ASIC whistleblowing policy guidance rocks the boat for companies required to have a compliant whistleblowing policy by 1 January 2020

15 Nov 2019

Public companies and large proprietary companies will need to review their whistleblowing policies and procedures to ensure they are compliant by 1 January 2020, following the release on 13 November 2019 of "Regulatory Guide 270 – Whistleblower policies" by the Australian Securities and Investments Commission (ASIC) (Guide). The Guide (which is some 52 pages long) prescribes an extensive list of mandatory matters that ASIC considers must be included in a compliant whistleblowing policy under the Corporations Act 2001 (Cth).

The Guide also provides good practice tips and guidance which, although not mandatory, will probably be viewed as setting the benchmark for good practice in the whistleblowing space.

The mandatory matters specified in the Guide are onerous and, on any view, go well beyond the content requirements specified in the Corporations Act (which are outlined further below). ASIC received numerous submissions from stakeholders advising that adopting a draft form of the guidance would lead to lengthy, cumbersome whistleblowing policies. Despite these submissions, ASIC has expanded the matters mandated to be included in its final issued guidance.

In light of ASIC’s "why not litigate" approach, we expect that companies will prefer to adopt a conservative approach, consistent with the Guide, when drafting their whistleblowing policies. A less prudent approach would be risky, given ASIC has said it will be conducting surveillance activities to ensure compliance with the obligations under the Guide and pursuing non-compliance in accordance with its enforcement approach and operational priorities.

What is required under the Corporations Act?

The Corporations Act requires public companies and large proprietary companies to have a whistleblowing policy by 1 January 2020 that sets out the following information and is made available to officers and employees of the company:

  • information about the protections available to whistleblowers, including under the Corporations Act;
  • information about to whom disclosures that qualify for protection under the Corporations Act may be made, and how they may be made;
  • information about how the company will support whistleblowers and protect them from detriment;
  • information about how the company will investigate disclosures that qualify for protection under the Corporations Act;
  • information about how the company will ensure fair treatment of employees of the company who are mentioned in disclosures that qualify for protection under the Corporations Act; and
  • information about how the policy is to be made available to officers and employees of the company.

What does ASIC require for whistleblower policies?

In addition to including the information set out above in a compliant whistleblowing policy, ASIC has mandated in the Guide that a whistleblowing policy must also:

  • include a brief explanation about the purpose of the policy;
  • identify the different types of disclosers within and outside an entity who can make a disclosure that qualifies for protection;
  • set out the criteria for a discloser to qualify for protection under the Corporations Act;
  • identify the types of wrongdoing that can be reported based on the entity’s business operations and practice and outline the types of matters that are not covered by the policy (eg. personal work-related grievances);
  • state that disclosures that are not about "disclosable matters" under the Corporations Act do not qualify for protection under the Corporations Act or the Tax Administration Act where relevant (including broader disclosures that may be specified in a policy as part of the entity's "speak up culture", such as breaches of a Code of Conduct);
  • state that a discloser can still qualify for protection even if their disclosure turns out to be incorrect;
  • clarify that personal work-related grievances do not qualify for protection under the Corporations Act and outline when a disclosure about or including a personal work-related grievance still qualifies for protection;
  • state that a discloser must make a disclosure directly to one of the entity’s eligible recipients to be able to qualify for protection under the Corporations Act (or the Tax Administration Act, where relevant);
  • state that protected disclosures can be made to a journalist or parliamentarian in certain circumstances and that it is important for a discloser to understand the criteria for making a public interest or emergency disclosure;
  • include information about who a discloser can contact to obtain additional information before making a disclosure;
  • include a range of internal and external disclosure options and how to access each option along with the relevant instructions;
  • advise that disclosures can be made anonymously and still be protected under the Corporations Act (and that a discloser may remain anonymous during and after an investigation) and outline the entity's measures and/or mechanisms for protecting anonymity;
  • provide examples of how the entity will, in practice, protect the confidentiality of a discloser’s identity and protect a discloser from detriment;
  • outline the key steps the entity will take after it receives a disclosure, including how it investigates a disclosure (including timeframes), keeps a discloser informed (which must be via regular updates) and documents, reports internally and communicates to the discloser the investigation findings; and
  • outline the entity's measures for ensuring its policy is widely disseminated to and easily accessible by disclosers within and outside the entity (eg. through education and training).

