Against this backdrop, new whistleblowing laws were introduced in Australia under the Corporations Act 2001
(Cth) (Corporations Act)
which have significantly strengthened protections available to whistleblowers. The laws apply across sectors and require that public and large proprietary companies now have a compliant whistleblowing policy in place (there are exemptions from policy requirements for smaller not-for-profits).
These laws have significantly upped the stakes personally for directors, due to enhanced criminal and civil penalties (see section below) which apply to both corporates and individuals who act in breach of the laws. These penalties recognise the pivotal role that whistleblowers play, and the need to ensure they are appropriate protected, by wielding a meaningful deterrent.
The new laws present an opportunity to strengthen corporate culture and compliance within organisations. The freedom of whistleblowers to call out bad behaviour will positively impact on issues of workplace culture and any liabilities of the business. Where bad behaviour may have gone undetected in years gone by, a strong whistleblower framework will ensure that such conduct is surfaced and identified more quickly, allowing companies to address any underlying causes or systemic issues. This supports improved business performance and minimises the risk of corporate liability and disruption.
With whistleblowing disclosures already on the rise following the reforms, there is greater legal exposure associated with mishandling a protected whistleblower disclosure. Directors are defined as “eligible recipients” of protected disclosures at law, and significant personal liability can arise if a director fails to treat a disclosure protected under law in accordance with the strict confidentiality and anti-victimisation requirements imposed, or if they are otherwise involved as an accessory in a contravention by another person (including a body corporate). Even with the best intentions, it is possible that a breach of these laws may nevertheless arise.
In addition, the reputation of corporates and individuals is also at stake if a whistleblower complaint is not properly managed. The new laws confer protections on whistleblowers if they approach regulators with a concern about misconduct or an improper state of affairs or circumstances in relation to an entity, and there is also the potential for whistleblowers to make protected disclosures to parliamentarians and journalists about such matters in certain circumstances. Having a robust whistleblowing framework in place that encourages and supports whistleblowers raising matters internally minimises the risk of potential reputational damage and fallout.
Following these reforms, and particularly in light of the enhanced penalty regime that now applies, whistleblowing has become a 'front and centre' compliance matter for organisations. However, viewing whistleblowing simply as a compliance exercise risks missing out on the benefits that can be achieved when it is approached as an integral part of supporting good governance and corporate culture.
This tool focuses on the corporate sector whistleblower protection regime – separate considerations apply in the public sector. Specifically, it sets out an overview of the legal framework and some practical insights and tips for directors in supporting an effective whistleblowing framework.
“Whistleblowing plays an important role in alerting businesses to changes necessary to help improve overall corporate performance. Encouraging people to speak up when they see wrongdoing increases transparency and has the added benefit of improving organisational culture. That’s why companies should make it as easy as possible for their own people to come forward when they observe or experience misconduct in the workplace...” - John Price on transparency and culture.1
Overview of legal framework
Who is eligible for protection?
For a whistleblower to be eligible for protection under the Corporations Act, they must:
- Be a current or former employee, officer or supplier (or an employee of a supplier) of a company. They can also be a relative or dependant of one of those individuals;
- Make a disclosure (which may be done anonymously) about “misconduct or an improper state of affairs or circumstances” in relation to a company or a related body corporate (RBC). They can also disclose that a company or RBC (or one of their officers or employees) has contravened certain corporate and financial sector laws, any law of the Commonwealth punishable by 12 months or more imprisonment, or has engaged in conduct that represents a danger to the public or the financial system;
- Make their disclosure to an officer (including a director), “senior manager”, auditor or actuary of a company or RBC, or a person authorised by a company to receive whistleblowing disclosures.
These laws do not apply to “personal work-related grievances”, which solely concern a whistleblower in relation to their employment. In practice, this carve-out is likely to be fairly limited in application. Importantly, the laws can apply outside Australia. For example, they can apply to disclosures made to overseas-based directors and/or concern conduct by an overseas-based company, their officers and/or employees.
What protections apply?
A protected whistleblower is entitled to two main protections under the legislation:
- Confidentiality: their identity, or information that is likely to lead to their identification, cannot be disclosed by any person in connection with their disclosure without their consent (unless some limited exceptions apply).
