How ASIC handles whistleblower reports
This is Information Sheet 239 (INFO 239).
We value the people from inside companies and organisations who come to ASIC with reports of potential misconduct or breaches of the law. Whistleblowers provide ASIC with important information. They help us enforce the laws we administer, and help us to address and prevent consumer harm.
We appreciate that whistleblowers can find themselves in difficult and stressful circumstances, and may risk their careers or even their personal safety. The concerns whistleblowers raise with ASIC are taken seriously.
This information sheet (INFO 239) explains:
- Whistleblower reports that we may receive
- ASIC’s role
- How we deal with the information you provide, including When we will act on your informationand Matters outside of our regulatory responsibilities
- How we pursue alleged breaches of the whistleblower protections
- Our communication with whistleblowers
- The role of ASIC’s Office of the Whistleblower
The Corporations Act 2001 (Corporations Act) provides certain legal rights and protections for people who meet the definition of an ‘eligible whistleblower’. For information about who can qualify for protections as a whistleblower under the Corporations Act, please see Information Sheet 238 Whistleblower rights and protections (INFO 238).
The whistleblower protections in the Corporations Act apply to you if you are an insider to a company or organisation and make a report about:
- an improper state of affairs or circumstances, or
- a breach of the law by the company or organisation or an officer or employee of the company or organisation.
This is a broad test, and the subject matter of a whistleblower report may extend beyond ASIC’s regulatory responsibilities as Australia’s corporate, markets, financial services, and consumer credit regulator.
Whistleblowers can access their legal rights and protections from when they report to ASIC. Whistleblowers can also access the protections from when they report internally within the company or organisation or externally to the company’s or organisation’s auditor, actuary, or whistleblower complaints service.
Further information about the legal rights and protections for whistleblowers, ASIC’s enforcement approach, and our handling of reports of misconduct is available in:
- Information Sheet 238 Whistleblower’s rights and protections (INFO 238)
- Information Sheet 151 ASIC’s approach to enforcement (INFO 151)
- Information Sheet 153 How ASIC deals with reports of misconduct (INFO 153).
If your report is about matters within the Australian Prudential Regulation Authority’s (APRA’s) responsibilities, such as compliance with prudential regulation or the safety and soundness of financial institutions, you may wish to raise your concerns directly with APRA. The whistleblower protections in the Corporations Act also apply to reports from whistleblowers made direct to APRA. For guidance on providing information on institutions APRA regulates, see APRA’s webpage on whistleblowing.
ASIC’s primary role in relation to you as a whistleblower is to receive and consider your report about misconduct and breaches of the law, and investigate the concerns where it is appropriate and within our regulatory responsibilities. We also look into allegations that you have experienced or been threatened with detriment for making a disclosure or have had your confidentiality breached.
However, under the law there are limits to our role that are important to understand:
- ASIC enforces the laws we administer, and we prioritise which matters we will investigate. We pursue breaches of the law through a variety of means, including litigation, administrative action, stakeholder engagement, and negotiation. We cannot enforce laws we are not responsible for, and not every report triggers a formal investigation.
- The whistleblower protection provisions in the Corporations Act do not oblige ASIC to:
- act for you if you are the subject of a private litigation or prosecution
- bring an application on your behalf if your employer has terminated your employment as a result of a disclosure
- bring an action seeking compensation for you for loss, damage, or injury caused by detriment or threatened detriment.
- We do not decide who is and who is not a whistleblower. The definition of a whistleblower is set out in the law. If there is a dispute about whether you satisfy this definition, it can only be determined by a court. See INFO 238 for more information on the criteria for protection as a whistleblower under the law.
- We cannot provide you with legal advice. If you believe you may be a whistleblower or are unsure what protections apply to you, we urge you to seek independent legal advice.
- Obtaining or accessing the protections under the Corporations Act does not depend on any action by ASIC.
- Unlike some foreign countries, whistleblowers in Australia are not eligible to receive a financial reward for making a whistleblower report; the Corporations Act does not provide for it.
We will register your report on our confidential internal database and provide you with a reference number.
We will contact you if we require further information from you. We will keep your information and your identity confidential. However, in very limited circumstances – for example, if a court requires us to do so – we may be compelled to provide it. If this happens, we will seek to speak with you ahead of time and seek to protect your identity.
You can give us information anonymously but we will not be able to follow up with you for further information. However, anonymous disclosures can still qualify for the whistleblower protections (see INFO 238).
When we will act on your information
All reports of alleged misconduct (including those from whistleblowers) reported to ASIC are initially considered by the Misconduct and Breach Reporting team. For more information, see INFO 153.
Often these matters occur in the context of an employment dispute or issue. We are not likely to focus on those issues, but on the alleged misconduct or breaches of the law disclosed or reported to ASIC.
We cannot investigate every allegation that is made to ASIC; we must prioritise. We do not act for individuals and we will seek to take action only where our action will result in a greater impact in the market and benefit the general public more broadly.
For information on our enforcement role and why we respond to particular types of breaches of the law in different ways, see INFO 151.
Matters outside of our regulatory responsibilities
Apart from being a means to receive tip-offs and insider information, ASIC’s role to receive and consider whistleblower reports can be important for whistleblowers to access their legal rights and protections. This includes where a whistleblower is not comfortable first reporting their concerns internally or fears reprisals for doing so.
We can only enforce the laws we are responsible for. However, by reporting to ASIC, even if your concerns are not breaches of the laws ASIC enforces, you are still able to access the whistleblower protections.
