AustLII Home | Databases | WorldLII | Search | Feedback

University of New South Wales Law Journal

Faculty of Law, UNSW
You are here:  AustLII >> Databases >> University of New South Wales Law Journal >> 2020 >> [2020] UNSWLawJl 29

Database Search | Name Search | Recent Articles | Noteup | LawCite | Author Info | Download | Help

Brand, Vivienne --- "Corporate Whistleblowing, Smart Regulation and Regtech: The Coming of the Whistlebot?" [2020] UNSWLawJl 29; (2020) 43(3) UNSW Law Journal 801


CORPORATE WHISTLEBLOWING, SMART REGULATION AND REGTECH: THE COMING OF THE WHISTLEBOT?

VIVIENNE BRAND[*]

The recent evolution of corporate whistleblowing has demonstrated the capacity of effective internal corporate whistleblowing systems to support regulatory aims. Further, theoretical support for the role of internal corporate whistleblowers can be found in the smart regulation paradigm, which points to the potential for whistleblowers to operate as surrogate regulators. In light of this, the potential impact of fast-developing ‘RegTech’ applications on corporate whistleblowing activity has significant regulatory implications. While ‘first’ generation RegTech applications such as improved data analytics already have the capability to assist corporations to implement more efficient internal whistleblowing systems, the rise of second-generation AI-powered RegTech technologies is likely to further disrupt, and potentially transform, the practice of whistleblowing in corporations. As AI advances, internal corporate whistleblowers may be supplemented, or even replaced, by ‘whistlebots’ with the ability to report autonomously, with dramatic implications for the role of whistleblowing as a corporate regulatory device.

I INTRODUCTION

The rapid onset of the so-called Fourth Industrial Revolution[1] has seen a proliferation of potential technological solutions to regulatory problems. In the financial services industry the portmanteau terms ‘FinTech’ and ‘RegTech’ have become common parlance, the latter having been described as a subset of the former ‘that focuses on technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities’.[2] While initially consideration of RegTech focused on financial services contexts, the term appears to have now spread to an expanded scope of sectors and industries, consistent with the general growth in demand for enhanced regulatory compliance tools.[3] It seems likely that over time the term will come to be used as a general descriptor for technologies that can facilitate improved regulatory and compliance functions in a range of corporate contexts. There is also clear potential for technology solutions to improve regulatory and compliance functions both within corporations and as between corporations and regulators. It is in these more general senses that the evolving term ‘RegTech’ is used in this article.

The rise in RegTech has occurred more or less simultaneously with dramatic growth in the recognition given to internal corporate whistleblowers as a regulatory device (both within and beyond the corporation). Corporate whistleblowing is now acknowledged as a very useful tool for exposing wrongdoing while simultaneously assisting in the promotion of good corporate governance.[4] This trend is evidenced in regulatory activity in a range of jurisdictions. In the United States the law ‘has increasingly encouraged whistleblowing as a means of corporate oversight’,[5] and the payment of dramatic rewards to corporate insiders who provide information to the United States Securities and Exchange Commission (‘SEC’) has garnered extensive publicity.[6] Similarly in Canada the Ontario Securities Commission’s introduction of rewards for whistleblowers has been described as changing the regulatory dynamic for corporations in that jurisdiction.[7] The European Union has recently significantly increased protections for whistleblowers across the Union,[8] and while aimed more broadly than corporate whistleblowing, these moves will inevitably stimulate development of internal corporate whistleblowing systems and increase the flow of reports to corporate regulators as well as other enforcement agencies. The reforms have been described as ‘pathbreaking’ and represent the first dedicated European Union legislation on whistleblowing.[9]

In Australia, recent wide-ranging reforms to the corporate whistleblowing regime offer clear recognition of the place of internal corporate whistleblowers in an effective corporate regulatory system, initiating a range of new controls including enhanced protections for whistleblowers and the mandating of internal corporate whistleblowing policies for all larger corporations.[10] These reforms have coincided with revelations of corporate wrongdoing from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (‘BRC’).[11] The BRC has led to significant debate as to the most effective way to regulate Australia’s banks and, by extension, companies generally. As whistleblowers played a crucial role in the calling of the BRC and in other recent high-profile corporate scandals in Australia,[12] whistleblowing is likely to remain relevant in any regulatory responses. This recent example of corporate whistleblowing legislative reform is consistent with the view (one taken by this article) that whistleblowing can fulfil a valuable corporate governance function,[13] and hence offer associated regulatory advantages. In this sense whistleblowing can be seen as an integral part of contemporary corporate internal governance systems generally (with whistleblowing protection becoming an important part of the corporate compliance regulatory picture). Given the significance of corporate activity within the global economy, the associated regulatory advantages have the potential to benefit us all.[14]

The trajectory of recent events suggests it is inevitable that the development of RegTech and the evolution of internal corporate whistleblowing systems will interact,[15] in ways that as yet may be poorly misunderstood. This article attempts to analyse some of the potential outcomes of that interaction, both in the near term and in the context of postulated future developments in technological capacity. In doing so it draws on insights from a branch of regulatory theory, smart regulation, which has particular relevance for the role of whistleblowers in corporate regulatory domains. The article proceeds as follows. Part II briefly outlines the recent evolution of corporate whistleblowing and considers the component parts of a whistleblowing action in a corporate context. Part III introduces the theoretical construct of smart regulation and connects it to whistleblowing concepts. Part IV then considers the potential impact of technology on the operation of whistleblowing systems in corporations, both in the near term (which might be called ‘first generation’ impacts) and in a more advanced artificial intelligence (‘AI’) future (‘second generation’ impacts). Part V integrates smart regulatory theory into a possible RegTech whistleblowing future, in an attempt to better understand the potential impact of technology on whistleblowing’s regulatory capacity in a corporate context. Part VI concludes the article.

