ASIC gives guidance on whistleblower policies


This article was written by Andrew Gray, Ruth Rosedale and Caitlin Babington

With the 1 January 2020 deadline approaching for compliance with the whistleblower policy requirements of the corporate whistleblower regime (see our earlier article here), the Australian Securities & Investments Commission (ASIC) has published Regulatory Guide 270 "Whistleblower Policies" (Regulatory Guide) to help entities establish a policy that complies with the legislative requirements.

ASIC expectations

Section 1317AI of the Corporations Act 2001 (Cth) requires all (i) public companies; (ii) large proprietary companies; and (iii) proprietary companies that are trustees of registrable superannuation entities to have a whistleblower policy and make it available to their officers and employees. Section 1317AI(5) prescribes mandatory content requirements for the policy.

The Regulatory Guide includes requirements and recommendations for whistleblower policies that exceed the mandatory content requirements prescribed by the Corporations Act and will require attention by organisations, including those who have recently amended their policies to align to the revised laws.

The Regulatory Guide gives mandatory guidance on matters that must be addressed by an organisation establishing a whistleblower policy as well as helpful, non-mandatory good practice content examples and tips. It also addresses how ASIC will exercise specific powers under the Corporations Act, its interpretation of the law and its expectations on the steps an organisation should be taking to comply with its obligations.

Interestingly, as part of an increasing trend by regulators to focus on Board responsibility, the Regulatory Guide makes ASIC's view clear that ultimate responsibility for an entity's whistleblower policy and its implementation rests with the Board. In ASIC's view, an entity's board (either directly or through its Audit or Risk Committee) must ensure that broader trends, themes and/or risks that emerge from the entity's disclosure regime are addressed and mitigated as part of the entity's wider risk management and corporate governance framework. The Board (or Audit or Risk Committee) should also receive periodic reporting on the effectiveness of the policy.

In doing so, ASIC recognises that there is no one-size-fits-all approach to whistleblower policies and their implementation, but it expects organisations to establish a whistleblower policy that is aligned to the size and complexity of the business, is supported by processes to deal with disclosures and uses a positive tone to encourage disclosure.

The Regulatory Guide also indicates that ASIC will conduct periodic surveillance activities to check compliance with the whistleblower protection laws (including the policy requirement) and will pursue non-compliance in line with its enforcement approach and operational priorities.

Key mandatory elements

The mandatory requirements identified by ASIC for inclusion in whistleblower policies are set out below, organised by the topic the policy must address. Each topic corresponds to a content requirement under the Corporations Act, with the related ASIC regulatory guidance (RG 270 paragraph references) noted against each point.

Purpose of the policy


The policy must contain a brief explanation about its purpose.

Who the policy applies to


The policy must specify who is an eligible whistleblower and the criteria to qualify for protection.

Disclosable matters


The policy must:

  • identify the types of wrongdoing which can be reported under the policy, based on the entity's specific business operations and practices (RG 270.48). These may include conduct which does not breach a particular law, for example conduct which might indicate a systemic issue the relevant regulator should know about, or business behaviour and practices that may cause consumer harm.
  • note that disclosures which are not about disclosable matters may have protection under other legislation such as the Fair Work Act 2009 (Cth) (RG 270.49). The Regulatory Guide indicates that "an entity may choose to establish a whistleblower policy that covers a broader range of concerns (eg breaches of the entity's code of conduct as part of the entity's 'speak up culture'). However, the policy must clearly explain that disclosers who submit reports about issues and concerns will not be able to access the whistleblower protections under the Corporations Act (or the Taxation Administration Act, where applicable)" (see Note 1 to RG 270.49).
  • state that disclosable matters need not involve conduct which contravenes a law (RG 270.56) and that a discloser can still qualify for protection even if their disclosure turns out to be incorrect (RG 270.57).
  • identify the disclosures about personal workplace grievances which still qualify for protection (RG 270.62).

Who can receive a disclosure


The policy must identify who can receive a protected disclosure, including legal practitioners, and give details for public interest and emergency disclosures. The policy must also include information about who a discloser can contact to obtain additional information before making a disclosure.

