Changes to whistleblower laws: what not-for-profits need to know

The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 took effect on July 1 this year, amending the Corporations Act 2001 so that a single, strengthened whistleblower regime covers the corporate, financial and credit sectors.

And the Act is about to show its teeth, with the Australian Securities and Investments Commission (ASIC) indicating it will commence compliance audits in January 2020.

Criminal and civil penalties for non-compliance with the Corporations Act include fines of up to $1 million for individuals and $525 million for organisations.

A new guide published by ASIC last month, Regulatory Guide 270: Whistleblower Policies, outlines the changes, which include an exemption from the requirement to have a whistleblower policy for not-for-profits and charities with annual revenue of less than $1 million.

All incorporated companies remain bound by the whistleblower protection provisions in the Act, regardless of whether they are required to have a whistleblower policy.

The ASIC guide includes best-practice tips covering everything from encouraging whistleblowers to speak up, to focusing on the substance of whistleblower disclosures rather than on the motive of the whistleblower.

If your organisation's whistleblower policy was drafted before November this year, you should review it before January 1 to ensure it takes ASIC's new guidance into account.

1. Understand the consequences of non-compliance
   Breaches of the whistleblowing protection provisions attract serious penalties. These include fines of up to $1 million and jail sentences of up to two years for individuals, and fines of up to $525 million for organisations.
2. Demonstrate active and tangible leadership
   Provide active leadership and support for disclosers in your organisation. Ensure management provides the board with regular reports on the whistleblowing program.
3. Conduct a risk assessment
   Ensure a risk assessment is conducted for your organisation's whistleblower program, and allocate appropriate resources to ensure compliance.
4. Ensure your policy is legally compliant by 1 January 2020, and provide associated training
   By 1 January 2020, you should have in place a whistleblowing policy that is legally compliant and also in line with the guidance issued last month by ASIC. If your organisation is listed on the ASX or is a large private company, you must also a) issue the policy and guidelines to everyone to whom the policy applies, and b) provide training to all staff (ASIC has provided specific guidance on this).
5. Establish key roles and accountabilities
   Establish key roles responsible for protecting or safeguarding disclosers and witnesses from victimisation or detrimental action, and key roles for investigating reports.
6. Establish "eligible recipient" internal reporting pathways
   Designate and train specific staff members as "eligible recipients" for receiving disclosures internally and directly from disclosers.
7. Establish additional reporting pathways for disclosers
   Provide alternative means for disclosers to make disclosures, including a secure and safe means which allows disclosers to remain anonymous if they wish. These should include an external independent channel to receive reports of misconduct.
8. Implement continuous review processes
   Allocate senior personnel responsible for periodically reviewing the effectiveness of the policy and procedures, and updating them accordingly.
9. Understand that breaches of confidentiality will lead to significant penalties and reputational risk
   If a whistleblower makes a disclosure, ensure confidentiality is maintained throughout the process that follows.
10. Ensure timely and effective management of whistleblowing reports
    Ensure that disclosures are managed, assessed, investigated and progressed and finalised within a reasonable timeframe and in accordance with the policy and new laws, including providing effective and timely communication with the whistleblower.

You can use this flow chart to check whether your organisation is required by law to have a whistleblower policy.

But even if the law doesn't insist on it, why wouldn't you have such a policy?

Thousands of crimes targeting Australia's not-for-profits are going unreported, the ICDA Spotlight Report: Fraud & Cybercrime reveals. According to the study, asset theft and cyberhacking are the most common crimes suffered, followed by credit card fraud and cash thefts. In about a quarter of asset theft cases, the perpetrator was a staffer or a volunteer.

Whistleblowing plays a crucial role in managing risk and cultivating an ethical culture in your not-for-profit organisation. It's an essential and effective tool in your good governance toolkit.

Research conducted in 2014 by BDO Australia found that tip-offs from whistleblowers were more effective in uncovering fraud within a not-for-profit organisation than any other method, including strong internal controls, internal audits and external audits.