This article was written by Andrew Gray, Ruth Rosedale and Caitlin Babington
With the 1 January 2020 deadline approaching for compliance with the whistleblower policy requirements of the corporate whistleblower regime (see our earlier article here), the Australian Securities & Investments Commission (ASIC) has published Regulatory Guide 270 "Whistleblower Policies" (Regulatory Guide) to assist entities to establish a policy that complies with the legislative requirements.
ASIC expectations
Section 1317AI of the Corporations Act 2001 (Cth) requires all (i) public companies; (ii) large proprietary companies; and (iii) proprietary companies that are trustees of registrable superannuation entities to have a whistleblower policy and make it available to their officers and employees. Section 1317AI(5) prescribes mandatory content requirements for the policy.
The Regulatory Guide includes requirements and recommendations for whistleblower policies that exceed the mandatory content requirements prescribed by the Corporations Act and will require attention by organisations, including those who have recently amended their policies to align to the revised laws.
The Regulatory Guide gives mandatory guidance on matters that must be addressed by an organisation establishing a whistleblower policy as well as helpful, non-mandatory good practice content examples and tips. It also addresses how ASIC will exercise specific powers under the Corporations Act, its interpretation of the law and its expectations on the steps an organisation should be taking to comply with its obligations.
Interestingly, as part of an increasing trend by regulators to focus on Board responsibility, the Regulatory Guide makes ASIC's view clear that ultimate responsibility for an entity's whistleblower policy and its implementation rests with the Board. The Regulatory Guide expresses ASIC's view that an entity's Board (either directly or through its Audit or Risk Committee) must ensure that broader trends, themes and/or risks that emerge as a consequence of an entity's disclosure regime are addressed and mitigated as part of the entity's broader risk management and corporate governance framework. In addition, the Board (or Audit or Risk Committee) should receive periodic reporting on the effectiveness of the policy.
In doing so, ASIC recognises there is no one-size-fits-all approach to whistleblower policies and their implementation, but it expects organisations to establish a whistleblower policy which is aligned to the size and complexity of the business, is supported by processes to deal with disclosures and uses a positive tone to encourage disclosure.
The Regulatory Guide also indicates that ASIC will conduct periodic surveillance activities to ensure compliance with the whistleblower protection laws (including the policy requirement) and will pursue non-compliance in line with its enforcement approach and operational priorities.
Key mandatory elements
The mandatory requirements identified by ASIC for inclusion in whistleblower policies are set out below.
| Corporations Act | ASIC regulatory guidance |
| --- | --- |
| Purpose of the policy (s.1317AI) | The policy must contain a brief explanation of its purpose. |
| Who the policy applies to (s.1317AI(5)(a)) | The policy must specify who is an eligible whistleblower and the criteria to qualify for protection. |
| Disclosable matters (s.1317AI(5)(a)) | The policy must: |
| Who can receive a disclosure (s.1317AI(5)(b)) | The policy must identify who can receive a protected disclosure, including legal practitioners, and give details for public interest and emergency disclosures. The policy must include information about who a discloser can contact to obtain additional information before making a disclosure. |
| Making a disclosure (s.1317AI(5)(b)) | The policy must: |
| Legal protections (s.1317AI(5)(a)) | The policy must: |
| Support and practical protection for disclosers (s.1317AI(5)(c)) | The policy must specify the measures in place for protecting disclosers, including in respect of protecting their identity. |
| Investigations (s.1317AI(5)(d)) | The policy must: |
| Fair treatment of individuals mentioned in a disclosure (s.1317AI(5)(e)) | The policy must include information about how the entity will ensure the fair treatment of individuals mentioned in a disclosure, including a person who is the subject of a disclosure. |
| Publication of policy | The policy must detail how it will be made available and disseminated (eg through training to employees). |
The above list is not exhaustive, and the full Regulatory Guide should be consulted to ensure all requirements have been met by your organisation (find the Regulatory Guide here).
Above and beyond wrap up
Organisations should also be alert to the fact that the Regulatory Guide includes guidance that goes above and beyond the requirements of the Corporations Act. Although most of this guidance is non-mandatory, it does reflect ASIC's expectations as to better practice in this area.
