Whistleblower policies and the compliance gap

Speech by ASIC Commissioner Sean Hughes at the 3rd Australian National Whistleblowing Symposium, Thursday 11 November 2021.

Check against delivery

I begin by acknowledging the Traditional Custodians of the lands I am on today, the Boon Wurrung and Woiwurrung people of the Kulin nation. I pay my respects to their elders past, present and emerging, and extend that respect to Aboriginal and Torres Strait Islander peoples joining the symposium today.

It is a pleasure to speak to you today and to participate in this important symposium. Conversations such as this topic are increasingly relevant.

Today I am here to provide a regulatory update on ASIC’s role as conduct regulator in corporate and financial services.

Most of you attending today are aware that the past three years have seen world-leading changes to the Australian whistleblower protection regime under the Corporations Act 2001.

What you may not realise is that as the conduct regulator of Australia’s corporate sector, ASIC is also benefiting from those changes in terms of the amount of information on misconduct being shared with us by whistleblowers.

We are able to perform our role more effectively. We can step in and address misconduct that may cause serious harm to consumers and investors. And as a result, all Australians benefit from having increased confidence and deeper trust in a fair, strong and efficient financial system.

I will share some statistics to back that up shortly.

But first I would like to say thank you on behalf of ASIC to the people who step forward to speak up. We know that takes a certain level of courage. And a willingness to endure a lonely process of assessment and investigation before any form of closure.

Investigating misconduct revealed by whistleblowers is just one touchpoint ASIC has with the whistleblower protection regime. We do more than just: 1. investigate misconduct and 2. enforce breaches of the protections. We also promote and foster compliance with the whistleblower protection regime.

It is for that reason ASIC has called on Australian CEOs – from public companies, large proprietary companies and corporate superannuation trustees – to review their whistleblower policies to ensure they comply with the law.

I have called this speech ‘Whistleblower policies and the compliance gap’ because it’s the gap that matters – that is what our recent review uncovered – a gap between the legal requirements and how company policies are responding to them.

In the next 10 minutes I will briefly outline:

  1. the Corporations Act reforms
  2. the scope of ASIC’s review and our findings
  3. what we are asking Australian CEOs to do.

If time permits, I will also outline what ASIC is doing to ‘walk the talk’ on whistleblowing within our own organisation.

1. Corporations Act reforms and goals

The 2019 reforms to the Corporations Act whistleblower protection regime have not only encouraged more people to come forward, but also supported ASIC’s performance of its regulatory role.

The latest statistics speak for themselves.

  • In the 2018–19 financial year, (before the protections commenced), ASIC dealt with 278 whistleblower reports.
  • The following 2019–20 financial year, we dealt with 644 whistleblower reports.
  • In the 2020–21 financial year we dealt with 817.

In other words, the immediate post reform period has witnessed an increase of 194% in reports over two years.

I acknowledge that many factors will have contributed to this 194% increase in the number of reports to ASIC. But some correlation to the law reform cannot be denied. I know we are also hearing that the reforms have encouraged reporting by whistleblowers within businesses.

These statistics relate to reports to ASIC. But we are also responsible for enforcement of the whistleblower protection regime under the Corporations Act. I would like to call out two important protections that ASIC is responsible for enforcing:

  • Protection offered by confidentiality – including protection of identity.
  • Protection from harm or detriment – including from threats to cause detriment for making disclosures.

ASIC can take action against people who breach a whistleblower’s identity. And we can also take action against people who harm or fail to prevent harm to whistleblowers. Those who suffer detriment can also separately seek compensation and other remedies.

We have current investigations underway into alleged breaches of the whistleblower protections. And we continue to assess new reports of these matters. Given the nature of our activities and the confidentiality protections in place, I will not go into any detail on individual matters.

Please know that ASIC takes non-compliance with the whistleblower protections seriously. If you have suffered detriment for making a whistleblower disclosure or because someone thinks you have, we want to hear about your experiences. ASIC may be able to take action against the company or individual for their detrimental actions.

2. Review of whistleblower policies

I will now turn to ASIC’s whistleblower policy review.