Making a disclosure


The policy must:

  • include a range of internal and external disclosure options, allowing for disclosures to be made anonymously and/or confidentially, securely and outside of business hours (RG 270.80).
  • state that a discloser can choose to remain anonymous while making a disclosure, over the course of the investigation and after the investigation is finalised. It should state that a discloser can refuse to answer questions that they feel could reveal their identity at any time, including during follow-up conversations. In addition, it should suggest that a discloser who wishes to remain anonymous maintain ongoing two-way communication with the entity, so the entity can ask follow-up questions or provide feedback (RG 270.84).
  • include information about how a discloser can lodge a complaint with the entity about a breach of confidentiality. It should also state that a discloser may lodge a complaint with a regulator, such as ASIC, APRA or the ATO, for investigation. (RG 270.94)
  • include examples of how the entity will in practice protect the confidentiality of a discloser's identity, such as redacting personal information. (RG 270.108)

Legal protections


The policy must:

  • provide details of the legal protections available for persons who qualify for protection as a whistleblower.
  • provide examples of detrimental conduct prohibited under the law, and examples of what is not detrimental conduct. (RG 270.98 and 270.100)
  • set out how the entity will, in practice, protect disclosures from detriment, such as the management training which will be undertaken, or by allowing duties to be performed from another location. (RG 270.109)

Support and practical protection for disclosers


The policy must specify the measures in place for protecting disclosers, including in respect of protecting their identity.

Investigating disclosures (s. 1317AI(5)(d))

The policy must:

  • include timeframes for how the entity will handle and investigate disclosures (RG 270.112).
  • state that the discloser will be provided with regular updates if the discloser can be contacted (including through anonymous channels). The policy should acknowledge that the frequency and timeframe may vary depending on the nature of the disclosure (RG 270.121).

Fair treatment of individuals mentioned in a disclosure


The policy must include information about how the entity will ensure the fair treatment of individuals mentioned in a disclosure, including a person who is the subject of a disclosure.

Publication of policy

The policy must detail how it will be made available and disseminated (eg through training to employees).

The above list is not exhaustive, and the full Regulatory Guide should be consulted to ensure all requirements have been met by your organisation (find the Regulatory Guide here).

Above and beyond wrap up

Organisations should also be alert to the fact that the Regulatory Guide includes guidance that goes above and beyond the requirements of the Corporations Act. Although most of this guidance is non-mandatory, it reflects ASIC's expectations as to better practice in this area.

Below we have identified the key aspects of the Regulatory Guide which deviate from current market practice for whistleblower policies or from the requirements of the Corporations Act. These are the areas of the Regulatory Guide which we expect are most likely to require additional attention by entities required to implement a whistleblower policy.

Making the policy available externally

An entity should make its policy available on its external website (RG 270.138). This is consistent with the requirements of the ASX Corporate Governance Principles (4th edition) for listed companies but goes beyond the Corporations Act, which only requires the policy to be made available to the entity's officers and employees. The Regulatory Guide states that the externally published policy may exclude information that would not be useful or relevant to external disclosers.

Differentiating between matters which do and do not qualify for protection

The Regulatory Guide indicates that where an entity's whistleblower policy covers a broader range of reports as part of its speak up culture, the entity will be required to distinguish between reports which qualify for protection under the legislative provisions and reports which do not.

Anonymous disclosures

As noted above, the policy should include commentary on how anonymous whistleblowers may communicate their concerns (see RG 270.84).

Monitoring and reporting

The Regulatory Guide provides that entities need to have mechanisms in place for monitoring the effectiveness of their whistleblower policy and ensuring compliance with their legal obligations. It is suggested that entities set up arrangements to ensure the Board (or the Audit or Risk Committee) is kept informed on a periodic basis, and that there are mechanisms to escalate matters to the Board (or the Audit or Risk Committee) (RG 270.150 – 270.157).

Other standards and guidelines

ASIC expects an entity to consider "other standards and guidelines to ensure its whistleblower policy, processes and procedures incorporate current developments in preventing and responding to misconduct". (RG 270.34)

External reporting channels

The policy must include external disclosure options (eg the company auditor). The Regulatory Guide does not mandate the use of an external third party whistleblower hotline but does suggest this may be a useful channel.

