The federal government has introduced legislation outlining new consolidated protections for whistleblowers, and requiring public companies, large private companies and private companies that are trustees of registrable superannuation entities to have a whistleblower policy. The new laws will commence on 1 July 2019.
This article was originally published on 7 September 2018 by Rachel Worsley. It has been revised by the author following assent to the Bill on 12 March 2019.
What is the legislation?
The current whistleblower protections and remedies are contained in a number of statutes, including those governing corporations, taxation administration, superannuation and life insurance. The changes consolidate those protections and remedies and provide for a single framework which will be set out in the Corporations Act 2001 (Cth). A similar regime will be introduced to the Tax Administration Act 1953 (Cth). This article focuses on the changes to the Corporations Act.
The legislation will apply to protected disclosures made after 1 July 2019. Certain companies covered by the legislation are required to implement a whistleblower policy, or update their existing whistleblower policies so they comply with the new regime, before 31 December 2019.
Who will be covered?
All companies will be covered by the new legislation. However, only public companies, large private companies and private companies that are trustees of registrable superannuation entities (RSEs) will be required to have a whistleblower policy.
A large private company is one that satisfies at least two of the following criteria: consolidated revenue of at least $25 million, consolidated gross assets of at least $12.5 million or at least 50 employees within the company and the entities it controls.
An RSE is a regulated superannuation fund, an approved deposit fund or a pooled superannuation trust. A self-managed superannuation fund is not an RSE. You can find a list of RSEs here.
What types of disclosures are protected?
The legislation aims to protect people who make disclosures about:
- ‘misconduct, or improper state of affairs or circumstances relating to a regulated entity’ (essentially all companies and RSEs) on the basis that the whistleblower has ‘reasonable grounds to suspect’;
- whether an offence has been committed under any legislation that requires ASIC or APRA's oversight, such as the Corporations Act 2001 (Cth) and ASIC Act 2001 (Cth);
- information about activity that ‘represents a danger to the public or financial system’; and
- information about whether someone has committed a Commonwealth offence (civil or criminal) punishable by at least one year’s imprisonment.
One of the initial difficulties will be understanding what constitutes 'misconduct, or improper state of affairs or circumstances relating to the company'.
According to the Bill's explanatory memorandum, this wording was deliberately broad, so as to capture conduct that doesn’t necessarily break any laws but may be viewed as unethical. The CommInsure scandal, which found that the Commonwealth Bank had not engaged in illegal conduct but had nonetheless engaged in unethical conduct that harmed consumers, was given as an example of the type of conduct that is intended to be caught.
Examples of conduct that would be caught are:
- insider trading;
- insolvent trading;
- fraud; and
- failure to comply with statutory accounting and reporting requirements.
Other types of conduct that would be covered under the broad definition include:
- money laundering offences;
- offences involving terrorism financing; and
- activity that exploits loopholes in the law to harm the administration of government programs.
If the person engaging in conduct caught by the legislation is an employee, and the conduct was in connection with their position as an employee, the employer is effectively deemed to be liable for that employee’s conduct. A court may make an order requiring both employer and employee to jointly compensate the victim. Alternatively, it may be that only the employer is required to compensate the victim.
A ‘personal work-related grievance’ will not be protected by the new legislation. Some examples of this type of conduct include, among other things, interpersonal conflicts between the whistleblower and an employee or a decision relating to the engagement, transfer or promotion of the whistleblower.
The Minister responsible for administering the legislation has the power to expand the types of misconduct that may be covered.
Who is protected?
The definition of a whistleblower is broad, effectively to encourage the reporting of misconduct. People protected by the legislation include:
- officers (both directors and senior management);
- individuals who supply services or goods (whether paid or unpaid);
- employees of individuals who supply services or goods (whether paid or unpaid);
- an individual who is an associate of a company (for example, the directors and/or secretaries of a subsidiary company); and
- relatives or dependants of all the above categories (i.e. any spouse, parent, child, grandchild, sibling or other lineal ancestor).
People within these categories do not have to be presently engaged with the company to qualify as a whistleblower. For example, former officers and employees are protected.
To whom can disclosures be made?
