Significant changes to Australia's whistleblowing laws came into force on 1 July 2019.

Part 9.4AAA of the 2001 Corporations Act sets out a consolidated whistleblower protection regime for Australia's corporate sector. Changes to this regime, designed to provide whistleblowers with stronger and more robust protections, were introduced by the 2019 Treasury Laws Amendment (Enhancing Whistleblower Protections) Act.

Companies need to assess whether their whistleblower policies are compliant with the new laws. The Australian Securities and Investments Commission (ASIC) has published regulatory guidance to assist companies with compliance.

What entities do the whistleblower laws apply to?

The new laws apply to:

  • a company;
  • a corporation to which section 51(xx) of the Constitution applies i.e. foreign corporations and trading or financial corporations formed within the limits of the Commonwealth;
  • an authorised deposit-taking institution (ADI) within the meaning of the 1959 Banking Act (Cth), an authorised non-operating holding company (NOHC) within the meaning of that Act or a subsidiary of an ADI or NOHC;
  • a general insurer within the meaning of the 1973 Insurance Act (Cth), an authorised NOHC within the meaning of that Act or a subsidiary of a general insurer or an authorised NOHC;
  • a life company within the meaning of the 1995 Life Insurance Act, a registered NOHC within the meaning of that Act or a subsidiary of a life company or a registered NOHC;
  • a superannuation entity, or a trustee of a superannuation entity within the meaning of the 1993 Superannuation Industry (Supervision) Act.

What are a company's main obligations under the whistleblowing laws?

The new laws have a strong focus on preserving the whistleblower's confidentiality and deterring others from engaging in detrimental conduct. Some regulated entities are also required to have a whistleblower policy in place by 1 January 2020. Regardless of whether entities are required to have a whistleblower policy in place by 1 January 2020, the way they handle whistleblower complaints will need to change to comply with the new laws.

Confidentiality

The identity of a whistleblower or information that is likely to lead to the identification of the whistleblower must be kept confidential unless:

  • the whistleblower consents to disclosure of their identity; or
  • the whistleblower's identity is disclosed to ASIC, the Australian Prudential Regulation Authority (APRA), a member of the Australian Federal Police, a legal practitioner for the purpose of obtaining legal advice or legal representation in relation to the operation of the whistleblowing laws or anyone else prescribed by the regulations.

Information that may lead to the identification of the whistleblower may only be disclosed if it is reasonably necessary for the purposes of investigating the disclosure, and all reasonable steps are taken to reduce the risk that the whistleblower will be identified.

Detrimental conduct

The law prohibits detrimental conduct against a whistleblower. Detrimental conduct is conduct that causes detriment to an individual, and includes making threats to cause any detriment to an individual.

Detriment includes:

  • dismissal of an employee;
  • injury of an employee in their employment;
  • alteration of an employee's position or duties to their disadvantage;
  • discrimination between an employee and other employees of the same employer;
  • harassment or intimidation of an individual;
  • harm or injury to an individual, including psychological harm;
  • damage to an individual's property;
  • damage to an individual's reputation;
  • damage to an individual's business or financial position;
  • any other damage to an individual.

The confidentiality obligation and the obligation not to engage in detrimental conduct apply not only to regulated entities but to their employees and officers.

Whistleblower policy

The following entities must implement compliant whistleblower policies by 1 January 2020:

  • public companies;
  • large proprietary companies;
  • trustees of registrable superannuation entities.

A company is a large proprietary company if it and any entities it controls meet two or more of the following thresholds:

  • A$50 million (US$34m) or more in consolidated revenue;
  • A$25m or more in consolidated gross assets;
  • 100 or more employees.

ASIC will be surveying whistleblower policies from a sample of public companies, large proprietary companies and corporate superannuation trustees during 2020 to review compliance with the legal requirements and to monitor the good practice requirements.

Public and large proprietary companies will be liable where they fail to have a whistleblower policy in place by 1 January 2020.

The regulatory guidance

ASIC Regulatory Guide 270 (RG 270) sets out the components that a whistleblower policy must include to comply with the laws. These include:

  • purpose of the policy;
  • who the policy applies to;
  • matters the policy applies to;
  • who can receive a disclosure;
  • how to make a disclosure;
  • legal protections for disclosers;
  • support and practical protection for disclosers;
  • handling and investigating a disclosure;
  • ensuring fair treatment of individuals mentioned in a disclosure; and
  • ensuring accessibility of the policy.

The matters set out above are meant to reflect all stages of the whistleblowing process.

A compliant whistleblowing policy must also cover:

  • receiving a disclosure;
  • assessing how a discloser should be supported and protected;
  • assessing whether a disclosure should be investigated;
  • undertaking an investigation;
  • supporting and protecting a discloser during and after the investigation;
  • communicating with a discloser, including the outcome of an investigation; and
  • ensuring oversight and monitoring by the entity's board.

What are the consequences of failure to comply with the laws?

Applicable penalties under the Corporations Act are as follows:

For detrimental conduct:

Criminal penalties:

  • for an individual: 240 penalty units (A$50,400) or imprisonment for two years, or both;
  • for a body corporate: 2,400 penalty units (A$504,000).

Pecuniary penalties:

  • for an individual: 5,000 penalty units (A$1,050,000) or three times the benefit derived or detriment avoided;
  • for a body corporate: 50,000 penalty units (A$10.5m) or three times the benefit derived or detriment avoided or 10% of the body corporate's annual turnover (up to 2.5m penalty units, A$525m).

For breach of confidentiality:

Criminal penalties:

  • for an individual, 60 penalty units (A$12,600) or imprisonment for six months, or both;
  • for a body corporate, 600 penalty units (A$126,000).

Pecuniary penalties:

  • for an individual: 5,000 penalty units (A$1,050,000) or three times the benefit derived or detriment avoided;
  • for a body corporate: 50,000 penalty units (A$10.5m) or three times the benefit derived or detriment avoided or 10% of the body corporate's annual turnover (up to 2.5m penalty units, A$525m).

For failure to have a compliant whistleblower policy:

Criminal penalties:

  • for an individual: 60 penalty units (A$12,600);
  • for a body corporate: 600 penalty units (A$126,000).

No pecuniary penalties are available.
