Corporate and financial services whistleblowing

In brief

In this Insight, we have summarised recent whistleblowing developments from an ASIC perspective, and identified several international developments which may inform ASIC's supervisory and enforcement activities in this space going forward. 

Since the corporate and financial services whistleblowing laws contained in Part 9 of the Corporations Act 2001 (Cth) (Act) commenced in July 2019, ASIC has:

  • published four information sheets on whistleblowing, and issued Regulatory Guide 270;
  • experienced a sharp increase in whistleblower disclosures received (278 disclosures in FY2019 compared to 817 disclosures in FY2021); and
  • focused primarily on supervisory activities to ensure the obligations and protections contained in the Act are effectively embedded and implemented by regulated entities. No public enforcement outcomes have been recorded to date.

The expectation is that at least for the short term ASIC will remain focused on its supervisory activities, with a review expected to be undertaken in 2022 on how regulated entities are implementing and embedding their whistleblower programs. Despite its focus on supervision, the regulator will take non-compliance with the whistleblower laws seriously, and take enforcement action, where appropriate.

2021-2025 Corporate Plan

  • ASIC remains focused on supervising the whistleblower programs implemented by regulated entities.
  • In 2022, ASIC will undertake a review of a sample of those programs to assess how entities handle whistleblower disclosures, use the information from disclosures to address issues or misconduct or change their operations, and the level of board and executive oversight of the program.

Breach reporting

  • ASIC’s new breach reporting regime commenced on 1 October 2021, requiring a wider range of financial services entities to report a wider range of matters. As was the case under the previous regime, breaches of the statutory whistleblower protections might trigger a reporting obligation.
  • The regime introduces a new obligation to report investigations into breaches or likely breaches of core obligations that are significant, where those investigations continue for more than 30 days. Generally speaking, preliminary steps completed over a short timeframe and conducted as an initial response to a whistleblower disclosure will not be considered an investigation for the purposes of the regime. A reportable situation may be triggered, however, where an assessment is undertaken as to the extent to which a whistleblower disclosure concerns a breach of a core obligation that is significant. In that case, the investigation will be reportable to ASIC from day 31.
  • It is expected that the increase in the volume of reports received by ASIC under the expanded reporting regime:
    • will enable the regulator to synthesise and draw connections with any disclosures it has received, so as to assist in identifying and promptly addressing systemic problems; and
    • may, when coupled with ASIC’s immunity policy, serve as an incentive for individuals to come forward earlier.

ASIC letter to CEOs

  • In October 2021, ASIC called on the CEOs of regulated entities to review their internal whistleblower policies.
  • The letter was issued following a sample review conducted by ASIC of whistleblower policies in 2020. ASIC identified that the majority of the policies reviewed appeared not to include all the information required by the Act, including information about the legally enforceable protections available to whistleblowers.
  • ASIC is planning to conduct a further review of whistleblower policies, and where non-compliance is identified, will consider the full range of regulatory tools available, including enforcement action.

ASIC immunity policy for whistleblowers

  • In February 2021, ASIC released a policy which provides immunity from the 'market misconduct' provisions for individual whistleblowers. A summary of the policy is set out here.
  • The policy is available to the first person who reports the misconduct to ASIC where multiple persons are involved. It applies to individuals only (not companies).
  • The policy grants an individual immunity from civil penalties and criminal prosecution, and in that way extends beyond the existing statutory protections under the Act, which only shield individuals from civil and criminal liability in relation to having made a qualified disclosure, but not from any liability arising from any contravening conduct they may have been involved in.
  • The policy may incentivise individuals to make a disclosure to ASIC in the first instance, rather than make a report to the company under the company whistleblower policy.

Worldwide developments

Worldwide, governments are increasingly focused on implementing stronger whistleblower protections across the private sector. Some key developments are highlighted here. We anticipate that ASIC will be closely monitoring international developments and assessing the extent to which these should inform their supervisory or enforcement activities, as well as their best practice guidance to regulated entities.

EU Whistleblower protection directive

December 2021 is the deadline for all EU Member States to have implemented the EU whistleblower protection directive into their national law. This covers specific areas of EU law, including financial services, the prevention of money laundering and consumer protection. The directive requires employers to establish mechanisms and procedures for individuals (including eg workers, volunteers, shareholders) to report concerns through internal channels.

In light of the LuxLeaks, Panama Papers, and Paradise Papers scandals, the directive aims to unify the currently fragmented protection of whistleblowers across the EU through establishing certain common minimum standards and a hierarchy of reporting channels. Larger legal entities will be required to comply with those requirements.

International Standard ISO37002

In July 2021, a new International Standard was released on Whistleblower Management Systems. It was developed by an expert group that included Australian stakeholders.

ISO37002 is a governance standard underpinned by the principles of trust, impartiality, and protection and provides guidelines for establishing, implementing and maintaining a whistleblower system across four core areas:

(a) receiving whistleblower reports

(b) assessing reports

(c) addressing reports

(d) concluding cases

The guidelines can be used to help organisations of any size or type.

Companies that may find ISO37002 useful include those with a global reach, and those who have adopted whistleblower policies compliant with Australian law and are looking for best practice guidance on processes and procedures to underlie that policy.

Reporting, ownership and governance

  • In the past decade, there has been an intense focus globally on governance and culture within financial services firms. One aspect of that is ensuring firms have effective arrangements in place for employees to raise concerns, and to guarantee these concerns are handled appropriately and confidentially. 
  • One way in which the financial services regulators in the UK have sought to achieve this is to require regulated entities to (among other things):
    • appoint a senior manager role of a whistleblower’s champion (typically a non-executive director) who will be responsible for ensuring the effectiveness of whistleblowing arrangements; and
    • require reporting, at least annually, to the Board on the operation and effectiveness of its systems and controls in relation to whistleblowing.
  • At present, no equivalent obligations exist in Australia. ASIC’s RG 270and the ASX Governance Principles and Recommendations suggest (but do not mandate) board visibility over whistleblower reports. RG270 recommends that an entity set up oversight arrangements at the board or audit or risk committee level, and states that it would be good practice for an entity to provide periodic reports to the entity’s board or the audit or risk committee on whistleblowing matters.
  • We understand that ASIC is currently considering whether, similar to the approach in the UK, responsibility for whistleblowing should be included in its list of prescribed responsibilities under the proposed Financial Accountability Regime. If so, a senior person within the organisation would need to be appointed in respect of that responsibility.

What does this mean for you?

  • The number of whistleblower disclosures your company receives may increase. It will be important to ensure that your whistleblowing function is appropriately resourced to deal with those disclosures as they arise, in addition to any associated investigations or reporting obligations.
  • It would be prudent to review your existing whistleblowing policy against the findings outlined in ASIC’s ‘Dear CEO’ letter, to ensure that it is compliant with the law, and identify any areas for uplift or improvement.

How can Allens help further?

We can:

  • update your company’s whistleblower policy;
  • assist you to update your company’s processes and procedures in relation to whistleblower disclosures;
  • advise and assist your company in dealing with whistleblower disclosures as they arise, and with subsequent investigations and any reporting obligations;
  • advise on how the new breach reporting regime and immunity policy will operate;
  • present to and train your directors, executives and staff on how to comply with the whistleblower laws, and to avoid heavy penalties in relation to breaches of confidentiality and detrimental conduct provisions; and
  • conduct investigations into whistleblower reports and complaints of alleged wrongdoing.