ASIC has released Regulatory Guide 270 "Whistleblower policies" (the Regulatory Guide) to assist companies and other applicable entities in establishing their mandatory whistleblower policies. With eligible entities required to publish a compliant whistleblower policy before 1 January 2020, now is the time to consider whether your business policy meets ASIC's standards. Any business that does not meet this deadline may face a fine of AU$12,600, with ASIC stating that it will be conducting surveillance activities to ensure compliance in accordance with its recently revised enforcement approach.
The Whistleblower Protection Scheme
The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth) established a new national whistleblower protection scheme, amending the Corporations Act 2001 (Cth) (the Corporations Act) and the Tax Administration Act 1953 (Cth) to increase protections for whistleblowers who report corporate and tax misconduct.
Under the scheme, eligible whistleblowers are provided legislative protections when disclosing information regarding misconduct or an improper state of affairs that they have reasonable grounds to suspect is occurring or has occurred within an entity or its subsidiaries. Whistleblowing disclosures can be made to ASIC or APRA, as well as "eligible recipients" within the entity itself, including its directors, the company secretary, the company's auditors, senior management or any person authorised by the entity to receive whistleblower disclosures, such as a human resources manager.
Whistleblowers who make disclosures in accordance with the scheme are entitled to a number of legislative protections, including having their identity kept confidential and being protected from any real or threatened detriment as a result of their disclosure. Companies may be required to pay compensation to protected whistleblowers for any detriment suffered in connection with their disclosure.
Further, a whistleblower is protected from any civil, criminal or administrative liability that could otherwise arise in relation to their disclosure, such as legal action for breach of an employment contract or confidentiality obligation, prosecution for the unlawful disclosure of information or other disciplinary action for making the disclosure. However, these protections do not grant immunity for actual misconduct engaged in by the whistleblower, which is revealed in their disclosure.
For employers concerned that potentially frivolous or vexatious employee complaints may fall under the legislation's protection, the scheme does not protect disclosures concerning an employee's "personal work-related grievances" (unless the grievance relates to victimisation because of a previous protected disclosure). However, employers must not forget that the Fair Work Act 2009 prohibits taking adverse action against employees because of a "complaint or inquiry in relation to their employment".
A key requirement for affected entities is the headline obligation to prepare and publish a whistleblower policy that complies with guidance from ASIC. Under section 1317AI of the Corporations Act, large proprietary companies [1], public companies and corporate trustees of APRA-regulated superannuation entities must, before 1 January 2020, publish and maintain a compliant whistleblowing policy.
While subsection 1317AI(5) sets out the legislative requirements that whistleblower policies must address, the recently released Regulatory Guide has supplemented and expanded on the mandatory content of these policies. In our view, ASIC's guidance has established new mandatory standards that go well beyond the obligations expressly set out within the Corporations Act. In order to highlight these new obligations, set out in the table below is a comparison between the legislative requirements of section 1317AI(5) and ASIC's Regulatory Guide guidance.
[1] Large proprietary companies are proprietary companies with consolidated annual revenue in excess of AU$50 million, consolidated gross assets in excess of AU$25 million and more than 100 employees, either individually or in combination with any subsidiaries it controls.
Under s. 1317AI(5), the matters that a policy must set out are: (a) Information about the protections available to whistleblowers, including protections under Part 9.4AAA (this Part).
ASIC's guidance requires that a policy must:
- Include a brief explanation about the purpose of the policy.
- Identify the different types of eligible whistleblowers within and outside the entity.
- Set out the criteria for a discloser to qualify for protection as a whistleblower.
- Identify the types of wrongdoing that can be reported, based on the company's business operations and practices, including examples.
- Outline the types of matters that are not covered by the policy, such as work-related grievances. However, it must outline when a disclosure, which may also be a work-related grievance, still qualifies for protection (for example, if it is a "disclosable matter").
- State that disclosures that are not about "disclosable matters" do not qualify for protection.
- Include information about the protections available to disclosers who qualify for protection as a whistleblower.
- State that a discloser can still qualify for protections under the Corporations Act, even if their disclosure turns out to be incorrect.

