Does your organisation have a compliant whistleblowing policy?

Rohit Sharma


Based on our numerous conversations with clients about the increased protection for whistleblowers under the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, applicable from 1 July 2019, we understand that an organisation's biggest concern is often whether its whistleblower policy is up to date.

To address these concerns, we have listed a few FAQs, which may be helpful to you and your organisation in making an informed decision. We’ve included questions on the recent changes, applicability and how you can keep abreast of the changes.

When do the changes come into effect?

Protection of whistleblowers has been amended and expanded in the Corporations Act 2001 (Cth) (Corporations Act) which is applicable from 1 July 2019. Certain companies will be required to have a whistleblower policy which adheres to the amended legislation from 1 January 2020.

Does it apply to all companies?

The requirement for a whistleblower policy does not apply to all companies; it applies to:

  • Public companies;
  • Large proprietary companies;
  • A proprietary company that is the trustee of a registrable superannuation entity.

Given the far-reaching impact, we recommend that every company design and implement a whistleblower policy, or at least have a process in place through which whistleblowers can report instances of fraud anonymously.

Why should you have a whistleblower policy if it’s not mandatory for your organisation?

As reported by the Association of Certified Fraud Examiners (ACFE) in its 2018 Report to the Nations, an organisation loses an average of 5% of its annual revenues to fraud, and 40% of the reported frauds are detected via whistleblowing [1].

Most organisations are under a delusion that no fraudulent activity has ever taken place in their organisation because it was never reported or detected. Absence of detection does not necessarily mean that no fraudulent activity has ever taken place; it may instead indicate that the organisation’s internal processes are not sufficiently strong to detect a fraud, or that the people associated with the organisation are not comfortable reporting a fraud. This could be because of an inherent fear of being targeted or victimised once the fraud is reported. Implementing a whistleblower policy or an anonymous reporting process provides an additional layer of protection and confidence for a whistleblower to come forward and raise concerns without the fear of being targeted or losing their job.

One suggested tactic is for an organisation to form a committee of senior management/board members and designate the committee with an email ID. The organisation may then encourage the employees to anonymously report potential fraud to the committee via the given email. The employees can report potential frauds using anonymous IDs which will give them a level of comfort to report suspected frauds without the fear of being victimised.

What are the factors to be considered while designing a whistleblower policy?

In order to ensure that the policy is compliant with section 1317AI of the Corporations Act, the policy must set out the following:

  • the protections available to whistleblowers; and
  • to whom whistleblowers can disclose information and the process to be followed to disclose such information; and
  • how the company will support whistleblowers and protect them from damage/injury; and
  • how the company will investigate disclosures; and
  • how the company will ensure fair treatment of employees of the company who are mentioned in whistleblower disclosures; and
  • how the policy will be made available to officers and employees of the company.

The organisation may also consider including a discussion on whether the whistleblower would like to be identified or to remain anonymous, and the process to be followed in either case. There should also be processes in place to manage situations where the person of interest in relation to the disclosure is also a recipient of the report.

What if the company has a whistleblower policy in place?

If the company has a whistleblower policy in place, then it is the company’s responsibility to review the existing policy and update it to ensure compliance with the current amendments. Upon review, it is possible that the existing policy may require a complete overhaul, with a new policy designed afresh.

What happens if the company does not have a whistleblower policy or does not update its existing whistleblower policy?

If the company does not have a whistleblower policy or has not updated its existing whistleblower policy by 1 January 2020, it may be charged with a penalty of up to $12,600.

What are the consequences if the company or an employee breaches the policy?

Designing a policy is only half the job; it is also important to ensure that the policy is well implemented and meets its objectives. As a better practice, the company should organise training sessions to educate senior management about the changes in the whistleblower policy, including anonymity of the complainant, and to inform employees about the protection granted under the whistleblower policy.

In case of a breach of confidentiality and anonymity, the individual may be charged with a civil penalty of up to $1.05 million, while the company may be charged with a penalty of up to $10.5 million.

We understand you may have a number of unanswered questions. To have a detailed discussion on how to comply with the amendments or learn how Findex specialists can be of any help, contact your local adviser.

[1] 2018 Report to the Nations | ACFE