With the 1 January 2020 deadline approaching for compliance with the whistleblower policy requirements of the corporate whistleblower regime (see our earlier article here), the Australian Securities & Investments Commission (ASIC) has published Regulatory Guide 270 “Whistleblower Policies” (Regulatory Guide) to assist entities to establish a policy that complies with legislative requirements.

ASIC expectations

Section 1317AI of the Corporations Act 2001 (Cth) requires all (i) public companies; (ii) large proprietary companies; and (iii) proprietary companies that are trustees of registrable superannuation entities to have a whistleblower policy and make it available to their officers and employees. Section 1317AI(5) prescribes mandatory content requirements for the policy.

The Regulatory Guide includes requirements and recommendations for whistleblower policies that exceed the mandatory content requirements prescribed by the Corporations Act and will require attention by organisations, including those who have recently amended their policies to align to the revised laws.

The Regulatory Guide gives mandatory guidance on matters that must be addressed by an organisation establishing a whistleblower policy as well as helpful, non-mandatory good practice content examples and tips. It also addresses how ASIC will exercise specific powers under the Corporations Act, its interpretation of the law and its expectations on the steps an organisation should be taking to comply with its obligations.

Interestingly, as part of an increasing trend by regulators to focus on Board responsibility, the Regulatory Guide makes clear ASIC’s view that ultimate responsibility for an entity’s whistleblower policy and its implementation rests with the Board. The Regulatory Guide expresses ASIC’s view that an entity’s Board (either directly or through its Audit or Risk Committee) must ensure that broader trends, themes and/or risks that emerge as a consequence of an entity’s disclosure regime are addressed and mitigated as part of an entity’s broader risk management and corporate governance framework. Additionally, the Board (or Audit or Risk Committee) should receive periodic reporting on the effectiveness of the policy.

In doing so, ASIC recognises there is no one-size-fits-all approach to whistleblower policies and their implementation, but it expects organisations to establish a whistleblower policy which is aligned to the size and complexity of the business, is supported by processes to deal with disclosures and uses a positive tone to encourage disclosure.

The Regulatory Guide also indicates that ASIC will conduct periodic surveillance activities to ensure compliance with the whistleblower protection laws (including the policy requirement) and will pursue non-compliance in line with its enforcement approach and operational priorities.

Key mandatory elements

The mandatory requirements identified by ASIC for inclusion in whistleblower policies are set out below.

Above and beyond wrap up

The above list is not exhaustive, and the full Regulatory Guide should be consulted to ensure all requirements have been met by your organisation (find the Regulatory Guide here).

Organisations should also be alert to the fact that the Regulatory Guide includes guidance that goes above and beyond the requirements of the Corporations Act. Although most of this guidance is non-mandatory, it does reflect ASIC’s expectations as to better practice in this area.

We have identified the key aspects of the Regulatory Guide which deviate from current market practice for whistleblower policies or the requirements of the Corporations Act below. These are the areas of the Regulatory Guide which we expect are most likely to require additional attention by entities required to implement a whistleblower policy.

What you need to do now

For those organisations who:

  • are yet to put their whistleblower policy in place, the Regulatory Guide will provide a useful tool to help establish a policy that not only meets the legislative requirements of the Corporations Act but incorporates ASIC’s guidance on what it considers to be sound corporate governance practices;
  • have already rolled out their whistleblower policy and governance framework, there is still time before 1 January 2020 to review the Regulatory Guide to ensure the policy meets the mandatory content identified by ASIC and consider the inclusion of non-mandatory content as a matter of good governance.