II CORPORATE WHISTLEBLOWING

A The Recent Evolution of Corporate Whistleblowing as a Regulatory Device

While it is clear that ‘[u]ncovering undesirable behaviour through detection is a first step in regulatory enforcement’, detection can be a severe problem.[16] Recognition of the capacity of whistleblowers to assist in addressing the detection problem has grown in recent years, with whistleblowers gaining increased regulatory support internationally.[17] It is now widely accepted that employees (and agents and contractors with privileged inside information) have a special capacity to correct the information asymmetries that prevent external regulators from uncovering wrongdoing within organisations, and protections have increased accordingly. In particular, the apparently stellar success of the United States SEC’s whistleblowing bounties program has clearly quantified the potential for corporate whistleblowers to contribute to effective corporate regulatory systems. In the first eight years of the program’s operation:

the SEC has ordered wrongdoers in enforcement matters brought with information from meritorious whistleblowers to pay over $1.7 billion in total monetary sanctions, including more than $901 million in disgorgement of ill-gotten gains and interest, of which approximately $452 million has been, or is scheduled to be, returned to harmed investors.[18]

While the SEC’s figures necessarily relate to disclosures made externally to a regulator, there is clear justification for arguing that good internal corporate whistleblowing systems can operate as part of an overall effective regulatory system. Where internal disclosures allow companies to investigate and respond adequately to evidence of wrongdoing, without the use (and expense) of state-sponsored regulatory interventions, desired regulatory outcomes are achieved at reduced cost. The perceived efficacy of internal corporate whistleblowers as elements of an effective regulatory system is reflected in strategic action by United States regulators to prevent companies relying on restrictive confidentiality clauses as an anti-whistleblowing device (so called ‘pretaliatory enforcement’).[19]

Some empirical support is also available to support the value of internal corporate whistleblowing activity as a force for positive corporate governance outcomes. Increased emphasis on whistleblowing as a regulatory device has prompted research, and the first empirical evidence is now available of a correlation between actively used whistleblowing processes and improved regulatory outcomes. Stubben and Welch have analysed internal whistleblowing reports made available by the world’s largest internal whistleblowing systems provider and demonstrated that companies with greater internal whistleblowing report volume are likely to be subject to fewer lawsuits and government fines.[20]

In Australia, the transition from the passage of the first (largely inadequate and essentially unused) whistleblower protections in the Corporations Act 2001 (Cth) (‘Corporations Act’) in 2004[21] to the implementation of far-ranging reforms in 2019[22] is illustrative of the growth that has occurred in recognition of whistleblowing’s potential as a regulatory mechanism. High-profile instances of corporate wrongdoing in Australia brought to light by the actions of whistleblowers over a period of years,[23] combined with international developments, put strong pressure on Australia’s lawmakers to improve whistleblower protections. The response has been the passage of legislation that amends the Corporations Act to dramatically improve the rights of whistleblowers and the protections offered to them, while imposing new obligations on corporations with respect to provision for, and management of, whistleblowing activity.[24]

Australia’s new whistleblowing provisions offer a useful guide to a contemporary understanding of the efficient working of a corporate whistleblowing regime, both because of their currency and because they implement novel mechanisms.[25] In addition to more predictable reforms such as the introduction of protection for anonymous whistleblowers, creation of compensation rights for whistleblowers who suffer detriment, and imposition of penalties for failure to prevent victimisation of a whistleblower, the reforms turn their attention to internal systems, mandating the presence of internal corporate whistleblowing policies in all larger corporations.[26] Further, in a world first,[27] the legislation requires companies to specify in internal whistleblowing policies how whistleblowers will be protected.[28] This focus on the mechanics of whistleblowing illustrates the regulatory importance accorded by the Australian Parliament to the creation of effective internal whistleblowing structures within corporations, and is consistent with regulatory developments in whistleblowing elsewhere over recent years.[29]

B Identifying the Components of Internal Whistleblowing Activity

In speculating on the possible impact of RegTech on corporate whistleblowing activity it is helpful to briefly consider the structure of contemporary whistleblowing within corporations. Australia’s new corporate whistleblowing provisions offer a ready checklist of the components of a company’s internal whistleblowing system. Section 1317AI(5) of the Corporations Act specifies that a company’s internal whistleblowing policy must provide:

(a) information about the protections available to whistleblowers, including protections under this Part; and

(b) information about to whom disclosures that qualify for protection under this Part may be made, and how they may be made; and

(c) information about how the company will support whistleblowers and protect them from detriment; and

(d) information about how the company will investigate disclosures that qualify for protection under this Part; and

(e) information about how the company will ensure fair treatment of employees of the company who are mentioned in disclosures that qualify for protection under this Part, or to whom such disclosures relate; and

(f) information about how the policy is to be made available to officers and employees of the company; and

(g) any matters prescribed by the regulations for the purposes of this paragraph.

