The Australian Securities and Investments Commission (ASIC) has written to CEOs of public companies, large proprietary companies and trustees of registrable superannuation entities (RSEs) urging them to review their whistleblower policies to ensure they comply with the law.

Since 1 January 2020, the Corporations Act 2001 (Corporations Act) has required public companies, large proprietary companies, and trustees of RSEs to have a whistleblower policy that sets out particular matters and to make that policy available to its officers and employees.

During 2020, ASIC reviewed a sample of whistleblower policies to understand how entities are responding to the Corporations Act’s whistleblower policy requirements.

The most prevalent and concerning issues the regulator observed in the policies it reviewed involved unclear, incomplete or inaccurate information about how potential whistleblowers can make a qualifying disclosure and about the protections available under the Corporations Act.

ASIC saw policies that:

  • did not list all the categories of people to whom a whistleblower can report misconduct and qualify for protection under the Corporations Act. Instead, some policies limited the information to the entities’ preferred reporting channels
  • inaccurately referred to obsolete requirements for whistleblowers to identify themselves or make disclosures in good faith or without malice in order to qualify for protection
  • omitted or inaccurately described one or more of the protections available to whistleblowers under the Corporations Act.

To address the most common issues, entities should do the following:

  • Clearly articulate how a person can make a disclosure that qualifies for the legal protections for whistleblowers, including to whom
  • Carefully update their whistleblower policy to reflect the whistleblower protection regime that started on 1 July 2019
  • Accurately describe the legal rights and remedies whistleblowers can rely on if they make a qualifying disclosure, which are identity protection (confidentiality), protection from detriment, compensation and other remedies, and civil, criminal and administrative liability protection.

ASIC says it will continue to monitor compliance with the whistleblower policy requirements and the handling of whistleblower disclosures. ASIC plans to conduct a further review of whistleblower policies in the future. It will consider the full range of regulatory tools available, including enforcement action, where it identifies non-compliance.