The RG is intended to assist companies that are required to implement a whistleblower policy by 1 January 2020 in accordance with reforms to the Corporations Act 2001 (Cth) (Act) that strengthen whistleblower protections.
The RG is lengthy – just over 50 pages – and prescribes a number of matters that ASIC considers must be included in a whistleblowing policy to be compliant under the Act. In some respects, the RG goes beyond the legislative requirements.
The RG also provides "good practice" guidance intended to assist companies in developing and implementing policies and procedures. Although not mandatory, the good practice tips and examples will likely be viewed as setting a benchmark for best practice.
ASIC has also relieved public companies limited by guarantee that are not-for-profits or charities and have an annual consolidated revenue of less than $1 million from the requirement to have a whistleblowing policy under the Corporations Act. In doing so, ASIC recognises that these entities may face a compliance burden that outweighs the benefits that a policy might otherwise offer. Notably, the relief only extends to the requirement to have a policy; the substantive whistleblower protections provided by the Act still apply to these entities.
Key takeaways for directors and an update on the relevant requirements are set out below.
Key takeaways for directors
- ASIC has emphasised that an entity’s Board is ultimately responsible for the entity’s whistleblower policy, as part of the entity’s broader risk management and corporate governance framework. It is important for a Board (either directly or through its Audit or Risk committee) to have proper oversight and ensure that the broader trends, themes and/or emerging risks highlighted by the disclosures made under its policy are addressed and mitigated by the entity as part of its risk management and corporate governance work plans.
- ASIC has also made clear its expectation that the Board (or Audit or Risk Committee) should receive periodic reporting on the effectiveness of the policy and that mechanisms should be in place to escalate matters to the Board or a Board Committee.
- Companies required to have a whistleblower policy under the Act will need to review their whistleblower policies against the mandatory requirements of the RG, and consider the good practice guidance. The RG is relatively prescriptive, and may compel companies to make changes to their current policies and procedures. For those companies yet to put their policy in place, the RG will need to be considered.
- Notably, ASIC has indicated that it plans to survey the whistleblower policies of a sample of companies next year to review compliance with legal requirements. Companies are likely to want to adopt a conservative approach to ensure compliance, given ASIC’s regulatory focus and “why not litigate” enforcement approach. Failure to comply with the requirement to have and make available a whistleblower policy is an offence of strict liability.
- Not-for-profits and charities will need to consider their position in light of the relief granted by ASIC. Those companies exempted from the legislative requirement may nevertheless still wish to implement a whistleblower policy, particularly recognising that the substantive whistleblower protections under the law still apply. Exempted companies will have greater freedom to implement tailored policies and procedures, although they may wish to have regard to the provisions of the RG. The AICD's Not-For-Profit Governance Principles recognise that whistleblowers are an important line of defence against wrongdoing and note that it is a good idea to establish a whistleblower policy.
Recap of Corporations Act requirements
The Act requires public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities to have a whistleblowing policy by 1 January 2020 that sets out the following information and is made available to officers and employees of the company:
- the protections available to whistleblowers, including protections under the Corporations Act;
- to whom disclosures that qualify for protection under the Corporations Act may be made, and how they may be made;
- how the entity will support whistleblowers and protect them from detriment;
- how the entity will investigate disclosures that qualify for protection under the Corporations Act;
- how the entity will ensure fair treatment of its employees who are mentioned in disclosures that qualify for protection, or its employees who are the subject of disclosures; and
- how the policy will be made available to officers and employees of the entity.
Additional ASIC requirements
In addition to the information that is legislatively mandated, ASIC has stipulated that a whistleblowing policy must also contain additional detail and information including (but not limited to):
- the key steps the entity will take after it receives a disclosure, including how it investigates a disclosure (including timeframes), how it keeps a discloser informed (which must be via regular updates), and how it documents, reports internally and communicates to the discloser the findings of the investigation;
- the entity's measures for ensuring its policy is widely disseminated to and easily accessible by disclosers within and outside the entity (eg. through education and training);
- the different types of disclosers within and outside an entity who can make a disclosure that qualifies for protection and the criteria for a discloser to qualify for protection;
- a range of internal and external disclosure options and how to access each option along with the relevant instructions; and
- a statement that disclosures can be made anonymously and still be protected under the Corporations Act (and that a discloser may remain anonymous during and after an investigation), together with an outline of the entity's measures and/or mechanisms for protecting anonymity.
ASIC has also provided some further practical guidance on:
- types of wrongdoing that can be specified in a policy (RG 270.55);
- practical ways to protect confidentiality (RG 270.108) and prevent victimisation (RG 270.109); and
- a good practice risk assessment framework (RG 270.110).