The new Australian whistleblower laws commenced on 1 July 2019 and included a requirement that all “public” (including not-for-profits registered as public companies limited by guarantee) and “large proprietary” companies have a complying whistleblower policy in place from 1 January 2020.
ASIC has now released its final guidance on what a compliant whistleblower policy must include, as well as granting relief from the requirement to have a policy for smaller not-for-profits.
Recap of the new whistleblower regime
The new whistleblower protection laws bring significant changes to the existing whistleblower protection framework. Under the new regime, whistleblowers receive greater protections if they report corruption, fraud, tax evasion/avoidance and misconduct. In order to qualify for these protections, certain criteria must be met in relation to the identity of the discloser, the type of matter being reported and to whom the report is given.
The new regime requires “public” (including not-for-profits registered as public companies limited by guarantee) and “large proprietary” companies to have a compliant whistleblower policy in place from 1 January 2020. Failure to comply with this requirement is an offence and attracts a significant penalty of 60 penalty units (currently $12,600 for an individual and $63,000 for a body corporate).
Further details of the new regime are contained in our earlier corporate alert “New Whistleblower laws commence on 1 July 2019”.
Whistleblower policy content requirements – final ASIC guidance
The Corporations Act requires that a whistleblower policy must cover information about:
- the protections available to whistleblowers;
- how a disclosure can be made and to whom it can be made;
- the support and protection that the company will provide to a whistleblower;
- the company process for investigations following a disclosure;
- how those mentioned in disclosures will receive fair treatment; and
- how the policy will be made available.
On 13 November, ASIC released the finalised “Regulatory Guide 270 – Whistleblower policies” which specifies (in prescriptive detail) the content requirements for whistleblower policies, some of which appear to be in addition to the Corporations Act requirements listed above. In summary, these include that a whistleblower policy must also contain:
- an explanation of the purpose of the policy;
- the types of matters that can be reported under the policy (including applicable examples) and the types of matters not covered by the policy (such as personal work-related grievances), including details regarding public interest and emergency disclosures;
- information about who a discloser can make a report to (both within an organisation and externally) and who they can contact to obtain additional information before making a disclosure;
- how to make a disclosure, and the different options available for making a disclosure (including information and instructions about how to access each option);
- information about how disclosures can be made anonymously and still protected under the Corporations Act;
- the timeframes for handling and investigating disclosures, as part of an overall requirement to provide transparency about how investigations are handled;
- the key steps that will be taken after a disclosure is received, including how a discloser will be kept informed and how the entity will document, report and communicate the investigation findings; and
- how the entity will ensure its policy is widely disseminated to and accessible for disclosers (including by making the policy available on its public website).
Exemption for small not-for-profit organisations
In addition to the release of the final Regulatory Guide 270, ASIC announced that it is granting relief to public companies that are not-for-profits or charities with annual revenue of less than A$1 million from the requirement to have a whistleblower policy.
The ‘public company limited by guarantee’ structure is common among not-for-profits and charities, many of which have limited staff and financial resources and were consequently captured by the new mandatory policy requirement. Accordingly, in granting this relief, ASIC has recognised that these organisations should not be burdened with the additional compliance requirement.
What to do next?
We recommend that all organisations required to have a whistleblower policy in place by 1 January 2020 adopt a policy, or review their current policy, ahead of the deadline so that it complies with the requirements of both the Corporations Act and ASIC's Regulatory Guide 270.