By Commissioner Sean Hughes

15 March 2022

Your whistleblower policy may not comply with the latest updates to the whistleblower protection regime, writes ASIC Commissioner Sean Hughes GAICD.

The past three years have seen extensive changes to the Australian whistleblower protection regime in the Corporations Act 2001 (Cth). Public companies, large proprietary companies and corporate trustees of registrable superannuation entities are required to have a whistleblower policy that reflects the strengthened whistleblower protection regime that started on 1 July 2019. This includes clearly setting out the legislated protections for whistleblowers and how they can report misconduct.

Compliance gap

After allowing a period of time for companies to adapt to the 2019 reforms, the Australian Securities and Investments Commission (ASIC) conducted a review of 102 whistleblower policies throughout 2020 to assess the extent of any gaps between the legal requirements and how policies are responding to them. Unfortunately, the majority fell short. Two of the most prevalent and concerning deficiencies we saw were incomplete or inaccurate information and obsolete, out-of-date policies.

These issues suggest that many companies do not fully understand the enhanced whistleblower protection regime or, worse still, have chosen to ignore them. This was concerning to say the least. So much so that ASIC wrote an open letter to CEOs urging them to review their whistleblower policies to ensure they comply with the law.

We encourage company directors to discuss this letter with senior management and think about your workplace culture of speaking up. If the issues we observed from our review are present in your company’s policy, we expect them to be addressed and corrected without delay.

While not legally required, we were also concerned to see many policies did not include details of the oversight arrangements for the whistleblower policy and program. We remind company directors of the importance of maintaining oversight over your entity’s whistleblower program and refer you to ASIC Information Sheet 247 Company officer obligations under the whistleblower protection provisions.

Corporations Act requirements

The Corporations Act requires entities to include information about the following matters in their whistleblower policies:

• Protections available to whistleblowers
• How to make a qualifying disclosure, including to whom
• Your entity’s measures to support and protect whistleblowers
• How your entity will investigate whistleblower disclosures ensure fair treatment of employees named in disclosures or to whom such disclosures relate
• How the police will be made available to officers and employees.

ASIC Regulatory Guide 270, Whistleblower policies contains guidance and good practice tips on establishing and implementing a whistleblower policy and program. We welcome feedback on this guidance as experience under the 2019 reforms evolves.

Don’t wait until it’s too late

ASIC continues to monitor compliance with the whistleblower policy requirements and the handling of whistleblower disclosures. It will come as no surprise to readers of this column that where we identify non-compliance, we will consider using the full range of regulatory tools available to us, including enforcement action.

One of our priorities this year is to review whistleblower programs from a sample of companies. This review will assess how these companies handle whistleblower disclosures, how they use the information from disclosures to address issues or change their operations, and the level of board and executive oversight of the program.

Whistleblowers help companies identify problems and issues that they need to address to comply with the law and improve their performance. If your employees do not know how they are protected by whistleblower policies or they feel unsure about how to speak up, you may miss many vital opportunities to address harm before it becomes significant or systemic. Not just the chance to identify and address potential misconduct at an early stage, but also to protect your company’s reputation and brand. A clear and compliant policy is an important step to encourage potential whistleblowers to speak up and prevent issues from snowballing.

This article was first published in AICD's Company Director magazine in March 2022.