Clean as a Whistle: ‘Compliance Gaps’ in Whistleblower Policies and Programs Should be Addressed Now, to Avoid Regulator Action in 2022

Amy Cooper-Boast and Fiona Luu

Australia’s mandatory laws for corporate whistleblowing policies mark their second anniversary this month. As ASIC flags its intention to target non-compliance in 2022, companies should be taking a close look at the extent to which their whistleblower policies and programs do – or do not – comply with legal requirements.

Whistleblower regime: applicable to a broad range of entities

A strong whistleblower regime is vital to a corporate culture of accountability and integrity. Robust whistleblowing procedures and systems are a necessary component in ensuring a safe and lawful workplace, and in protecting an entity, its employees and the broader community from corporate misconduct. They play an important role in mitigating an entity’s exposure to loss, liability and reputational damage that can arise by reason of both (a) any corporate or employee misconduct, and (b) any breaches of Australia’s strict whistleblower protection laws by the organisation or any of its employees.

The expanded whistleblower laws under Part 9.4AAA of the Corporations Act 2001 (Cth) (Corporations Act) protect disclosures (including those made anonymously) of information where there are reasonable grounds to suspect misconduct or impropriety.[1] These laws apply to all companies registered in Australia, and a broad range of other entities (including foreign corporations, ADIs, insurers and superannuation funds, among others). An ‘eligible whistleblower’ can be any of an entity’s current or former officers, employees, associates or suppliers, and any of those persons’ respective spouses, relatives or dependants. The categories of ‘eligible recipients’ are also broad, including persons specifically granted such authority, as well as any of an entity’s officers, senior managers, auditors and actuaries, ASIC, APRA, and other prescribed persons. Disclosures may also be protected if they are made to legal practitioners, members of Parliament or journalists in certain circumstances.

There are significant ramifications for an entity if a whistleblower’s disclosure qualifies for protection under Part 9.4AAA. Civil and criminal penalties apply to breaches of the protections. Notably, it is a criminal offence to disclose a whistleblower’s identity (or information likely to lead to their identification), in the absence of consent or other exemptions. Victimising a whistleblower, and threatening to cause them detriment, are also criminal offences. Where a breach of whistleblower protection laws occurs, courts are empowered to order individuals and their employers to pay compensation to the whistleblower, or take other remedial steps. Civil penalties can also be sought by ASIC – to the order of $1.11 million or three times the benefit obtained and detriment avoided (for individuals), or, if greater, 10% of annual turnover, capped at $555 million (for companies).

Whistleblower policies: mandatory for all public and large proprietary companies

Since 1 January 2020, three types of companies have been required by s 1317AI of the Corporations Act to have a whistleblowing policy that complies with that provision, and to make this available to their officers and employees:

  1. All public companies. (An exemption applies to not-for-profits structured as public companies limited by guarantee, for so long as their consolidated revenue for each financial year is less than $1 million.[2])
  2. All ‘large proprietary companies’ – meaning any company (including its controlled entities, if any) which satisfies two or more of the following criteria at the end of a financial year: (i) consolidated revenue of $50 million or more; (ii) consolidated gross assets of $25 million or more; and (iii) 100 or more employees.[3]
  3. All corporate trustees of registrable superannuation entities.

This month marks two years since the introduction of this statutory requirement. While the disruptions of COVID-19 have seen such policies, or their review, slip further down priority lists and board agendas for many companies, it is important to appreciate that failure to hold a compliant policy is an offence of strict liability.

For companies not subject to the statutory requirement to hold a whistleblower policy, but which are nevertheless subject to the whistleblower laws of Part 9.4AAA, a whistleblower policy can serve as a useful tool in managing legal and risk obligations, and is considered best practice from a governance perspective.

‘Compliance gap’ in mandatory whistleblower policies

ASIC recently signalled its focus on companies that have a statutory requirement to implement a compliant whistleblower policy, but which fall short in doing so. It has uncovered a ‘compliance gap’ between the full legal requirements set out in s 1317AI and company policies in practice. In a sample review conducted by ASIC of 102 whistleblower policies across organisations and sectors, it found the majority to be deficient. Highlighting its concerns, ASIC sent an open letter to Australian CEOs in October 2021.[4] This letter, and a subsequent speech by ASIC Commissioner Sean Hughes in November 2021, were intended as ASIC’s call to action, urging CEOs, officers and senior managers to check whether their policies are fully compliant, and asking them to carefully update those policies where they are lacking.[5]

The most prevalent issues of concern for ASIC were policies with ‘unclear, incomplete or inaccurate information’ about how potential whistleblowers can make a qualifying disclosure, and about the protections available. Common examples included:

