Australia’s mandatory laws for corporate whistleblowing policies mark their second anniversary this month. As ASIC flags its intention to target non-compliance in 2022, companies should be taking a close look at the extent to which their whistleblower policies and programs do – or do not – comply with legal requirements.
Whistleblower regime: applicable to a broad range of entities
A strong whistleblower regime is vital to a corporate culture of accountability and integrity. Robust whistleblowing procedures and systems are a necessary component in ensuring a safe and lawful workplace, and in protecting an entity, its employees and the broader community from corporate misconduct. They play an important role in mitigating an entity’s exposure to loss, liability and reputational damage arising from both (a) any corporate or employee misconduct, and (b) any breaches of Australia’s strict whistleblower protection laws by the organisation or any of its employees.
The expanded whistleblower laws under Part 9.4AAA of the Corporations Act 2001 (Cth) (Corporations Act) protect disclosures (including those made anonymously) of information where there are reasonable grounds to suspect misconduct or impropriety. These laws apply to all companies registered in Australia, and a broad range of other entities (including foreign corporations, ADIs, insurers and superannuation funds, among others). An ‘eligible whistleblower’ can be any of an entity’s current or former officers, employees, associates or suppliers, and any of those persons’ respective spouses, relatives or dependants. The categories of ‘eligible recipients’ are also broad, including persons specifically granted such authority, as well as any of an entity’s officers, senior managers, auditors and actuaries, ASIC, APRA, and other prescribed persons. Disclosures may also be protected if they are made to legal practitioners, members of Parliament or journalists in certain circumstances.
There are significant ramifications for an entity if a whistleblower’s disclosure qualifies for protection under Part 9.4AAA. Civil and criminal penalties apply to breaches of the protections. Notably, it is a criminal offence to disclose a whistleblower’s identity (or information likely to lead to their identification) in the absence of consent or another exemption. Victimising a whistleblower, and threatening to cause them detriment, are also criminal offences. Where a breach of whistleblower protection laws occurs, courts are empowered to order individuals and their employers to pay compensation to the whistleblower, or to take other remedial steps. Civil penalties can also be sought by ASIC: for individuals, the greater of $1.11 million or three times the benefit obtained and detriment avoided; for companies, the greater of three times the benefit obtained and detriment avoided or 10% of annual turnover, capped at $555 million.
Whistleblower policies: mandatory for all public and large proprietary companies
Since 1 January 2020, three types of companies have been required by s 1317AI of the Corporations Act to have a whistleblowing policy that complies with that provision, and to make this available to their officers and employees:
This month marks two years since the introduction of this statutory requirement. While the disruptions of COVID-19 have seen such policies, or their review, slip further down priority lists and board agendas for many companies, it is important to appreciate that failure to hold a compliant policy is an offence of strict liability.
For companies not subject to the statutory requirement to hold a whistleblower policy, but which are nevertheless subject to the whistleblower laws of Part 9.4AAA, a whistleblower policy can serve as a useful tool in managing legal and risk obligations, and is considered best practice from a governance perspective.
‘Compliance gap’ in mandatory whistleblower policies
ASIC recently signalled its focus on companies that have a statutory requirement to implement a compliant whistleblower policy but fall short in doing so. It has uncovered a ‘compliance gap’ between the full legal requirements set out in s 1317AI and company policies in practice. In a sample review of 102 whistleblower policies across organisations and sectors, ASIC found the majority to be deficient. Highlighting its concerns, ASIC sent an open letter to Australian CEOs in October 2021. This letter, and a subsequent speech by ASIC Commissioner Sean Hughes in November 2021, were intended as ASIC’s call to action, urging CEOs, officers and senior managers to check whether their policies are fully compliant, and to carefully update those policies where they are lacking.
The most prevalent issues of concern for ASIC were policies with ‘unclear, incomplete or inaccurate information’ about how potential whistleblowers can make a qualifying disclosure, and about the protections available. Common examples included:
ASIC’s regulatory focus in 2022 – whistleblower policies, systems and processes
In 2022, ASIC will continue to monitor compliance with whistleblower policy requirements, and will conduct a further review of such policies as adopted in practice. It has emphasised that it will draw upon its full range of regulatory tools, including enforcement action, where it identifies instances of non-compliance.
A further key ‘priority’ for ASIC in 2022 is the implementation and supervision of whistleblower programs. ASIC intends to examine how entities incorporate systems and processes for properly handling whistleblower disclosures, check how whistleblowing is used to address misconduct or other internal issues, and assess the level of board and executive oversight of whistleblowing programs. Ahead of this targeted focus, it has urged companies to take a good look at their existing systems, processes and oversight mechanisms, and check whether they fully and adequately give effect to the Part 9.4AAA regime.
Such systems and processes also serve a useful evidentiary purpose in any proceedings commenced against an entity seeking civil penalties, whistleblower compensation or other remedies. They can assist in showing that an employer took reasonable steps to ensure that its employees upheld whistleblower protection laws and did not engage in detrimental or victimising conduct towards whistleblowers.
Now is an opportune time for companies to get their house in order. Companies subject to the mandatory requirement to hold a whistleblower policy should ensure that their policy is fully compliant. More broadly, all entities subject to the Part 9.4AAA whistleblowing regime should review whether they have a robust and complete whistleblower implementation and oversight program. The review of a company’s whistleblower program should consider how any internal and external investigations are to be conducted, and how legal professional privilege, confidentiality, privacy and data protection will be maintained.
Aside from avoiding adverse attention from the corporate regulator in the year ahead, this will assist companies in asserting strong messaging, checks and balances for responsible corporate behaviour, and put companies in good stead to deal with any fraud, illegality, misconduct or impropriety that is brought to light.
Whistleblowing reforms were made to the Corporations Act and other legislation by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth), with effect from 1 July 2019.
ASIC Corporations (Whistleblower Policies) Instrument 2019/1146.
S 45A(3) of the Corporations Act and the Corporations Amendment (Proprietary Company Thresholds) Regulations 2019 (Cth). Where a company has met the definition of a ‘large proprietary company’ in any financial year, it must hold a compliant whistleblower policy on and from the date which is 6 months after that financial year, under s 1317AI(2).
ASIC, ‘21-267MR ASIC calls on Australian CEOs to review whistleblower policies’ (Media Release, 13 October 2021); ‘Letter to CEOs on Whistleblower Policies’, 13 October 2021.
Sean Hughes, ‘Whistleblower policies and the compliance gap’ (Speech at the Third Australian National Whistleblowing Symposium, ASIC, 11 November 2021) (‘S Hughes, Whistleblower Speech’).
A whistleblower is now required to have ‘reasonable grounds to suspect’ misconduct or impropriety. Only matters within the whistleblower’s own knowledge are relevant to the question of whether they had ‘reasonable grounds to suspect’: Quinlan v ERM Power Ltd & Ors  QSC 35 at  (Bowskill J).
S Hughes, Whistleblower Speech.
Ibid; ASIC Corporate Plan 2021-2025, Focus 2021-22.
ASIC’s Regulatory Guide 270: Whistleblower policies (November 2019) provides guidance on whistleblower policies and implementation. The ASX’s Corporate Governance Principles and Recommendations (4th Edition) contain further suggestions for listed entities. ISO 37002:2021 Whistleblowing management systems – Guidelines, published in 2021 by the International Organization for Standardization, also provides assistance, but care should be taken where this standard diverges from requirements under Australian law.