Proposed new guidance from ASIC on whistleblower policies


Amendments to the whistleblower protection regime under the Corporations Act 2001 (Cth) (Corporations Act) recently took effect on 1 July 2019. The purpose of these amendments is to expand the protections for certain whistleblowers in Australia’s corporate sector and encourage more disclosures of wrongdoing.

The amendments also require certain entities to have a whistleblower policy and make it available to their officers and employees. ASIC has provided draft guidance on what it expects whistleblower policies to include and has sought consultation on this proposed guidance.

This paper sets out a summary of the new whistleblower protection regime and discusses ASIC’s proposed guidance in relation to whistleblower policies.

Corporations Act amendments

The revised whistleblower protection regime in Part 9.4AAA of the Corporations Act sets out when an individual (known as the ‘discloser’) qualifies for protection under the regime.

At a high level, to qualify for protection under the regime, the discloser must:

  1. be an eligible whistleblower in relation to a regulated entity;
  2. make the disclosure to a regulator or an eligible recipient; and
  3. include in the disclosure information where there are reasonable grounds to suspect that the information concerns:
     (a) misconduct or an improper state of affairs in relation to the company or entity (or a related body corporate); or
     (b) certain illegal conduct.

Please refer to the table of definitions at the end of this article.

The implications of these broad definitions are that persons outside of the entity (like contractors, consultants, auditors or lawyers, as well as any of their relatives) are able to make disclosures and receive the protections under this revised regime.

There are also limited situations where an eligible whistleblower can receive protection under this regime where an emergency or public interest disclosure is made to a journalist or a member of Parliament (of any of the Commonwealth, a State or Territory) where there has been a prior disclosure to a regulator. Emergency disclosures can relate to a substantial and imminent danger to the health or safety of one or more persons or to the natural environment.

It should be noted that work-related grievances such as interpersonal conflicts, employment matters, or matters which have implications for the discloser personally, do not form part of this regime.

Protections for whistleblowers under the Corporations Act

As part of the revised regime, the protections that eligible whistleblowers have when making disclosures include:

  • confidentiality of the identity of the discloser;
  • immunity from civil, criminal or administrative liability (including disciplinary actions) for making the disclosure. This includes immunity from contractual and other remedies (including confidentiality) which may be exercised against the discloser;
  • inadmissibility of disclosures which qualify for protection in criminal proceedings (other than proceedings in respect of false disclosures); and
  • rights to compensation for detrimental conduct (actual or threatened) from their disclosure. Detrimental conduct is defined broadly, and examples include dismissal, injury (including psychological harm), damage to property or reputation, demotion or discrimination.

The protection of the identity of the discloser is a paramount obligation that arises under these new provisions. Entities subject to this new whistleblower regime will need to ensure that they have processes in place to protect the confidentiality of the discloser. Any person who has obtained the identity of the whistleblower or identifying information is caught by these provisions. A breach of these provisions is a criminal offence and may also incur civil penalties.

As an example, if a whistleblower makes a disclosure to a director of a company, any internal investigations that are conducted using the disclosed information must be de-identified so that the whistleblower remains anonymous. This includes where the information is given to the board or senior management. If individuals involved in investigating the disclosed matters inadvertently disclose information that may identify the whistleblower, this will be a breach of the whistleblower regime.

There are some limited exceptions where the identity of the whistleblower can be disclosed, such as disclosures to a regulator, to a lawyer for legal advice, where the discloser consents, or, for information other than the identity of the discloser, where reasonably necessary to conduct an internal investigation.

ASIC’s proposed guidance on whistleblower policies

In addition to the expanded protections set out above, the new amendments require public companies, large proprietary companies and superannuation trustees to have a whistleblower policy in place by 1 January 2020. The policy should set out the whistleblower protection regime, how disclosures can be made, and how the company will investigate disclosures and protect whistleblowers.

Small proprietary companies do not need a whistleblower policy but are still caught under the regime (discussed above) in relation to protection of whistleblowers.

In addition to the legal requirements for whistleblower policies under the Corporations Act, ASIC has set out in its draft guidance that it expects an entity to do the following in its policy:

  • explain the purpose of its whistleblower policy;
  • set out the criteria for a discloser to qualify for protection as a whistleblower under the Corporations Act;
  • explain that disclosures that do not qualify for protection under the Corporations Act are not covered by its whistleblower policy;
  • explain that disclosures that relate solely to personal work-related grievances do not fall under its whistleblower policy;
  • explain the circumstances when a disclosure about a personal work-related grievance qualifies for protection;
  • outline the steps the entity will take after it receives a disclosure and explain that each disclosure will be assessed by the entity to determine whether it falls within its whistleblower policy; and
  • ensure the confidentiality of its disclosure handling and investigation process.

The draft guidance also includes good practice guidance for entities to include in whistleblower policies such as examples of disclosures that may qualify for protection which relate specifically to the entity’s business operations, how disclosures that are not otherwise covered by the revised whistleblower protections (e.g. personal work-related grievances) may be dealt with by the entity, and how an entity can protect a discloser’s identity in investigations. Although this guidance is non-mandatory, it provides ways in which entities can give full effect to the policy of the revised whistleblower protections.

What entities need to do

All companies, banks, insurers and superannuation entities should be aware of the expanded whistleblower protections which are now in force. These entities should have internal processes in place to ensure that they are able to comply with this updated regime, particularly with the protection of any potential disclosers’ identities.

From 1 January 2020, all public companies, large proprietary companies and superannuation trustees must have a whistleblower policy in place and make it available to their officers and employees by that date. It is unlikely that existing whistleblower policies will meet these updated requirements.

ASIC’s consultation on its proposed guidance on whistleblower policies closed on 18 September 2019 and it is expected that ASIC will release its final regulatory guide in October 2019. In the meantime, entities should start preparing a whistleblower policy in anticipation of final guidance being released by ASIC.

For further information, please contact Anand Sundaraj, Bob Ker, Sean Coleman or Johnson Pang.

Table of definitions

Eligible Whistleblower
An eligible whistleblower includes any of the following:
– an employee or officer;
– an associate of the entity (within its meaning under the Corporations Act);
– an independent contractor who supplies goods or services to the entity, whether paid or unpaid (or an employee of that independent contractor);
– a superannuation entity’s trustee, custodian or investment manager (or any of their employees, officers or independent contractors); and
– relatives and dependants of any of the above

Regulated Entity
A regulated entity includes any of the following:
– all companies (proprietary or public);
– banks;
– insurers; and
– superannuation entities.

Eligible Recipient
An eligible recipient includes any of the following:
– an officer or senior manager;
– an auditor or member of the audit team; and
– a trustee (or a director of a corporate trustee) of a superannuation entity
– Australian Securities & Investments Commission (ASIC);
– Australian Prudential Regulation Authority (APRA); or
– Certain Commonwealth authorities later prescribed for these purposes

Illegal Conduct
Conduct that constitutes offences under any of the following:
– the Corporations Act;
– the ASIC Act;
– the Banking Act;
– the Financial Sector (Collection of Data) Act;
– the Insurance Act;
– the Life Insurance Act;
– the National Consumer Credit Protection Act;
– the Superannuation Industry (Supervision) Act;
– instruments made under any of the Acts above.
Conduct that:
– constitutes an offence against any other law of the Commonwealth that is punishable by imprisonment