INSIGHT

ASIC enforces whistleblower laws, pursues individual directors and calls out good practice

By Rachel Nicolson, Christopher Kerrigan, Katie Gardiner, Bianca Sacco, Grace Ball, Ingrid Bennett

A healthy speak-up culture must start at the top

Again demonstrating that it has more than one tool in the regulatory workshed, in the space of a few days ASIC has commenced civil penalty proceedings against a company and its directors for alleged breaches of the whistleblower provisions, and released a report that identifies good whistleblower practices emerging from a review of seven large Australian companies.

The civil penalty proceedings concern pecuniary penalties and disqualification orders against TerraCom Limited and its directors, in relation to alleged victimisation of a whistleblower. The good whistleblower practices ASIC has identified are set out in Report 758 Good practices for handling whistleblower disclosures (Report 758).

Key takeaways

  • ASIC's position is that:
    • publicly denying a whistleblower's allegations may constitute victimisation (which is criminal conduct under the whistleblower laws); and
    • directors who fail to take reasonable steps upon receipt of an investigation report may be in breach of their directors' duty to exercise reasonable care and skill in the discharge of their duties.
  • ASIC's pursuit of individual directors in this case continues the recent trend of high-profile directors' duties prosecutions, and the regulator's focus on individual compliance and governance failures.
  • All companies operating in Australia should ensure that their whistleblower policies and programs are compliant with law, align with good practice and prevent victimisation – those that fail to do so are at risk of scrutiny and/or enforcement action by ASIC. With ASIC having received over 2200 whistleblower disclosures since July 2019, we expect its enforcement activity in this space to increase.
  • Meanwhile, Report 758 contains valuable guidance from ASIC in relation to good practices for whistleblowing programs and policies, providing useful insights to those responsible for designing and maintaining their company whistleblower program.
  • Large companies not already subject to a review by ASIC are advised to prepare for one – the regulator has indicated that it will continue to review entities’ whistleblower policies and arrangements for handling whistleblower disclosures, and that it will consider enforcement where it identifies serious harm.
  • If you only do one thing after reading this Insight (and assuming that your whistleblower program is already legally compliant), ensure that your board and executives are regularly trained on whistleblower obligations and processes. Not only will this address legal risk but a healthy speak-up culture must also start at the top – it is essential that senior people are leading the way in this area.

Who in your organisation needs to know about this?

Boards, executives, and those responsible for designing, reviewing and implementing company whistleblower programs (often legal, compliance and/or investigation teams).

Alleged breaches of whistleblower provisions in the TerraCom proceedings 

TerraCom is a coal producer in Queensland. ASIC has launched civil penalty proceedings against it and its directors in relation to whistleblower allegations by a former employee about falsification of coal quality results. Allegedly, following receipt of a whistleblower disclosure, TerraCom made two ASX announcements, and published an open letter to shareholders in the Australian Financial Review and the Australian denying the allegations.

ASIC alleges that TerraCom's directors failed to take reasonable steps to ensure those statements were not false and misleading and, as a result, caused detriment to the whistleblower's reputation and earning capacity, as well as to their psychological and emotional state. Further, ASIC alleges that TerraCom's directors and officers breached their duty to exercise reasonable care and skill in the discharge of their duties by failing to take reasonable steps upon receipt of the independent investigator’s report into the issues raised by the whistleblower. Those named in the proceeding include the former chairman of the board, the current managing director and the chief commercial officer.

The penalty proceedings come after a lengthy privilege dispute over a report prepared by PricewaterhouseCoopers concerning the whistleblower allegations, which ended when the Full Federal Court found that TerraCom had waived its privilege over the report by reason of its ASX announcements.[1]

TerraCom has denied the allegations and committed to vigorously defending the proceedings.

Meanwhile, ASIC has stated that it will refer information to the ACCC in relation to the coal falsification allegations and there have also been calls to launch a parliamentary inquiry into the issue.

Each year, ASIC receives a large volume of whistleblower disclosures. There have been over 2,200 disclosures between July 2019 (when strengthened corporate whistleblower laws commenced) and June 2022. However, this is the first time that the regulator has filed proceedings to enforce these laws and, given the large volume of disclosures that ASIC receives each year, we expect more will follow.

Guidance on good practices for handling whistleblower disclosures

During 2022, ASIC conducted a review into the whistleblowing programs of ANZ Bank, AustralianSuper, BHP, Commonwealth Bank, Netwealth Group, Treasury Wine Estates and Woolworths Group.

Report 758 focuses on good practices that ASIC identified during its review. It does not make any criticism of the seven companies' programs. By calling out good practice, the report provides guidance regarding how to establish, maintain and operate an effective whistleblower program. The key takeaways from this report are summarised below.

Establishing a strong foundation

In addition to documenting a whistleblower policy, ASIC encourages companies to do the following in order to establish a strong foundation for their whistleblower programs:

  • define and allocate the roles and responsibilities of those relevant to the whistleblower program;
  • establish supporting procedures to manage whistleblowing; and
  • ensure the program has adequate resources to keep personal information secure.

In terms of good practice in these areas, ASIC observes:

  • mature supporting procedures and guidelines included workflows or process maps, simplified guidance, template forms for consent and reports, and conversation guides for people receiving whistleblower reports;
  • identified individuals were responsible for certain aspects of the whistleblower program;
  • back-up delegates were available in the case of unavailability or potential conflicts of interest; and
  • management of information relevant to a whistleblower disclosure was deliberate and careful, either by using third parties to receive whistleblower disclosures, or by allocating that responsibility to an internal person.