These mandatory matters for inclusion in a whistleblowing policy are onerous and require entities to essentially restate the whistleblowing provisions under the Corporations Act in addition to addressing a range of other matters that are substantially procedural. In this regard, the Guide goes well beyond the policy requirements prescribed under the Corporations Act and the utility in mandating such prescriptive policy content is unclear.

(Some) guidance on practical matters, but some important issues not tackled

Helpfully, ASIC has provided some additional guidance on:

  • disclosable conduct amounting to an "improper state of affairs or circumstances" (RG 270.52);
  • types of wrongdoing that can be specified in a policy (RG 270.55);
  • practical ways to protect confidentiality (RG 270.108) and prevent victimisation (RG 270.109);
  • a good practice risk assessment framework (RG 270.110).

ASIC has also acknowledged it is preferable for internal disclosures to be encouraged in the first instance (RG 270.71).

However, ASIC has not provided clear guidance on what will amount to taking “all reasonable steps” for the purposes of reducing the risk that a whistleblower will be identified with respect to information disclosed (other than their identity) for the purposes of an investigation.

Nor has ASIC provided guidance to companies which have international operations on how they should approach the policy requirements under the Corporations Act in the context of their global whistleblowing policy frameworks.

Limited legislative relief for some companies

At the same time as releasing the Guide, ASIC also issued a legislative instrument relieving public companies limited by guarantee that are not-for-profits or charities, and have an annual consolidated revenue of less than $1 million, from the requirement to have a whistleblowing policy under the Corporations Act. This is on the basis it would impose a disproportionate burden on them, many of which have limited staff and financial resources. This relief only extends to the policy requirement and the whistleblowing protections provided by the Act remain available to a whistleblower with respect to such companies.

Further, where such companies are newly formed and their first financial year ends on or after 1 January 2020, they are not required to have a whistleblower policy until 6 months after the end of their first financial year where their annual consolidated revenue is at least $1 million.

Getting your whistleblower policy ready for the 1 January 2020 deadline

While ASIC states that it expects companies to establish a whistleblower policy that is aligned to the nature, size, scale and complexity of their business, the Guide takes a highly prescriptive and legalistic approach to the content to be set out in a whistleblower policy.

The result will be less user-friendly policy documents and is likely to result in a "tick the box" compliance approach to whistleblower policies. In our view, this is a missed opportunity to allow organisations the flexibility required to establish a tailored whistleblower policy that is straightforward, practical and supportive of a "safe to speak up" culture.

Rather than encouraging individuals to raise any concerns as “a way we do business”, the Guide requires a whistleblowing policy to narrowly focus on the protections conferred on whistleblowers under the Corporations Act and essentially to restate the whistleblowing provisions in the Corporations Act. In our view, this runs the risk of deterring whistleblowers from coming forward and undermining the objects of the amended whistleblowing legislation.

Nonetheless, companies to whom the Guide applies will need to consider how they will implement the guidance, and ensure they have a compliant whistleblowing policy by 1 January 2020.

Many entities have already implemented revised whistleblowing policies based on ASIC’s draft guidance released on 7 August 2019, and refreshing the policy documentation with any required changes may be challenging to achieve by 1 January 2020, in light of the time needed to revise a policy in accordance with the Guide and obtain any necessary board approvals. ASIC has not provided any transitional relief in this respect.

In the circumstances, companies will likely need to revisit their whistleblowing policies, as well as the processes and procedures that underpin them (as the Guide will extend to these in practice as well, notwithstanding the legislation does not purport to extend into internal processes and procedures). Failure to have a compliant policy is a criminal offence and, from a reputational perspective, we expect that companies will want to be on the front foot, given the increasing focus by ASIC, the public and the media on whistleblowing protections.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.