Why now is the time to revisit your organisation’s compliance culture

Now more than ever, there is an imperative for companies to seek to create a strong compliance culture.

But it is equally important to ensure robust mechanisms are in place to identify any cracks early – both before they spread throughout the organisation, and before frustrated insiders decide that the only way they can secure action is to go outside the organisation.

After several years of consultations, committee hearings and draft proposals, the long-foreshadowed reforms to Australia’s private sector whistleblower regime – the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth) (Whistleblower Act) – were finally passed on 19 February 2019.

The Whistleblower Act will harmonise current Federal private sector whistleblower laws, expand the existing protections and remedies for whistleblowers and create a whistleblower regime for tax-related misconduct and contraventions.

These reforms will impose a significant compliance burden, and we think there is an insufficient appreciation of the challenges affected organisations have to address. For example:

  • Those who receive and investigate reports of misconduct which may trigger whistleblower protections under the Whistleblower Act (‘protected disclosures’) should review current processes for handling information given the limited permitted grounds for disclosure for the purposes of an investigation. In this context, it is important to consider the very broad range of matters which may be the subject of a protected disclosure under the Whistleblower Act.
  • Additional training will be required for ‘eligible recipients’ (company officers, senior managers, auditors and actuaries, or others authorised to receive protected disclosures) so they can identify a whistleblower report and know what to do if they receive one.
  • There is some difficulty in scoping the detail that will be required to satisfy the whistleblower policy obligation. ASIC has indicated draft guidance will be issued, preceded by a consultation process. Corporations will face significant penalties if they get this aspect wrong in practice.
  • Organisations that operate in multiple jurisdictions should consider whether a ‘one size fits all’ approach is truly appropriate, given there are differences between the whistleblower protection regimes across key jurisdictions such as the UK, EU and US.

Most provisions take effect on 1 July 2019, although the requirement for public companies and ‘large proprietary companies’[1] to have mandatory whistleblower policies, with mandatory content, applies from 1 January 2020. In practice, many companies will not delay introducing a policy, so that from 1 July those within their organisation understand their obligations to protect whistleblower confidentiality and ensure whistleblowers are not victimised.

The amendments will apply to disclosures made from 1 July, but this could concern conduct that occurred before then. Some parts of the Whistleblower Act (including matters relating to compensation and remedies) will also apply retrospectively to disclosures made prior to commencement, so long as the disclosure could have been protected had the Whistleblower Act been in force at the time.

In this heightened environment of identifying and informing on wrongdoing, there will be significant penalties for corporations (and individuals) arising from contraventions of the legislation. Just as importantly, an entity’s ability to maintain stakeholder confidence is considerably enhanced by pinpointing and resolving internal control weaknesses before this information becomes public.

The commencement of the new whistleblower requirements is an opportune time for organisations to consider holistically how they encourage people to speak up, how they respond when issues are raised and how they maintain confidence in these processes after an allegation is substantiated.

[1] A large proprietary company is currently defined in the Corporations Act 2001 (Cth) s 45A(3) as a proprietary company that satisfies at least two of the following in the financial year: (a) consolidated revenue of $25 million or more; (b) gross assets of $12.5 million or more; (c) the company and any entities it controls have 50 or more employees. However, draft regulations were introduced for consideration in 2018 (Corporations Amendment (Proprietary Company Thresholds) Regulations 2018), which would double those thresholds, meaning that fewer proprietary companies would be subject to these obligations.


Abigail Gill

Head of Investigations and Inquiries



This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.