Drawing on this legislated set of requirements, effective whistleblowing structures within a corporation can be seen as comprising a complex range of parts. In addition to the central element of an employee willing and able to make a disclosure of wrongdoing or malfeasance, there will be a recipient of that disclosure, and commonly a structure within the corporation for responding to the disclosure. There may for instance be requirements that the disclosure be reported to a particular responsible officer, and/or be notified to a governing committee, such as an audit committee of the board. There ought also to be provision for support of the whistleblower in the form of guidance or counselling and protection against detriment. Once made, the disclosure will normally lead to the initiation of an investigation process, and that process will need to provide for fair treatment of the parties referred to in the disclosure. Finally, the new Australian provisions suggest the existence of specified procedures for the making of disclosures ought to be advertised to the company’s employees, to ensure awareness of the system and its protections is widely disseminated.

Inherent in this mix of activities is the need for certain administrative tasks to be attended to, including notification of the disclosure to appropriate investigating parties, gathering of evidence and maintenance of confidentiality. There will also be a range of discretionary judgments to be made: for example, does the disclosure warrant serious investigation? What should the range of any resulting internal investigation be? Who within the organisation needs to be apprised of the alleged wrongdoing? Other tasks may involve a mixture of administrative and judgment activities – whether there is a need to report to the whistleblower or others as part of the investigation process, or whether any other reporting activities are triggered by the commencement or conclusion of the investigation, including external reporting obligations (for instance continuous disclosure obligations).[30] Distinguishing between those tasks that are essentially administrative and those that require the exercise of complex judgment is significant in the context of this article’s focus on the potential impact of RegTech. Administrative tasks are more readily susceptible to rapid substitution by an automated or semiautomated process. Tasks requiring the exercise of a greater degree of discretion are less likely to be automated in the near term, although views differ on how quickly such automation could occur.[31] These considerations are discussed further in Part IV.

III SMART REGULATION THEORY

In assessing the possible impact of RegTech on whistleblowing activity it is useful to consider the insights that can be offered by smart regulation, a model of regulatory theory with particular potential to explain the contribution that can be made by whistleblowing to regulatory outcomes. Smart regulation posits that the state is not the only possible enforcement agency in an effective regulatory system, and can benefit from supplementation by other quasi or ‘surrogate’ regulators. Originally proposed by Gunningham in 1998, smart regulation allows for ‘regulatory pluralism that embraces flexible, imaginative and innovative forms of social control’.[32]

A key part of smart regulation’s conceptualisation of a flexible, multi-component regulatory system is a three-sided pyramid proposed by Gunningham and Sinclair, in which each face represents a different source of regulatory intervention. The first face of the pyramid is representative of state regulation, while the second face of the pyramid represents interventions initiated by the regulated entity itself – that is, it represents self-regulation. The third face of the pyramid is representative of regulatory intervention by third parties, both commercial and non-commercial.[33] These ‘third face’ regulatory entities are conceived of as surrogate regulators, whose capacities are brought to bear in supplementing the work of the state, and include for instance insurers, banks and suppliers.[34]

In addition to the three-sided pyramid concept, Gunningham and Sinclair describe five key regulatory design principles for the effective operation of smart regulation.[35] These are: the desirability of multi-instrument rather than single instrument regulatory responses; the advantages of less intervention rather than more wherever possible (to ensure only the necessary level of regulatory intervention occurs); the benefits of responsive escalation of regulatory response while ensuring the state, the company and third parties are involved; the benefits that can be brought to bear by empowering third party surrogate regulators; and the ‘win-win’ outcomes of an appropriate regulatory intervention that encourages regulated entities to not only comply but also to move beyond mere compliance.

A Applying Smart Regulation to Whistleblowing

Applications of each of these design principles can be identified in the context of internal corporate whistleblowing activity. A key advantage of internal corporate whistleblowing activity is its capacity to initiate processes that lead to internal corporate responses to wrongdoing. This automatically increases the number of regulatory instruments brought to bear in relation to a problem. Where internal whistleblowing processes obviate the need for external responses through appropriate early action that is sufficient to respond to a problem, smart regulation’s second design principle of less intervention rather than more wherever possible is respected. The third design principle, of responsive escalation of regulatory response, is consistent with the potential to ensure escalation of an issue is provided for by virtue of internal corporate systems and linked external disclosure protections.

In relation to the fourth principle, it can be seen that effective internal corporate systems have the potential to empower whistleblowers as effective surrogate regulators, supporting the work of the state. Whistleblowers constitute a possible source of surrogate regulators that appear to not have been widely discussed within the smart regulatory paradigm to date, although the place of whistleblowers as valuable third party regulators has been identified within the wider responsive regulation literature.[36] Given that whistleblowers by definition have access to information that assists in uncovering deception and thus assists regulatory outcomes, they offer the potential to make a very real regulatory contribution. Fifthly, the potential for positive outcomes to be associated with whistleblowing for the corporation itself, while also supporting the work of the state, provides an example of ‘win-win’ regulatory outcomes. The capacity of effective internal whistleblowing systems to benefit a corporation’s own governance aims is identified in Part II, together with reference to empirical evidence that is now available to support this argument.

