When there's a whistle(blower), there's a way18 November 2019
The Australian Securities and Investments Commission (ASIC) released its much-anticipated guidance on whistleblower policies in Regulatory Guide 270 Whistleblower policies (RG 270) on 13 November 2019. The guide is for entities that must have a whistleblower policy under the Corporations Act 2001 (Cth) as amended by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth) (Whistleblower Act).
The guide is also helpful for entities that do not require a whistleblower policy but are still subject to the Whistleblower Act. In light of RG 270, we strongly recommend reviewing and updating your whistleblower policy to ensure it is compliant, and we have summarised the key things regulated entities should be aware of, below.
Are you required to have a whistleblower policy?
Each of the following entities must have a whistleblower policy:
- public companies (unless eligible for the small not-for-profit exemption, which is for a company limited by guarantee that is operated on a not-for-profit basis with consolidated revenue for each financial year less than $1 million)
- large proprietary companies (see next section), and
- proprietary companies that are trustees of registrable superannuation entities.
Even if an entity is not required to have a whistleblower policy, it may wish to do so as a matter of good corporate governance and to manage its obligations under the Whistleblower Act.
Companies listed on the ASX should be aware of the requirements under the new Corporate Governance Principles and Recommendations (4th Edition) that comes into force on 1 January 2020 and which requires, amongst other things, for a listed company to have:
- a whistleblower policy, and
- ensure that the board or a committee of the board is informed of any material incidents under that policy.
Is your company a large proprietary company?
The criteria for a large proprietary company changed for financial years commencing on or after 1 July 2019. A proprietary company is defined as “large” if it satisfies at least two of the following minimum criteria:
- $50 million or more—the consolidated revenue for the financial year of the company and any entities it controls
- $25 million or more—the value of the consolidated gross assets at the end of the financial year of the company and any entities it controls, and
- 100 employees or more—the company and any entities it controls have at the end of the financial year.
What does the Whistleblower policy need to include?
The Whistleblower Act prescribes the following content, which must be covered in a whistleblower policy:
- the protections available to whistleblowers
- to whom disclosures that qualify for whistleblower protection may be made, and how they may be made
- how the entity will support whistleblowers and protect them from detriment
- how the entity will investigate disclosures that qualify for whistleblower protection
- how the entity will ensure fair treatment of its employees who are mentioned in disclosures that qualify for protection, or its employees who are the subject of disclosures
- how the policy will be made available to officers and employees of the entity, and
- any other matter prescribed by regulation.
An “off-the-shelf policy” is unlikely to meet the objectives of the whistleblower regime. Instead, a regulated entity should ensure the policy is aligned to the “nature, size, scale and complexity” of its business as recommended by ASIC (in RG 270).
When establishing or reviewing your whistleblower policy, keep in mind the following:
What is the penalty for non-compliance?
ASIC is empowered to undertake surveillance to monitor compliance with the whistleblower protection regime. Failure to comply with the requirement to establish and make available a compliant whistleblower policy is an offence of strict liability and carries a fine of $12,600.
There are also serious penalties for breaching the confidentiality of a whistleblower or the victimisation or threatened victimisation of a whistleblower. Fines can be imposed of up to $1 million for a company and $200,000 for an individual, and/or liability for criminal charges.
Acknowledging the seriousness of these penalties, the Government noted that “the penalties are intended to deter unauthorised disclosure of the identity of individuals who disclose wrongdoing” (see the Explanatory Memoranda to the Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2018).
It’s important to note that the Whistleblower Act also provides for a person to bring civil proceedings for compensation or other remedies, such as an apology, in the event of non-compliance.
When do I need to establish a policy?
For most public companies, large proprietary companies and corporate trustees of registrable superannuation entities, the deadline to establish a compliant whistleblower policy is 1 January 2020. For more information or guidance on these changes, please get in touch with Sally Weatherstone.