New whistleblowing laws, which significantly strengthen the protections available to people who blow the whistle on corporate and financial misconduct, have tangibly changed the corporate landscape and director exposure.
The changes, introduced through amendments to the Corporations Act 2001 (Cth), came into effect on 1 July and have important implications for directors as defined “eligible recipients” of protected disclosures at law. Significant personal liability can arise if a director fails to treat a disclosure protected under law in accordance with the strict confidentiality and anti-victimisation requirements imposed.
The personal stakes for directors and senior managers, and corporate liability for breaches, are much higher due to significantly increased penalties that now apply for breaches of the Act, including the whistleblowing provisions (see breakout below). In addition, public and large proprietary companies that fail to have a compliant whistleblowing policy by 1 January 2020 may also be liable for a criminal penalty.
With whistleblowing disclosures already on the rise following the changes, there is greater legal exposure associated with mishandling a protected disclosure. However, it is not all bad news for directors, as the changes must be viewed in the current regulatory and corporate climate. The flipside is that the new laws present an opportunity to strengthen corporate culture and compliance within organisations.
It is important to note that the banking Royal Commission and corporate scandals such as misconduct in the Commonwealth Bank’s financial planning arm revealed that whistleblowers possessed important corporate intelligence critical to the identification of wrongdoing in companies.
To get directors up to speed, we highlight the main features of the new laws and provide practical tips to support compliance.
What protections apply?
For a whistleblower to gain protection under the Act, they must:
- Be a current or former employee, officer or supplier (or an employee of a supplier) of a company. They can also be a relative or dependant of one of those individuals.
- Make a disclosure (which may be done anonymously) about “misconduct or an improper state of affairs or circumstances” in relation to a company or a related body corporate (RBC). They can also disclose that a company or RBC (or one of their officers or employees) has contravened certain corporate and financial sector laws, any law of the Commonwealth punishable by 12 months or more imprisonment, or has engaged in conduct that represents a danger to the public or the financial system.
- Make their disclosure to an officer (including a director), “senior manager”, auditor or actuary of a company or RBC, or a person authorised by a company to receive whistleblowing disclosures.
These laws do not apply to “personal work-related grievances”, which solely concern a whistleblower in relation to their employment. In practice, this carve-out is likely to be fairly limited in application. Importantly, the laws can apply outside Australia. For example, they can apply to disclosures made to overseas-based directors and/or concern conduct by an overseas-based company, their officers and/or employees.
A protected whistleblower is entitled to two main protections under the legislation:
- Confidentiality: their identity, or information that is likely to lead to their identification, cannot be disclosed by any person in connection with their disclosure without their consent (unless some limited exceptions apply).
- Victimisation: a person may not cause any detriment to them, or threaten to do so, because of a belief or suspicion that they made, may have made, proposed to make or could make a disclosure that would qualify for protection.
A breach of either of these protections is a criminal offence and can give rise to the hefty civil and criminal penalties referred to as well as jail (see breakout below). Notably, the Australian Securities and Investments Commission (ASIC) has received additional federal funding in support of prosecution and has said it will be looking for cases involving breaches of these protections.
Additionally, a whistleblower can directly seek uncapped compensation orders from a court in relation to a claim of victimisation and a “reverse onus” will apply, such as that the corporate and/or any individuals responding to the claim must prove they did not victimise a whistleblower. This means the whistleblower does not need to prove their case, but rather only point to the fact that there is a “reasonable possibility” that victimisation has occurred.
Whistleblowers also have the ability to make a protected disclosure outside the organisation — to ASIC, the Australian Prudential Regulation Authority, Australian Federal Police, legal representative and, in certain “public interest” and “emergency” circumstances, to journalists and parliamentarians. The reputational risk associated with a disclosure that is made externally to one of these parties can be significant and is another reason to strengthen internal mechanisms in order to encourage disclosures being raised within the organisation.
A similar regime has been replicated under the Taxation Administration Act 1953 in relation to tax matters.