- Victimisation: a person may not cause any detriment to them, or threaten to do so, because of a belief or suspicion that they made, may have made, proposed to make or could make a disclosure that would qualify for protection.
A breach of either of these protections is a criminal offence and can give rise to the hefty civil and criminal penalties referred to as well as jail (see breakout below). Notably, the Australian Securities and Investments Commission (ASIC) has received additional federal funding in support of prosecution and has said it will be looking for cases involving breaches of these protections.2
Additionally, a whistleblower can directly seek uncapped compensation orders from a court in relation to a claim of victimisation and a “reverse onus” will apply, such as that the corporate and/or any individuals responding to the claim must prove they did not victimise a whistleblower. This means the whistleblower does not need to prove their case, but rather only point to the fact that there is a “reasonable possibility” that victimisation has occurred.
A similar regime has been replicated under the Taxation Administration Act 1953 in relation to tax matters.
Who is an eligible recipient?
In order for a disclosure to be protected under the Corporations Act, it must be made to an eligible recipient. The legislation outlines a broader pool of eligible recipients than the previous whistleblowing regime, including:
- an officer or senior manager;
- an auditor, or member of an audit team conducting an audit;
- an actuary;
- ASIC, APRA or the AFP;
- the Commissioner of Taxation; or
- a member of parliament or a journalist in specific circumstances.
Eligible recipients must exercise care in how they deal with a disclosure, particularly in relation to maintaining the confidentiality of the whistleblower's identity. Importantly, a person may not always identify themselves as a whistleblower. Eligible recipients must be mindful about whether any serious or systemic issues are being raised that fall into the categories of matters that a whistleblower can raise under the company’s whistleblower policy.
In circumstances where a disclosure is made to an eligible person other than the company's authorised recipients, the discloser may be required to consent to the disclosure of the whistleblowing report to the authorised recipients. As a practical matter, a properly drafted whistleblowing policy is key to ensuring that disclosures are made to the company’s authorised recipients. This will assist with funnelling disclosures to the appropriate individuals and ensure they are dealt with effectively. ASIC has confirmed the merits of this approach in recent guidance for directors.
As outlined above, whistleblowers also have the ability to make a protected disclosure outside of their organisation (that is, to ASIC, APRA, AFP, Commissioner of Taxation, a member of parliament or journalist in certain circumstances). The reputational risk associated with a disclosure that is made externally to one of these parties can be significant, and is another reason to strengthen internal mechanisms in order to encourage disclosures being raised within the organisation.
How does the regime apply in the context of not-for-profits and charities?
Not-for-profit incorporated organisations that meet the definition of a trading or financial corporation must comply with the corporate sector whistleblower protection regime. Some guidance on ‘trading or financial corporations’ is available on the ASIC website.3 This may include the following organisations incorporated under state or territory legislation, if they are trading or financial corporations:
- incorporated associations;
- other bodies corporate, including not-for-profit bodies corporate;
- incorporated organisations registered with ASIC as Australian registered bodies;
- incorporated organisations registered with the Australian Charities and Not-for-profits Commission (ACNC) as charities.
All not-for-profit organisations structured as public companies limited by guarantee must comply with the whistleblower protection provisions.
What needs to be in a whistleblowing policy?
The Corporations Act is very prescriptive about the content that must be contained in a whistleblowing policy. This is to support the overall public policy position of seeking to encourage whistleblowers to raise concerns, by providing them with clear information about how they can raise a concern, and how they will be protected and supported where they do so. The prescriptive nature of whistleblowing policies means they will be necessarily more detailed than other employment policies.
ASIC has released regulatory guidance to assist entities that are required to have a whistleblower policy in place – ASIC Regulatory Guide RG270 (Guide) (referenced below). This Guide, although not law, should be used as a foundation for drafting a company whistleblowing policy. The Guide identifies content which is described as 'mandatory' to include in a whistleblowing policy in order to comply with the Corporations Act, along with non-mandatory, good practice guidance. It also provides a strong indication of ASIC's expectations and issues that are likely to be considered in the exercise of its enforcement role.
