The whistleblower protection regime was introduced in 2019, and required large proprietary companies, public companies as well as corporate trustees of registrable super entities to have specific policies that outline the legislated protections for whistleblowers under the Corporations Act and how misconduct can be reported.

While it is obvious what public companies and corporate trustees of registrable super entities refer to, a proprietary company will be considered to be a large proprietary company and captured under the whistleblower protection regime if it meets at least two of the following:

• have consolidated revenue for a financial year of $50m or more (this includes the company and any entities it controls);
• value of consolidated gross assets at the end of the financial year of $25m or more (this includes the company and any entities it controls);
• the company and any entities it controls has 100 or more employees at the end of the financial year.

If at any time during the financial year, a company qualifies as a large proprietary company, they are required to have in place a whistleblower policy and make it available to officers and employees within 6 months after the end of that financial year. For example, if a company qualifies as a large proprietary company in the 2021-22 financial year, the whistleblower policy must be made available to relevant individuals by 30 December 2022.

After an initial settling in period to allow companies to implement these enhanced whistleblower protection reforms, the last ASIC review in 2020 found a majority of the 102 policies fell short of the legal requirements. The two most prevailing areas of concern include incomplete or inaccurate information, and out-of-date or obsolete policies.

In addition, ASIC notes that while not legally required, it was concerned to see many policies did not include details of the oversight arrangements for the whistleblower policy and program. Company officeholders including directors and senior managers have obligations to ensure whistleblower provisions are not breached when handling a disclosure, hence the importance of maintaining oversight over the whistleblower program itself.

ASIC reminds qualifying entities that the whistleblower policy itself must cover information on the protections available, how disclosures can be made and to whom, how the entity will support and protect whistleblowers, how the entity will investigate disclosures, how the entity will ensure fair treatment of employees, and other matters. It must also include information on the protections provided under the tax whistleblower regime. Specific detail of what must be included can be found in ASIC Regulatory Guide 270.

If you are a company officeholder or a senior manager of a qualifying entity in relation to the whistleblower protection regime, beware that one of ASIC’s priorities for the 2022 year is to review policies from a sample of companies in order to assess the handling of whistleblower disclosures, how information is used to address issues or change operations, and the level of board and executive oversight of the program. Any non-compliance identified will be subject to the “full-range of regulatory tools…including enforcement action”.