“Directors should err on the side of caution when assessing whether a person has made a disclosure that could amount to a whistleblowing matter and, where this is a possibility, seek consent from a whistleblower to share their disclosure as needed.”
What are the main issues for directors?
The new laws raise a number of practical issues directors need to understand.
- Recognition risk It is critical directors recognise when a protected disclosure is made to them so they comply with their legal obligations (including to maintain the confidentiality of a whistleblower). This is one of the trickier issues to navigate, as a whistleblower may not always identify themselves as such or refer to an organisation’s whistleblowing policy when making a disclosure. This doesn’t affect the protections available to whistleblowers under law. They will still apply, provided the whistleblower is a type of person eligible to make a disclosure and the subject matter of their disclosure is covered by the legislation.
To add to the complexity, the scope of what might amount to a protected disclosure under law is not straightforward. For example, there is no real guidance on the meaning of an “improper state of affairs or circumstances”, and it is often not immediately evident whether an issue could give rise to a breach of the relevant Commonwealth laws.
In draft regulatory guidance released in August 2019, ASIC suggested the types of conduct that may give rise to a protected disclosure include:
- Illegal conduct (such as theft, dealing in/use of illicit drugs, violence/threatened violence, and criminal damage against property).
- Fraud, money laundering or misappropriation of funds.
- Offering or accepting a bribe.
- Financial irregularities.
- Failure to comply with, or breach of, legal or regulatory requirements.
- Engaging/threatening to engage in detrimental conduct against a person who has made a disclosure or is believed/suspected to have made/be planning to make a disclosure.
However, this list is not exhaustive. It is likely a court will place some limits around the scope of disclosures that are captured by the legislation in the future. Until that time, directors should err on the side of caution when assessing whether a person has made a disclosure that could amount to a whistleblowing matter and, where this is a possibility, seek consent from a whistleblower to share their disclosure as needed.
Practically speaking, a director is less likely to be accused of victimising a whistleblower, as opposed to a person who manages and supervises the relevant individual. There is still
a possibility of this — noting the victimisation provisions under the new legislation can capture a director if they are involved as an accessory in a company or another individual’s victimising conduct.
The more likely risk for a director is they do not comply with the requirement under law not to disclose a protected whistleblower’s identity or information that is likely to lead to their identification, without their consent. A breach of this requirement, no matter how inadvertent, can still result in civil and criminal penalties (including up to six months’ jail time).
Practically, it may not always be obvious what information could reveal a whistleblower’s identity — simply redacting their name and other identifying details may not be enough. For example, it may be that their identity could be revealed by virtue of the issue raised or the company division their disclosure concerns.
In light of this, directors should adopt a prudent approach and seek consent in all cases from an individual who discloses concerning conduct, to share their disclosure as needed. Directors can obtain legal advice in relation to the operation of the whistleblower provisions under the Act, notwithstanding the strict confidentiality obligations. For this reason, directors should seek legal advice immediately if unsure how to handle a disclosure in accordance with these laws.
Checklist for directors
- Understand the types of disclosures that can be protected under the Act, so as to recognise when to apply the legislative whistleblower protections. This is not straightforward, so seek advice if unsure.
- Ensure you’re receiving the right information. The board (or a subcommittee) should receive periodic reporting on whistleblowing matters (including appropriate metrics on reports made). Boards of listed companies should also be informed of material incidents reported under the organisation’s whistleblowing policy once the fourth edition of the ASX Corporate Governance Principles and Recommendations becomes effective.
- Ensure the board (or a subcommittee) addresses and mitigates any broader trends and themes and/or emerging risks arising from reports made to the board.
- Ensure an organisation has a whistleblowing policy compliant with the Act (where applicable) and a framework that supports disclosures being received, assessed, investigated and resolved under that policy. There should also be a mechanism in place to periodically review the effectiveness of the policy.
- Encourage an ethical culture that values integrity and where whistleblowers feel safe to speak up, including formal endorsement of the organisation’s whistleblowing policy
Cilla Robinson is a partner and Amanda Lyras is a senior associate at law firm Clayton Utz.