Is your whistleblower policy compliant?

Generally, whistleblower policies must:

• clearly outline how, and to whom, a person can make a disclosure that qualifies for the legal protections for whistleblowers;
• explain how a company will investigate a disclosure;
• reflect the whistleblower protection regime that started on 1 July 2019; and
• accurately describe the legal rights and remedies whistleblowers can rely on if they make a qualifying disclosure.

Upon reviewing the sample whistleblower policies, ASIC found that many of the policies were non-compliant, as the policies:

• failed to list all the categories of people to whom a whistleblower disclosure can be made (and instead, were unduly limiting in requiring the disclosure to be made through a particular channel);
• failed to list all the persons that qualify for the protections;
• inaccurately referred to requirements for whistleblowers to identify themselves or make disclosures in good faith or without malice in order to qualify for protections; or
• omitted or inaccurately described the protections available under the Corporations Act 2001 (Cth) (Corporations Act).

As a consequence of this non-compliance, ASIC found that:

• there may be potential whistleblowers who do not understand how to make a protected disclosure, and are therefore discouraged from speaking up; and
• further, entities are not handling whistleblower disclosures in line with the Corporations Act obligations.

ASIC encouraged entities that are required to maintain a whistleblower policy to review both their policy and internal systems and processes, to ensure compliance with both the Corporations Act and Regulatory Guide RG270

If you have any queries or concerns about how to draft, implement or manage a whistleblower policy, or would like your whistleblower policy reviewed to ensure it is compliant with the law, please contact: Alex Gulli, Hamish Fraser, Leila Moddel, Kristy Peacock-Smith