Is your business whistleblower ready?

2020 could be the year of the whistleblower, as the effects of recent legal changes are felt and certain entities are required to implement a whistleblower policy from 1 January 2020.

Whilst it has become common practice to label any person disclosing company information as a ‘whistleblower’, it is important for businesses to recognise true whistleblowers who are protected under the law and distinguish them from others who disclose information and may be subject to sanctions. Studies show that a well thought out whistleblower policy which facilitates internal disclosures could “save companies money by resulting in fewer lawsuits and smaller settlements”.1 Risk of external and damaging disclosures could be minimised by a whistleblower policy that is supportive of disclosures being made and has consistent processes and procedures in place.

The new regime: amendments to the Corporations Act 2001 (Cth)

As of 1 July 2019, changes to the Corporations Act 2001 (Cth) (Corporations Act) and other finance related Acts were introduced to provide a consolidated whistleblower protection regime to the corporate and financial sectors.2 The changes seek to overcome the significant gaps in protection that existed in the previous regime, which was noted to have “expanded in a piecemeal way”.3

The new regime provides protections to “eligible whistleblowers” who disclose certain types of conduct. No protection is afforded to those who do not meet the legislative requirements, meaning that whistleblowers who do not adhere to the strict legal requirements may be exposed to a variety of risks, including potential civil claims by their employers, such as breach of confidence and defamation actions.

The new regime also requires certain entities to establish a whistleblower policy. It is an offence not to have a policy implemented by 1 January 2020 and, even if not caught by these requirements, all entities are now required to manage whistleblowing in accordance with the Corporations Act 2001 (Cth).4

The whistleblower regime

Under the new regime a person will be entitled to protections if they:

  1. qualify as an eligible whistleblower;
  2. disclose certain information;
  3. about disclosable matters;
  4. to a regulator/eligible recipient.

Eligible whistleblower

The new regime applies to disclosures relating to “regulated entities”, being companies, registered corporations, authorised deposit-taking institutions, non-operating holding companies, insurers and superannuation entities.5 In respect of such entities, an “eligible whistleblower” is:

  • an officer;
  • an employee;
  • someone who supplies, or an employee of an entity who supplies, goods or services to the entity (for example, a contractor);
  • an associate; or
  • a relative or dependant of any of the above persons.6

Disclosure of certain information

Only the disclosure of certain information is protected under the Corporations Act. The information must relate to the regulated entity or a related corporate body of the regulated entity.7 Additionally, the discloser must have reasonable grounds to suspect that the information relates to a “disclosable matter”.8

Disclosure of disclosable matters

An eligible whistleblower is only protected for “disclosable matters”, which, broadly speaking, includes misconduct, or an improper state of affairs or circumstances in relation to a regulated entity.9 More specifically, it includes criminal conduct that would result in imprisonment of 12 months or more;10 anything that would be a danger to the public or to the financial system;11 and conduct that breaches certain statutes.12 Solely “personal work-related grievances” that do not relate to detriment or threat of detriment to the discloser are specifically excluded under this regime.13

Disclosure to a regulator/eligible recipient

Disclosures are protected if they are made to certain persons,14 including ASIC; APRA; a lawyer, for the purpose of obtaining legal advice; an officer, senior manager, auditor or actuary of the corporation; and any other person who has been authorised by the corporation.15


If the disclosure meets the requirements set out above, then the discloser is entitled to receive the benefit of certain protections:

  • It is an offence for an individual or a corporation to disclose the identity, or information that is likely to lead to the identification, of the discloser.16 However, in certain circumstances, disclosures may be made to the Australian Federal Police, ASIC, APRA or a lawyer or with the discloser’s consent.17
  • It is also an offence for an entity to take “detrimental conduct” against the discloser due to their disclosure, or a suspicion that the discloser has made or will make a disclosure that would entitle them to protection.18 Detrimental conduct includes dismissing or demoting the employee; discriminating, harassing or intimidating the employee; damaging the employee’s property; damaging the employee’s reputation; and damaging the employee’s business or financial position.19 If the disclosure is a reason for the detrimental conduct, the discloser has the ability to bring civil proceedings to stop, or compensate for, any detrimental conduct.20
  • Similarly, if a person makes a protected disclosure, they will be protected from civil, criminal or administrative liability (including disciplinary action) for making the disclosure, as well as receiving other contractual and evidentiary protections.21

External disclosures

Protection is also available for disclosures made to journalists or Parliamentarians where the disclosure is reasonably believed to be in the public interest (public interest disclosure) or where an emergency situation exists (emergency disclosure).22

A public interest disclosure is one where:

  • the discloser has made a previous disclosure which would qualify for protection;
  • 90 days have passed since the previous disclosure was made;
  • the discloser does not have reasonable grounds to believe that the matter is being addressed;
  • the discloser reasonably believes that disclosure is in the public interest;
  • the discloser has notified the entity that they are going to disclose to the media or a member of Parliament; and
  • no more than what is necessary is disclosed.23

An emergency disclosure is one where:

  • the discloser has made a previous disclosure which would qualify for protection;
  • the discloser reasonably believes that the information concerns a “substantial and imminent danger” to the health or safety of the public or the environment;
  • the discloser has notified the entity that they are going to disclose to the media or a member of Parliament; and
  • no more than what is necessary is disclosed.24

Whistleblower policy

Public companies, large proprietary companies and trustees of registrable superannuation entities are required to establish a whistleblower policy.25 Such policies were required to be implemented by 1 January 2020. Breach of this requirement is a strict liability offence and can result in companies and individuals being faced with fines.26

‘Public companies’ include listed companies and public companies that are owned and controlled by the Commonwealth.27 A proprietary company will be considered to be a large proprietary company for a financial year if it has at least two of the following characteristics:

  • the consolidated revenue for the financial year of the company and any entities it controls is $25 million or more;
  • the value of the consolidated gross assets at the end of the financial year of the company and any entities it controls is $12.5 million or more; and
  • the company, and any entities it controls, has 50 or more employees at the end of the financial year.28

What are the requirements?