We encourage you to raise your concerns with the regulator or law enforcement agency that can best respond to your concerns. Issues that are outside of ASIC’s jurisdiction, even if they are serious, are not within ASIC’s jurisdiction to investigate.
For information on reports about misconduct outside of our regulatory responsibilities, see Information Sheet 208 When companies break laws that ASIC does not enforce (INFO 208).
We may also refer your report to another regulator or law enforcement agency ourselves. Generally, we will do this if:
- the concerns relate to a serious breach, compliance failure, or risk of harm to consumers
- a company director, officer or senior employee has been involved in the alleged misconduct
- an entity or person we license or register, such as an Australian financial services (AFS) licensee, Australian credit licensee, registered liquidator, auditor, or registered agent has been involved in the alleged misconduct outside of our regulatory responsibilities, or
- there is a risk you may suffer detriment in the future.
Before we refer your concerns to another regulator or law enforcement agency, we will generally contact you and seek your consent.
Whether or not your whistleblower report relates to a matter within ASIC’s regulatory responsibilities, we will consider allegations that a person has:
- caused you or threatened you with detriment for reporting your concerns, or
- breached your confidentiality.
When the underlying misconduct has already been reported to another agency, for example, the ATO or APRA, we will consider if any inquiries we may make into your report could interfere with inquiries by that other regulatory or law enforcement agency.
For more information on how we select matters for enforcement action and why we respond to particular types of breaches of the law in different ways, see INFO 151.
Causing or threatening detriment to a whistleblower
The Corporations Act makes it illegal (through a criminal offence and a civil penalty) for someone to cause or threaten detriment to you because they believe or suspect that you have made, may have made, propose to make or could make a whistleblower disclosure.
The criminal offence and civil penalty apply even if you have not made a whistleblower report, but the offender causes or threatens detriment to you because they believe or suspect you have or might make a report.
We can pursue allegations that a person caused or threatened detriment to you, but we would need your assistance to investigate the allegations. This may result in a penalty to the person but not necessarily any compensation. ASIC cannot order compensation be paid to you.
You can seek compensation through a court if you suffer loss, damage or injury for making your disclosure. Further information about the criminal offence and civil penalty for causing or threatening detriment and the ability to seek compensation is available in INFO 238.
Breaching a whistleblower’s confidentiality
The Corporations Act makes it illegal (through a criminal offence and a civil penalty) for someone to disclose your identity, or information likely to lead to your identification, as a whistleblower unless it is an authorised disclosure.
An ‘authorised disclosure’ of your identity or information is a disclosure:
- to ASIC, APRA or the Australian Federal Police,
- to a lawyer for advice about the whistleblower protections, or
- with your consent.
In a company’s or organisation’s investigation of the concerns raised in your report, the company or organisation must take reasonable steps to ensure that information likely to lead to your identification is not disclosed.
We can pursue allegations that a person made an unauthorised disclosure of your identity or information likely to lead to your identification as a whistleblower, but we would need your assistance to investigate the allegations. This may result in a penalty to the person but not necessarily compensation. ASIC cannot order compensation be paid to you.
You can seek compensation through a court if you suffer loss, damage, or injury for making your disclosure. We encourage you to seek legal advice about any potential remedies that may be available to you. Further information is available in INFO 238.
If you believe you may be a whistleblower or are unsure what protections may apply to you, it is important to seek legal advice. We are not able to give personal legal advice.
Only a properly accredited legal practitioner who understands your circumstances can give you legal advice. This is especially important if you are thinking of acting on the rights the whistleblower protections give to you.
After receiving your report, we will contact you if we need further information or to refer your concerns to another regulator or law enforcement agency.
If we progress your report to investigation, a dedicated ASIC Whistleblower Liaison Officer will contact you regularly to update you as best we can.
We appreciate the importance of informing the public of our regulatory activities; however, discussing information regarding our regulatory work may jeopardise an investigation. For more information, see Information Sheet 152 Public comment on ASIC's regulatory activities (INFO 152).
If your report to ASIC is about matters that fall within the responsibilities of another regulator or law enforcement agency, we may refer you to a more appropriate agency to consider the concerns – such as state or federal police or another regulatory body. In addition, we may not be able to inform you of the actions taken by the other regulator or agency. You may need to contact them directly for an update. This may be relevant if you are considering making a public interest disclosure to a journalist or parliamentarian. Further information is available in INFO 238.
ASIC has formed an Office of the Whistleblower to improve our ability to:
- identify, assess, and inquire into whistleblower reports
- communicate with whistleblowers if we make follow-up inquiries
- liaise with other regulators and industry stakeholders on whistleblower handling and the whistleblower protections.
The Office of the Whistleblower oversees the handling of whistleblower matters on behalf of all of ASIC’s teams, rather than our various teams handling or dealing with individual whistleblower matters directly.
As noted above, if you believe you are a whistleblower with information that relates to potential breaches of the laws ASIC administers, you should send the details to ASIC through our online misconduct reporting form or by writing to ASIC.
Where to find more information
- Regulatory Guide 103 Confidentiality and release of information (RG 103)
- INFO 151 ASIC’s approach to enforcement
- INFO 153 How ASIC deals with reports of misconduct
- INFO 172 Cooperating with ASIC
- INFO 208 When companies break laws that ASIC does not enforce
- INFO 238 Whistleblower rights and protections
Read the whistleblower provisions of the Corporations Act (especially Part 9.4AAA) on the Federal Register of Legislation.
Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. Omission of any matter in this information sheet will not relieve a company or its officers from any penalty incurred by failing to comply with the statutory obligations of the Corporations Act.
You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.
Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.
This information sheet was reissued in June 2023.