Close Menu
ABL Logo
Link to the Link to the Link to the

Enhanced whistleblower regime

Corporate and M&A, Shareholder Activism
Whistleblower man and woman talking

In July 2019, the Australian Government introduced a new whistleblower regime to strengthen protections available to people who expose wrongdoing in the corporate sector.

The changes have been legislated under the Corporations Act 2001 (Cth) (Corporations Act), with a similar regime also imposed under the Taxation Administration Act 1953 (Cth) (Tax Act).

The move reflects the heightened focus on corporate misconduct associated with the Royal Commission into the financial services sector, and a spate of whistleblower disclosures that have made their way into the media.

The changes mean that all companies will need to establish comprehensive internal processes for receiving, investigating and handling disclosures.

Some companies will be required to implement specific whistleblower policies by 1 January 2020.

Individuals and companies face significant criminal and civil penalties for non-compliance.

When is a company required to have a whistleblower policy?

All listed companies, unlisted public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities are required to implement a whistleblower policy by 1 January 2020.

Charities that fall within the above list will also be captured by this requirement, except for small not‑for‑profits limited by guarantee that have an annual revenue (or consolidated revenue) under $1 million, for whom ASIC has granted relief from the requirement to adopt a whistleblower policy.

The Corporations Act sets out minimum content requirements to be addressed by whistleblower policies. ASIC has also just released its final guidance and recommendations on how entities should establish, implement and maintain a whistleblower policy. These recommendations contain comprehensive “best practice” guidance on what should be included in a policy.

All other entities have the option to voluntarily adopt a whistleblower policy, but should carefully consider the implications of doing so, given non‑compliance with their adopted policy could impact on potential liability if they or their employees are found to be in breach.

ASIC has publically stated its intention to review a selection of companies’ policies next year for compliance with the legal requirements.

When is someone eligible for whistleblower protection?

Broadly speaking, a person connected to a company can make a disclosure where they have a reasonable basis to believe the information they hold:
  • concerns misconduct
  • concerns an improper state of affairs or circumstances
  • indicates that the company (or its officers or employees) has contravened certain laws of the Commonwealth relating to corporations and financial services, or the breach of which is punishable by imprisonment for a period of 12 months or more, and/or
  • indicates conduct by the company (or its officers or employees) that represents a danger to the public or the financial system.

Protection is not available for disclosures about personal work related grievances that only impact an individual.

Whistleblowers are protected if they disclose the information to a number of eligible recipients, including officers, senior managers and other nominated recipients of the company. Whistleblowers are also entitled to protection if they disclose to certain third party recipients, for example a legal practitioner, corporate regulators, auditors or, in some cases, journalists or parliamentarians. 

Disclosures can be made anonymously.

The new whistleblower laws reflect the heightened focus on corporate misconduct associated with the Royal Commission into the financial services sector, and a spate of whistleblower disclosures that have made their way into the media.

What protections are available to whistleblowers?

A core concern under the new regime is ensuring that companies’ internal procedures and support systems adequately protect whistleblowers. 

Whistleblowers have the following rights and protections under the regime:

  • Protection of their identity (confidentiality): the identity (or information likely to expose the identity) of a whistleblower cannot be disclosed (except in certain exempt circumstances).
  • Protection from detriment: whistleblowers cannot be subjected to detrimental acts or omissions (or threats of such conduct) because (or partly because) the whistleblower has made, may have made, proposes to make or could make a disclosure.
  • Rights to compensation: whistleblowers can claim compensation for loss, damage or injury where a company failed to take reasonable steps to uphold its duty to protect them from detriment. To claim compensation, whistleblowers only need to establish that it was reasonably possible that they were subject to detriment, with the onus on the company to then disprove that claim.
  • Protection from liability: whistleblowers are protected from civil, criminal and administrative liability relating to their disclosure (however do not have immunity for any misconduct they have engaged in that is brought to light by the disclosure).

Companies should also consider how they will protect employees implicated through disclosures of wrongdoing.

What is a company’s obligation when it receives a whistleblower complaint?

All companies are now required to have in place processes and procedures for receiving, responding to and investigating allegations.

In formulating these processes and procedures, a company should consider:

  • who will handle each stage of the disclosure process (ie, designated contact points for receiving disclosures, mandated ‘protection officers’ to support whistleblowers and ‘investigation officers’ responsible for exploring allegations of wrongdoing)
  • whether the company’s information handling practices are secure (eg, appropriate IT systems and secure filing), given the potential risks to whistleblowers and companies if disclosures were to be leaked
  • how the company will protect whistleblowers from mistreatment (eg, staff support systems and possible adjustments to working arrangements)
  • how investigations will be conducted in a manner that is thorough, objective, fair and independent, and
  • how whistleblowers will be kept informed throughout the investigation process.

Insufficient internal processes could result in significant liability for both individuals and companies, and cause serious reputational damage.

What are the consequences for non-compliance with the regime?

Significant criminal and civil penalties can arise for individuals and companies (and third parties with accessorial liability) for breach of the new regime:

Type of breach Corporations Individuals
  Civil penalties  
For breach of confidentiality or for detrimental conduct The greater of:
  • $10.5 million
  • 3 times the benefit derived or detriment avoided by the contravention, or
  • 10% of the company’s annual turnover (up to $525 million).
The greater of:
  • $1.05 million, or
  • 3 times the benefit derived or detriment avoided by the contravention.
Criminal penalties
For breach of confidentiality $126,000 $12,600 and / or up to 6 months’ imprisonment
For detrimental conduct $504,000 $54,000 and / or up to 2 years’ imprisonment

Companies can be deemed to be vicariously liable for the acts of its employees in breach of the regime.

Failure to have a compliant whistleblower policy by 1 January 2020 may also result in criminal sanctions and fines (currently $126,000).

Non-compliance with the company’s own stated whistleblower policy and/or processes may result in additional liability.

Contravention of the Tax Act in relation to a breach of confidentiality or for detrimental treatment of a whistleblower can also trigger significant criminal and civil penalties for both individuals and companies.

What should a company do in response to the new regime?

In summary, a company should:

  1. Foster a culture of ethical conduct, and create a positive and open environment where employees feel comfortable making disclosures.
  2. Develop internal processes and reporting mechanisms that are appropriate to the company and comply with the new regime. Such processes should include record-keeping practices, clear reporting lines to keep the board apprised of whistleblowing developments, and periodic reviews to address systemic issues brought to light by whistleblowers and ensure the company’s processes are updated as and when required.
  3. Implement a compliant whistleblower policy – this is mandatory for public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities from 1 January 2020.
  4. Conduct training for officers and employees to make them aware of their rights and responsibilities under the regime.
  5. Consider authorising an independent, external whistleblowing service to receive, handle and investigate disclosures to help avoid potential conflicts of interest and provide better protections for whistleblowers.

How we can help

If you need further advice on how to comply with the new regime, ABL has a depth of expertise across our corporate, workplace and litigation practices to advise on:

  • whistleblower policies
  • how to develop best-practice whistleblower procedures
  • how to investigate whistleblower disclosures
  • employment law aspects in relation to whistleblower disclosures, and
  • compliance with ASX listing rules and ASX Corporate Governance Principles.

Read next