We have identified the key aspects of the Regulatory Guide which deviate from current market practice for whistleblower policies or the requirements of the Corporations Act below. These are the areas of the Regulatory Guide which we expect are most likely to require additional attention by entities required to implement a whistleblower policy.
| Corporations Act | ASIC regulatory guidance |
| --- | --- |
| Accessibility | An entity should make its policy available on its external website (RG 270.138). This is consistent with the requirements of the ASX Corporate Governance Principles (4th edition) for listed companies but goes beyond the Corporations Act, which only requires the policy to be made available to the entity's officers and employees. The Regulatory Guide states that the externally published policy may exclude information that would not be useful or relevant to external disclosers. |
| Differentiating between matters which do and do not qualify for protection | The Regulatory Guide indicates that where an entity's whistleblower policy covers a broader range of reports than those protected by the legislation, as part of its speak-up culture, the entity will be required to distinguish between reports which qualify for protection under the legislative provisions and reports that do not. |
| Anonymity | As noted above, the policy should include commentary on how anonymous whistleblowers may communicate their concerns (RG 270.84). |
| Monitoring and reporting | The Regulatory Guide provides that entities need to have mechanisms in place for monitoring the effectiveness of their whistleblower policy and ensuring compliance with legal obligations. It suggests that entities set up arrangements to ensure the Board (or the Audit or Risk Committee) is kept informed on a periodic basis and that there are mechanisms to escalate matters to the Board (or the Audit or Risk Committee) (RG 270.150 – 270.157). |
| Other standards and guidelines | ASIC expects an entity to consider "other standards and guidelines to ensure its whistleblower policy, processes and procedures incorporate current developments in preventing and responding to misconduct" (RG 270.34). |
| External reporting channels | The policy must include external disclosure options (eg the company auditor). The Regulatory Guide does not mandate the use of an external third-party whistleblower hotline but does suggest this may be a useful channel. |
| Detrimental conduct | The policy should provide examples of detrimental conduct and also examples of actions that are not detrimental conduct. Examples of non-detrimental conduct include administrative or management action, but an entity "should ensure a discloser understands the reasons for the administrative or management action" (RG 270.101). The policy should also state that a discloser may seek independent legal advice or contact a regulator if they believe they have suffered detriment. |
| Responsibility for outsourcing | The Regulatory Guide reinforces that entities remain responsible for meeting their legal obligations in respect of outsourced functions, including confidentiality obligations. Entities will need to ensure appropriate due diligence is undertaken before engaging a third-party provider and that its services are monitored (RG 270.72, non-mandatory). |
| Disclosures to parliamentarians and journalists | The Regulatory Guide provides that a policy must state that disclosures can be made to parliamentarians and journalists and must: |
| Disclosures to legal practitioners | The Regulatory Guide indicates several times that the policy should highlight that a disclosure made to a legal practitioner for the purpose of obtaining legal advice or legal representation in relation to the whistleblower provisions is protected, and the desirability of obtaining legal advice in connection with making a protected disclosure. |
| Handling a disclosure | The Regulatory Guide provides that an entity's policy must outline the key steps it will take after receiving a disclosure. It should also state that the entity will need to assess each disclosure to determine whether it qualifies for protection and whether a formal in-depth investigation is required (RG 270.115 – 270.116). The policy should highlight how information relating to the discloser's identity will be handled (RG 270.118) and acknowledge the limitations on the entity's investigation process where it is not able to contact the discloser (RG 270.119). |
| Keeping the discloser informed | The requirement for the policy to indicate timeframes for updates and details of the investigation process goes beyond what is required by the legislation. |
| Documenting and reporting | The Regulatory Guide provides that a policy must outline how the findings from an investigation will be documented and reported to the people with oversight of the policy, whilst maintaining confidentiality. In addition, a policy should indicate the information the discloser will receive at the end of the investigation (RG 270.123). |
| Training | The Regulatory Guide indicates that training on whistleblower policies should be given to all employees of an organisation and, in particular, that an entity should: The Regulatory Guide suggests as a practical tip that the training may also cover how the whistleblower policy interacts with other policies (eg bullying and harassment). For Australian entities with overseas-based related entities, the Regulatory Guide suggests that appropriate training should be provided to people in any overseas-based operations (RG 270.136), on the basis that "disclosures made to an entity's overseas based entities and their officers and employees, may qualify for protection". The practicality of providing this training to employees of overseas-based entities, particularly in a large group of companies which is not headquartered in Australia, is highly questionable. |
| Reviewing and monitoring effectiveness | The Regulatory Guide provides guidance on better practice for entities to review and monitor the effectiveness of their policy, including the type of information that could be reported to the Board or the Audit or Risk Committee. |
What you need to do now
For those organisations who:
- are yet to put their whistleblower policy in place, the Regulatory Guide will provide a useful tool to help establish a policy that not only meets the legislative requirements of the Corporations Act but incorporates ASIC's guidance on what it considers to be sound corporate governance practices;
- have already rolled out their whistleblower policy and governance framework, there is still time before 1 January 2020 to review the Regulatory Guide to ensure the policy meets the mandatory content identified by ASIC and consider the inclusion of non-mandatory content as a matter of good governance.