The whistleblower regime in Part 9.4AAA of the Corporations Act 2001 is one of the most significant compliance obligations that many Australian companies overlook. Since 1 January 2020, entities required to have a whistleblower policy must have one in place and make it available to their officers and employees; failing to do so is an offence under section 1317AI. The consequences of non-compliance (ASIC enforcement action, reputational damage, and the operational risk of an organisation in which misconduct cannot be safely reported) make this a document every affected business must get right.
Which companies are required to have a whistleblower policy
Under section 1317AI of the Corporations Act 2001, the following entities must have a whistleblower policy: public companies (which includes companies limited by guarantee), large proprietary companies (those meeting at least two of: consolidated revenue of $50m or more, consolidated gross assets of $25m or more, and 100 or more employees), and proprietary companies that are trustees of registrable superannuation entities. ASIC has granted relief from the requirement to some small not-for-profit companies limited by guarantee, so such companies should check whether that relief applies before relying on it.
Smaller proprietary companies are not required to have a whistleblower policy under the Corporations Act, but may be required to have one under other regulatory frameworks. AFSL holders, for example, face breach reporting obligations (see ASIC Regulatory Guide 78) that practically require a robust internal reporting system.
For those not required to have a formal policy, having one is nonetheless best practice — particularly for businesses that deal with government contracts, enterprise clients, or ESG-conscious investors who may require evidence of an ethical governance framework as part of due diligence.
What the policy must include
Section 1317AI and ASIC Regulatory Guide 270 (Whistleblower policies) together require that a compliant whistleblower policy address: the protections available to eligible disclosers; how disclosures are to be made (eligible recipients, internal and external channels); how the company will support disclosers and protect them from detriment; how the company will investigate disclosures; how the company will ensure fair treatment of employees who are mentioned in a disclosure; and how the policy will be made available to officers and employees.
The policy must clearly identify who constitutes an 'eligible discloser'. Under the Corporations Act this covers current and former officers, employees, suppliers of goods or services (and their employees), associates of the company, and the relatives and dependants of those people. It must also identify 'eligible recipients': officers and senior managers of the company, its auditor and actuary, and any person the company authorises to receive disclosures (commonly a compliance officer, legal counsel, or board member), as well as the external channels (ASIC, APRA, and, for tax-related matters, the ATO under the parallel regime in the Taxation Administration Act 1953). Disclosures to a legal practitioner for the purpose of obtaining legal advice about the whistleblower provisions are also protected.
The prohibition on detrimental conduct (often called victimisation) is one of the most important and most frequently overlooked elements. The policy must not merely prohibit victimisation in principle; it must describe the specific protections available to disclosers, including confidentiality of identity, the process for raising a victimisation concern, and the consequences for any person found to have caused detriment to a discloser.
Making the policy operational
A whistleblower policy that exists as a document but is not operationalised provides limited protection. ASIC's guidance makes clear that companies should train eligible recipients on how to handle disclosures, communicate the policy to all eligible disclosers (not just employees), and ensure the process for making a disclosure is genuinely accessible — including an anonymous channel.
Anonymous reporting channels, typically a third-party hotline or web-based reporting tool, tend to increase the number of disclosures made, as many potential disclosers are deterred by fears about confidentiality. Anonymous disclosures are protected under the Act, so the policy should describe the anonymous channel, explain how anonymity is maintained, and clarify the limitations of investigations where the discloser cannot be contacted for further information.
ASIC can and does review whistleblower policies for compliance. Policies that are clearly template-only, that name non-existent contact roles, or that contain provisions inconsistent with the legislation create enforcement risk. A policy tailored to your specific structure, naming real contact roles that are actually staffed, is significantly more effective both legally and operationally.
A compliant, operational whistleblower policy is one of the most effective internal controls available to Australian businesses. It enables early detection of misconduct, demonstrates ethical governance, and protects both the organisation and those who speak up.