At a minimum, a whistleblower policy must outline:
- the protections available to whistleblowers, including protections under the Corporations Act;
- to whom disclosures that qualify for protection under the Corporations Act may be made, and how they may be made;
- how the company will support whistleblowers and protect them from detriment;
- how the company will investigate disclosures that qualify for protection under the Corporations Act;
- how the company will ensure fair treatment of its employees who are mentioned in disclosures that qualify for protection, or its employees who are the subject of disclosures;
- how the policy will be made available to officers and employees of the company; and
- any matters prescribed by regulations.
Of course, simply having a compliant policy in place, without ensuring that the underlying procedures in an organisation support the effective implementation of that policy, run the risk that the policy does not play out in practice and that corporate and personal liability is enlivened.
What are the requirements for whistleblowing policies for not-for-profits?
While there is an exception from the legal requirement to have a whistleblower for certain not-for-profits and charities (see below), the AICD recommends that, as a matter of good governance, entities should implement whistleblower policies or at a minimum arrangements for handling whistleblower disclosures.
The AICD’s Not-For-Profit Governance Principles (NFP Principles)4, which were revised in January 2019 and are intended to provide a framework for all not-for-profits to consider good governance practices, recognise that whistleblowers are an important line of defence against wrongdoing, and providing them with adequate protection against retribution can encourage them to come forward with valuable information. The Principles further note that it is a good idea to establish a whistleblower policy, and suggest a number of matters to be addressed including how to make a disclosure.
Not-for-profit Law, a service of Justice Connect, has made available a template whistleblower policy that is based on the requirements of ASIC Regulatory Guide 270.5
Are any entities exempt from the requirement to have a whistleblowing policy?
The requirement to have a whistleblower policy applies to public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities. Not-for-profits and charities with an annual consolidated revenue of less than $1 million are not required to have a whistleblower policy unless they are trading or financial corporations. ASIC formalised this position in ASIC Corporations (Whistleblower Policies) Instrument 2019/114.6
The substantive whistleblowing protections outlined above still apply.
What penalties apply?
CORPORATIONS that breach their obligations may be liable for:
INDIVIDUALS who breach their obligations may be liable for:
Civil penalties of the greater of $10.5M, three times the benefit derived or detriment avoided by the contravention, or 10% of annual turnover (up to $525m); and/or
Civil penalties of the greater of $1.05m or three times the benefit derived or detriment avoided by the contravention.
Criminal penalties of $126,000 (for breach of confidentiality protections) or $504,000 (for breach of protections against victimisation).
Criminal penalties of $12,600 (for breach of the confidentiality protections) or $54,000 (for breach of the protections against victimisation); and/or
Public and large proprietary companies that fail to have a compliant whistleblowing policy by 1 January 2020 may also be liable for a criminal penalty of $126,000
Up to six months’ jail (for breach of confidentiality protections) or up to two years’ jail (for breach of protections against victimisation).
Practical tips and insights for directors
The whistleblower reforms raise a number of practical issues of which directors need to be aware.
Issue 1 - How do I recognise that someone has made a whistleblowing disclosure?
It is critical directors recognise when a protected disclosure is made to them so they comply with their legal obligations (including to maintain the confidentiality of a whistleblower). This is one of the trickier issues to navigate, as a whistleblower may not always identify themselves as such or refer to an organisation’s whistleblowing policy when making a disclosure. This doesn’t affect the protections available to whistleblowers under law. They will still apply, provided the whistleblower is a type of person eligible to make a disclosure and the subject matter of their disclosure is covered by the legislation.
To add to the complexity, the scope of what might amount to a protected disclosure under law is not straightforward. For example, there is no real guidance on the meaning of an “improper state of affairs or circumstances”, and it is often not immediately evident whether an issue could give rise to a breach of the relevant Commonwealth laws.
