Mind the gap — ASIC turns its mind to whistleblower policies and entities must “walk” the policy “talk”

10 November 2022 08:00


Yoness Blackmore – Senior Legal Writer, LexisNexis Practical Guidance Employment


The Australian Securities and Investments Commission (ASIC) is calling on Australian CEOs from public companies, large proprietary companies and corporate superannuation trustees to review their whistleblower policies and processes to ensure compliance with private sector whistleblower laws.

Strengthened private sector whistleblower regime

An enhanced private sector whistleblower regime commenced 1 July 2019: Pt 9.4AAA, Corporations Act 2001 (Cth) and Taxation Administration Act 1953 (Cth) (together, Acts).

The regime protects eligible whistleblowers who complain about disclosable matters to eligible recipients as required under the Acts: Pt 9.4AAA, Corporations Act 2001 (Cth) (Corporations Act) and Part IVD, Taxation Administration Act 1953 (Cth) (Tax Act).

Under the Acts, eligible whistleblowers are broadly defined, and the definition extends to the supply chain and relatives or dependents of an employee, officer or contractor: s 1317AAA Corporations Act and s 14ZZU, Tax Act.

The Acts do not require a disclosure to be made in “good faith”. The whistleblower must, however, have reasonable grounds to suspect that the information concerns misconduct, or an improper state of affairs or circumstances, in relation to the regulated entity or a related body corporate of the regulated entity. In the case of the Tax Act, this concern must relate to the entity’s tax affairs.

The Acts protect whistleblowers from having their identities disclosed without consent. The whistleblowers’ policy also prohibits victimisation for a reason which includes a belief or suspicion of the whistleblowers’ anticipated or actual whistleblower disclosures. A reverse onus of proof applies once a whistleblower demonstrates there is a reasonable possibility of the belief or suspicion. Whistleblowers may seek remedies, including compensation orders.

Significant civil or criminal penalties may also be imposed for contraventions of these protections. For an individual, the maximum civil penalty is 5,000 penalty units (ie, currently $1.11 million) or three times the benefit or detriment avoided. For a corporation, the maximum civil penalty is 50,000 penalty units (ie, currently $11.1 million), three times the benefit derived or detriment avoided, or ten per cent of the body corporate’s annual turnover (up to 2.5 million penalty units). The maximum criminal penalty is two years’ imprisonment or 240 penalty units. The current penalty unit value is $222 for offences committed after 1 July 2020.

ASIC provides guidance on whistleblowing: Information Sheet 246 Company auditor obligations under the whistleblower protection provisions (INFO 246), Information Sheet 247 Company officer obligations under the whistleblower protection provisions (INFO 247), Information Sheet 238 Whistleblower rights and protections (INFO 238), Information Sheet 239 How ASIC handles whistleblower reports (INFO 239) and the ASIC Whistleblowing webpage.

Cross-pollination with more traditional workplace grievances

Increasingly, regulators and lawmakers are focusing their attention on workplace grievances such as sexual harassment and underpayments as key matters to be addressed by businesses.

Relevantly, issues of sexual harassment or underpayments may also be matters that are “misconduct” or “an improper state of affairs,” especially if systemic. The carveout under s 1317AADA for personal work-related grievances may not extend to disclosures of systemic underpayments or sexual harassment involving more than one person in the workplace (eg, hostile work environment) and these disclosures are likely to have significant implications for the entity.

Many whistleblowers will not be aware that the private sector whistleblower regime may not protect them if they disclose underpayments or widespread sexual harassment through an internal grievance process. This might happen, for example, if the internal grievance process does not authorise an eligible recipient to deal with the complaint.

Conversely, this may also create a risk for the entity itself, where it may receive a sexual harassment or underpayment complaint made in accordance with the Act but fails to provide the protections to the complainant (ie, whistleblower). As discussed above, significant civil or criminal penalties may be imposed and if the complainant is victimised and takes court action, the court may order compensation for loss and damage because of the victimisation.

Conduct regulator for whistleblower protection

On 11 November 2021, ASIC Commissioner Sean Hughes spoke at the 3rd Australian National Whistleblowing Symposium and gave a regulatory update on ASIC’s role as the conduct regulator in corporate and financial services.

Commissioner Hughes focused on whistleblower protections as being integral to that role.

He said the significantly enhanced whistleblower protections regime (which commenced 1 July 2019) benefits ASIC because it now receives more information about misconduct and is able to step in and address misconduct which may otherwise cause serious harm to consumers and investors.

ASIC is also responsible for enforcing protections offered to whistleblowers under the enhanced regime, including the protection of identity and the protection from harm and detriment. Whistleblowers may also seek compensation and other remedies through court action.

Commissioner Hughes said that ASIC takes non-compliance issues very seriously and may be able to take action against the company or individual for their detrimental actions against a whistleblower.