Since 1 January 2020, the Corporations Act has required public companies, large proprietary companies, and trustees of registrable superannuation entities to have a whistleblower policy that sets out particular matters, and to make that policy available to its officers and employees.

In November 2019, ASIC released Regulatory Guide 270 Whistleblower policies, which contains guidance and good practice tips on establishing and implementing a whistleblower policy and program.

In the 2020–21 financial year, we reviewed a sample of 102 whistleblower policies from entities that are subject to the requirement to have a policy. We did this to:

  • understand how entities are responding to the requirements
  • understand and benchmark the standard of policies across entities
  • refine ASIC’s regulatory approach to the requirements.

First, the good news. Of the 102 policies we reviewed, many did meet some of the requirements set out in the Corporations Act.

We were pleased with the better practices we identified and I want to give credit where it is due before getting into the details of our findings.

Because unfortunately, the majority of policies we reviewed did not fully address the legal requirements. I will set out three of the most prevalent and concerning deficiencies we saw:

  • incomplete or inaccurate information
  • obsolete and out-of-date policies
  • policies without oversight arrangements.

These three issues are of particular concern to ASIC because they suggest that many entities do not fully understand the enhanced whistleblower protection regime, or worse still, have chosen to ignore them.

Incomplete or inaccurate information about the protections

Concerningly, around a third of the policies in our sample provided incomplete or inaccurate information about the protections available to whistleblowers. For example, we found policies that did not:

  • mention whistleblowers can seek compensation and other remedies if they suffer harm for making a disclosure
  • explain a whistleblower’s right to confidentiality
  • explain that these protections are available under the law.

Understandably, if a potential whistleblower is concerned about the negative effects of making a disclosure, they may not speak up. As such, it is vital for entities to provide clear and complete information about the protections available to encourage people to come forward.

The policies that did well in this area provided information about the protections in positive terms. For example, they described how the entity would safeguard the reporter’s entitlement to the protections and how whistleblowers can enforce the protections.

Obsolete and out-of-date policies

Two in five (or 40%) of policies we reviewed did not adequately summarise the threshold criteria for whistleblowers to qualify for protection. Many included references to obsolete requirements or had not been updated to refer to the regime’s expanded scope.

This suggests those policies were not fully updated to reflect the Government’s reforms to the regime, or management simply chose to ignore them. Neither response is acceptable.

For example, we saw policies that did not fully describe who a whistleblower can report to under the law (missing from nearly half the policies we reviewed).

Instead, they tended to list only the preferred or internal channels available to whistleblowers.

Some policies encouraged whistleblowers to discuss concerns with their managers before making a report – without clarifying that those discussions may not qualify for whistleblower protections.

These procedural and policy flaws may result in potential whistleblowers not understanding how to make a disclosure that qualifies for the protections.

It is important to note that we did see policies that correctly addressed some of these issues. For example, two thirds of the policies we reviewed acknowledged that whistleblowers could disclose anonymously and qualify for protections.

We also found some policies encouraged people to use the whistleblower reporting channels for all reports, even when it is unclear if the issue raised would be covered by the legal protections. This approach preserves a person’s ability to rely on the protections.

Policies without oversight arrangements

While not legally required, we are concerned that close to a third of policies we reviewed did not state if the entity had mechanisms to monitor the effectiveness of its whistleblower policy.

This suggests there is an attitude of ‘set and forget’, which is not good enough.

ASIC wants to see entities treating their whistleblower programs as an important governance function which supports robust and timely escalation of important information and cultural warning signs to an organisation’s leadership. This includes review mechanisms to monitor their effectiveness. We also encourage entities to integrate insights from their whistleblower programs with other information sources for boards to make decisions.

3. Call to action for Australian CEOs

Review your policies

Once we completed our review in October 2021 ASIC published an open letter to CEOs of public companies, large proprietary companies and corporate superannuation trustees.

In it, we asked them to review their whistleblower policies to ensure they comply with the law.

The letter provides more information about our review and findings, and is available for anyone to read on the ASIC website.

You can read the letter in more detail to see where the policies in our sample fell short, and what entities can do to improve.

