Corporate whistleblower programs increased focus for ASIC and boards

Current site :    AU   |   EN
China Hong Kong SAR
United Kingdom
United States

Written by Andrew Gray and Ed Slattery 

ASIC has signalled a renewed focus on compliance with corporate whistleblower laws following the completion of its review of corporate whistleblower policies by issuing an open letter to CEOs of Australian public and large proprietary companies recommending companies review their whistleblower policies and processes against the current legislative and regulatory guidance.

The letter from ASIC identifies several areas where polices examined by ASIC have been found to be lacking and provides guidance to address these weaknesses.

This article provide an overview of the whistleblower laws and looks at the guidance released by ASIC which should be considered to ensure your whistleblower policy is aligned to legal requirements and ASICs expectations.

The Whistleblower Laws

The Whistleblower Laws were first introduced in the Senate in December 2017 and, following a period of Senate Committee reporting and consultation, were introduced into the Corporations Act and Taxation Administration Act through the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2018 (Whistleblower Laws).

The explanatory materials for the new laws speak to the purpose of the legislation which “addresses gaps and uncertainties in the protections and remedies available to corporate and financial sector whistleblowers”.  It was always designed to be an expansive amendment, lowering the threshold for whistleblowers to be protected under the scheme.

The Whistleblower Laws sought to achieve this purpose by (among other things):

  • removing the requirement that disclosures be made in ‘good faith’;
  • expanding the classes of eligible whistleblowers to include those external to an organisation;
  • broadening the subject matter about which a protected disclosure can be made;
  • tightening confidentiality obligations for those receiving or handling whistleblowers complaints; and
  • imposing hefty civil and criminal penalties on individuals and organisations for non-compliance.

The Whistleblower Laws also introduced a requirement that public companies and large proprietary companies have a policy which “sets out…information about” certain matters relating to the entity’s handling of whistleblower complaints (Policy Content).  While the Policy Content was and is mandatory, the requirements are pitched at a level of generality and appear to permit some organisational autonomy.  Public companies and large proprietary companies were required to have a policy containing the Policy Content by 1 January 2020.

RG 270: concurrent ASIC expansion

After public consultation from July 2019, ASIC released RG 270 on 13 November 2019 as “guidance to help…entities establish a whistleblower policy that complies with the obligations under the Corporations Act”.  It is a comprehensive guide which sets out ASIC’s interpretation of the Policy Content obligations and contains a mix of mandatory guidance and good practice tips.

As is apparent, the final guidance was released less than 2 months before the whistleblower policy requirements came into effect.  It was preceded by a consultation draft in July 2019.

The final guidance adopts a prescriptive formulation of ASIC’s expectations which has a quasi-legislative character.  The guidance is far more comprehensive than the Policy Content obligations contained in the Corporations Act and has the effect of expanding those obligations beyond the letter of the law.  RG 270 has taken out some of the guesswork for businesses looking to prepare a policy and should be strictly adhered to in any policy review.

For all its prescriptive language, it is noteworthy that RG 270 outlines ASIC’s expectations for a policy that:

  • is aligned to the nature, size, scale and complexity of the entity’s business;
  • is supported by processes and procedures for effectively dealing with disclosures received under the policy; and
  • uses a positive tone and language that encourages the disclosure of wrongdoing.

This contemplates a policy that is complemented by a supportive culture for whistleblowers.

ASIC review and communications

In an open letter to CEOs on 13 October 2021 (ASIC Letter) and a speech delivered by Commissioner Sean Hughes on 11 November 2021 (ASIC Speech), ASIC provided its feedback following a sampling review of 102 whistleblower policies during the course of financial year 2020-2021.  The results were poor across the board and a majority of the policies did not fully address the legal requirements of the Whistleblower Laws.  Mr Hughes sought to emphasise three deficiencies that were observed:

  1. incomplete or inaccurate information: many policies did not canvass a whistleblower’s right to confidentiality, or the remedies they could seek if they suffer any form of victimisation. Without a clear understanding of these protections, whistleblowers may not speak up about misconduct.
  2. obsolete and out-of-date policies: some policies appeared not to recognise the fundamental requirements of Whistleblowing Laws, including incomplete statements of the possible eligible recipients of disclosures.
  3. policies without oversight arrangements: around a third of policies did not refer to any mechanism for monitoring the effectiveness of the policy. While acknowledging there is no legal requirement for the policy to detail the applicable oversight arrangements Mr Hughes raised the concern that the lack of reference to these arrangements suggests there may be a “set and forget” attitude which is unacceptable.  ASIC’s expectation is that entities treat their whistleblower programs as an important corporate governance function and has apropriare review mechanisms in place to monitor effectiveness.