ASIC also flagged non-compliance with whistleblower policies as being a priority for the 2021-22 financial year. It will approach this through a corporate governance lens. It will look at how entities are handling whistleblower disclosures, how they use the information from disclosures to address issues or misconduct or change their operations and the level of board and executive oversight of whistleblower processes and procedures.

More whistleblower reports

There has been an almost 300% increase in whistleblower reports in the last three years, ie, 278 in the 2018-19, 644 in the 2019-2020 and 817 in the 2020-21 financial years. So, this is increasingly a front-of-mind issue for entities.

Commissioner Hughes said the increase in the last two years is likely correlated with the commencement of the whistleblower reforms to the Corporations Act 2001 (Cth) which largely commenced 1 July 2019.

Certain entities must have compliant whistleblower policies

Public companies and large proprietary companies must have compliant whistleblower policies that are made available to employees and officers: s 1317AI. Failing to have a compliant policy may lead to a penalty of 60 penalty units being imposed (ie, currently $133,200 for offences committed after 1 July 2020). This is a strict liability offence and, as the penalty is imposed on a corporation, it is multiplied by 10: s 1331C (ie, 60 x $222 x 10).

ASIC provides guidance on how to draft a compliant policy: Regulatory Guide 270 Whistleblower policies.

Deficiency in whistleblower policies

In the 2020-2021 financial year, ASIC reviewed 102 policies and found that while many met some of the requirements, most did not fully address the legal requirements set out under s 1317AI of the Corporations Act 2001 (Cth).

The key deficiencies include:

  • incomplete or inaccurate information about the protections — eg do not mention compensation and remedies for disclosure-related harm, explain the whistleblower’s right to confidentiality or explain that these protections are available under the law;
  • obsolete and out-of-date policies — 40% of policies were not updated to reflect the new regime, focused on internal reporting only and did not clarify that internal discussions with the whistleblower may not qualify for whistleblower protections (eg, if not made to an eligible recipient); and
  • policies without oversight arrangements — while not legally required, ASIC noted one-third of entities did not have an oversight mechanism to monitor the effectiveness of the policy and it views this as a corporate governance failure.

Commissioner Hughes observed that courts can consider whether a company’s whistleblower policy has been effectively implemented when deciding on compensation claims for whistleblowers who may have suffered for speaking out.

ASIC expects the following steps to be taken by Boards and CEOs:

  • read the open letter;
  • ensure that the whistleblower policy is compliant;
  • review internal systems and processes; and
  • more holistically, to “walk the talk”.

New reporting platform for whistleblowers within ASIC

ASIC itself recently launched a new reporting platform to complement its existing internal reporting mechanisms.

Commissioner Hughes said the new platform provides a channel for ASIC staff to easily lodge public interest disclosure reports, or other reports about integrity-related matters. It also makes it easier for those who want to raise issues anonymously to do that, and to remain anonymous throughout the assessment and investigation process.

ASIC has processes and resources which ensure its staff have confidence that the matters raised will be treated confidentially, they will be protected from retaliation, and they will be treated fairly, professionally and respectfully.

ASIC also has internal escalation and reporting mechanisms designed to ensure that it addresses immediate issues from reports but also uses the information to identify trends and address emerging risks before they become systemic.

ASIC’s efforts in this regard are evolving and are subject to continuing improvement within its operating and legal environment.

Given ASIC’s efforts to “walk the talk”, entities should expect that they need to meet similar standards to be compliant.

European developments in the Whistleblower Protection Directive

Commissioner Hughes says that ASIC will be closely monitoring developments in the European Union, including how EU member states implement the standards in the Whistleblower Protection Directive (EU 2019/1937).

ASIC also flagged that it may consider some of the broader practical guidance in the recently published ISO 37002 Guidelines for Whistleblowing management systems in its next whistleblower review.

What must entities do in order to stay compliant with whistleblower policies?

Entities must prioritise a review of their whistleblower policies and ensure they are compliant and fully supported by appropriate resources and processes.

Where there are risks of cross-pollination with more traditional HR matters (eg, sexual harassment and underpayments), entities may consider having a single reporting mechanism to an eligible recipient who can ensure protections such as confidentiality of identity and protection from victimisation are complied with. Entities may at the outset also seek consent from the whistleblower for a limited disclosure of identity as part of the investigation process.

Steps must be taken to ensure that these measures are not “set and forget”, and entities should consider analysing information collected to inform corporate governance and to drive changes within the entity to support a good corporate culture. In the case of sexual harassment, this may also be a control measure utilised to eliminate or mitigate risks of sexual harassment in the workplace as required under work health and safety legislation.

Failing to have a compliant policy may lead to a significant penalty being imposed and, if a court finds a whistleblower has been treated detrimentally, significantly higher compensation awards.
