ASIC’s new Regulatory Guidance for whistleblower policies – what you need to know


Authors: Ben Motro, Mark Caile

Service: Banking & Finance | Corporate & Commercial | Employment & Labour | Whistleblower Protections
Sector: Financial Services

Amendments to the Corporations Act 2001 (Cth) (the Act) now require certain companies to implement a whistleblower policy with particular mandatory content. On 13 November 2019, ASIC released its finalised Regulatory Guidance (as Regulatory Guide 270).

The legislative framework

From 1 January 2020, it is a criminal offence for the following companies to not have a compliant whistleblower policy in place:

  • Public companies (including not-for-profit companies registered as companies limited by guarantee);
  • Proprietary companies that have been a “large proprietary company” (as defined in the Act) for any financial year;
  • Proprietary companies that are the trustee, within the meaning of the Superannuation Industry (Supervision) Act 1993 (Cth) (SI Act), of a registrable superannuation entity (within the meaning of the SI Act).

The only exception to the above is where a company falls within the scope of an exemption issued by ASIC. At the date of publication, ASIC has only granted one exemption. This exempts certain not-for-profit companies from the requirement to have a mandatory policy. However, the scope of the exemption is very limited. Companies can also lose the ability to use the exemption if they earn above a certain threshold in any financial year. Therefore, not-for-profit companies should seek specific advice in relation to their circumstances.

Mandatory whistleblower policy content

Under section 1317AI(5) of the Act, where an organisation is required to have a mandatory whistleblower policy, that policy must contain the following:

  1. information about the protections available to whistleblowers, including protections under the Act;
  2. information about to whom disclosures that qualify for protection under the Act may be made, and how they may be made;
  3. information about how the company will support whistleblowers and protect them from detriment;
  4. information about how the company will investigate disclosures that qualify for protection under the Act;
  5. information about how the company will ensure fair treatment of employees of the company who are mentioned in disclosures that qualify for protection under the Act, or to whom such disclosures relate;
  6. information about how the policy is to be made available to officers and employees of the company; and
  7. any matters prescribed by the regulations.

ASIC’s Regulatory Guide

On 13 November 2019, ASIC released its Regulatory Guide with the intention of providing regulated entities with guidance in the preparation and implementation of mandatory whistleblower policies. The Regulatory Guide sets out what ASIC regards to be mandatory content, and also sets out ASIC’s “good practice” recommendations for what should ideally be included in a whistleblower policy.

Whilst some of ASIC’s recommendations are commendable and provide regulated entities with helpful guidance in drafting compliant whistleblower policies, the Regulatory Guide is based on ASIC’s own interpretation of the legislation, as we are yet to see any judicial interpretation of this part of the legislation (and do not expect to for some time).

Some may perceive the regulatory guidance as going beyond the minimum requirements of the legislation. Nevertheless, as ASIC is the regulatory agency responsible for ensuring compliance with the legislation, any deviation from its regulatory guidance should be undertaken carefully, and only after obtaining legal advice.

Regulated entities also need to consider the practical effects of adopting ASIC’s guidance in its totality.  The court is required to assess whether it will make an order for compensation or other remedy in favour of someone who has suffered detriment as a consequence of making a protected disclosure.

However, the effect of section 1317AE(3)(b) is that if an employer has such a policy (whether or not actually required by the Act to have one), the court may have regard to the extent to which the employer gave effect to that policy.

Accordingly, regulated entities should not blindly follow the ASIC Regulatory Guidance, and must have regard to what they can practically implement at a minimum level. Strict adherence to the legislative requirements will be essential, but overzealous adoption of unnecessary measures may have severe financial consequences for those employers and other entities that adopt measures they cannot in practice satisfy.

What does this mean for us?

The ASIC Regulatory Guidance is a helpful tool for organisations that are required to have a whistleblower policy.

However, such guidance should not be a substitute for legal advice, and regulated entities should consult their legal advisers to establish a policy that is workable, cost-effective and legally defensible.

Key Takeaways
  • From 1 January 2020, it is a criminal offence for relevant companies to fail to have a whistleblower policy which includes the mandatory content required under the Act.
  • Companies should carefully consider the ASIC Guidance, but should adapt their policies to their organisational needs.
  • Companies should avoid increasing their potential civil liability by adopting a policy that is overly prescriptive and impractical.
  • Not-for-profit companies, if registered under the Act, should seek legal advice to confirm whether they fall within the limited exemption for not-for-profit companies issued on 13 November 2019.