Whether you have already revised your Whistleblower Policy or are yet to do so, the draft Regulatory Guide released by ASIC on 7 August 2019 provides valuable guidance on the regulator's expectations on the Policy's content and the manner of its implementation.

The new whistleblower provisions in the Corporations Act commenced on 1 July 2019.

In short, the amendments provide protection to "Eligible Whistleblowers" who report "Disclosable Matters" to "Eligible Recipients" within the entity concerned, or to ASIC or APRA. The provisions apply to all public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities.

The Whistleblower Policy

A key element of the new provisions is the requirement that a Whistleblower Policy be in place, and made available to officers and employees, by 1 January 2020.

While that date is still a few months away, ASIC's draft Regulatory Guide illustrates that there is quite a bit involved in meeting the requirement. There is also a significant advantage for relevant entities to have a compliant Whistleblower Policy in place before that time, given that the new whistleblower legislation already applies and that the courts are expressly authorised to have regard to whether an entity has a Whistleblower Policy in place, and the extent to which it has been given effect in practice, in determining compensation for breaches.

The draft Regulatory Guide includes valuable detail of what ASIC expects to see in the Whistleblower Policy. For those entities which do not yet have a compliant Policy in place, that will provide significant assistance on how it should be prepared and implemented. For those that do, it should provide additional guidance on how the document might be enhanced.

As to the core elements of the new whistleblower legislation, the draft Regulatory Guide provides a range of useful information.

Who are "Eligible Whistleblowers"?

The new legislation provides protection for "Eligible Whistleblowers". The Whistleblower Policy should therefore set out all those persons who could fall within that group. Along with all current and past officers and employees, that will need to include the other categories referred to in the whistleblower legislation, namely:

  • current and past suppliers to the entity and their employees;
  • associates of the entity; and
  • relatives, dependents and spouses of each of these groups.

Ideally, the Policy would go beyond just listing these categories and provide some detail as to how they apply to the entity in practice; for instance, it might set out the nature or even the identity of the suppliers and associates caught.

What "Disclosable Matters" are subject to the Policy?

The Whistleblower Policy should provide detail of the types of wrongdoing that would qualify for protection as "Disclosable Matters", as well as examples of matters that would not qualify.

The whistleblower legislation provides protection for "information the discloser has reasonable grounds to suspect concerns misconduct, or an improper state of affairs or circumstances". The Policy should explain that this would capture information relating to potentially unlawful conduct (e.g. breaches of relevant legislation), but then go on to provide an outline of other protected matters that are not unlawful in themselves. ASIC provides the following examples of this second category of matters:

  • "a systemic issue that the relevant regulator should know about to properly perform its functions";
  • "dishonest or unethical behaviour or practices";
  • "conduct that may cause harm"; and
  • "conduct prohibited by the entity's standards or codes of conduct".

These are plainly very broad descriptions. While they may attract some feedback during the submission process, they do seem consistent with the terms of the legislation – the reference to "improper state of affairs or circumstances" is purposefully broad.

Following this lead, the draft Regulatory Guide recommends that the Whistleblower Policy include its own examples of disclosures that would be protected within the relevant entity's business. ASIC provides a list of matters that might be included, such as theft, violence, fraud and bribery.

As to matters that would not qualify for protection, the Whistleblower Policy should explain the extent to which "personal work-related grievances" are not covered and, as a matter of good practice, refer readers to any separate process in place for raising such grievances, for instance with the entity's Human Resources department.

Who can receive Disclosable Matters under the Policy?

The Policy needs to explain that, in order to qualify for protection, a Disclosable Matter must be made to an "Eligible Recipient" within the entity, or to ASIC or APRA. The definition of "Eligible Recipient" in the whistleblower legislation is very broad, including:

  • all officers and senior managers;
  • internal and external auditors;
  • actuaries; and
  • others authorised by the entity to receive the disclosure.

It will be very important, therefore, that the Whistleblower Policy clearly directs potential whistleblowers to the entity's preferred recipient of Disclosable Matters. Without that, the entity would face a significant risk of inadvertent breaches, for instance through disclosures being made to Eligible Recipient staff who are not adequately trained to manage the disclosure.

ASIC does not prescribe which of an entity's internal functions should receive its whistleblower reports, though it does recommend as a matter of good practice that the whistleblower investigation officer (who would receive the reports):

  • report to a senior executive with responsibility for legal, compliance or risk matters; and
  • be independent of the whistleblower protection officer.

While ASIC accepts that an entity might also use an independent whistleblower service provider as part of its process, that would need to be implemented in a way which works effectively with the internal function responsible for disclosures.

Drafting the Policy

So, what does ASIC say about how the Whistleblower Policy should be drafted?

ASIC's expectation is that it be "robust", which suggests a significant level of detail. It recognises, though, that the Policy should be aligned to the nature, size, scale and complexity of the entity's business. What is needed for a large and complex business, in terms of the nature of disclosures caught and the processes required to protect those disclosures across the entity's different business segments, would likely not be required for smaller and simpler businesses.

ASIC also requires the Policy to be "clear", so it should be written in a way which is easy to understand and free of jargon. Given the content required in the Policy, which will inevitably stretch to quite a few pages, some thought should also be given to how it will be most easily navigated by its readers.

Finally, ASIC makes a point that the Whistleblower Policy should be written using a "positive tone and language that encourages the disclosure of wrongdoing". It notes, for instance, that it could include a statement discouraging false reporting, but that must not be done in a way which would deter staff from making disclosures. Provided a discloser has "reasonable grounds" for their views, they will remain protected despite the matter not ultimately being proved.

Implementation of the Policy

Once approved, the Whistleblower Policy should be widely disseminated. That will involve a good deal more than just posting it on the staff intranet. ASIC states an expectation that relevant entities will:

  • hold staff briefings on the Policy;
  • include it in new employee induction packs; and
  • provide regular training to all employees on its content.

While the new legislation does not strictly require these activities to be undertaken by 1 January 2020 (i.e. it requires only that the Policy be made available to officers and employees by that date), it is likely ASIC would want to see at least some of them underway by that time.

Ownership of the Whistleblower Policy

ASIC also makes some interesting comments on ownership of the Whistleblower Policy. As part of its good practice guidance, it recommends that entities make a Board Committee or individual independent director the "owner" of the Whistleblower Policy. That body or person would also have responsibility for oversight, monitoring and reviewing updates of the Policy.

Based on that view, it would be prudent for the Whistleblower Policy to be put to the entity's Board or an appropriate Board Committee for approval, along with appropriate reporting on its implementation and operation.

Other material

The draft Regulatory Guide sets out ASIC's expectations on other aspects of the Whistleblower Policy as well as some "good practice guidance" on how entities should establish, implement and maintain their Whistleblower arrangements. All this material will provide useful reference for entities in meeting their Whistleblower Policy requirements and otherwise complying with the new whistleblower legislation.

What's next?

ASIC has sought submissions on the draft Regulatory Guide by 18 September 2019 with a view to releasing the final document in October 2019. While that final guide can be expected to vary a little from the draft, a Whistleblower Policy which follows the contents of the current draft guide is likely to provide an effective basis for managing whistleblower disclosures and to be very closely aligned with ASIC's final position.

The link to ASIC's draft Regulatory Guide and Consultation Paper can be found at: https://asic.gov.au/about-asic/news-centre/find-a-media-release/2019-releases/19-205mr-asic-consults-on-new-guidance-for-companies-on-whistleblower-policies/