
Whistleblower Compliance in Australia: Corporations Act, AUSTRAC and Documentation Guide 2026

Australian whistleblower documentation obligations: Corporations Act Part 9.4AAA, AUSTRAC suspicious matter reporting, Privacy Act 1988, and ASIC guidance for Australian businesses.

CheckFile Team

Regulatory disclaimer: This article is for informational purposes only. Australian whistleblower obligations apply under the Corporations Act 2001 and AML/CTF Act 2006. Consult legal counsel for your specific situation.

Australia has a robust, company-specific whistleblower protection regime under Part 9.4AAA of the Corporations Act 2001, significantly strengthened by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019. Unlike the EU's size-based threshold system, Australian obligations apply to public companies, large proprietary companies, and companies limited by guarantee, regardless of employee count in most cases. This guide covers the documentation requirements your compliance team must maintain.

Who Must Comply: Australian Whistleblower Obligations

| Entity type | Whistleblower policy required? | Source |
|---|---|---|
| Public companies (listed and unlisted) | Yes | Corporations Act s1317AI |
| Large proprietary companies (revenue ≥ $50M, assets ≥ $25M, or 100+ employees) | Yes | Corporations Act s1317AI |
| Companies limited by guarantee | Yes | Corporations Act s1317AI |
| Registered managed investment schemes | Yes | Corporations Act |
| ADIs (Authorised Deposit-taking Institutions) | Yes, plus APRA prudential standards | APRA CPS 510 |
| Smaller private companies | No mandatory policy, but protections still apply to eligible disclosures | Corporations Act |

AUSTRAC-regulated entities have additional obligations. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), reporting entities must submit Suspicious Matter Reports (SMRs) to AUSTRAC and maintain documented AML/CTF programs that include internal reporting procedures. As of January 2026, AUSTRAC's amended guidance explicitly requires reporting entities to address the protection of employees who raise AML/CTF concerns internally.

Corporations Act Whistleblower Policy: Documentation Requirements

Under section 1317AI of the Corporations Act, an entity that is required to have a whistleblower policy must set out the following in a written, publicly available document:

Mandatory policy content

  1. Information about the protections available to whistleblowers under the Corporations Act
  2. Information about the entity's internal mechanisms for making disclosures
  3. Information about how the entity will investigate disclosures
  4. Information about how the entity will protect the confidentiality of disclosures
  5. Information about how the entity will protect whistleblowers from detriment
  6. Information about the availability of external reporting channels (ASIC, ATO, APRA)

ASIC guidance RG 270 (Whistleblower Policies) provides detailed guidance on what must be included in a compliant policy. ASIC has taken enforcement action against companies with inadequate policies.

Record-keeping requirements

| Document | Retention period |
|---|---|
| Whistleblower disclosures received | 7 years (aligned with the Corporations Act general records requirement) |
| Investigation records and outcomes | 7 years |
| Disclosures to ASIC, ATO, or APRA | 7 years |
| Training records for disclosure officers | 7 years |
| Policy versions and review dates | 7 years from each version date |

All records related to whistleblower disclosures must be secured with restricted access: only the Whistleblower Protection Officer (WPO) and authorised investigators should have access during an active investigation.

Eligible Disclosures and Protected Conduct

Under Part 9.4AAA, an "eligible whistleblower" is a current or former officer, employee, contractor, supplier, associate, or their relatives or dependants. An "eligible disclosure" is a disclosure that:

  • Is made to ASIC, APRA, the ATO, another prescribed body, or a legal practitioner for the purpose of obtaining legal advice
  • Relates to a contravention of, or concern about, the Corporations Act, the ASIC Act, banking laws, insurance laws, or superannuation laws
  • Is made by an eligible whistleblower who has reasonable grounds to suspect the conduct

Anonymous disclosures are protected under the Corporations Act, provided the whistleblower does not disclose their identity. The protected whistleblower's identity must not be disclosed without their consent, except in limited circumstances (e.g., to ASIC investigators).


AUSTRAC Suspicious Matter Reporting (SMR) Documentation

Financial institutions and other designated reporting entities must submit SMRs to AUSTRAC when they form a suspicion that a matter is relevant to an investigation of, or prosecution for, an offence against any Australian law.

SMR documentation obligations:

| Obligation | Timeframe | Source |
|---|---|---|
| File SMR with AUSTRAC | As soon as practicable after forming suspicion | AML/CTF Act s41 |
| Retain SMR and supporting records | 7 years from date of transaction | AML/CTF Act s106 |
| Tipping-off prohibition | Ongoing | AML/CTF Act s123 |
| AML/CTF Program review | At least every 3 years | AML/CTF Rules |

AUSTRAC's tipping-off prohibition under section 123 of the AML/CTF Act is absolute: a reporting entity must not disclose to the subject of an SMR that a report has been made or is being considered. This is more restrictive than most EU member state implementations of the EU Whistleblowing Directive.

