New whistleblower laws: ASIC consults on whistleblower policy requirements

21 August 2019
Siobhan Mulcahy, Partner, Melbourne Steven Troeth, Partner, Melbourne

We recently published a comprehensive guide to the new obligations for employers and the expanded protections for whistleblowers, under Australia’s revised corporate whistleblowing regime.

That regime commenced operation on 1 July 2019 and creates a significant compliance burden for all companies, including the requirement for some companies to have a whistleblower policy.


Who must have a whistleblower policy?

Under the new whistleblower regime:

  • public companies;
  • large proprietary companies – those who meet at least two of the following criteria: consolidated revenue of $50M or more, consolidated assets of $25M or more, or 100 or more employees (these thresholds themselves have recently changed); and
  • corporate trustees of registrable superannuation entities,

must implement a whistleblower policy by 1 January 2020. All companies must otherwise comply with the new whistleblower obligations.

Where a company grows and then qualifies as a large proprietary company during a financial year, it must have a whistleblower policy and make it available to its officers and employees within six months after the end of that financial year.


What must be covered in a whistleblower policy?

For relevant companies, the whistleblower policy must contain information about:

  • the protections available to whistleblowers;
  • how and to whom an individual can make a disclosure;
  • how the company will support and protect whistleblowers from detriment;
  • how investigations into a disclosure will proceed;
  • how the company will ensure fair treatment of employees who are mentioned in whistleblower disclosures; and
  • how the policy will be made available to officers and employees of the company.

The policy should also include information about the protections provided in the equivalent tax whistleblower regime.

Additional matters to be included in a policy may be prescribed by regulation. This is designed to ensure that policies can be required to adapt to developments in whistleblower protections and remedies in the future.


ASIC’s proposed guidance

ASIC has recently published a consultation paper and draft regulatory guide seeking feedback on its proposed guidance to companies on the matters to be covered by a policy and what ASIC considers to be good practice in establishing, implementing and maintaining a policy. Copies of that consultation paper and draft regulatory guide can be found here. ASIC is seeking comments on that draft guidance by 18 September 2019.

ASIC considers that its guidance is consistent with research on whistleblower management, which indicates that while having a policy plays a critical role, having a policy is not enough unless it is implemented consistently and applied throughout the company in practice. As such, the guidance is intended to provide companies with a potential structure from which they can develop their own robust policy.

The draft regulatory guide contains both further detail as to how a company can meet its mandatory policy obligations and recommendations as to “good practice”. Those good practice recommendations are not strictly mandatory, but they provide a clear indication of what ASIC expects from a whistleblower policy, how ASIC will interpret the new whistleblower obligations, and the issues ASIC will consider when carrying out its enforcement role in respect of the whistleblower protections.


The good practice guidance includes that:

  • the purpose of the policy should be explained, together with a statement about the importance of disclosures to the company’s overall risk management and corporate governance framework;
  • the policy should include a list of the types of disclosures which are covered by the policy, based on the company’s business operations, practices and organisational structure and set up;
  • due to varying whistleblowing legislation across countries, multinational companies should consider whether it would be more appropriate to establish, implement and maintain a standalone whistleblowing policy for their Australian operations;
  • the policy should include examples of disclosures that would be covered by the protections and which relate specifically to the company’s own business operations and practices. Some examples include illegal conduct; fraud, money laundering or misappropriation of funds; offering or accepting a bribe; financial irregularities; failure to comply with, or breach of, a legal or regulatory requirement; and engaging in or threatening to engage in detrimental conduct against a person who has made or may make a disclosure;
  • the policy can encourage employees and external disclosers to make a disclosure to the company in the first instance;
  • companies should include a statement discouraging false reporting, but in doing so they should ensure that the tone and language does not unintentionally deter people from making disclosures;
  • the policy should explain the circumstances when a disclosure about a personal work-related grievance will qualify for protection, and how an employee can internally raise personal work-related grievances and other types of issues or concerns that are not covered by the whistleblower protections;
  • companies should outline the key roles and responsibilities under the policy, including a key contact point, the role of the Board, and the role of employees who may be eligible recipients; and
  • smaller companies, particularly those with a limited number of employees, should consider authorising an independent whistleblower service provider to receive disclosures and consider engaging third-party service providers to help investigate any disclosures made.

ASIC expects companies to take steps to ensure that their whistleblower policy is widely disseminated to, and easily accessible by, their officers and employees. ASIC has stated that a company should, for example:

  • hold staff briefing sessions and/or smaller team meetings;
  • make the policy accessible on the staff intranet or other communication platform;
  • post information on staff noticeboards;
  • set out the policy in an employee handbook or similar; and
  • incorporate the policy in employee induction information packs and training for new starters.

Presumably at least some of those steps should be undertaken prior to the implementation of the policy itself and prior to 1 January 2020.


Not-for-profit companies or charities

The requirement to have a whistleblower policy was not extended more broadly to all companies, regardless of type or size, so as to avoid creating a disproportionate regulatory burden. As part of its consultation process, ASIC is also seeking views on whether public companies that are small, not-for-profit companies or charities should be exempted from the requirement to have a policy.

Gadens can assist organisations to comply with the new whistleblower provisions, including by reviewing existing whistleblowing policies or drafting new policies, and conducting training for employees on the new protections.


Authored by Brett Feltham.

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
