Whistleblower & Protected Disclosure Policy¶
| Code | PPL-006 |
| Domain | People & Culture |
| Owner | General Counsel |
| Status | Draft |
| Applicability | External — Whistleblower and protected disclosure obligations for the operating entity's employees. External HR and governance process. |
| Jurisdiction | NZ + AU |
| Business domain | BD11 |
| Review date | 2027-03-25 |
Outside platform boundary
Whistleblower and protected disclosure obligations for the operating entity's employees. External HR and governance process.
Regulations: NZ Protected Disclosures Act · Corporations Act 2001¶
Purpose¶
This policy establishes the bank's framework for receiving, handling, and responding to protected disclosures by workers and other eligible persons, in compliance with the Protected Disclosures (Protection of Whistleblowers) Act 2022 (NZ) and the Corporations Act 2001 (AU). It ensures that individuals who raise genuine concerns about serious wrongdoing are protected from retaliation and that disclosures are investigated promptly and impartially.
Scope¶
This policy applies to all current and former employees, contractors, secondees, officers, and suppliers of the bank. It covers disclosures made internally through the bank's channels, disclosures made to a regulatory body, and disclosures made publicly in accordance with the applicable legislation. The policy applies to concerns about conduct in both New Zealand and Australia.
Policy statements¶
The bank SHALL maintain secure, accessible disclosure channels that allow any eligible person to report a concern about serious wrongdoing. Channels SHALL include a named internal whistleblower officer, an independently operated external reporting hotline, and a mechanism for anonymous reporting where the applicable law permits. All channels SHALL be published in the employee handbook and on the bank's intranet and SHALL be reviewed for accessibility at least annually.
The Whistleblower Officer SHALL be appointed by the General Counsel and SHALL have direct reporting access to the Board Audit and Risk Committee, independent of the executive chain. The Whistleblower Officer SHALL receive specific training in the handling of protected disclosures, including the legal protections available and the bank's obligations to investigate, prior to appointment and at least every two years thereafter.
All disclosures received under this policy SHALL be acknowledged within two business days. The Whistleblower Officer SHALL assess whether the disclosure meets the threshold for a protected disclosure under the applicable legislation and SHALL record the outcome of that assessment. Where the disclosure does not meet the threshold, the individual SHALL be directed to the appropriate internal reporting channel.
The bank SHALL investigate all protected disclosures that allege conduct constituting serious wrongdoing, being conduct that is dishonest, fraudulent, involves a serious risk to public health or safety, constitutes a serious offence, involves a serious contravention of financial services law, or relates to the commission of a crime. Investigations SHALL be conducted by a person independent of the subject of the disclosure. Where the allegations involve senior management, the investigation SHALL be overseen directly by the Board Audit and Risk Committee.
The bank SHALL take all reasonable steps to protect the identity of a discloser. Information about a disclosure SHALL be shared only with those who need to know for the purposes of assessment and investigation. Any inadvertent or deliberate breach of a discloser's confidentiality SHALL be treated as a serious disciplinary matter and investigated accordingly.
The bank SHALL not take, permit, or condone any detrimental action against a person because they have made, or are believed to have made, a protected disclosure. Detrimental action includes dismissal, demotion, harassment, alteration of duties, or any other adverse treatment. Any alleged retaliation SHALL be investigated independently of the original disclosure, and the bank SHALL take remedial action where retaliation is found to have occurred.
Investigation outcomes SHALL be reported to the Board Audit and Risk Committee at least quarterly, in aggregate and de-identified form, with a summary of the number of disclosures received, the nature of allegations, outcomes reached, and any systemic issues identified. Where a disclosure raises matters that require notification to the Financial Markets Authority, APRA, or another regulator, the General Counsel SHALL be notified immediately and the notification SHALL be made without undue delay.
The bank SHALL retain records of all disclosures, assessments, investigations, and outcomes for a minimum of seven years. Records SHALL be stored securely with access restricted to the Whistleblower Officer, General Counsel, and Board Audit and Risk Committee members.
Satisfying modules¶
(No modules assigned yet — manual process)
Part of People & Culture · Governance overview
Compiled 2026-05-22 from source/entities/policies/PPL-006.yaml