Further, by advocating for multiple points of intervention, initiated by a more diverse set of regulators, smart regulation aims to be flexible and responsive to the trajectory of a regulated matter, enabling both escalation and de-escalation of regulatory intervention based on need. Smart regulation aims to recognise the significance of flexibility in the design of regulatory environments, and the potential for third parties to be part of that design, so that pressures on the regulatee are susceptible to appropriate variation as to both location and intensity.[37] Crucially, this model assumes that ongoing relationships between the regulator and the regulatee can be helpful. Applying this concept in the context of internal corporate whistleblowing systems, it can be readily seen that relationships of this kind might well exist. Where an internal report by a whistleblower leads to a process of investigation, a well-designed system ought to facilitate communication between the company and the reporting employee and take advantage of the capacity of the regulated entity to maintain ongoing contact with the surrogate regulator.

B Whistleblowers as Surrogate Regulators

In Gunningham and Sinclair’s model surrogate regulators are theorised to give government capacity to redirect finite resources to those areas most in need of the state’s regulatory attention, while also enabling the state to act as broker of the third party contributions made by surrogate regulators.[38] Whistleblowers offer a fascinating example of the potential of this kind of surrogate regulation. While not empowered to enforce traditional regulatory controls, whistleblowers can be said to wield de facto regulatory power through a range of mechanisms. One such mechanism currently growing in importance relates to corporate reputation risks. Whistleblowers have significant potential to create negative publicity for corporations through public disclosure of wrongdoing or through tip-offs to regulators, thus creating the risk for corporations of costly and time-consuming external enforcement actions by public regulators (often with concomitant private class actions against the company or its directors). The power of this kind of regulatory impact is amply demonstrated by the work of the Commonwealth Bank of Australia whistleblower Jeff Morris, who as noted above has been largely credited with the calling of the BRC. Particularly in an age of increased social media surveillance, the reputational risks associated with public disclosures being made by an internal corporate whistleblower are substantial.

Further, the potential regulatory power of these mechanisms is reinforced by ongoing developments in the law of directors’ duties with respect to the obligation of directors to attend to the reputation of the companies they govern. Edelman J in Australian Securities and Investments Commission v Cassimatis [No 8] clarified the need for directors to protect the company’s reputation, pointing out that they risk breaching their duties if they expose the company to the risk of reputational harm, even where an underlying breach of the company’s legal obligations may not have occurred.[39] In this context, there is a clear incentive to respond to internal whistleblower reports in a way that minimises the risk of subsequent public disclosure by the whistleblower. The regulatory role of the whistleblower here may be just as important in relation to internal tip-offs that prompt corrective internal action as it is in the context of external disclosures to corporate regulators. Thus it can be argued that internal corporate whistleblower activity increases the incentives corporations have to comply with the regulatory environments to which they are subject and to hence support formal regulatory objectives. A crucial part of their ability to influence internal compliance efforts must be, however, their power to make disclosures outside the corporation where necessary; the concomitant reputational and enforcement risks the company is subject to are key to the whistleblower’s power to influence internal corrective action.

In summary, applying a smart regulatory paradigm lens suggests there are a range of theoretical arguments for recognising the potential of corporate whistleblowing to enhance regulatory outcomes. Combined with the clear growth that is occurring in the practical development of whistleblowing as a corporate regulatory mechanism, strong arguments can be made for the future of internal corporate whistleblowing systems as a key regulatory device. In this context it is valuable to consider the potential enhancements of corporate whistleblowing systems that might be expected as RegTech applications develop.

IV REGTECH AND WHISTLEBLOWING

As noted above, while beginning its life as a form of technological aide to complex contemporary financial regulatory systems, RegTech has now assumed a much wider relevance across a range of market sectors. In its initial incarnations RegTech focused on technologically enhanced human interpretation and application of the vast regulatory compliance requirements inherent in modern financial systems. However this initial state of RegTech is now predicted to be disrupted by the arrival of AI-powered RegTech solutions that use predictive technologies and deep learning to facilitate improved regulatory compliance outcomes.[40] As suggested at the outset of this article, it seems likely that as RegTech continues to evolve it will come to encompass a broad range of compliance and regulatory mechanisms. This section considers some of the issues that may arise as the initial first-generation stage and, much more dramatically, the forthcoming second-generation form of RegTech play out in the context of corporate whistleblowing as a regulatory device. It also suggests that along the way issues are likely to arise in relation to both the technical complexity inherent in all complex systems and the ethical concerns that are associated with increased reliance on technology (particularly AI).

This analysis distinguishes between those technologies, such as improved data analytics, that are already in widespread use in corporations to enhance regulatory outcomes, and those that can be conceived of but are not yet widely available (and may not be for some time). While it is to some extent artificial to discriminate between current technologies and those that are incipient, since technological development is necessarily continuous and incomplete at any point in time, this article argues for the significance of the distinction as it reinforces a key potential difference between the capacity of RegTech to enhance current whistleblowing systems, on the one hand, and the possibility of a technologically transformed future whistleblowing environment on the other. The initial discussion that follows considers the potential for technologically assisted whistleblowing using current technologies, while the second section of the discussion is concerned with the potential for a technologically transformed whistleblowing future.

