New corporate whistle-blower laws

Current site :    AU   |   EN
China Hong Kong SAR
United Kingdom
United States

This article was written by Andrew Gray.


The enhanced protections for corporate whistle-blowers under the Corporations Act 2001 (Cth) commenced on 1 July 2019.  The laws were enacted to provide a single regime, replacing multiple regimes that were administered by various regulators, and to create stronger statutory protections that will encourage whistleblowing.  The Government's objective is to improve corporate compliance and promote ethical corporate culture.

Broadened protections

Under the new laws, protection is provided for an eligible person (past or present employee, supplier or contractor) who makes a disclosure to an eligible recipient (see below) of information concerning 'misconduct or an improper state of affairs' in relation to a regulated entity (basically a corporation, a bank, an insurer or superannuation entity regulated in Australia, including foreign entities) or its related bodies corporate. 

Without limiting this provision, the new laws specify that information relating to the following matters will qualify as a protected disclosure:

  • conduct that amounts to an offence or contravention of Australia's corporations and financial services legislation, or any other Commonwealth offence carrying a penalty of at least 12 months imprisonment; or
  • conduct that 'represents a danger to the public or financial system'.

However, personal work-related grievances are expressively excluded from protection.

A significant change is that a whistle-blower can now make an anonymous disclosure and still be protected.

People who can receive complaints

The list of eligible recipients in the new laws includes an 'officer or senior manager' of the regulated entity.  For companies, all directors will be eligible recipients and will need to comply with the strict information controls discussed below.  Significantly, directors of one company in a corporate group will be eligible to receive whistle-blower disclosures made about any of the entities within the group.

Eligible recipients also include regulators and legal practitioners. If a disclosure is made to a regulator, and no action is taken within 3 months, the whistle-blower can disclose the matter to a journalist and continue to be protected.


An eligible recipient (including any director) who receives a whistle-blower disclosure is subject to strict confidentiality obligations and should not disclose the identity of the whistle-blower to anyone without the whistle-blower's consent.  The only exception to this legislative prohibition is where the eligible recipient discloses the whistle-blower's identity to:

(1)   a regulator (ASIC, APRA or the ATO); or

(2)   a legal practitioner for the purposes of obtaining advice in relation to the whistle-blower regime.

The eligible recipient should not identify a whistle-blower to any Board member unless specific, informed consent has been provided beforehand.

The details of the disclosure may be disclosed but the recipient will also need to take precautions to ensure that details about the substance of the complaint are strictly limited, and only shared on a 'needs to know' basis for the purposes of proper investigation of the disclosure.  Spreading information of this nature risks the identification of the whistle-blower, or victimisation of the whistle-blower for which the company may be liable.

Deemed liability of employers

The new laws impose significant civil and criminal penalties for any victimisation of individuals who have made, or supported those who have made, whistle-blower disclosures.  Compensation orders can be made against an employer, in circumstances where the victimisation was engaged in by an employee, and in connection with their position as an employee.  

In deciding whether to make an order against the employer, the court will have regard to (among other things) whether the employer took reasonable precautions, and exercised due diligence, to avoid the victimisation. As a result, it will be important for employers to implement policies and effective governance mechanisms and training to avoid being deemed liable for the conduct of their employees.  

What do you need to know?

In order to comply with the new laws, organisations should take steps to:

  • update current whistle-blower policies (this is mandatory for public companies and large proprietary companies from 1 January 2020);
  • educate officers and senior managers on their roles under the new laws;
  • develop a governance framework to ensure protected disclosures are properly handled and investigated; and
  • provide general training for employees to understand the avenues through which to make a complaint, and to prevent liability for any reprisal action that may be taken by employees.

For listed entities, the suggestions in box 3.3 of the ASX Corporate Governance Council Principles and Recommendations, 4th Edition, February 2019 are a helpful starting point for the content of whistle-blower policies.

In person and online, stages are being set for the biggest annual event on Australian listed companies’ corporate calendar. What to expect this AGM season? The KWM Corporate M&A team has pulled together a quickfire list of seven points to watch, and five key issues for every company to consider as they prepare…

15 August 2022

With the promise of cost savings, greater flexibility and ability to scale, it is not surprising that companies are continuing to move their key business applications and data to the cloud.

15 August 2022

APRA has released its proposed new remuneration disclosure and reporting requirements for APRA-regulated entities for consultation. This article explores the key features of the new and enhanced disclosure requirements proposed by APRA.

12 August 2022