Public companies and large proprietary companies must have a compliant whistleblower policy in place by 1 January 2020, following substantial amendments to the whistleblower protection regime under the Corporations Act 2001 (Cth) (Corporations Act) earlier this year (see our previous reports here and here).

ASIC has now released Regulatory Guide 270 Whistleblower Policies (Regulatory Guide), which sets out the mandatory matters and the recommended matters (what ASIC considers good practice) that ASIC considers should be included in a whistleblower policy to comply with the legal obligations under the Corporations Act. On our reading, the matters that ASIC considers mandatory for inclusion in a whistleblower policy are broader than the specific matters prescribed by the Corporations Act, so even recently adopted policies may not meet the requirements of the Regulatory Guide.

Some of the key mandatory requirements under ASIC’s Regulatory Guide are as follows:

Disclosable matter

A policy must identify the types of wrongdoing that can be reported (termed “disclosable matters” under the Corporations Act) based on the entity’s business operations and practices.

In addition, the policy must outline the types of matters that are not covered by the policy.

Who can receive a disclosure

A policy must identify the types of people within and outside the entity who can receive a disclosure and also include information about who a discloser can contact to obtain additional information before making a disclosure.

How to make a disclosure

A policy must include a range of internal and external disclosure options and information on how to access each option along with the relevant instructions.

Support and protection

A policy must outline the entity’s measures for supporting disclosers and protecting disclosers from detriment in practice.


A policy must set out the process for investigating disclosures including timeframes and how the entity will keep a discloser informed of the investigation and document any findings.

Fair treatment of employees

A policy must include information about how the entity will ensure the fair treatment of employees named in a disclosure that qualifies for protection, including those who are the subject of a disclosure.


A policy must highlight that it is illegal for a person to identify a discloser or disclose information that is likely to lead to the identification of the discloser, and include information about how a discloser can lodge a complaint with the entity about a breach of confidentiality.

Legal practitioners

A policy must highlight that disclosures to a legal practitioner for the purposes of obtaining legal advice or representation in relation to the operation of the whistleblower regime are protected (even in the event that the legal practitioner concludes that a disclosure does not relate to a “disclosable matter”).


A policy must cover how the policy will be made available to the company’s officers and employees. It must outline the company’s measures for ensuring its policy is widely disseminated to and easily accessible by disclosers within and outside the entity (e.g. through upfront and ongoing training for employees).

The Regulatory Guide also states that an entity should publish its policy on its external website (though it may, where appropriate, exclude information that would not be suitable for external publication, such as the names and contact details of internal eligible recipients for employees).

In addition, ASIC recommends as a matter of “good practice” guidance that companies:

  • foster a whistleblowing culture - by ensuring the company has a positive and open environment where employees feel they can come forward and the leadership team demonstrates the company’s commitment to its whistleblower policy;
  • allocate key roles and responsibilities under the whistleblower policy;
  • ensure the privacy and security of personal information;
  • monitor and report on the effectiveness of the policy, such as by setting up oversight arrangements for ensuring the company’s board or audit or risk committee are kept informed about the effectiveness of the policy and its implementation; and
  • review and update the policy and associated processes and procedures on a regular basis.

In light of ASIC’s stated “Why not litigate?” enforcement approach, and ASIC publicly stating its intention to undertake surveillance next year to review compliance, it would be prudent for companies required to have a whistleblower policy to follow the Regulatory Guide as closely as possible, even in respect of the non-mandatory “good practice” recommendations.

Public companies and large proprietary companies should take steps to ensure that they adopt a compliant policy as soon as possible and in advance of the 1 January 2020 deadline. If your company has already adopted a whistleblower policy, it may need to be reviewed in light of the new Regulatory Guide and ASIC’s stated approach.

ASIC also notes that companies not required to adopt a formal whistleblower policy may still benefit from documenting and implementing a strategy for handling any whistleblower reports received under the whistleblower protection regime in the Corporations Act.