Public companies and large proprietary companies must make their whistleblower policies available to their officers and employees, and large proprietary companies must do so within six months after the end of the financial year.29 The policy should also exist on the entity’s external website.30

The policy must set out certain prescribed information, including:

  • information about the protections available to whistleblowers and how the company will protect them (including how the company will ensure that disclosers are treated fairly, if they are employees);
  • information about how the company will investigate a disclosure;
  • identifying the relevant people in the company to whom disclosures can be made; and
  • how the company will investigate disclosures.31

The policy should also reflect “the nature, size, scale and complexity of the entity’s business”.32

The Corporate Governance Principles and Recommendations also contain relevant recommendations for ASX listed companies, namely, that a listed entity should “have and disclose” their whistleblower policy and “ensure that the board or a committee of the board is informed of any material incidents reported under that policy”.33

Consequences of the regime

To reduce the risk of being exposed to legal and financial liability, businesses must ensure that they have appropriate policies in place to facilitate internal disclosures by their employees. An appropriate whistleblower policy may be effective in not only minimising instances of external disclosure, which can be highly damaging to a business’s reputation, but may also reduce litigation risks and costs. Being supportive of internal disclosures is therefore in the best interests of both employees and business. However, it is important to keep in mind that the extent of protections that will apply in relation to each disclosure will ultimately turn on its facts.

1. Stephen Stubben and Kyle Welch, ‘Evidence on the Use and Efficacy of Internal Whistleblowing Systems’ (2019) available at SSRN 3273589 in Brown et al, ‘Clean as a whistle: a five step guide to better whistleblowing policy and practice in business and government’ (Report, Griffith University, 2019) 8.
2. Taxation Administration Act 1953; Banking Act 1959; Insurance Act 1973; Life Insurance Act 1995; Superannuation Industry (Supervision) Act 1993.
3. Explanatory Memorandum, Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2017 (Cth), 7.
4. Australian Securities & Investments Commission, Regulatory Guide 270, Whistleblower Policies (November 2019) RG 270.4, 270.10.
5. Corporations Act 2001 (Cth) ss 1317AA, 1317AAB.
6. Ibid s 1317AAA.
7. Ibid s 1317AA(4).
8. Ibid s 1317AA(4)-(5).
9. Ibid s 1317AA(4).
10. Ibid s 1317AA(5)(d).
11. Ibid s 1317AA(5)(e).
12. For example, the Banking Act 1959 (Cth), Insurance Act 1973 (Cth) or the Australian Securities and Investments Commission Act 2001 (Cth); Ibid s 1317AA(5)(c).
13. For example, grievances relating to the termination of employment or conflict with another employee are excluded under the Act; Ibid ss 1317AADA(1), 1317AC.
14. Corporations Act 2001 (Cth) s 1317AA.
15. Ibid ss 1317AA(1), 1317AA(3), 1317AAC.
16. Ibid ss 1317AAE, 1317G. Note that section 1317AAE(1) is also a civil penalty provision. Currently the maximum pecuniary penalty for breach of s 1317AAE is capped at: for individuals, the greater of 5,000 penalty units or, if the court can determine the benefit derived and detriment avoided because of the contravention, three times that amount; and for corporations, the greater of 50,000 penalty units or, if the court can determine the benefit derived and detriment avoided because of the contravention, three times that amount, or either 10% of the annual turnover of the company or 2.5 million penalty units (if 10% of the annual turnover exceeds 2.5 million penalty units). It is also a criminal offence punishable by 6 months imprisonment.
17. Ibid s 1317AAE(2).
18. Ibid ss 1317AD-AE, 1317AC. Note that the punishment for this offence is up to 2 years’ imprisonment and is also a civil penalty offence, see above n 16.
19. Ibid s 1317ADA.
20. Ibid ss 1317AD, 1317AE.
21. Ibid s 1317AB.
22. Ibid s 1317AAD.
23. Ibid s 1317AAD(1).
24. Ibid s 1317AAD(2).
25. Ibid s 1317AI.
26. The penalty for breach of this requirement is 60 penalty units, which currently equates to $12,600; Ibid ss 1317AI(4), 1311(1).
27. See Corporations Act 2001 (Cth) ss 9, 1317AI(1); Public Governance, Performance and Accountability Act 2013 (Cth) s 89.
28. Corporations Act 2001 (Cth) s 45A(3).
29. Corporations Act 2001 (Cth) s 1317AI.
30. Above n 4, RG 270.138.
31. Corporations Act 2001 (Cth) s 1317AI(5).
32. Above n 4, RG 270.13.
33. Australian Securities & Investments Commission, Corporate Governance Principles and Recommendations (4th ed) (February 2019) Recommendation 3.3.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.
