Australia’s recently overhauled whistleblower protection regime requires all public companies and large proprietary companies to have their required whistleblower policy in place by 1 January 2020. Now that this date has come and gone, failure to have a compliant policy is a strict liability offence.
What do I need to know?
The new whistleblower protection regime, which commenced on 1 July 2019, requires all public companies and large proprietary companies to have a compliant whistleblower policy and make such policy available to the entity’s officers (e.g. director, secretary, senior executives) and employees from 1 January 2020 onwards.
Now that the date has passed, failure to have a compliant whistleblower policy is a strict liability offence (i.e. you need not have known that you required one or did not have a compliant whistleblower policy) with a penalty of A$12,600 for individuals and A$126,000 for corporations.
Does the requirement apply to my organisation?
All public companies (including those related to charities and not-for-profits), large proprietary companies and proprietary companies that are trustees of registrable superannuation entities must have a compliant whistleblower policy. A large proprietary company is one that has any two of the following three features:
- the consolidated revenue of your organisation (and any entities it controls) is A$50 million or more;
- the value of the consolidated gross assets of your organisation (and any entities it controls) is A$25 million or more; and
- your organisation (and any entities it controls) has 100 or more employees.
Smaller not-for-profits are exempted from the requirement to have a whistleblower policy by reason of an ASIC Order dated 13 November 2019. That is, where the public company is a not-for-profit (and not a trustee of a registrable superannuation entity) and has never had a consolidated annual revenue exceeding A$1 million, the requirement to have a compliant whistleblower policy does not apply.
The requirement to have a compliant whistleblower policy is distinct and separate from the broader obligations under the new whistleblower regime that commenced 1 July 2019. The protections available under the regime apply whether or not your organisation has a compliant whistleblower policy.
Who is responsible for this?
Your organisation’s Board is ultimately responsible ‘as part of the entity’s broader risk management and corporate governance framework’. The Board must also ensure that ‘the broader trends, themes and/or emerging risks highlighted by the disclosures made under its policy’ are addressed and mitigated by the entity as part of its risk management and corporate governance work plans. The Board may fulfil this responsibility through its audit or risk committee.
Is our whistleblower policy compliant?
A compliant whistleblower policy must set out information about:
- the protections available to whistleblowers (e.g. as per the new law);
- the people and organisations to whom protected disclosures may be made and how they can be made;
- how the organisation will support whistleblowers and protect them from suffering detriment for making a protected disclosure;
- how the organisation will investigate protected disclosures;
- how the organisation will ensure fair treatment of its employees who are mentioned in protected disclosures or to whom such disclosures relate; and
- how the whistleblower policy is to be made available to the officers and employees of the organisation.
Further mandatory content for whistleblower policies may be added from time to time by regulations which supplement the Corporations Act 2001 (Cth).
Guidance on the sections to include in a compliant whistleblower policy and what points to address in respect of each can be found in ASIC’s Regulatory Guide 270.
How will a whistleblower policy benefit my organisation?
A whistleblower policy is not only required by law but is important because it helps:
- provide better protections for individuals who disclose wrongdoing (disclosers);
- improve the whistleblowing culture of entities and increase transparency in how entities handle disclosures of wrongdoing;
- encourage more disclosures of wrongdoing; and
- deter wrongdoing, promote better compliance with the law and promote a more ethical culture by increasing awareness that there is a likelihood that wrongdoing will be reported.
We have updated our whistleblower policy. What happens now?
You need to ensure that your whistleblower policy is tailored to your organisation and actively incorporated into your day-to-day operations. ASIC expects entities to:
- establish and implement a whistleblower policy that:
  - is aligned to the nature, size, scale and complexity of the entity’s business;
  - is supported by processes and procedures for effectively dealing with disclosures received under the policy; and
  - uses a positive tone and language that encourages the disclosure of wrongdoing;
- take steps to give effect to their whistleblower policy by ensuring that the policy is implemented appropriately and consistently carried out in practice; and
- have arrangements in place for periodically reviewing and updating their whistleblower policy to ensure issues are identified and rectified.