Australian Organisations Move to Get Ahead of the Whistleblowing Curve

For much of the past decade, workplace disclosure programs in Australia were treated as a compliance exercise. You needed a policy. You wrote one. You filed it somewhere. Job done.

That approach is no longer good enough — and the regulatory environment is making that increasingly clear.

The legislative backdrop

The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 expanded whistleblower protections significantly. Since 1 January 2020, public companies, large proprietary companies, and trustees of APRA-regulated superannuation entities have been legally required to maintain a compliant whistleblower policy. Failure to have one is a criminal offence, with penalties of up to $165,000 for a body corporate.

But the law was always the floor, not the ceiling. What ASIC has been pushing for — consistently and with growing urgency — is genuine program maturity.

In December 2025, ASIC published Report 827 Insights from the ASIC Whistleblower Questionnaire: July 2024 to June 2025 [PDF], its most recent benchmarking review of whistleblower practices across 134 entities. The findings were pointed: 22% of companies received zero disclosures in the reporting period. Over a third had no dedicated whistleblower webpage. 30% weren’t reviewing whether their program was working at all.

Zero disclosures rarely means zero issues. More often, it means people don’t trust the system enough to use it.

Enforcement is real now

For organisations still treating whistleblowing as a paper exercise, 2025 delivered a clear signal. ASIC secured its first successful enforcement outcome under the victimisation provisions when TerraCom agreed to pay a $7.5 million penalty for breaching the whistleblower protection regime. The size of the penalty — even with mitigating factors — sent a clear message about the cost of non-compliance.

Meanwhile, the Whistleblower Protection Authority Bill 2025 has been tabled in both houses, signalling ongoing parliamentary appetite for stronger, more independent oversight of both public and private sector disclosures. The statutory review of the 2019 Act is also overdue — when it arrives, further reform is widely expected.

The direction of travel is clear: more scrutiny, more accountability, higher expectations.

The shift happening on the ground

What’s interesting is that the most forward-thinking organisations aren’t waiting to be pushed. They’re building disclosure infrastructure because they’ve recognised the business case — not just the compliance case.

The ACFE’s research is unambiguous: 43% of occupational fraud is detected through tip-offs. Audits catch far less. Internal controls catch less still. A well-functioning reporting channel is one of the most cost-effective fraud detection tools an organisation has — and it doubles as an early warning system for culture problems, safety issues, and compliance failures.

ASIC’s own data supports this. Organisations with more mature whistleblower practices consistently reported higher disclosure rates. The correlation is direct: better systems, more disclosures, earlier detection.

What good looks like

ASIC’s REP 827 identified several practices that distinguish high-performing programs from the rest. These include dedicated reporting channels — 69% of disclosures came through webpages or hotlines — the ability to communicate with anonymous reporters, and genuine follow-through that employees can see.

That last point matters most. A channel that receives disclosures but produces no visible action trains employees to stay silent. Trust is built through consistency, not policy documents.

82% of companies surveyed had engaged a third-party service provider as an eligible recipient — a recognition that independence and anonymity are not easily achieved internally.

Where this is heading

Australia’s disclosure landscape is maturing. Regulatory expectations are rising, enforcement is active, and the five-year review of the 2019 Act is on the horizon. For compliance managers and risk officers, the question is no longer whether your organisation has a whistleblower policy — it’s whether your program is actually working.

The organisations investing in that now will be better placed when scrutiny arrives. The ones waiting for a trigger may find the trigger is expensive.

When did you last review whether your disclosure program is fit for purpose? If you’re not sure, that’s a good place to start. Get in touch with Report It Now™.