A refresher on Australia’s whistleblower laws

With summer holidays well and truly over, and feet firmly back under desks, it is time for businesses to think about the year ahead and for legal and compliance teams to look at updating their compliance policies and undertaking compliance training.  This article provides a refresher on the whistleblower requirements of the Corporations Act 2001 (Cth) (Corporations Act).

A. What are the requirements of the Corporations Act?

All Australian companies are required to comply with the whistleblower protection provisions set out in Part 9.4AAA of the Corporations Act.

The whistleblower regime in the Corporations Act is intended to facilitate reporting of corporate misconduct and provides that this may be done without recrimination.  The Corporations Act therefore provides not only a regime to protect whistleblowers, but also a number of governance requirements.

The Corporations Act regime sets out:

    • The types of disclosure that are protected.
    • The rights and protections for whistleblowers.
    • Certain governance arrangements that should be implemented in respect of whistleblower disclosures.

Whistleblower disclosures

To fall within the whistleblower regime in the Corporations Act:

    • The disclosure must be made by an eligible person. The disclosures may be made not only by current and former employees, but also, for example, by suppliers to a company and their employees.
    • A disclosure must be about an eligible matter. That is a matter which amounts to, based on reasonable grounds, misconduct or an improper state of affairs or circumstances that impacts the company.  Examples include breaches of laws or regulation, bribery and corruption or danger to the public, though the Corporations Act specifically excludes defined personal work-related grievances from the scheme.
    • The disclosure must be to an eligible recipient. The list of eligible recipients includes those designated by the relevant company.  Most companies include as designated recipients an external whistleblower hotline.  But the Corporations Act allows disclosures to be made to persons who are not designated – for example, all of the directors of a company will be eligible recipients.  This means that it is important for every member of the board of a company to understand the requirements of the regime under the Corporations Act.

Protections for whistleblowers

Where a protected disclosure is made, the relevant person is protected.  For example, they are not subject to civil, criminal or administrative liabilities for making the disclosure.

Whistleblowers may also make disclosures to the Australian Securities & Investments Commission (ASIC) or, where relevant, the Australian Prudential Regulation Authority, and the Corporations Act provides for public interest and emergency disclosures.

In addition, if a whistleblower disclosure is made to a company:

    • the identity of the whistleblower must be protected – meaning that whistleblowers are able to remain anonymous and, even where the disclosure is not made on an anonymous basis, in most circumstances their identity cannot be revealed unless the whistleblower consents;
    • the whistleblower must be protected from detriment and victimisation (and from threats of the same) – this applies even if ultimately it is determined that the disclosure is not a whistleblower disclosure.

Governance requirements:  the need for a whistleblower policy

Under the Corporations Act regime, public companies and large proprietary companies (as well as corporate trustees of registrable superannuation entities) must have a whistleblower policy that, at a minimum, meets the requirements of the Corporations Act.  While the Corporations Act mandates that it is only these types of entities that must have policies in place, ASIC encourages all companies to consider implementing whistleblower policies as part of their governance arrangements.

Where a policy is required to be put in place under the Corporations Act, it must set out how disclosures will be handled (including investigations) and the protections that will be implemented for whistleblowers.[1]  The policy must be available to officers and employees and typically entities will make these available on their website.

B. What is the role of the board, based on ASIC guidance?

Importantly, there is a very clear expectation from ASIC that directors and senior managers will lead the way and will promote a culture which not only supports compliance but also supports the making of disclosures in appropriate circumstances.

Directors need to have overall oversight of their whistleblowing program, not just respond to disclosures that are received.  During 2022, ASIC undertook a review of the programs of a sample of seven large corporates.  Following that review, ASIC released a report on good practices for handling whistleblower disclosures.[2]  Key steps that ASIC recommended in that report are:

    • Boards should actively promote their company’s whistleblower policy and ensure that operational guidance documents are in place to give effect to the policy.
    • Boards should monitor the effectiveness of their company’s policy – which requires identification of metrics that indicate success. For example, not receiving any disclosures may not be “success” if this is caused by a culture of not speaking up.
    • Boards should receive updates on the management of disclosures (with the form to be determined by reference to the number of disclosures that are typically received by the company in question) and also regarding what the disclosures indicate in terms of themes and emerging risks.
    • Board members should receive regular training, as is required for other officers of the company more broadly.

C. Lessons for directors from the TerraCom case

In 2023, ASIC commenced legal proceedings against TerraCom Limited (TerraCom) alleging breach of the whistleblower provisions of the Corporations Act.  The TerraCom case provides a good example of the expectations that ASIC has of directors.

In early 2020, TerraCom (which is an ASX listed resources company) made public announcements, including to the Australian Securities Exchange and major newspapers, denying whistleblower claims, which had been made by a former employee in 2019, that TerraCom had worked with ALS (an independent lab) in falsifying its coal quality reports.  The company referred to a report from PwC, which it had commissioned to investigate the disclosure, as clearing the company and the relevant senior management.  However, the PwC report was heavily qualified and did not clear TerraCom in the manner claimed in its statements.

As well as alleging misleading and deceptive conduct in relation to the disclosures, the ASIC proceedings allege that:

    • TerraCom and its senior employees harmed the whistleblower by making the public announcements. This was a direct breach of the whistleblower provisions of the Corporations Act.
    • Relevant directors breached their duties under the Corporations Act, namely the duty to exercise powers and discharge duties with the degree of care and diligence that a reasonable person in those circumstances would exercise. Specifically, this related to a failure to take reasonable steps in relation to the issues raised by the whistleblower, including to further examine the PwC report.

While the case has not yet been heard in the Federal Court, it is a reminder, if one is needed, that directors need to consider the whistleblower regime as a core part of their directors’ obligations.

[1] ASIC’s Regulatory Guide 270 contains further details.

[2] Available here.

Angela Flannery


Quay Law Partners
Level 32, 180 George Street,
Sydney NSW 2000
T +61 419 489 093

Dave Poddar


Quay Law Partners
Level 32, 180 George Street,
Sydney NSW 2000
T +61 422 800 415