The federal government has introduced legislation that outlines new protections for whistleblowers, and requires public and large private companies to have a whistleblower policy. The laws are expected to be passed in the coming months, and parts of them are likely to have retrospective application.
What is the legislation?
The government is contemplating changes to a variety of statutes, including those governing corporations, taxation administration, superannuation and life insurance. This article focuses on the proposed changes to the Corporations Act 2001 (Cth).
If passed, the legislation is expected to apply to protected disclosures made after 1 July 2018. Companies covered by the legislation are expected to have until January 2019 to implement a whistleblower policy.
Who will be covered?
All companies will be covered by the new legislation. However only public companies and large private companies will be required to have a whistleblower policy. These are companies that have at least two of the following criteria: consolidated revenue of at least $25 million, consolidated gross assets of at least $12.5 million or at least 50 employees within the company and the entities it controls.
What types of disclosures are protected?
The legislation aims to protect people who make disclosures about:
- 'misconduct, or improper state of affairs or circumstances relating to the company';
- whether an offence has been committed under any legislation that requires ASIC or APRA's oversight, such as the Corporations Act 2001 (Cth) and ASIC Act 2001 (Cth);
- information about activity that threatens the safety of the public or financial system; and
- information about whether someone has committed a Commonwealth offence (civil or criminal) punishable by at least one year’s imprisonment or more.
One of the initial difficulties will be understanding what constitutes 'misconduct, or improper state of affairs or circumstances relating to the company'.
According to the bill's explanatory memorandum, this wording was deliberately broad, so as to capture conduct that doesn’t necessarily break any laws but may be viewed as unethical. The CommInsure scandal, which found that the Commonwealth Bank had not engaged in illegal conduct but had nonetheless engaged in unethical conduct that harmed consumers, was given as an example as the type of conduct that is intended to be caught.
Examples of conduct that would obviously be caught are:
- insider trading;
- insolvent trading;
- fraud; and
- failure to comply with statutory accounting and reporting requirements.
Other types of conduct that would be covered under the broad definition include:
- money laundering offences;
- offences involving terrorism financing; and
- activity that exploits loopholes in the law to harm the administration of government programs.
The Minister responsible for administering the legislation has the power to expand the types of misconduct that may be covered.
Who is protected?
The definition of a whistleblower is broad, effectively to encourage the reporting of misconduct. People protected by the legislation include:
- officers (both directors and senior management);
- individuals who supply services or goods (whether paid or unpaid);
- employees of individuals who supply services or goods (whether paid or unpaid);
- associates of a company (for example, the directories and/or secretaries of a subsidiary company) and;
- relatives or dependants of all the above categories (i.e. any spouse, parent, child, grandchild, sibling or other linear ancestor).
People within these categories do not have to be presently engaged with the company to qualify as a whistleblower. For example, former officers and employees are protected.
To whom can disclosures be made?
To qualify for protection under the legislation, the disclosure must be made to one of the following people or bodies:
- an officer of the company;
- an auditor, or member of an audit team conducting an audit into the company;
- an actuary of the company;
- a person authorised by the company to receive protected disclosures;
- a supervisor or manager of the whistleblower who is an employee of the company;
- a lawyer, for the purpose of legal representation or legal representation regarding the whistleblower protections; and
- in an emergency only, to a parliamentarian or a journalist.
What are whistleblowers protected from?
Whistleblowers who make protected disclosures will be protected from any civil, criminal or administrative liability (including disciplinary action) for making the disclosure.
No contractual or other remedies can be enforced against the whistleblower if they are exercised because of their disclosure.
Any information that is part of a disclosure is not admissible in evidence against a whistleblower in criminal proceedings or proceedings involving a penalty, except in proceedings about the falsity of the information.
Whistleblowers are also protected from “victimising conduct” as a result of making a disclosure. Victimising conduct includes dismissal from their position, injury, adjusting job duties that impacts the whistleblower negatively, discrimination, harassment or intimidation, psychological harm, as well as damage to their property, reputation or financial position.
Can whistleblowers make anonymous disclosures?
Yes. Whistleblowers do not have to disclose their identity in order to be protected under the Act.
Anyone who discloses the identity of the whistleblower who wishes to remain anonymous (or information that could disclose the identity of the whistleblower) faces a civil or criminal penalty.
What are the penalties for violating the whistleblower protections?
Whistleblowers are entitled to remedies if they are subject to reprisal, or even a threat of reprisal, because they made the disclosures.
Some of the remedies include monetary compensation, exemplary damages, injunctions to restrain the conduct or reinstating their employment (in the case of employees who are terminated because of their disclosure). In some cases, the employer may be required to apologise for their conduct towards the whistleblower.
The maximum amount that the court may order a person to pay is $200,000 for an individual, or $1 million for a company.
Who needs to have a whistleblower policy?
Only public and large proprietary companies will be required to have a whistleblower policy. As a matter of good corporate governance however, once the legislation is passed, all companies should adopt a whistleblower policy to ensure the protections in the legislation are observed.
For the purposes of the legislation, a large proprietary company is a company that satisfies at least two of the following criteria:
- consolidated revenue of at least $25 million,
- consolidated gross assets of at least $12.5 million or
- at least 50 employees within the company and the entities it controls.
Companies required to have a whistleblower policy must ensure it is available to the officers and employees of the company.
What should a whistleblower policy cover?
To comply with the legislation, a whistleblower policy will need to contain:
- the protections available to the whistleblower;
- how to make a disclosure, including details of the people to whom disclosures may be made;
- information on how the company can support whistleblowers and protect them from victimising conduct by management or other employees;
- information about how the company will investigate disclosures;
- how the company will ensure fair treatment of employees who are mentioned in disclosures; and
- how the policy is to be made available to employees or officers of the company.
The rationale for the policy is to improve company culture and transparency, as well as to deter wrongdoing. Penalties may apply to public and large proprietary companies who fail to implement a whistleblower policy.
An example of a whistleblower policy in action is the “Deloitte Whistleblower Service”, which functions as an anonymous online tip-off form for Deloitte managed by an external company. When a disclosure is made through the service, the external company files a report to a nominated person within Deloitte who then assesses the report and decides whether an investigation should take place.
Takeaways for Companies
All companies should be aware of the whistleblower legislation, so that they know how to respond if a protected disclosure is made. A failure to comply with the legislation can lead to heavy penalties.
Public companies and large private companies will be required to implement whistleblower policies. As a matter of good corporate governance, all companies should have a whistleblower policy, to ensure the protections in the legislation for whistleblowers are observed.
Companies who fail to observe the whistleblower protections may face heavy penalties, including fines.