ASIC recently released its Regulatory Guide 270 Whistleblower Policy” guidance to assist companies to meet their obligations under the new whistleblower protection laws.

What’s happened?

ASIC recently released its Regulatory Guide 270 Whistleblower Policy” guidance to assist companies to meet their obligations under the new whistleblower protection laws. Following the release, large proprietary companies and public companies must review their current whistleblowing policies and procedures to ensure compliance by 1 January 2020.

ASIC has indicated the commencement of periodic surveillance activities to ensure compliance with the whistleblower protection laws (including the policy requirement) due to begin on 1 January 2020. Non-compliance is now an offence and carries a penalty enforceable by ASIC.

Why is this important? 

The final ASIC Regulatory Guide remains fundamentally unchanged from the Draft Guide, but now includes much needed guidance on the mandatory elements required in an organisation’s whistleblower policy as well as helpful good practice governance tips.

Sally Mcdow, Your Call’s Head of Client Advisory believes Regulatory Guide 270 is crucial reading for organisations

“the Guide gives further insight into the specific implementation standards ASIC is looking for when auditing for compliance. When developing best-practice programs and Eligibel Recipient training we incorporate the Guide aswell as global best practice.”

Key mandatory requirements from the ASIC Regulatory Guide 270 Whistleblower Policies :  

  1. The Whistleblower policy must include specific information including:
    1. contain a brief explanation about its purpose
    2. specify who is an eligible whistleblower and the criteria to qualify for protection
    3. identify the types of wrongdoing which can be reported under the policy
    4. Identify who can receive a disclosure, including information about how a discloser can obtain additional information
    5. detail how it will be made available through training to employees), and
    6. detail the legal protections available to the discloser
  2. Training must be provided to staff to:
    1. demonstrate commitment to the policy by promoting it actively and regularly, and
    2. provide upfront and ongoing training to all staff

The above guide is not exhaustive. The ASIC Regulatory Guide should be consulted for a list of all mandatory requirements and non-mandatory good practice tips.

“Eligible Recipients must receive proper training and support to understand their roles/responsibilities under the legislation. It is crucial to establish and enforce proper procedures for this group. There is serious risk to the individual and company for mishandling a whistleblower report” says Mcdow.

What do I need to do?

With the 1 January 2020 deadline looming organisations should take immediate action and review whether their whistleblowing policies/programs are meeting ASIC’s expectations.

  1. Download our 10 Critical Actions for Company Directors guide here
  2. Don’t take a cookie-cutter approach
    The Guide is detailed and, in some sections, extremely prescriptive. Organisations must take care not to rush policy/procedure/program drafting to merely comply with the legislation – it is important to develop a tailored policy which is clear, practical and encourages a speak up culture.
  3. Be transparent and proactive with your people
    Organisations should properly understand their stakeholder demographics to best educate and inform them of the whistleblower policy, processes and procedures.
  4. Establish continuous training initatives
    Arrangements should be put in place to provide upfront and ongoing education and training to every employee particularly line managers on how to effectively manage disclosures.

The Regulatory Guide highlights that ultimate responsibility for an entity’s whistleblower policy, and its implementation, rests with the board of directors. ASIC has taken the view that an entity’s board must ensure  broader trends, themes and/or risks which emerge as a consequence of an entity’s disclosure regime are addressed as part of its broader risk management and corporate governance framework. Additionally the Board (or Audit or Risk Committee) should receive periodic reporting on the effectiveness of the policy which does not breach confidentiality or place the whistlebower at risk of detriment.