Under s. 1317AI(5), the matters that a policy must set out are: (b) Information about to whom disclosures that qualify for protection under this Part may be made and how they may be made.
ASIC's guidance requires that a policy must:
- Identify the types of people within and outside the company who can receive a disclosure that qualifies for protection, including that disclosures can be made to ASIC, APRA and other prescribed bodies.
- State that disclosures can be made to a journalist or parliamentarian under certain circumstances and qualify for protection. It must also highlight that it is important for the discloser to understand the specific circumstances in which those disclosures may be made.
- Include information about whom a discloser can contact to obtain additional information before making a disclosure.
- Include information about how to make disclosures, including that disclosures must be made directly to an eligible recipient in order to qualify for protection.
- Outline different options available for making a disclosure (such as anonymously and/or confidentially, securely or outside business hours).
- Include information about how to access each disclosure option, along with relevant instructions.
- Advise that disclosures can be made anonymously and still be protected under the Corporations Act.
- Highlight that disclosures to a legal practitioner for the purposes of obtaining legal advice in relation to the operation of the whistleblower provisions are protected.

Under s. 1317AI(5), the matters that a policy must set out are: (c) Information about how the company will support whistleblowers and protect them from detriment.
ASIC's guidance requires that a policy must:
- Outline the entity's measures for supporting disclosers and protecting disclosers from detriment in practice.
- Explain the entity's legal obligation to protect the confidentiality of a discloser's identity and provide examples of how the entity will, in practice, protect the confidentiality of a discloser's identity.
- Explain and provide examples of how the entity will, in practice, protect disclosers from detrimental acts or omissions.
- Highlight that it is illegal for a person to identify a discloser or disclose information that is likely to lead to the identification of a discloser, unless exceptions apply.
- Outline that a discloser can seek compensation and other remedies in certain situations.

Under s. 1317AI(5), the matters that a policy must set out are: (d) Information about how the company will investigate disclosures that qualify for protection under this Part.
ASIC's guidance requires that a policy must:
- Include information about how the entity will investigate disclosures that qualify for protection.
- Outline the key steps the entity will take after it receives a disclosure, including how it investigates a disclosure, keeps the discloser informed, and documents, reports and communicates its investigation findings to the discloser.

Under s. 1317AI(5), the matters that a policy must set out are: (e) Information about how the company will ensure fair treatment of employees of the company who are mentioned in disclosures that qualify for protection under this Part, or to whom such disclosures relate.
ASIC's guidance requires that a policy must:
- Include information about how the entity will ensure the fair treatment of employees who are mentioned in a disclosure that qualifies for protection, including those who are the subject of a disclosure.

Under s. 1317AI(5), the matters that a policy must set out are: (f) Information about how the policy is to be made available to officers and employees of the company.
ASIC's guidance requires that a policy must:
- Cover how the policy will be made available to the entity's officers and employees.
- Outline the entity's measures for ensuring its policy is widely disseminated to and easily accessible by disclosers within and outside the entity.
Beyond ASIC's mandatory obligations set out above, the Regulatory Guide also includes "good practice tips" and additional guidance that, while not mandatory, indicates the level of detail and scope that ASIC considers should be contained within these policies. It is likely that these good practice tips will shape best practice compliance standards moving forward. Accordingly, we recommend this guidance is also considered when preparing or reviewing your business' whistleblower policy.
Along with the publication of the Regulatory Guide, ASIC also announced that it has granted relief to small not-for-profits or charities by way of ASIC Corporations (Whistleblower Policies) Instrument 2019/1146 (the Relief). Under the Relief, not-for-profit companies limited by guarantee with a consolidated annual revenue of AU$1 million are not required to maintain or publish a whistleblower policy in accordance with section 1317AI.
While the whistleblower regime will still apply to these entities, the Relief brings not-for-profit companies limited by guarantee into line with similar financial exemption thresholds offered to proprietary companies. The implementation of this Relief recognises the financial and administrative burden that preparing and maintaining a compliant whistleblower policy would place on entities in the not-for-profit industry, many of which are companies limited by guarantee that would otherwise need to comply.
As set out in the table above, the Regulatory Guide has established new baseline compliance requirements that businesses must consider when drafting a whistleblower policy. The extent and scope of ASIC's mandatory guidance means that a "close enough is good enough" approach to the requirements of subsection 1317AI(5) will be insufficient.
The 1 January 2020 deadline is fast approaching and, despite ASIC releasing such sweeping guidance changes only fifty days prior, no extension is currently contemplated. Accordingly, eligible entities must move quickly to draft or update a compliant whistleblower policy.
Our Corporate and Labour and Employment teams can assist you in understanding the requirements of the new whistleblower scheme and how to comply with obligations to regulators and workers, as well as ensuring you have a compliant whistleblower policy in place in time to avoid potentially costly penalties. If you think your business requires assistance, please do not hesitate to contact us.
Bruno Di Girolami
Michael Van Der Ende
The contents of this update are not intended to serve as legal advice related to individual situations or as legal opinions concerning such situations, nor should they be considered a substitute for taking legal advice. Squire Patton Boggs. All Rights Reserved 2019