To qualify for protection under the legislation, the disclosure must be made to one of the following people or bodies:
- an officer of the company;
- an auditor, or member of an audit team conducting an audit into the company;
- an actuary of the company;
- a person authorised by the company to receive protected disclosures;
- a senior manager of the whistleblower who is an employee of the company;
- a lawyer, for the purpose of legal representation or legal representation regarding the whistleblower protections; and
- a parliamentarian or a journalist (but only where it is a public interest or emergency disclosure).
What are whistleblowers protected from?
Whistleblowers who make protected disclosures will be protected from any civil, criminal or administrative liability (including disciplinary action) for making the disclosure.
No contractual or other remedies can be enforced against the whistleblower if they are exercised because of their disclosure.
Any information that is part of a disclosure is not admissible in evidence against a whistleblower in criminal proceedings or proceedings involving a penalty, except in proceedings about the falsity of the information.
Whistleblowers are also protected from ‘victimising conduct’ as a result of making a disclosure. Victimising conduct includes dismissal from their position, injury, adjusting job duties that impact the whistleblower negatively, discrimination, harassment or intimidation, psychological harm, as well as damage to their property, reputation or financial position.
The costs of instigating proceedings in court can be a deterrent to any person seeking compensation for damage. Under the new legislation, whistleblowers and victims are protected from an award of costs against them where they seek compensation. There are some limited exceptions to this rule.
Can whistleblowers make anonymous disclosures?
Yes. Whistleblowers do not have to disclose their identity in order to be protected under the legislation.
Anyone who discloses the identity of the whistleblower who wishes to remain anonymous (or information that could disclose the identity of the whistleblower) faces a civil or criminal penalty.
Will the disclosure remain confidential?
It is no longer unlawful to disclose the information received from the whistleblower as long as it is reasonably necessary to investigate the information and reasonable steps are taken to reduce the risk that the whistleblower will be identified by the information that is disclosed.
What are the penalties for violating the whistleblower protections?
Whistleblowers are entitled to remedies if they are subject to reprisal, or even a threat of reprisal, because they made the disclosures.
Some of the remedies include monetary compensation, exemplary damages, injunctions to restrain the conduct or reinstating their employment (in the case of employees who are terminated because of their disclosure). In some cases, the employer may be required to apologise for their conduct towards the whistleblower.
The maximum civil penalties for ‘detrimental conduct’ are:
- for a company, approximately $10.5 million, three times the benefit derived or detriment avoided or 10% of annual turnover; and
- for an individual, approximately $1.05 million or three times the benefit derived or detriment avoided.
The maximum criminal penalty is 2 years’ imprisonment.
Who needs to have a whistleblower policy?
Only public companies, large private companies and private companies that are trustees of RSEs will be required to have a whistleblower policy. As a matter of good corporate governance, however, all companies should adopt a whistleblower policy to ensure the protections in the legislation are observed.
Companies required to have a whistleblower policy must ensure it is available to the officers and employees of the company.
What should a whistleblower policy cover?
To comply with the legislation, a whistleblower policy will need to contain:
- the protections available to the whistleblower;
- how to make a disclosure, including details of the people to whom disclosures may be made;
- information on how the company can support whistleblowers and protect them from victimising conduct by management or other employees;
- information about how the company will investigate disclosures;
- how the company will ensure fair treatment of employees who are mentioned in disclosures; and
- how the policy is to be made available to employees or officers of the company.
The rationale for the policy is to improve company culture and transparency, as well as to deter wrongdoing. Failure to comply with the requirement to have a whistleblower policy is an offence. The current fine is $12,600.
An example of a whistleblower policy in action is the “Deloitte Whistleblower Service”, which functions as an anonymous online tip-off form for Deloitte managed by an external company. When a disclosure is made through the service, the external company files a report to a nominated person within Deloitte who then assesses the report and decides whether an investigation should take place.
Takeaways for Companies
All companies should be aware of the whistleblower legislation, so that they know how to respond if a protected disclosure is made. A failure to comply with the legislation can lead to heavy penalties.
Public companies, large private companies and private companies that are trustees of RSEs will be required to implement whistleblower policies. As a matter of good corporate governance, all companies should have a whistleblower policy, to ensure the protections in the legislation for whistleblowers are observed.