The new whistleblower provisions in the Corporations Act commenced on 1 July 2019¹.
In short, the amendments provide protection to "Eligible Whistleblowers" who report "Disclosable Matters" to "Eligible Recipients" within the entity concerned, or to ASIC or APRA. The provisions apply to all public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities².
While that date is still a few months away, ASIC's draft Regulatory Guide³ illustrates that there is quite a bit involved in meeting the requirement. There is also a significant advantage for relevant entities to have a compliant Whistleblower Policy in place before that time, given that the new whistleblower legislation already applies and that the courts are expressly authorised to have regard to whether an entity has a Whistleblower Policy in place, and the extent to which it has been given effect in practice, in determining compensation for breaches.
The draft Regulatory Guide includes valuable detail of what ASIC expects to see in the Whistleblower Policy. For those entities which do not yet have a compliant Policy in place, that will provide significant assistance on how it should be prepared and implemented. For those that do, it should provide additional guidance on how the document might be enhanced.
As to the core elements of the new whistleblower legislation, the draft Regulatory Guide provides a range of useful information.
The whistleblower legislation provides protection for "information the discloser has reasonable grounds to suspect concerns misconduct, or an improper state of affairs or circumstances". The Policy should explain that that would capture information relating to potentially unlawful conduct (eg. breaches of relevant legislation), but then go on to provide an outline of other protected matters that are not unlawful in themselves. ASIC provides the following examples of this second category of matters:
Following this lead, the draft Regulatory Guide recommends that the Whistleblower Policy include its own examples of disclosures that would be protected within the relevant entity's business. ASIC provides a list of matters that might be included, such as theft, violence, fraud and bribery.
As to matters that would not qualify for protection, the Whistleblower Policy should explain the extent to which "personal work-related grievances" are not covered and, as a matter of good practice, refer readers to any separate process in place for raising such grievances, for instance with the entity's Human Resources department.
ASIC does not prescribe which of an entity's internal functions should receive its whistleblower reports, though it does recommend as a matter of good practice that the whistleblower investigation officer (who would receive the reports):
ASIC's expectation is that it be "robust", which suggests a significant level of detail. It recognises, though, that the Policy should be aligned to the nature, size, scale and complexity of the entity's business. What is needed for a large and complex business, in terms of the nature of disclosures caught and the processes required to protect those disclosures across the entity's different business segments, would likely not be required for smaller and simpler businesses.
ASIC also requires the Policy to be "clear", so it should be written in a way which is easy to understand and free of jargon. Given the content required in the Policy, which will inevitably stretch to quite a few pages, some thought should also be given to how it will be most easily navigated by its readers.
Finally, ASIC makes a point that the Whistleblower Policy should be written using a "positive tone and language that encourages the disclosure of wrongdoing". It notes, for instance, that it could include a statement discouraging false reporting, but that must not be done in a way which would deter staff from making disclosures. Provided a discloser has "reasonable grounds" for their views, they will remain protected despite the matter not ultimately being proved.
Based on that view, it would be prudent for the Whistleblower Policy to be put to the entity's Board or an appropriate Board Committee for approval, along with appropriate reporting on its implementation and operation.
The link to ASIC's draft Regulatory Guide and Consultation Paper can be found at:
For more information on the new whistleblower requirements or any aspect of this article, please contact insurance advisory principal, Mathew Kaley.
1 Refer to the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, which was passed on 19 February 2019 and received Royal Assent on 12 March 2019
2 Though note that ASIC is consulting on whether public companies that are small not-for-profits or charities should be excluded.
3 ASIC Consultation Paper 321 Whistleblower Policies and draft Regulatory Guide dated 7 August 2019