Common compliance gaps in whistleblower policies

Following the introduction of a consolidated whistleblower regime in July 2019, ASIC has conducted a review of whistleblower policies of many regulated entities and identified that most are not compliant.

The whistleblower regime

In July 2019, changes were made to the Corporations Act 2001 (Cth) that required certain entities (including public companies and large proprietary companies) to implement a whistleblower policy from 1 January 2020. For more details, see our article on the whistleblower policy regime. In November 2019, ASIC also released a regulatory guide RG 270 Whistleblower policies to assist regulated entities with establishing, implementing and maintaining a compliant whistleblower policy and program.

Common compliance gaps in whistleblower policies

In the 2020-2021 financial year, ASIC reviewed the whistleblower policies of 102 regulated entities to understand how entities are responding to the expanded whistleblower regime, benchmark the standard of policies across regulated entities and refine ASIC’s regulatory approach.

Though the policies reviewed met some of the requirements of the whistleblower regime, ASIC identified three main compliance gaps:

  • Unclear, incomplete or inaccurate information: A third of policies reviewed had unclear, incomplete or inaccurate information about the whistleblower protections available. Common errors included policies that failed to:
    • list all eligible whistleblowers;
    • explain all protections available under the law, including a whistleblower’s right to confidentiality; and
    • detail all remedies available to whistleblowers, including the right to compensation if the whistleblower incurred harm due to disclosure.
  • Obsolete and out-of-date policies: Many policies referred to obsolete requirements under the whistleblower regime or had not been updated to refer to the expanded scope following changes made in 2019. For example, some policies included the obsolete requirements for whistleblowers to:
    • identify themselves; and/or
    • make disclosures in good faith or without malice in order to qualify for protection.
  • Lack of oversight arrangements: ASIC expressed concern that many regulated entities have taken a “set and forget” approach, by not including clear mechanisms for review of whistleblower policies. ASIC has suggested that there should be clear review mechanisms set out in a whistleblower policy, and board oversight for certain types of investigations.

ASIC will continue to scrutinise whistleblower programs

ASIC has flagged that it intends to continue to review whistleblower programs. In the ASIC Corporate Plan 2021-25, ASIC has said that it will continue to review whistleblower policies and programs from a sample of regulated entities, including conducting assessments of their whistleblower disclosure handling processes and the level of board and executive oversight.

What does this mean for your business?

All businesses should confirm whether they must have a whistleblower policy in place, and if so, ensure that their whistleblower policy and program is compliant with the requirements set out in the Corporations Act.

Please contact us if you need any assistance with reviewing your whistleblower policy and program.


1 https://asic.gov.au/about-asic/news-centre/speeches/whistleblower-policies-and-the-compliance-gap/; https://download.asic.gov.au/media/pnkbtzpp/letter-to-ceos-on-whistleblower-policies-published-13-october-2021.pdf

© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.