Of course, since the release of our whistleblower policy guidance in 2019, the COVID-19 pandemic has created multiple challenges for entities to address.

But (touch wood) now that we appear to be emerging from the worst of the pandemic, ASIC wants to remind CEOs and executives about these important issues.

In the new year we will continue to monitor compliance and we are planning another review of whistleblower policies in the future. If we identify non-compliance, ASIC will draw upon the full suite of regulatory tools we have available to us, which includes enforcement action.

Review your internal systems and processes

To ensure the whistleblower protections are embedded, ASIC considers it essential for a company to have effective internal systems and processes to handle disclosures in line with its whistleblower policy.

Courts can consider whether a company’s whistleblower policy has been effectively implemented when deciding on compensation claims for whistleblowers who may have suffered for speaking out.

Significantly, one of our priorities in the coming year is to review whistleblower programs from a sample of regulated entities to see how practices are evolving to address the reforms. With a corporate governance lens, we want to look at:

  • how entities are handling whistleblower disclosures
  • how entities use the information from disclosures to address issues or misconduct or change their operations
  • the level of board and executive oversight of whistleblower programs.

4. Walk the talk: ASIC’s approach to whistleblowing

Before I conclude I will briefly mention ASIC’s own approach to detecting and responding to concerns internally.

We are actively fostering an environment where people feel confident to speak up about wrongdoing. Commissioners, as well as our executives and senior leaders, strive to ensure our people know that we value the information they provide.

We have a range of formal and informal reporting mechanisms for our people to raise different issues. This includes our Public Interest Disclosure Policy and Procedures, governed by the Public Interest Disclosure Act 2013, which was discussed at this symposium earlier today.

We recently launched a new reporting platform to complement our existing reporting mechanisms. The new platform provides a channel for our people to easily lodge public interest disclosure reports, or other reports about integrity-related matters. It also makes it easier for those who want to raise issues anonymously to do that, and to remain anonymous throughout the assessment and investigation process.

We think this sends a clear message within our organisation that we genuinely want to hear about issues. We hope it encourages more people to speak up.

Our program is not limited to reporting mechanisms. We have processes and resources to ensure our people have confidence that:

  • matters they raise will be looked into confidentially
  • we will protect them from retaliation
  • they will be treated fairly, professionally and respectfully.

We also have internal escalation and reporting mechanisms designed to ensure that not only do we address immediate issues arising from reports, we also use the information we receive to identify trends and address emerging risks before they become systemic.

Our program has evolved over time and we will continue to try to improve it within the confines of our operating and legal environment.

Conclusion

After the community health and safety challenges of the past 18 months and the economic crisis surrounding them, it would have been tempting for entities and their senior management to treat the 2019 reforms – and indeed the whole whistleblower program of work as a “nice to have” which could be postponed to more benign times. But despite that pressure, I believe Australia’s corporate sector whistleblower regime is moving in the right direction.

In particular, I am positive about the changes we have seen in the past three years.

Once companies have caught up to the new requirements I believe we will see even greater benefits to the health and sustainability of the culture within Australia’s corporate sector.

I am looking forward to hearing more about the recently published ISO 37002 Guidelines for Whistleblowing management systems from some of the ISO Working Group members this afternoon. ASIC may consider some of the broader practical guidance in these guidelines in our next review.

We are also monitoring developments in the European Union. I am keen to see what we can learn from observing how each EU member state implements the standards in the Whistleblower Protection Directive (EU 2019/1937) on the protection of persons who report breaches of Union law by the end of this year.

This local and international activity points to the fact that laws and standards on protection are moving positively and consistent with the overall policy intent. We just need to bring companies along with us. Strong whistleblower systems, processes and procedures are – and always will be – a vital element of good corporate culture.

Consistent with our role in promoting increased confidence in a fair, strong and efficient financial system, ASIC will continue to advocate for whistleblower programs which place at their heart trust, impartiality and protection. With the increased transparency and earlier risk identification and harm prevention arising from an effective regime, we can all have greater confidence – and with that confidence – support the recovery of our community and economy.

Thank you.

Last updated: 11/11/2021 01:30