ASIC’s Guide suggested the types of conduct that may give rise to a protected disclosure include:
- Illegal conduct (such as theft, dealing in/use of illicit drugs, violence/threatened violence, and criminal damage against property);
- Fraud, money laundering or misappropriation of funds;
- Offering or accepting a bribe;
- Financial irregularities;
- Failure to comply with, or breach of, legal or regulatory requirements;
- Engaging/threatening to engage in detrimental conduct against a person who has made a disclosure or is believed/suspected to have made/be planning to make a disclosure.
However, this list is not exhaustive. It is likely a court will place some limits around the scope of disclosures that are captured by the legislation in the future. Until that time, directors should err on the side of caution when assessing whether a person has made a disclosure that could amount to a whistleblowing matter and, where this is a possibility, seek consent from a whistleblower to share their disclosure as needed (for example, with the organisation's nominated whistleblowing channel/s).
As a general guide, if a person has raised an issue which, in a director's mind, has the potential to give rise to legal or reputational damage for the organisation, that should act as a red flag to treat the disclosure with caution and consider whether whistleblower protections should be applied.
Issue 2 - How do I comply with the protections available to whistleblowers?
Practically speaking, a director is less likely to be accused of victimising a whistleblower, as opposed to a person who manages and supervises the relevant individual. There is still a possibility of this — noting the victimisation provisions under the new legislation can capture a director if they are involved as an accessory in a company or another individual’s victimising conduct.
The more likely risk for a director is they do not comply with the requirement under law not to disclose a protected whistleblower’s identity or information that is likely to lead to their identification, without their consent. A breach of this requirement, no matter how inadvertent, can still result in civil and criminal penalties (including up to six months’ jail time).
Practically, it may not always be obvious what information could reveal a whistleblower’s identity — simply redacting their name and other identifying details may not be enough. For example, it may be that their identity could be revealed by virtue of the issue raised or the company division their disclosure concerns.
In light of this, directors should adopt a prudent approach and seek consent in all cases from an individual who discloses concerning conduct, to share their disclosure as needed. In this regard, ASIC has noted in recent guidance for directors that it is appropriate for a director to encourage a whistleblower to make their report using the whistleblowing channels nominated by the relevant organisation.
Directors can obtain legal advice in relation to the operation of the whistleblower provisions under the Cororations Act, notwithstanding the strict confidentiality obligations. For this reason, directors should seek legal advice immediately if unsure how to handle a disclosure in accordance with these laws.
Compliance considerations for directors
Directors should take the following steps to support compliance with the laws and unlock the value that whistleblowing disclosures can provide in supporting good governance and corporate culture:
- Understand the types of disclosures that can be protected under the Corporations Act, so as to recognise when to apply the legislative whistleblower protections. This is not straightforward, so seek advice if unsure.
- Be aware of your organisation's nominated whistleblowing channels and seek consent from any whistleblowers that approach you to share their disclosure with those channels in order for them to be addressed in accordance with the applicable protections.
- Understand the director implications of whistleblower protections - including that directors are eligible recipients of whistleblowing disclosures under law and, as a person, can be personally liable for breaches of the confidentiality and victimisation protections (including where they are found to have acted as an accessory to a contravention of the whistleblowing laws).
- Ensure you’re receiving the right information. The board (or a subcommittee) should receive periodic reporting on whistleblowing matters (including appropriate metrics on reports made). Boards of listed companies should also be informed of material incidents reported under the organisation’s whistleblowing policy. No incidents being reported is not a sign of good governance but more likely a sign that the organisation has not successfully cultivated a 'safe to speak up' culture.
- Ensure the board (or a subcommittee) addresses and mitigates any broader trends and themes and/or emerging risks arising from reports made to the board.
- Ensure an organisation has a whistleblowing policy compliant with the Corporations Act (where applicable) that clearly identifies the types of concerns that may reported, and a framework that supports disclosures being received, assessed, investigated and resolved under that policy. There should also be a mechanism in place to periodically review the effectiveness of the policy.
- Ensure there are procedures in place which support the effectiveness of the whistleblowing policy in place - what happens in practice should align with what the policy requires.
- Encourage an ethical culture that values integrity and where whistleblowers feel safe to speak up, including formal endorsement of the organisation’s whistleblowing policy and processes by the Board and senior leadership.