Privacy Act 1988 and Australian Privacy Principles (APPs)

Whistleblower data is personal information subject to the Privacy Act 1988 and the Australian Privacy Principles (APPs). Key obligations for whistleblowing channel operators:

  • APP 3 (Collection): Collect only personal information that is reasonably necessary for the legitimate business purpose (investigating the disclosure)
  • APP 6 (Use and Disclosure): Use whistleblower information only for the purpose for which it was collected
  • APP 11 (Security): Take reasonable steps to protect whistleblower personal information from misuse, interference, loss, and unauthorised access
  • APP 1 (Open and Transparent Management): Update your privacy policy to describe how you handle whistleblower disclosures

The OAIC (Office of the Australian Information Commissioner) has published guidance on whistleblower privacy. A Privacy Impact Assessment (PIA) is recommended before deploying a new whistleblowing platform.

Identity Verification in the Australian Context

For Australian entities, the identity documents relied on in whistleblower and KYC contexts are:

| Document | Use |
|---|---|
| Australian passport | Primary identity document |
| Driver's licence (state/territory) | Secondary ID for most KYC purposes |
| ImmiCard | Visa holders' identity document |
| Tax File Number (TFN) | Tax identification (must not be used as general ID) |
| ABN/ACN | Business entity identification |

CheckFile supports 3,200+ document types across 32 jurisdictions. For Australian financial institutions, the KYC verification module supports document verification aligned with AUSTRAC's customer identification requirements and the Digital Transformation Agency's Trusted Digital Identity Framework (TDIF).

Building an Australia-Compliant Whistleblower Programme

Key differences from the EU framework that Australian compliance teams must address:

  1. Entity type, not size: Australia triggers obligations based on company type (public, large proprietary), not employee count
  2. Mandatory policy publication: The policy must be available to officers, employees, and contractors, which makes it effectively a public document
  3. Designated Whistleblower Protection Officer (WPO): ASIC recommends (though does not mandate) a named WPO
  4. AUSTRAC tipping-off: Absolute prohibition, stricter than most EU implementations

A practical checklist for Australian compliance:

  • Adopt and publish a Corporations Act-compliant whistleblower policy (required for public and large proprietary companies)
  • Appoint a WPO and document the appointment
  • Establish intake procedures with restricted-access records (7-year retention)
  • Complete a PIA before deploying a whistleblowing platform (Privacy Act recommendation)
  • Establish SMR filing procedures for AUSTRAC-regulated entities with 7-year retention
  • Train eligible recipients on their obligations under the Corporations Act
  • Review the policy annually and keep version control

Integrate this into your compliance risk assessment and our document compliance guide for a complete governance framework.

Frequently Asked Questions

Does a small private Australian company need a whistleblower policy?

Not by law if it is a small proprietary company (below the "large proprietary" thresholds: revenue below $50M, assets below $25M, fewer than 100 employees). However, the Corporations Act's whistleblower protections apply to disclosures made to any company, regardless of whether a formal policy is required. Best practice is to have a basic policy in place even if not legally required.

What happens if we breach the tipping-off prohibition under the AML/CTF Act?

Tipping off under section 123 of the AML/CTF Act is a criminal offence carrying up to 2 years' imprisonment or a fine of up to 100 penalty units (currently $33,000 AUD). AUSTRAC actively enforces this prohibition. All staff involved in AML/CTF compliance must be trained on the prohibition, and records of training must be maintained.

How long must AML/CTF records be retained?

All records required under the AML/CTF Act (including SMRs, customer identification records, and transaction records) must be retained for 7 years from the relevant date (date of transaction, date of identification, or date of SMR filing). Records must be in English or readily translatable into English.

Does ASIC actively enforce the whistleblower policy requirements?

Yes. ASIC has issued infringement notices and commenced enforcement actions against companies with inadequate or non-existent whistleblower policies. Penalties for non-compliance include civil penalties of up to $1.1 million for companies and $222,000 for individuals. ASIC publishes enforcement outcomes on its website.

Can anonymous disclosures be made under the Australian regime?

Yes. The Corporations Act explicitly protects anonymous disclosures. An eligible whistleblower can make a disclosure without identifying themselves, and the disclosure is still protected. The receiving person or body cannot attempt to identify the anonymous discloser.