Detrimental conduct

The policy should provide examples of detrimental conduct but also examples of actions that are not detrimental conduct. Examples of non-detrimental conduct include administrative or management action, but an entity "should ensure a discloser understands the reasons for the administrative or management action" (RG 270.101). The policy should also state that a discloser may seek independent legal advice or contact a regulator if they believe they have suffered detriment.

Responsibility for outsourcing

The Regulatory Guide reinforces that entities remain responsible for meeting their legal obligations for outsourced functions, including confidentiality obligations. Entities will need to ensure appropriate due diligence is undertaken before engaging a third-party provider and that their services are monitored. (RG 270.72 – non mandatory).

Disclosures to parliamentarians and journalists

The Regulatory Guide provides that a policy must state that disclosures can be made to parliamentarians and journalists and must:

  • include further detail on the requirements of a public interest disclosure and an emergency disclosure (RG 270.75 and 270.76).
  • state that a discloser should contact an independent legal adviser before making a public interest disclosure or an emergency disclosure (RG 270.78).

Disclosures to legal practitioners

The Regulatory Guide indicates several times that the policy should highlight that a disclosure made to a legal practitioner for the purpose of obtaining legal advice or legal representation in relation to the whistleblower provisions is protected, and should note the desirability of obtaining legal advice in connection with making a protected disclosure.

Handling a disclosure

The Regulatory Guide provides that an entity's policy must outline the key steps it will take after receiving a disclosure. It should also state that the entity will need to assess each disclosure to determine whether it qualifies for protection and whether a formal in-depth investigation is required (RG 270.115 – 270.116). The policy should highlight how information relating to the discloser's identity will be handled (RG 270.118) and acknowledge the limitations on the entity's investigation process where it is not able to contact the discloser (RG 270.119).

Keeping the discloser informed

The requirement for the policy to indicate timeframes for updates and details of the investigation process goes beyond what is required by the legislation.

Documenting and reporting

The Regulatory Guide provides that a policy must outline how the findings from an investigation will be documented and reported to the people with oversight of the policy, whilst maintaining confidentiality. In addition, a policy should indicate the information the discloser will receive at the end of the investigation (RG 270.123).

Training

The Regulatory Guide indicates that training on whistleblower policies should be given to all employees of an organisation. In particular, an entity should:

  • conduct upfront and ongoing education and training regarding its whistleblower policy, processes and procedures (RG 270.131).
  • ensure all levels of management, particularly line managers, receive appropriate training in how to deal effectively with disclosures.
  • provide specialist training for eligible recipients on the processes and procedures for receiving and handling disclosures, including training on confidentiality and the prohibitions against detrimental conduct (RG 270.134).

The Regulatory Guide suggests as a practical tip that the training may also cover how the whistleblower policy interacts with other policies (eg bullying and harassment).

The Regulatory Guide suggests that for Australian entities with overseas-based related entities, appropriate training should be provided to people in any overseas-based operations (RG 270.136). The Regulatory Guide indicates this is needed because "disclosures made to an entity's overseas based entities and their officers and employees, may qualify for protection". The practicality of providing this training to employees of overseas-based entities, particularly in a large group of companies which is not headquartered in Australia, is highly questionable.

Reviewing and monitoring effectiveness

The Regulatory Guide provides guidance on better practice for entities to review and monitor the effectiveness of their policy including the type of information that could be reported to the board or audit or risk committee.


What you need to do now

For those organisations which:

  • are yet to put their whistleblower policy in place, the Regulatory Guide will provide a useful tool to help establish a policy that not only meets the legislative requirements of the Corporations Act but also incorporates ASIC's guidance on what it considers to be sound corporate governance practices;
  • have already rolled out their whistleblower policy and governance framework, there is still time before 1 January 2020 to review the Regulatory Guide to ensure the policy meets the mandatory content identified by ASIC, and to consider the inclusion of non-mandatory content as a matter of good governance.
