
ASIC publishes whistleblower policy review

10 November 2021


#Corporate & Commercial Law, #Workplace Relations & Safety


As ASIC welcomed in the new whistleblower regime in 2019, it warned covered entities that it would be conducting ongoing surveillance to monitor and enforce compliance. Now, the first findings from those surveillance programs have been released.

During 2020, ASIC reviewed a sample of whistleblower policies and analysed their compliance with the requirements under the Corporations Act 2001 (Cth) (Act).

In a letter to CEOs of entities covered under the regime, ASIC highlights common areas of concern in the policies they have reviewed and encourages entities to revisit their whistleblower policies to check their compliance with the Act.

Many of the deficiencies observed by ASIC centre on entities incorrectly believing they need only include the information explicitly prescribed in section 1317AI of the Act. ASIC’s letter to CEOs (as well as guidance released back in 2019) paints a different picture.

ASIC’s view is that insufficient information may discourage whistleblowers from speaking up. A compliant whistleblower policy must include enough detail for whistleblowers to effectively understand the protections available to them and how to make a disclosure that would qualify for such protection (a qualifying disclosure).

What must a compliant whistleblower policy include?

The Act requires that a policy must provide information about:

  • the protections available to whistleblowers
  • how a whistleblower can make a qualifying disclosure, including to whom
  • how the company will support whistleblowers and protect them from detriment
  • how the company will investigate whistleblower reports
  • how the company will ensure that employees mentioned in or the subject of reports are treated fairly
  • how the policy is to be made available to officers and employees of the company
  • any other matters prescribed by the regulations.

In November 2019, ASIC released Regulatory Guide 270 (RG 270), which sent entities a clear signal that ASIC was expecting more than a bare-bones policy.

ASIC’s review

Those expectations are reflected in ASIC’s findings that “the majority” of policies reviewed did not include all the information required by the Act. In particular, ASIC advised CEOs that it was most concerned about policies that provided “unclear, incomplete or inaccurate” information about how a whistleblower can make a qualifying disclosure and the protections available in the event they do so.

For example, ASIC noted that a number of policies failed to identify all the protections available to whistleblowers or to note every category of person who is eligible to make and receive a qualifying disclosure. Policies that only listed the preferred or internal channels available to report relevant conduct did not meet ASIC’s compliance expectations.

ASIC also warned entities that policies that encourage whistleblowers to speak first to a manager about their concerns might place whistleblowers at greater risk of detriment and loss of confidentiality. This is because most managers will not be “eligible recipients”, and therefore, the whistleblower will not have made a disclosure that qualifies for protection under the Act.

Other observations on the specific policy requirements include:

1. whistleblower protections: ASIC emphasised that entities must specifically state that the protections available are legal protections to give potential whistleblowers clarity on the fact that they may seek legal recourse if the protections are not provided

2. making a qualifying disclosure: ASIC observed that policies that do not summarise the threshold criteria for making a qualifying disclosure might make it difficult for potential whistleblowers to understand how they can make a disclosure that attracts the legal protections available under the Act. In particular, some policies:

  • did not accurately describe the types of conduct that are reportable under the Act. For example, ASIC’s RG 270 advised entities that personal work-related grievances (which are ordinarily not covered under the Act) may still qualify for protection in some circumstances. ASIC has indicated that this level of detail is expected in a compliant policy;
  • did not state that whistleblowers may remain anonymous when making a disclosure that qualifies for protection; or
  • retained outdated statements about making a qualifying disclosure. For example, under the new whistleblower regime, individuals are no longer required to make a disclosure “in good faith” or “without malice” to attract the protections under the Act. Any statements to the contrary must be removed from whistleblower policies.

3. investigating a qualifying disclosure: Entities must explain the process they have in place for investigating disclosures by whistleblowers, for example, by summarising the steps taken after a disclosure is made

4. support for whistleblowers and fair treatment for individuals named in qualifying disclosures: ASIC emphasised that entities must not merely state that they will support and protect whistleblowers and instead must describe how such support will be provided. Similarly, a statement that employees mentioned in qualifying disclosures will be treated fairly will not satisfy the requirement to describe how the entity will ensure that those employees are given fair treatment

5. making the policy available: ASIC observed that not all entities made their policy publicly available on their websites. Although this is not a requirement under the Act, doing so ensures that eligible whistleblowers who are not employees of the entity can easily find out how to make a qualifying disclosure without resorting to an external reporting channel.

Is your policy compliant?

As we approach the end of 2021, now is a good time to revisit your whistleblower policy and check if it is compliant.

This means your policy needs to go beyond what might be included in a ‘bare-bones’ policy to provide sufficient detail and ensure that potential whistleblowers understand exactly how they can make a qualifying disclosure and the protections that will be available to them if they do.

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
