharmaceutical Industries and its wholly owned Russian subsidiary, Teva, in December 2016 entered into resolutions with the SEC and Department of Justice and agreed to pay more than $519 million in total fines and penalties to settle parallel civil and criminal charges for paying bribes to foreign government officials in Russia, Ukraine, and Mexico.

One particularly disturbing aspect of this case is the way in which some of Teva’s compliance officers encouraged the bribery. In one example, at a meeting of the company’s compliance team that oversaw Teva Mexico, while discussing whether the compliance department would approve certain payments, the regional compliance officer expressed an opinion that the role of compliance “will be [to] not interfere with the ultimate decision made by business heads.”

Around this same time, the regional compliance officer also “emphasized that the compliance program, current local policy, and sales and marketing guidelines were not relevant for the [Latin America] region and were to be ignored,” according to the deferred prosecution agreement that Teva reached with the Department of Justice.

Since that action, Teva said it has completely transformed its governance program and processes on every level, including terminating relevant employees and problematic business relationships with third parties, overhauling the management of several subsidiaries, and ceasing operations in several countries.

Nonetheless, this case highlights several of the same key themes described in the other enforcement actions detailed below. These missteps include putting in place a paper anti-corruption compliance program and nothing more; failing to conduct due diligence and not requiring third parties to certify compliance with anti-corruption policies; creating false books and records in an attempt to conceal illegal payments; and not having in place adequate internal controls.

#3 VimpelCom. Amsterdam-based telecommunications company VimpelCom and its wholly owned Uzbek subsidiary, Unitel, in February 2016 entered into resolutions with the U.S. Department of Justice and agreed to pay more than $795 million in total fines and penalties—one of the largest Foreign Corrupt Practices Act enforcement actions of all time.

Between 2006 and 2012, VimpelCom and Unitel, through various executives and employees, paid more than $114 million in bribery payments to an Uzbek government official to enter and continue operating in the Uzbek telecommunications market. The companies structured and concealed the bribes through various payments to a shell company that certain VimpelCom and Unitel management knew was beneficially owned by the foreign official.

What makes the case one of the worst ethics and compliance failures of 2016 is the brazen way in which management attempted to conceal and disguise the bribery scheme by falsifying its books and records, classifying payments as equity transactions, consulting and repudiation agreements, and reseller transactions. In that aspect, this case represents a blatant disregard for both anti-corruption laws and an anti-corruption compliance program.

VimpelCom serves as a reminder that financial transactions should be reviewed and approved with proper diligence and supervision. In this case, for example, although certain VimpelCom senior executives and management withheld material information concerning the $114 million in bribe payments made to the shell company, the board and outside counsel, nonetheless, failed to properly identify and verify the beneficial owner of that shell company. In evaluating significant business opportunities, boards should seek to ensure that management and its advisers have considered these issues and conducted the proper due diligence.

#2 Odebrecht/Braskem. Brazil-based global construction company Odebrecht and Brazilian petrochemical company Braskem in December 2016 pleaded guilty and agreed to pay a combined total penalty of at least $3.5 billion—the largest foreign bribery case in history—to resolve charges that they paid hundreds of millions of dollars in bribes to corrupt government officials in the United States, Brazil, and Switzerland to win business.

What makes this blockbuster case one of the biggest ethics and compliance failures of 2016—beyond the size of the penalty—is the nature and seriousness of the offense, which spanned more than a decade, was directed by the highest levels of the company, occurred in multiple countries, and involved sophisticated bribery schemes through a complex network of shell companies.

The brazen nature of the wrongdoing is especially notable. As part of the scheme, Odebrecht and its co-conspirators created and funded an elaborate, secret financial structure within the company, a “Division of Structured Operations,” that operated for the sole purpose of accounting for and disbursing bribe payments to foreign government officials and political parties.

To conceal its activities, this bribery division used a separate and off-book communications system, which Odebrecht and its co-conspirators used to communicate with one another about the bribes via secure e-mails and instant messages, using codenames and passwords, according to the Department of Justice.

Braskem’s wrongdoing—a blatant lack of compliance measures and failure to implement internal controls—was no less excusable. According to the Securities and Exchange Commission’s complaint, Braskem’s Code of Conduct expressly failed to prohibit improper payments to foreign officials or political parties or reference the FCPA.

Furthermore, Braskem’s procurement and accounts payable processes lacked adequate payment approval standards. Employees could manually add commission payments to third parties without verification of the existence of a contract and also had the ability to send the request for payment without the need for approval.

The obvious compliance lesson is not to establish a “Department of Bribery,” but assuming most well-intentioned ethics and compliance officers get that point, the Odebrecht and Braskem enforcement actions also speak to the basic importance of having a Code of Conduct that addresses improper payments, as well as a bulletproof payment approval process.

Finally, given that these guilty pleas are in connection with the massive corruption probe surrounding state-owned oil company Petrobras, dubbed “Operation Car Wash,” it seems relevant to keep in mind the old adage, “What doesn’t come out in the wash comes out in the rinse.”

#1 Unaoil investigations. Few scandals have so completely permeated an industry—both in terms of geographical reach and number of companies involved—as the bribery scandal involving Monaco-based Unaoil, which allegedly served as a middle-man for oil companies in some of the most corrupt regions of the world, including the Middle East, Central Asia, and Africa.

The massive corruption investigation surrounding Unaoil unfolded in April 2016, when Fairfax Media and The Huffington Post published a special report exposing an extensive global web of bribery and corruption, in which high-ranking bureaucrats and politicians awarded billions of dollars in government contracts in exchange for bribes paid on behalf of some of the world’s largest companies.

Companies that engaged Unaoil’s services include Eni, FMC Technologies, Halliburton, Honeywell, KBR, Petrofac, Rolls-Royce, Samsung, SBM Offshore, Siemens, Weatherford, and more. While some of these companies believed they were hiring a reputable lobbyist who would get contracts on their behalf, others knew or suspected bribery was occurring and turned a blind eye.

In either case, the Unaoil investigations showcase the importance of robust risk management and proper due diligence controls—measures that some of the Unaoil-linked companies did not appear to take. According to The Red Flag Group, an integrity risk and compliance firm that acted for several of the companies, “only one company—on one occasion—asked us to do due diligence on Unaoil,” Scott Lane, executive chairman of The Red Flag Group, wrote in a blog post.

Lane warned that too many companies are “simply collecting information about third parties—registration documents, ownership, and certificates—and not reading them. They are not piecing the story together. Rather, they are just seeing this as a process and are collecting the data required with the aim of moving through the process as quickly as possible.”

Final thoughts. Similar to Compliance Week’s top five ethics and compliance failures of 2015, many of the most significant cases of 2016 share the same broad elements: a toxic culture that poisons the company to its core; senior executives and managers who don’t value ethics or integrity; and an overall attitude that bribery and corruption is merely a cost of doing business.

A global company with thousands of employees is not ever going to have a perfect workforce, free of unethical behavior. People aren’t perfect. Rather, the ways in which senior management accepts accountability, handles unethical behavior, and, furthermore, the extent to which it justifies such behavior, may foreshadow whether a company will make next year’s list of the top ethics and compliance failures of 2017.