ASIC has written to public companies, large proprietary companies and trustees of registrable superannuation entities urging them to review their whistleblowing policies to ensure they are compliant with the Corporations Act 2001 (Corporations Act). A copy of ASIC’s announcement relating to the letters is available here.
The warning comes after ASIC reviewed a sample of whistleblowing policies and found that the majority were not compliant with the requirements for whistleblowing policies set out under the Corporations Act.
In particular, ASIC is concerned that a number of the policies contained unclear, incomplete or inaccurate information about how potential whistleblowers can make a qualifying disclosure and about whistleblower protections that are available under the Corporations Act.
ASIC also took the opportunity to repeat its expectation that officers and senior managers of large corporate entities are responsible for ensuring that the entity complies with Australia’s whistleblower protection regime.
ASIC also warned that it intends to conduct further reviews of whistleblowing policies and will consider taking enforcement action in relation to non-compliant policies. For large proprietary companies and other entities that are required to have a compliant whistleblower policy in place under the Corporations Act, failure to have and make available a compliant whistleblowing policy is a strict liability offence that carries a penalty of 600 penalty units for companies (currently AU $133,200).
Implementing a whistleblower policy that is both effective and compliant with the robust Australian regime can be difficult, especially in circumstances where companies are trying to fit an Australian specific whistleblowing policy into a global compliance framework. Including all of the recommendations contained in ASIC’s guidance in RG270 will protect companies from a fine from ASIC but can result in a lengthy policy which if not structured effectively may be confusing for employees and not fulfill the objective of encouraging employee to report issues that they have identified.
There are a number of ways for whistleblowing policies to remain user-friendly whilst still being compliant with the Corporations Act, including:
- through the use of annexures to set out the detailed information required under the Corporations Act. Companies with global whistleblowing policies may also consider dealing with the Australian whistleblowing rules through an Australian specific annexure to existing policies.
- using the policy to encourage potential whistleblowers to make reports to dedicated third party hotlines or reporting services in an effort to streamline and simplify the reporting process. This must be done in a way that still makes clear that reports made to other eligible recipients under the Corporations Act will also provide the legislative protections to the whistleblower.
ASIC’s warning comes as a reminder to all Australian entities subject to review their whistleblower policies and procedures and ensure they meet the requirements set out under the Corporations Act.
Companies should also train Board members and senior managers, as well as other potential recipients of whistleblower reports, on how their whistleblowing policies work in practice, particularly given ASIC’s comments in relation to their responsibilities. This is especially important given the severe penalties that can result from incorrectly handling whistleblowing reports and breaching confidentiality. In addition to criminal penalties (including up to six months imprisonment for individuals), breaching confidentiality protections could potentially result in the following pecuniary penalties:
- for an individual, 5,000 penalty units (currently AU $ 1.1 million), or three times the benefit derived or detriment avoided; or
- for companies, up to 50,000 penalty units (currently AU $11.1 million ), or three times the benefit derived or detriment avoided or 10% of the company’s annual turnover (up to 2.5 million penalty units or AU $555 million).
Those entities that are not ‘large propriety companies’ for the purposes of the Corporations Act (and, consequently, are not legally required to have a whistleblower policy in place), should also look to review their whistleblowing frameworks as the laws and penalties surrounding whistleblower confidentiality and victimisation still apply to those entities under the Corporations Act. These entities should ensure that any whistleblowing policy they have in place aligns with the requirements of the Corporations Act, as any inconsistencies could give rise to breaches of the whistleblower protections.