A First Generation RegTech Implications for Whistleblowing

A range of technologies can be said to be comprised within the existing portmanteau term ‘RegTech’, including applications such as blockchain and graph databases.[41] However a major initial RegTech contribution appears to have been its capacity to manage large amounts of data more efficiently to enhance regulatory compliance outcomes.[42] Managing large amounts of data well has an inherent benefit of improving levels of transparency. It has been said for instance that Big Data analytics is a form of information technology that is ‘bound to improve information flows and processing within our econom[y’s] main players, namely corporations’.[43] This optimism cannot completely overshadow the risk that RegTech could of course itself be subverted to achieve anti-compliance outcomes. RegTech data analysis is for instance capable of being manipulated in a phenomenon that has been described as ‘anti-RegTech’ (as was the case in the notorious Volkswagen emissions scandal where ‘defeat devices’ in cars sensed regulatory tests and reduced outputs to meet regulatory controls).[44]

However, notwithstanding the potential for abuse it seems likely that dramatically improved information dissemination and analysis could be of immediate assistance in enhancing existing whistleblowing systems. Whistleblowing is a form of information transfer that improves transparency within corporations. Improved information flows and processing are at the core of effective management of whistleblowing, both from the point of view of reducing the need for whistleblowing (since information asymmetries may be addressed without whistleblowing) and from the perspective of the need to deal efficiently and well with those disclosures that are made. It is worth noting in this respect the following comments made in regulatory guidance recently released by the Australian Securities and Investments Commission on compliance with Australia’s reformed corporate whistleblowing regime: ‘[i]t is good practice for an entity to have appropriate information technology resources and organisational measures for securing the personal information they receive, handle and record as part of their whistleblower policy’.[45]

There is clear potential for first-generation RegTech to assist Australian corporations to ensure they are operating in a way that demonstrates ‘good practice’ in this regard. Automatic, anonymous capture of reports and systemised funnelling of those reports to key points in a company’s compliance structure ought, for example, to help reduce the risk of loss of information. Implementation of more advanced technology systems is also possible – Big Data, enhanced analytics and improved information dissemination could all be useful here. Sophisticated data analysis might be used, for instance, to analyse activities within industry segments to which a corporation belongs, and match expected whistleblowing data reporting rates with internal data on the company’s operations to predict gaps in reporting (a kind of ‘reverse whistleblowing’). This could occur both within companies and be applied by external regulators. Given it is already commonplace for AI to generate and suggest expert decisions,[46] this application would appear to be straightforward, and indeed it is has been argued that technology is already ‘reducing the need to rely on human whistle-blowers’.[47] The United Kingdom’s Financial Conduct Authority for example uses ‘management information to identify any gaps in the intelligence it receives from whistleblowers, such as sectors of the industry from which it receives fewer disclosures than might be expected’.[48] Similar analyses are no doubt already being undertaken in some corporations worldwide, but this level of sophistication is as yet unlikely to have penetrated the vast majority of entities, given the relatively recent rise of whistleblowing as an internal corporate governance mechanism (amongst other factors).

Further, the creation of large internal whistleblowing activity datasets over time within a corporation could be used to model likely future patterns of disclosure or high-risk components of a business. Such an approach might also be expected to assist with effective identification of high-value tips within the vast amount of information that can be generated by an internal corporate whistleblowing system,[49] enabling unreliable information to be more readily discounted. Alternatively data analytics could assist in the investigation phase of an internal (or external) whistleblower disclosure, providing supporting evidence of wrongdoing, and enabling rapid testing of allegations by reference to a wider base of data than could easily be accessed by more traditional methods. Similarly, there is clear capacity for technology to assist in provision by companies of information to potential whistleblowers, thus facilitating the development of active and effective internal systems. Mechanisms for internal reporting could be highly automated and simple whistleblower queries could be responded to promptly. It may also be possible to more easily facilitate anonymous reporting, a goal of any effective internal whistleblowing system.[50] Existing data on high-risk areas for wrongdoing or disclosure could be used to guide distribution of increased levels of information on a company’s whistleblowing procedures and protections. Where the provision of a range of whistleblowing information is mandated by law,[51] this obligation could be supported by automated systems expeditiously and efficiently.

These potential technological enhancements of existing whistleblower mechanisms within corporations can been seen as essentially administrative in nature. In terms of the administrative versus judgment demarcation discussed in Part II, enhanced data analysis and improved information dissemination of the kind outlined here do not appear to involve more complex tasks inherently requiring the exercise of judgment. It is the strategic use of complex data that is more likely to require judgment and discretion, and that component of whistleblowing activity within corporations probably remains (for now at least) within the remit of managers rather than machines. Current technologies are arguably insufficiently advanced to allow corporations to attempt to automate more sensitive processes such as decision-making in relation to appropriate responses to whistleblowing disclosures, the investigation of disclosures, or provision for protection of whistleblowers from retaliation. The capacity of current RegTech to assist Australian companies to comply with more sophisticated components of their new statutory obligations is therefore, for now, relatively limited.[52]