The letter states that ASIC expects CEOs to:

  • discuss the letter within their entity and review the entity’s whistleblower policy;
  • review RG 270; and
  • review other parts of their whistleblowing systems and processes.

While ASIC targets quite specific instances of non-compliance, the underlying sentiment is one of frustration with the corporate response to the new requirements.  As is apparent in the ASIC Letter and ASIC Speech, there is a concern about company attitudes to whistleblower matters and Mr Hughes even hints at the possibility that entities may have “chosen to ignore” the Whistleblower Laws altogether.

This comes as the statistics show that whistleblower reports to ASIC have increased by 194% since the new laws commenced.  Taken together, provides a strong warning that this is an area of focus for ASIC.

Current position

The findings in the ASIC review demonstrate the regulator’s dim view of corporate compliance with the policy requirements and regulatory guidance.  Our key takeaways from ASICs recent communications are set out below.

  • A policy review and uplift is only one aspect of the expectation ASIC has articulated. These non-compliant policy documents are fairly straightforward to rectify for any business and, in any event, do not attract the most significant penalties.  However, the deeper message in ASIC’s public position is that the shift towards “a culture of speaking up” that the Whistleblowing Laws were expected to trigger, has not yet occurred.  Although ‘culture’ is an inherently nebulous concept, it captures everyone within an entity and requires a more concerted effort to change.  Any such change is of additional importance because the Whistleblower Laws impose obligations on employers to prevent their employees from victimising whistleblowers.  Positive steps in this area should reduce a company’s potential exposure on whistleblower matters, particularly in view of the compensation orders and significant civil penalties for victimisation.
  • There is a tension between a straightforward policy and process, and one which is a correct statement of the Whistleblowing Laws and exhaustive of the RG 270 requirements. To be effective as a governance document, the policy must be drafted in accessible language for eligible whistleblowers and eligible recipients alike.  Indeed, the ASIC Letter encourages “simple and less legalistic language” but at the same time is critical of policies which do not comprehensively state the position in the Whistleblowing Laws.  The reality is that these two positions are not mutually exclusive, but the most effective policies adopt a tailored approach to ensure that both are achieved in a single, compliant policy document.  This can be carried through to supplementary guidance which ensures the policy is applied in a consistent and effective manner. 
  • ASIC refers to “one of [its] priorities in the coming year” is to review the evolution of corporate governance with respect to whistleblower programs. The review looks likely to deal with:
    1. how entities are handling whistleblower disclosures;
    2. how entities use the information from disclosures to address issues of misconduct or change their operations; and
    3. the level of board and executive oversight of whistleblower programs.

This statement sends a clear message to boards that ASIC expects directors to receive information on whistleblower matters and exercise appropriate oversight over the corporate whistleblower program

One thing that is apparent from the recent ASIC communications is that the Whistleblower Laws – and the significant penalties they contemplate – are clearly on ASIC’s priority agenda.  All entities required to have and apply whistleblower policies are now on notice that ongoing non-compliance will not be tolerated, and best practice is expected.  ASIC also expects the whistleblower program to be a focus og the entities governance arrangements – the program should form an important part of corporate governance and entities should integrate insight from the programs into information sources for board to make decisions.

Our team at KWM offers expertise on a range of whistleblower matters, including policy review/uplift, board/employee training sessions and investigation advice and would be please to provide guidance on both policy implementation and governance to ensure this is aligned to best practice and ASIC’s expectations.

The government has published an exposure draft of legislation for an economy-wide digital identity system.

28 September 2023

Consequence management frameworks (CMFs) are documents which set out how an entity ought to respond to instances of misconduct and risk management failures.

26 September 2023

OnBoard delivers our leading market insights purposefully curated for directors, general counsel and company secretaries.

26 September 2023