Whistleblowing – ASIC expectations

Whistleblowing continues to be front of mind for ASIC, triggering a need to reflect on, review and refresh whistleblowing protections across a range of industry segments. On 2 March 2023, ASIC released REP 758, “Good practices for handling whistleblower disclosures”, which lays down good practices for implementing whistleblower programs and follows a number of activities taken by the regulator to uplift practice across the industry.

ASIC released RG-270 on Whistleblower Policies in November 2019, in which it gave public companies, large proprietary companies, and corporate trustees of registrable superannuation entities (entities) guidelines for establishing a whistleblower policy in line with the prerequisites and instilling a culture of whistleblowing. ASIC also advised of its intention to use the full range of regulatory tools available, including enforcement action, where non-compliance is identified.

Pursuant to RG-270, and as part of a phased approach to overseeing how firms are implementing the 2019 reforms to the whistleblower protection regime, ASIC reviewed 102 whistleblower policies of leading organisations in various sectors in 2020 and set out its observations on inaccurate, incomplete or obsolete policies in a subsequent open letter to CEOs in October 2021. Many of the policies did not include the details of the required oversight arrangements.

ASIC indicated in its Corporate Plan for 2022-26 that it intends to review whistleblower programs from a sample of regulated entities to assess:

  • how whistleblower disclosures are handled
  • how this information is used to address issues or change processes/operations
  • the level of Board and executive oversight of whistleblower programs

In 2022, ASIC conducted an intensive review of the whistleblower programs of seven firms. Within REP 758, ASIC advises entities to consider how to scale and tailor good practices to suit their operations. ASIC clarified through the report that it will continue to review entities’ whistleblower policies and arrangements for handling whistleblower disclosures, including when it receives reports from whistleblowers alleging breaches of the whistleblower protections. Where serious harm is identified, ASIC will continue to consider the full range of regulatory tools available including, where appropriate, civil or criminal enforcement action.

ASIC filed proceedings against TerraCom Limited for alleged whistleblower victimisation on 1 March 2023.

Corporate attitudes towards speaking up and protecting those who do are important in indicating and driving a culture of “doing the right thing”. To instil this culture of acting lawfully, ethically and responsibly, the ASX recommends in its ASX Corporate Governance Principles to have and disclose a whistleblower policy and to inform the Board and relevant Board Committees of any material incidents reported under the policy. To aid the smooth functioning of the whistleblower mechanism, an open culture with adequate measures for whistleblower protection is fundamental. Maintaining appropriate evidence of the action taken following a whistleblowing disclosure will help build confidence in the program (for both regulators and employees). A strong whistleblowing culture supports psychological safety and encourages employees to speak up on any actual or potential systemic flaws or conduct concerns. Further, whistleblowers should be provided independence to raise disclosable matters with ASIC, APRA or any other regulatory or Government agency.

Whistleblower policies and training must support and encourage a prospective whistleblower, who is likely to have some level of concern about making the requisite disclosures. Importantly, a prospective whistleblower should not face any consequences or retribution for making a disclosure. Operational arrangements including documented procedures and guidelines to handle whistleblower disclosures serve as a foundation for whistleblowing programs.

Anonymity and confidentiality for the whistleblower are a key pillar of the framework, with civil and criminal penalties for disclosing the identity of, or victimising, a whistleblower. Another key challenge is that the investigating team must be independent of the whistleblower, to avoid potential or perceived conflicts of interest. A designated whistleblower with independent reporting to the Chief Executive and the Board/Board Committee would go a long way towards creating a culture of transparency, trust and accountability.

Data protection is also critical in setting up appropriate operations for whistleblowing systems, as most incidents will include sensitive personal data. Whistleblowing programs should be periodically reviewed to ascertain whether the whistleblowing framework is fit for its purpose, having regard to the nature, size and complexity of the organisation. It would be prudent to implement whistleblower program effectiveness indicators (qualitative and quantitative) to assess the effectiveness of the program and evaluate whether any adjustments are required to encourage whistleblowers.

The Board and Board Committees (such as the Audit and/or Risk Committee) need oversight of the whistleblowing framework and should consciously review the appropriateness, adequacy and effectiveness of the framework, as well as maintain an understanding of key disclosed incidents. Importantly, information on trends and root causes must also be considered at Board level. This is essential in enabling remediation of any flaws in the organisation’s working structures. Insightful and impactful reporting, duly integrated with other datapoints such as employee grievances, fraud, etc., will assist in remediating the efficacy of the framework within the organisation without revealing the whistleblowers’ identities.

At Deloitte, we assist our clients with their whistleblowing obligations in a number of ways:

  • Establishment and operationalisation of whistleblower frameworks
  • Review and assessment of the operating effectiveness of whistleblower frameworks, policy and procedures to assess compliance with the current regulatory and legislative requirements, including the Corporations Act and RG-270 on Whistleblower Policies
  • Offering support in managing whistleblowing incidents including forensic support, root cause analysis and resolution
  • Providing analytics and trends on incident data and advising on the proposed actions for systemic remediation
  • End-to-end whistleblower service utilising the digital whistleblowing solution Deloitte Conduct Watch
  • Online training on whistleblowing