B Second Generation RegTech and Whistleblowing

The potential for incipient technologies, and for AI in particular, to supplement human whistleblowers is however fascinating. While a universally agreed definition of AI has not been arrived at,[53] the European Commission’s High-Level Expert Group on Artificial Intelligence has described it as

systems designed by humans that, given a complex goal, act in the physical or digital dimension by perceiving their environment through data acquisition, interpreting the collected structured or unstructured data, reasoning on the knowledge, or processing the information, derived from this data and deciding the best action(s) to take (according to pre-defined parameters) to achieve the given goal. AI systems can either use symbolic rules or learn a numeric model, and they can also be designed to learn to adapt their behaviour by analysing how the environment is affected by their previous actions.[54]

The potential for an AI system to be integrated into whistleblowing systems within a corporation to facilitate existing whistleblowing activity is obvious. An AI system could be tasked to receive reports from a whistleblower, provide an initial response based on predetermined algorithms, and potentially begin investigations by disseminating data requests to relevant components of the organisation. But how far could this integration extend? Could an AI whistleblowing system for instance undertake sophisticated interpretation of data, engage in consequential reasoning in relation to it, in an iterative process, and make recommendations about the progress of a matter? If AI can facilitate whistleblowing in the way it has been predicted to facilitate other internal corporate processes, then this sort of development ought to be possible. How exactly that transition might play out is interesting to consider, with a range of implications (both positive and negative) being conceivable at this point.

1 Natural Language Processing

Certain types of AI may be particularly significant for whistleblowing. Natural language processing, a form of AI that focuses on language,[55] is one of these aspects. If whistleblowing hotlines are able to use AI to take and respond to calls, there is likely to be the capacity not just to automate the administrative task of recording information, but also the judgment tasks of assessing the severity of a matter, its urgency, the support needs of the whistleblower, and associated discretionary matters. Sufficiently nuanced automation of the analysis of the crucial early stages of a whistleblower report could, for instance, greatly assist corporations to ensure they have cost-effective mechanisms for identifying whistleblowers who are distressed or anxious, facilitating a timely response and potentially reducing the risk of an allegation of detriment by a whistleblower.[56]

Apps are already available to assist in analysis of ethics reports to hotlines;[57] advertising for one such app suggests the app will ‘get keywords and entities for analysis, using Natural Language Understanding’. Meanwhile AI can already be used to recognise tone and other ancillary indicators. The Australian Securities and Investments Commission is testing a program to use AI to improve its monitoring activities, through listening to sales calls and picking up on tone and hesitation from the purchaser to indicate pressured selling techniques.[58] Similarly private providers advertise that they can facilitate conversations between large numbers of employees on anonymous platforms, producing data for analysis with AI in order to analyse themes.[59] It is readily conceivable that cultural themes identified by large dataset analysis of this kind could be triangulated with other forms of information captured within a corporation to improve identification of risks previously hidden from sight, replacing some of the judgment work currently undertaken by compliance officers and internal audit teams. Given the capacity of whistleblowers within a corporation to bring wrongdoing to light, the value of semi-automated systems that can provide fast and efficient analysis of whistleblower disclosures is clear.

2 Blended Decision-Making in Whistleblowing

Literature has begun to appear on the self-managing corporation, with the argument being made that given the already common examples of AI producing suggested expert decisions it is a short step to AI making decisions autonomously – and hence to the idea of the next generation of AI being capable of taking over the management of business organisations.[60] Predictions of a forthcoming transition from combined AI and human boards to AI-only management of corporations anticipate that AI will perform at a level superior to current human-based systems.[61] However the level of confidence in AI’s effective development of nuanced judgment that is inherent in this prediction seems at its most attenuated in respect of judgments requiring the highest levels of discretion and ethical analysis. Tasks requiring minimal judgment are well-suited to AI applications.[62] While it would appear that some management tasks requiring more discretion may also be susceptible to replacement by AI functions, there is less than complete agreement on this point.[63]

Whistleblowing within corporations, historically an area of significant ethical complexity,[64] therefore appears an unlikely site for complete takeover by AI systems in the near future and blended combinations of AI functionality and human intervention may be the norm at first. We are likely to see the development, at least initially and perhaps over some years, of combined human/AI whistleblowing systems within corporations, which enable the benefits of increased data analysis and algorithmic approaches to supplement human judgment to facilitate increased levels of effective disclosure. This could occur on what might be called two sides of the internal whistleblowing disclosure equation: the whistleblower’s ‘supply’ side and the corporation’s ‘demand’ side.

Within the range of activities described in Part II in relation to whistleblowing perhaps those most obviously susceptible to automation on the demand side are the data collation activities, the taking of simple reports and the internal transmission of reports to supervisory departments or individuals. On the supply side, individual internal whistleblowers may be able to access enhanced reports and larger aggregated data sets that enable them to triangulate their concerns and make reports with a higher degree of confidence and detail; they may also be able to gain access to information about internal whistleblowing procedures and protections more readily, and on terms of increased anonymity when compared with human-operated systems.