- Ensure training is provided for employees, managers and eligible recipients on the whistleblowing policy and its framework, including rights and obligations in respect of confidentiality and victimisation.
- Understand how COVID-19 may have impacted the organisation’s whistleblowing function.
1 Australian Institute of Company Directors, 2019, “ASIC’s reforms to whistleblower laws ahead”, 1 July, Company Director, https://aicd.companydirectors.com.au/membership/company-director-magazine/2019-back-editions/july/regulator, (accessed 13 July 2020).
2 Australian Institute of Company Directors, 2019, “ASIC urges companies to better manage non-financial risk”, 30 October, Company Director, http://aicd.companydirectors.com.au/membership/company-director-magazine/2019-back-editions/november/asic-urges-companies-to-better-manage-non-financial-risk, (accessed 13 July 2020).
3 Australian Securities and Investments Commission, Whistleblower protections for not-for-profit organisations, [website], https://asic.gov.au/about-asic/asic-investigations-and-enforcement/whistleblowing/whistleblower-protections-for-not-for-profit-organisations/, (accessed 13 July 2020).
4 Australian Institute of Company Directors, 2019, Not-for-Profit Governance Principles, 2nd edition, January, https://aicd.companydirectors.com.au/-/media/cd2/resources/director-resources/not-for-profit-resources/nfp-principles/pdf/06911-4-adv-nfp-governance-principles-report-a4-v11.ashx, (accessed 13 July 2020).
5 Not-for-profit Law, 2020, Whistleblower policy template, 10 January, Justice Connect, https://www.nfplaw.org.au/whistleblower-policy-template-now-available, (accessed 13 July 2020).
6 Australian Securities and Investments Commission, 2019, ASIC Corporations (Whistleblower Policies) Instrument 2019/1146, 13 November, Federal Register of Legislation, https://www.legislation.gov.au/Details/F2019L01457, (accessed 13 July 2020).
About the authors
Cilla Robinson is a partner at Clayton Utz. With over 18 years' experience in employment, industrial relations, discrimination and work, health and safety law, Robinson has a broad industry background and works with both private and public sector clients. She has deep expertise advising both Australian and international companies on the new whistleblowing and modern slavery laws and developing education and training to support this legal advice.
Amanda Lyras is a special counsel at Clayton Utz. Lyras is a trusted adviser to a number of organisations in relation to their whistleblowing programs and is experienced in delivering training to boards and senior executives on whistleblowing. Amanda was personally involved in the development of the new laws, including being invited to respond to questions on notice by the Senate Economics Committee in relation to a draft form of the laws.
Heloise Ormandy is a lawyer at Clayton Utz and has experience advising private and public sector clients on employment regulation and associated policy frameworks. She has advised on the new whistleblower laws, complex litigation and employment disputes, the development of award terms and industrial relations strategies, undertaking reviews of workplace investigations, as well as discrimination, bullying and misconduct issues.
The Australian Institute of Company Directors is committed to strengthening society through world-class governance. We aim to be the independent and trusted voice of governance, building the capability of a community of leaders for the benefit of society. Our membership includes directors and senior leaders from business, government and the not-for-profit sectors.
For more information t: 1300 739 119 w: aicd.com.au
This document is part of a Director Tool series published by the Australian Institute of Company Directors. This series has been designed to provide general background information and as a starting point for undertaking a board-related activity. It is not designed to replace a detailed review of the subject matter. The material in this document does not constitute legal, accounting or other professional advice. While reasonable care has been taken in its preparation, the Australian Institute of Company Directors does not make any express or implied representations or warranties as to the completeness, currency, reliability or accuracy of the material in this document. This document should not be used or relied upon as a substitute for professional advice or as a basis for formulating business decisions. To the extent permitted by law, the Australian Institute of Company Directors excludes all liability for any loss or damage arising out of the use of the material in this document. Any links to third-party websites are provided for convenience only and do not represent endorsement, sponsorship or approval of those third parties, or any products and/or services offered by third parties, or any comment on the accuracy or currency of the information included in third party websites. The opinions of those quoted do not necessarily represent the view of the Australian Institute of Company Directors.