Fostering a speak-up culture

ASIC identifies that creating a culture that promotes disclosures and supports whistleblowers is fundamental to an effective whistleblower program. It calls out the following as good practice:

  • providing communications to employees about whistleblowing through various channels, and training all employees as to when and how to make a whistleblower disclosure;
  • releasing routine promotional information about whistleblowing;
  • ensuring messaging around whistleblowing is simple, encouraging and practical;
  • using pre-existing and well-used 'speak-up' platforms to receive whistleblower disclosures;
  • assessing and triaging disclosures to identify whistleblower disclosures, to ensure the whistleblower receives appropriate legal protections;
  • allocating an individual to proactively protect or support whistleblowers;
  • maintaining guidelines for assessing risk and controlling the risk to whistleblowers; and
  • ensuring the terms of any settlement with a whistleblower do not limit their ability to voluntarily raise potential disclosable matters with a relevant regulator or agency.

Appropriate training

ASIC identifies training as a crucial control against breaches of whistleblower protections. It considers the following to be good practice:

  • requiring annual training that summarises legal requirements in the context of practical information;
  • arranging for the training to be provided by internal subject matter experts, external advisers and/or e-learning modules;
  • providing employees with quick reference guides and process maps, lists of questions and template consent forms; and
  • providing periodic, proportionate, specialised training to staff with specific responsibilities within a company's whistleblower program.

Ongoing monitoring and improvement

ASIC recommends that companies conduct periodic reviews of their whistleblower policies and procedures to ensure their objectives are met. Some companies considered the following:

  • guidance provided by ASIC;
  • International Standard ISO 37002:2021 Whistleblowing management systems—Guidelines;
  • feedback from directors, executives and whistleblowers;
  • advice from lawyers and auditors;
  • industry benchmarking; and
  • tracking the effectiveness of whistleblower programs against metrics such as design and operating effectiveness, trust in the program and information received by it.

Using information from disclosures

ASIC also recommends that companies investigate allegations and take steps to address issues raised by whistleblowers, as well as consider how to proactively manage areas of emerging risk.

Good practice in this regard includes communicating insights from the whistleblower program to relevant business units and executives (subject, of course, to confidentiality obligations), and addressing gaps or deficiencies in internal processes where those processes are implicated.

ASIC also identifies that culture reviews are conducted by some of the companies under review in instances where behavioural or systemic issues are raised in a disclosure but a focused investigation may reveal a whistleblower's identity. The findings from the culture review can then be used as a catalyst for further investigation or review.

Executive accountability

ASIC notes that some of the companies included in its review had appointed a senior manager to be accountable for the whistleblower program.

The role of the senior manager was generally dependent on the volume of disclosures received by the company. Where there were fewer disclosures, the senior manager was more involved in the day-to-day operation of the program, whereas they held a stronger oversight and reporting role where there was a larger number of disclosures.

Some companies supplemented the senior manager with a cross-functional committee. ASIC noted that these committees allowed companies to draw on a diversity of knowledge, perspectives and expertise when considering various issues related to whistleblower disclosures.

Director accountability

ASIC also notes that board accountability and oversight over the whistleblower process is an important aspect of a program.

It considers the board is ultimately responsible for the company's whistleblower program, as part of the company's risk management and corporate governance frameworks. The TerraCom proceeding discussed above demonstrates this expectation.

Good practice that ASIC has identified for directors to appropriately monitor the company's compliance with its whistleblowing obligations includes the following:

  • provision of de-identified information to the board about all disclosures – or, otherwise, provision of information regarding total volumes of disclosures received, and updates on the progress of disclosures that meet a defined risk threshold (depending on the number of disclosures);
  • provision of information to the board about substantiated disclosures that did not result in termination of an implicated person;
  • provision of information to the board, on a periodic basis, about how the program was designed, resourced and is operating;
  • periodic training and briefings on the whistleblowing regime, the company's practices and directors' duties being provided to the board;
  • board review of whistleblowing policies for endorsement or approval; and
  • provision of insights to the board about the whistleblower program, including its effectiveness.

Actions you can take now

ASIC has flagged in Report 758 that it will continue to review companies' whistleblower policies and arrangements, and that it will consider enforcement action (including criminal action) where serious harm is identified. We recommend that all large companies operating in Australia prepare for being placed under review, and ensure they are compliant with the laws and good practice.

In doing so, it is useful to reflect on the following questions that ASIC suggests companies ask themselves:

  • Have we established a strong foundation for our whistleblower program and is it equipped to handle disclosures?
  • Are whistleblowers utilising our program and, if not, how can we promote and grow trust in it?
  • Have we provided adequate training to people involved in receiving and investigating whistleblower reports?
  • Are we monitoring the effectiveness of our whistleblower program?
  • Are we using and sharing information from disclosures to improve our operations?
  • Do we have senior executive accountability and board oversight of the program? Is information being provided to senior management to allow them to maintain oversight?

For those responsible for their organisation's whistleblower program (assuming it is already legally compliant) and who only have time to implement one thing – if you haven't already, ensure that your board and executives receive regular whistleblower training.

The proceedings launched against TerraCom illustrate the importance of educating company directors on their obligations under the whistleblower laws. Those responsible for the whistleblowing program in their organisation should not shy away from ensuring that they have a seat in the boardroom at least once every two years and that they train all new board members upon entry. Teaching clear and simple processes for the board and executives to follow, should they receive a report or be involved in the findings of an investigation, could mean the difference between compliance and criminal conduct at your organisation. Further, a healthy speak-up culture must start at the top; it is essential that senior people are leading the way in this area.