More complex tasks on the demand side, such as counselling of individual whistleblowers, investigation of reports, fair treatment of those the subject of reports, avoidance of detriment, and preparation of any public statements require levels of judgment and discretion that are likely to remain beyond the scope of AI processes for longer. Whistleblowers might also feel more comfortable disclosing sensitive material to a human recipient than a robot, at least until the presence of bots within workplaces becomes commonplace; automated systems might also lack sufficient empathy to be attractive recipients of disclosures and creating the necessary level of whistleblower trust in automated systems may be hard to achieve. It is therefore possible that the presence of a non-human recipient of whistleblowing disclosures could have negative implications for rates of whistleblowing. Further, inappropriate decisions by automated systems on the demand side might also put the corporation at risk of tripping over statutory requirements that require the exercise of judgment. A corporation might be at risk, for instance, of allegations that it has caused detriment to the whistleblower through responses that have had inadvertent impacts on reputation of the kind no artificial system is yet able to anticipate.[65] Automated systems may also lack the ‘sociological imagination’ to discern the true significance of reports – an issue that bureaucracies struggle with[66] and that may be replicated by RegTech.

From the point of view of supply, individual whistleblowers might conceivably benefit from sophisticated algorithmic advice on the risks of a potential disclosure, or from improved blended AI/human management systems that respond more appropriately, fairly and consistently to whistleblowing reports while maintaining some human elements (again, empathy may be perceived to be more present where individuals are involved in crucial aspects of the process).

3 The Arrival of Whistlebots?

Whatever the timeline for a transition to AI-assisted whistleblowing, the potential for AI, natural language processing and other technologies to work together to supplement the role of whistleblowers is clear. Implicit in those developments is the potential for bots (‘whistlebots’, to coin a term)[67] to ultimately assume some of the roles for which corporations are currently reliant on the voluntary activities of human whistleblowers. That is, notwithstanding current limitations on the capacity of AI to self-manage whistleblowing activity, it is conceivable that in the future companies will be able to draw not just on the whistleblowing reports made by employees but also the whistleblowing reports made to, or by, machines. The most dramatic impact AI might have on the supply side of the disclosure equation in the future could be to not support human activity, but to replace it. Indeed there appear to be existing providers of online corporate whistleblowing services that use bots, albeit only to receive reports.[68] There seems no reason to doubt that in time whistlebots might themselves generate internal company reports on wrongdoing, based upon aggregated evidence and intelligent analysis. Further, these reports have the potential to be more reliable than the reports provided by human whistleblowers, given the algorithmic capacities of a whistlebot.

Crucially, given the whistlebot’s machine status, it is also likely those reports will be more frequent. One of the most striking aspects of whistleblowing discourse is the contrast between universal agreement on the value of whistleblowing in uncovering wrongdoing on the one hand,[69] and the dramatic negative impacts of whistleblowing for the discloser on the other.[70] The all too frequently distressing repercussions of blowing the whistle inevitably reduce the number of reports made by employees. Shaming, lost job opportunities, bullying, harassment and exclusion are all impacts that are keenly felt by individuals who are frequently persecuted following the making of disclosures. Yet those repercussions are inextricably linked to the human identity of the whistleblower. A radical difference between a human whistleblower and a whistlebot is the reduced capacity of a disembodied bot to be victimised, shamed, excluded and humiliated.[71] Notwithstanding arguments for the human rights of robots[72] this distinction could be transformative in the context of whistleblowing as a corporate regulatory device.

Inevitably, a fully autonomous whistleblowing robot would need to be able to exercise a high degree of judgment; if it is true that ‘[n]obody can predict with certainty ... whether AI’s involvement in the future will also extend to the crucial area of judgment work’[73] then it is impossible to say now that whistlebots could eventuate in any complete sense. But how different future whistleblowing activity might become if it is possible for whistleblowers to be robots, unaffected by the vast majority of potential risks faced by whistleblowers, and free of ‘[t]he heart-ache and the thousand natural shocks/That flesh is heir to’.[74] The calculus undertaken by a robot in deciding to make a disclosure would presumably be based solely on objective factors (such as the quality of the evidence, the potential risks of non-disclosure and the potential cost implications of an unnecessary disclosure) without any countervailing risk weighting for potential personal repercussions. Such a transition would represent a significant development in the evolution of whistleblowing as a regulatory tool. There may be real advantages in the source of disclosures having, to adopt a corporate phrase, ‘neither bodies to be punished, nor souls to be condemned’.[75] Whistleblowers may then be expected to, as corporations were famously said to do by Edward, First Baron Thurlow, ‘do as they like’.[76]

C Technical Complexity

Notwithstanding the exciting potential of AI and whistlebots to transform corporate whistleblowing activity, risks and complexities would be inherent in any RegTech whistleblowing future. A risk associated with any increased automation of whistleblowing activities is the potential for larger data sets, complex algorithms and artificially intelligent whistlebots to create worlds of such technical complexity that disclosures are buried, rather than disseminated to relevant decision-making points within an organisation. Writing in the context of regulatory theory, Baldwin and Black note that accountability can be a problem when assessments of relevance are perceived as uncontentious and technical.[77] In these environments policymaking issues are likely to be buried ‘deep within administrative processes’, with the result that transparency and accountability become problematic,[78] and no doubt effective compliance with external regulatory systems could also be compromised.[79]