  • Failing to list all categories of people to whom a whistleblower can make a disclosure in order to qualify for protection under Part 9.4AAA. Many policies incorrectly identified only the company’s preferred or internal reporting channels, rather than all protected channels available by law. This issue affected nearly half of the policies reviewed.
  • Referring to obsolete requirements which applied prior to the changes to whistleblowing laws in 2019. For example, some policies required whistleblowers to identify themselves (whereas whistleblowers may now choose to remain anonymous), or erroneously stated that disclosures must be made in good faith or without malice to qualify for protection under Part 9.4AAA.[6] Other policies encouraged individuals to speak with their managers in the first instance, without clarifying that these discussions may not qualify for whistleblower protection. 40% of policies failed to fully reflect the threshold for protection under the reformed whistleblowing regime in Part 9.4AAA.
  • Inaccurately describing one or more of the rights and protections for whistleblowers. For example, policies failed to identify or explain all protections (such as rights to confidentiality, compensation and other remedies), or to explain that these protections are available under the law. Around a third of policies suffered from such deficiencies.
  • Omitting oversight mechanisms for monitoring the effectiveness of the whistleblower policy. While not a factor legally required under s 1317AI, ASIC expressed its concern that such oversight arrangements were often lacking, suggesting a ‘set and forget’ attitude. Nearly a third of policies failed to state whether the company had implemented oversight mechanisms.

ASIC’s regulatory focus in 2022 – whistleblower policies, systems and processes

In 2022, ASIC will continue to monitor compliance with whistleblower policy requirements, and will conduct a further review of such policies as adopted in practice. It has emphasised that it will draw upon its full range of regulatory tools, including enforcement action, where it identifies instances of non-compliance.[7]

A further key ‘priority’ for ASIC in 2022 is the implementation and supervision of whistleblower programs.[8] ASIC intends to examine how entities incorporate systems and processes for properly handling whistleblower disclosures, check how whistleblowing is used to address misconduct or other internal issues, and assess the level of board and executive oversight of whistleblowing programs. Ahead of this targeted focus, it has urged companies to take a good look at their existing systems, processes and oversight mechanisms, and check whether they fully and adequately give effect to the Part 9.4AAA regime.[9]

Such systems and processes also serve a useful evidentiary purpose in any proceedings which are commenced against an entity seeking civil penalties, whistleblower compensation, or other remedies. They can assist in showing that an employer took reasonable steps to ensure that its employees upheld whistleblower protection laws, and reasonable steps to ensure that its employees avoided engaging in detrimental or victimising conduct towards whistleblowers.

Next steps

Now is an opportune time for companies to get their house in order. Companies subject to the mandatory requirement to hold a whistleblower policy should ensure that their policy is fully compliant. More broadly, all entities subject to the Part 9.4AAA whistleblowing regime should review whether they have a robust and complete whistleblower implementation and oversight program. The review of a company’s whistleblower program should consider how any internal and external investigations are to be conducted, and how legal professional privilege, confidentiality, privacy and data protection will be maintained.

Aside from avoiding adverse attention from the corporate regulator in the year ahead, this will assist companies in asserting strong messaging, checks and balances for responsible corporate behaviour, and put companies in good stead to deal with any fraud, illegality, misconduct or impropriety that is brought to light.

[1] Whistleblowing reforms were made to the Corporations Act and other legislation by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth), with effect from 1 July 2019.

[2] ASIC Corporations (Whistleblower Policies) Instrument 2019/1146.

[3] S 45A(3) of the Corporations Act and the Corporations Amendment (Proprietary Company Thresholds) Regulations 2019 (Cth). Where a company has met the definition of a ‘large proprietary company’ in any financial year, it must hold a compliant whistleblower policy on and from the date which is 6 months after that financial year, under s 1317AI(2).

[4] ASIC, ‘21-267MR ASIC calls on Australian CEOs to review whistleblower policies’ (Media Release, 13 October 2021); ‘Letter to CEOs on Whistleblower Policies’, 13 October 2021.

[5] Sean Hughes, ‘Whistleblower policies and the compliance gap’ (Speech at the Third Australian National Whistleblowing Symposium, ASIC, 11 November 2021) (‘S Hughes, Whistleblower Speech’).

[6] A whistleblower is now required to have ‘reasonable grounds to suspect’ misconduct or impropriety. Only matters within the whistleblower’s own knowledge are relevant to the question of whether they had ‘reasonable grounds to suspect’: Quinlan v ERM Power Ltd & Ors [2021] QSC 35 at [37] (Bowskill J).

[7] S Hughes, Whistleblower Speech.

[8] Ibid; ASIC Corporate Plan 2021-2025, Focus 2021-22.

[9] ASIC’s Regulatory Guide 270: Whistleblower policies (November 2019) provides guidance on whistleblower policies and implementation. The ASX’s Corporate Governance Principles and Recommendations (4th Edition) contain further suggestions for listed entities. ISO 37002:2021 Whistleblowing management systems – Guidelines published in 2021 by the International Organization for Standardization also provides assistance, but care should be taken where this standard diverges from requirements under Australian law.

LK Law Pty Ltd