The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Whistleblower Protections Act) introduced new obligations in respect of whistleblowing, including the requirement for all public listed companies, large proprietary companies and trustees of registrable superannuation entities to have a whistleblowing policy in place by 1 January 2020.
In our recent article, we considered the draft guidance released by ASIC to assist organisations to implement and maintain a whistleblower policy that complies with the obligations under the Corporations Act.
This week, ASIC released the finalised Regulatory Guide 270 – Whistleblower policies (Guidance), along with its response to submissions received on the draft guidance.
With only weeks to go until the whistleblowing policy requirement comes into effect, we take a look at significant aspects of the Guidance and some of the issues organisations should consider in assessing whether their policies are compliant for 1 January 2020.
Key mandatory requirements
The Guidance makes clear that, in ASIC’s view, a whistleblowing policy must include the following:
- the purpose of the policy;
- who the policy applies to (including the identification of persons both within and outside the entity who can make a disclosure that qualifies for protection);
- matters the policy applies to, based on the entity’s business operations and practices, as well as the types of matters that are not covered by the policy (in addition, the policy must state the disclosures that are not about ‘disclosable matters’ do not qualify for protection under the Corporations Act);
- who can receive a disclosure, including information about how a discloser can obtain additional information (e.g. by contacting the whistleblower protection officer or an independent legal adviser);
- how to make a disclosure, including the different options available and instructions on how to do so (including by anonymous means);
- the legal protections available to the discloser;
- information on support and practical protection for disclosers;
- how the entity will handle and investigate disclosures, including how it keeps the discloser informed and documents, reports internally and communicates to the discloser the investigation’s findings;
- information on how to ensure fair treatment of individuals mentioned in a disclosure;
- ensuring the policy will be made accessible, including external whistleblowers, (notwithstanding that s1317AI(5) only requires entities to make their policy available to officers and employees).
These requirements appear to go beyond the scope of the six matters that a policy must deal with in accordance with s1317AI of the Corporations Act.
Changes from the draft guidance
The Guidance differs in several respects from the draft version released by ASIC in August. Some of the significant changes include:
- A hardening of the terminology used in relation to those matters ASIC considers mandatory for a policy to deal with in order to comply with legislation, characterised by a change from the use of the term ‘should’ to ‘must’ on a number of matters.
- Clarification that a policy must include a range of both internal and external disclosure options.
- New requirements to outline the specific mechanisms for protecting anonymity and confidentiality, as well as protecting disclosers from detriment.
- A limitation on the extent to which an entity may rely on links in the policy to other policies and procedures. ASIC’s expectation is that all information required to be included under legislation be expressly included in the policy itself.
- The requirement to highlight the importance for a discloser to understand the criteria for making a public interest or emergency disclosure, and stating that a discloser should contact an independent legal adviser before making such a disclosure.
- Including a requirement to specify the timeframes for handling and investigating disclosures, as part of an overall requirement to provide transparency about how investigations are handled.
- Adding a requirement that the policy state that the entity will provide a discloser with regular updates on the investigation, including (if necessary) through anonymous channels.
- Revisions of the sections dealing with disclosable matters and the definition of personal work-related grievances, indicating ASIC has taken on board concerns raised by submissions regarding the expansive approach the draft guidelines adopted in relation to protected disclosures. The Guidelines clarify that an entity may choose to implement a policy that also applies to a broader range of (non-statutory) disclosures as part of a ‘speak up’ culture, and offers organisations more flexibility in how they define and identify personal work-related grievances which are to be excluded from the operation of the policy.
- Removing the requirement that the policy specify the names of the internal reporting points and deleting the section on ‘Roles and Responsibilities’, which covered WPOs, WIOs and the nomination of recipients outside the chain of command, among other things. The removal of this section will provide some simplification of an entity’s policy.
- Additional ‘best practice’ guidance on issues such as the use of independent whistleblowing services to act as an eligible recipient, and providing advice as to how an employee can made a disclosure outside the entity (including to ASIC, APRA or the ATO).
- Requirements in relation to monitoring and reporting on the effectiveness of the policy have been moved and are now set out as best practice suggestions (see section C of the Guidance).
Exemption for small charitable organisations
In addition to the release of the Guidelines, ASIC announced it is granting relief to public companies that are not-for-profits or charities with annual revenue of less than A$1 million from the requirement to have a whistleblower policy. In doing so, ASIC acknowledged that these entities may face a compliance burden that outweighs the benefits a policy might otherwise offer.
Where to from here? Counting down to 1 January 2020
ASIC has indicated that there will be no extensions to the 1 January 2020 start date, and it plans to survey the whistleblower policies of a sample of companies next year to review compliance with the legal requirements.
In light of the adjustments made to the final Guidance, organisations should now consider whether they need to revisit their whistleblowing policies to ensure they are meeting ASIC’s expectations. It is clear that short and simplistic policy, which contained links to other polices and guidance will not meet those expectations. ..
The Guidance is detailed and, in some areas, prescriptive. This is particularly the case in relation to the inclusion of detail on matters such as the length and manner that investigations will be conducted (even if these are expressed to be ‘subject to variation’). Our experience is that whistleblowing investigations are often complex and administratively challenging, and require adjustments in the investigative approach depending on the issue. This makes it difficult to adhere to any prescriptive process or timeframes.
Adopting the Guidance in its entirety without regard to internal capability, resources and structure may result in an organisation being burdened with a complex and unwieldy policy which is difficult for policy participants to understand and implement. This could in turn lead to breaches of the policy, a loss of confidence by participants in the process and, in severe cases, potential breaches of the confidentiality and other legislative requirements on how whistleblowing disclosures should be handled.
The challenge for organisations will be developing a policy that is clear, practical and adapted to their organisation, but which also meets the expectations of the regulator as indicated in the Guidelines.
Four tips for organisations
- As a baseline, ensure your policy complies with the mandatory requirements in the Guidance on and from 1 January 2020.
- Consider whether the Guidance ‘best practice’ elements are appropriate and suitable for your organisation. If some aspects are not suitable for inclusion in your policy, identify and document why this is the case.
- Consider whether there is an urgent need to amend your policy in light of the finalised Guidance, particularly if you have already relied on the draft Guidance in finalising your policy.
- Exercise caution in drafting policy amendments and rushing them through. If you have only recently rolled out your whistleblowing policy, a further version can lead to employee confusion and errors in version control.
 See Regulatory Guide 270 – Whistleblower policies, available at: https://download.asic.gov.au/media/5340534/rg270-published-13-november-2019.pdf
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.