ASIC reports on good whistleblower practices, sues directors for alleged breaches

Monday, 20 March 2023

Amanda Lyras and Josh Krechman,
Clayton Utz

    Directors should be on notice of the regulator's expectations regarding whistleblower regimes with the release of ASIC's Report 758 Good practices for handling whistleblower disclosures and ASIC's first legal action under the current whistleblower laws against TerraCom and its directors for alleged breaches of whistleblower protections.

    Since 1 July 2019, the Corporations Act has contained strengthened protections for eligible whistleblowers that restrict the disclosure of their identity and prohibit victimisation. These laws apply to a broad range of entities, including companies registered in Australia and foreign corporations in a range of circumstances. Under these laws, public companies and large proprietary companies are also required to have and make available to employees and officers a whistleblowing policy that contains certain prescribed matters.

    In 2022, we prepared a director toolkit setting out:

    • the legal framework and some practical insights and tips for directors in supporting an effective whistleblowing framework; and
    • how ASIC has worked collaboratively with entities in relation to whistleblower regimes. For example, in November 2019 it released Regulatory Guide 270 Whistleblower policies and in October 2021, ASIC released an open letter to CEOs which urged them to review their whistleblower policies and included relevant guidance.

    ASIC Report 758 - good whistleblower practices

    The report, which was released by ASIC on 2 March 2023:

    • details good practices for handling whistleblower disclosures that ASIC observed from an extensive review of seven selected organisations' whistleblower regimes;
    • confirms that ASIC will continue to review firms' whistleblower policies and arrangements for handling disclosures (including when it receives reports from whistleblowers alleging breaches of the whistleblower protections); and
    • reiterates that ASIC will act where it identifies serious harm.

    This report came hot on the heels of ASIC announcing that, for the first time under these laws, it was suing TerraCom Limited, its managing director, chief commercial officer, former Chair and a former director (all members of TerraCom's disclosure committee). In this case, ASIC is alleging that:

    • TerraCom and several of these individual respondents engaged in detrimental conduct to a whistleblower by allowing false and misleading ASX announcements to be published regarding the whistleblower's allegations; and
    • all individual respondents breached their duty to exercise reasonable care and skill in the discharge of their duties as directors and officers of TerraCom, by failing to take reasonable steps upon receipt of the independent investigator’s report into the issues raised by the whistleblower.

    What does the report mean for directors?

    In the report, ASIC encourages organisations to carefully consider:

    • formalising arrangements for board or board committee oversight of their whistleblowing policy and program, including considering which board committee is most appropriate; and
    • the frequency, type and level of information that management should provide to board committees so that they can discharge their oversight responsibilities.

    ASIC has also encouraged boards and board committees to reflect on whether they receive sufficient information to perform their oversight function and are providing informed oversight over the policy and program.

    Directors should take note of the following observed good practices outlined in the Report (noting ASIC refers to the seven organisations which participated in its review as 'firms'):


    Observed good practices

    Frameworks to facilitate effective director oversight

    • Most firms used board risk committees to oversee their policies and programs during the relevant period. At some firms, these committee meetings were generally attended by all directors, providing the entire board with visibility of how the policy and program were operating.
    • Most firms formalised the scope of their committee’s interest in their charters or terms of reference, some more specifically than others.
    • Firms provided board committees with:
      • de-identified information about all disclosures received (generally firms with relatively low volumes of disclosures) or information and updates on the progress and resolution of disclosures that met a defined risk threshold as well as information about the total volume of disclosures received (generally firms with higher volumes of disclosures);
      • revised policies for endorsement or approval;
      • periodic information about how the program was designed, resourced, and operating insights derived from data analytics or individual disclosures;
      • information about all substantiated disclosures that did not result in termination of employment of an implicated person;
      • specific follow-up or deep-dive information requested by directors; and
      • periodic training or briefings on the whistleblowing regime, the firm’s practices, and directors’ duties.

    Director engagement

    Directors were engaged in the whistleblower program and the:

    • underlying issues raised by allegations in specific disclosures, including what an issue may reveal about a relevant part or location of the firm’s business, the issue’s underlying root causes, and future preventative actions;
    • disciplinary outcomes for substantiated disclosures;
    • insights derived from data analytics;
    • timeframes for completing investigations and a timeframe’s impact on whistleblowers using the program;
    • frequency and quality of reporting received from management; and
    • design, resourcing, and operation of the program, including regulatory developments and improvements.

    While ASIC recognises that the Corporations Act does not expressly impose responsibility on a board for whistleblower programs, the regulator considers that a firm's board is ultimately responsible as part of its broader risk management and corporate governance framework. We note that ASIC has recently brought a number of enforcement actions in relation to alleged breaches of directors' duties to exercise their powers and discharge their duties with care and diligence under section 180 of the Corporations Act. For example, in addition to the allegations brought against the relevant TerraCom directors, ASIC has also recently sued current and former directors of Star Casino and Nuix for alleged breaches of the duty of care and diligence.

    Where to from here?

    The key takeaways from ASIC's report are that directors should reconsider their current whistleblower regimes to:

    • ensure that they incorporate evolving best practice, including having regard to ASIC's guidance;
    • support compliance and mitigate against the potential consequences of costly and lengthy enforcement action, in circumstances where we expect ASIC to take further action against firms and individual directors in this space having made its expectations clear; and
    • revisit the AICD’s director toolkit to refamiliarise themselves with the legal framework and some practical insights and tips for directors in supporting an effective whistleblowing framework.
