Whistleblower protections under the Corporations Act
Part 9.4AAA of the Corporations Act 2001 (Cth), as expanded by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, gives strong legal protection to whistleblowers who disclose corporate misconduct. Every public company, large proprietary company and trustee of a registrable superannuation entity must have a compliant whistleblower policy. This guide walks through 10 core obligations.
Coverage
Every public company, large proprietary company, and trustee of a registrable superannuation entity must have a whistleblower policy. The protections themselves apply to a wider set of "regulated entities" as defined in the Part (companies, banks, insurers, superannuation entities and others), and cover current and former officers, employees, contractors, suppliers and their relatives and dependants.
Legal basis
Corporations Act 2001 (Cth) Part 9.4AAA (ss 1317AA-1317AJ, with the policy requirement in s 1317AI) governs corporate whistleblower protections. Tax Administration Act 1953 (Cth) Part IVD covers tax-specific whistleblowing. ASIC Regulatory Guide 270 sets out the content of a compliant policy.
The obligations
Maintain a compliant whistleblower policy
Public and large proprietary companies must have a written whistleblower policy covering the matters in RG 270 — protections, eligible recipients, confidentiality, investigation processes, and support available to whistleblowers.
Identify the broad class of eligible whistleblowers
Eligible whistleblowers include current and former officers, employees, contractors, suppliers, associates, and relatives or dependants of any of those. The class is much wider than employees alone.
Define eligible disclosable matters
Disclosures are protected if the whistleblower has reasonable grounds to suspect that the information concerns misconduct, an improper state of affairs or circumstances, a breach of the law, or a danger to the public or the financial system, about the entity or its officers or employees. The whistleblower does not need to be right, only to have reasonable grounds for the suspicion. Personal work-related grievances are generally not protected.
Identify eligible recipients
Disclosures are only protected if made to an eligible recipient: an officer or senior manager, the auditor or audit team, an actuary, a person the entity has authorised to receive disclosures, ASIC, APRA, or a legal practitioner for the purpose of obtaining legal advice or representation about the whistleblower provisions. Disclosures to journalists or parliamentarians are protected only as emergency or public interest disclosures, which have additional preconditions. The policy should list the internal recipients clearly, including any externally hosted reporting channel the entity has authorised.
Maintain strict confidentiality
It is an offence to disclose the identity of a whistleblower (or information likely to lead to their identification) without consent, outside the permitted exceptions (disclosure to ASIC, APRA or the Australian Federal Police, or to a legal practitioner for advice about the provisions). Information other than identity may be disclosed where reasonably necessary to investigate the matter, but only if all reasonable steps are taken to reduce the risk that the whistleblower will be identified. Penalties for breach are significant.
Protect whistleblowers from detriment
It is prohibited to cause or threaten detriment (dismissal, demotion, harassment, discrimination, harm to reputation or property) to a whistleblower because of a protected disclosure.
Provide immunity from certain liability
A whistleblower making a protected disclosure has immunity from civil, criminal, and administrative liability for making the disclosure, and no contractual or other remedy may be enforced against them for making it. The immunity covers the act of disclosing only: it does not protect the whistleblower from liability for any misconduct of their own that the disclosure reveals.
Train officers and senior managers
Officers and senior managers — particularly those who may be eligible recipients — need training on the protections, the confidentiality regime, and the investigation process. RG 270 flags training as an expected policy element.
Run a compliant investigation process
Investigations must be conducted fairly, confidentially, and by people independent of the matter. The whistleblower should be kept informed. The investigation process needs to be described in the policy.
Retain records and report concerns externally where required
Maintain records of disclosures and investigations. Where a disclosure relates to matters requiring external reporting (ASIC, APRA, AUSTRAC, police) ensure that chain is followed while preserving whistleblower confidentiality.
What happens if you do not comply
Breach of confidentiality: a criminal offence, plus civil penalties of up to $1.565 million (individual) or the greater of 3x the benefit obtained or 10% of annual turnover (corporation). Detriment offences: criminal penalties up to 2 years imprisonment and $264,000 (individuals), plus civil penalties. These dollar figures are derived from Commonwealth penalty units, which are indexed, so the amounts move over time. The court can also order reinstatement, compensation, and exemplary damages.
Reporting requirements
No periodic regulator reporting, but serious or systemic whistleblower disclosures often trigger separate regulator notification obligations (ASIC, APRA, AUSTRAC, AFSA). Document retention for at least 7 years is expected practice.
What firms should do today
- Publish the whistleblower policy on the intranet and in the employee handbook
- Nominate at least two internal eligible recipients — ideally across different functions
- Run annual training for all people managers on the confidentiality and detriment rules
- Set up a confidential external reporting line (phone or platform) as an alternative to internal disclosure
- Test the investigation playbook with a tabletop exercise at least annually
- Separate whistleblower investigations from HR grievance processes — different playbooks apply
Compliance with Quillio
Quillio drafts whistleblower policies, investigation plans, confidentiality memos, and board papers with the current Part 9.4AAA framework and RG 270 references built in. See /practice-areas/commercial-lawyers or start a free trial.
This guide is general information about whistleblower protections — not legal advice. Protection depends on the specific disclosure and recipient. Obtain specialist advice when receiving or investigating a disclosure, particularly where regulator reporting or employment consequences are involved.