Similarly, it may be that automation of whistleblowing reports may result in judgment and accountability being ceded to artificial entities that are as yet insufficiently evolved for the task, resulting in important data and insights being lost to the key decision-makers within a corporation. This has implications for the liability of directors, managers and other employees in the context of contemporary whistleblowing protections that may require fair treatment of whistleblowers. Fairness standards commonly require that reasons be given for decisions, indicating the obvious problems that may arise when an opaque algorithmic whistlebot is a key decision-maker. Directors and senior managers within corporations are also obliged to act with care and diligence; a key statutory defence involves directors showing they have made an appropriate level of investigation of underlying information.[80] In an automated whistleblowing world directors and others might lack access to the data and algorithmic reasoning needed to discharge these requirements adequately. Further, an acknowledged problem with AI is the tendency of those relying upon it to do so even when an AI-generated response is less appropriate than a human-derived decision. It seems that in part the opacity of AI decision-making mechanisms prompts human users to defer to those systems; a ‘general misunderstanding that AI has superior intelligence to humans’[81] creates inherent risk. There are fundamental risks to be considered in what Yeung has described as ‘the rise of algorithmic power’, with the significant questions it poses for the capacity of algorithms ‘to expand, reinforce, and redistribute power, authority, and resources’.[82]

There are of course clear parallels between this risk and the problems encountered daily by complex organisations that attempt, via human means, to collect and analyse reports and disclosures with a view to monitoring for wrongdoing. Perhaps the only point that can be made now is that care will need to be taken to ensure that any trend to automation of whistleblowing activity within an organisation takes account of the risks associated with treating information sorting and analysis as an uncontentious, technical activity. While these risks are germane to the march of AI solutions through organisations generally, they may be particularly acute in the context of whistleblowing, given the sensitivities and inherent confidentiality and secrecy components of that activity.

D Ethical Concerns

There are also significant ethical questions to be considered as part of an assessment of the impact of AI on whistleblowing.[83] Thurlow’s quote provides a useful metaphor for the potential and the risks of the Fourth Industrial Revolution for whistleblowing. Thus, a whistlebot’s lack of soul might point to lack of capacity for the judgment and the discretionary response to grey areas and nuance necessary for whistleblowing actions to be handled appropriately – a significant potential limitation. However, the whistlebot’s lack of a body to be kicked can point to the invincibility of a whistlebot; it can blow the whistle and keep doing so even where no human (or very few) would risk the consequences or be able to maintain the strength – clearly a positive implication.

The vulnerability of AI to biases is well-known,[84] pointing to the potential limitations of whistlebots that might be programmed to make assessments based on erroneous assumptions or outdated cultural values, or could be manipulated by programmers in inappropriate ways. Various forms of technical failure would also presumably be inherent risks within any whistlebot environment. These limitations all pose significant risks for any regulatory system into which whistlebots were integrated.

Further, issues of identification and confidentiality are raised by the potential rise of AI whistleblowing. Given the well-known risks of blowing the whistle, enabling whistleblowers to remain anonymous is frequently seen as the most efficient and appropriate way of encouraging disclosures. The recent wide-ranging legislative reform of private sector whistleblowing regulation in Australia has, for instance, removed an earlier requirement that whistleblowers disclose their identity in order to gain protection.[85] In this context, the capacity of AI to compile and analyse large amounts of varied data raises an important concern – the risk of a whistleblower’s confidentiality being violated.[86] The potential for AI to identify individuals and the ethical implications of that potential have been recognised by the European Commission in its ‘Ethics Guidelines for Trustworthy AI’, where it comments that ‘AI enables the ever more efficient identification of individual persons by both public and private entities’, and for anonymous data to ‘be re-personalised’.[87]

Where AI is able to determine the identity of a potential whistleblower, clear potential exists for pro-whistleblowing policy objectives to be subverted and for whistleblowers to be put at risk. A range of incentives may readily be imagined that could tempt internal parties within a corporation to attempt to identify a whistleblower. Particularly where significant incentives exist for whistleblowers to take their information to external enforcement agencies, as is the case with the high-profile (and highly remunerative) SEC’s whistleblower bounty scheme,[88] the risk to corporations of employees making external disclosures of wrongdoing is high. Corporations may therefore have much to gain by being able to identify those employees who are raising concerns within the corporation and might be on the cusp of taking their concerns to external regulators. Equally concerning is the potential for AI to incorrectly ‘reverse engineer’ a whistleblower’s identity, leading to the false identification of someone – possibly a co-worker in a similar area of the corporation – as a whistleblower, with the potential for negative repercussions for an unconnected employee.

While an investigation of the ethical complexities of automated whistleblowing is beyond the immediate concerns of this article, there are clearly important factors to be analysed in understanding the implications of ceding complex issues of judgment and discretion to a machine rather than retaining those elements of whistleblowing within a human framework.

E The Endgame?

At the other end of the AI whistleblowing story, far from the current beginning moments of the narrative, there is presumably the possibility of what might be described as the holy grail of internal corporate whistleblowing systems – complete internal corporate transparency. That is, if, following a period of blended human/whistlebot activity, we achieve a level of AI functionality in whistleblowing practice within organisations that enables whistlebots to identify and disclose all wrongdoing, inefficiency and poor practice, will there be a role left for human whistleblowers at all? And beyond that, if the predictions of self-managed AI corporations are accurate, will the need for whistleblowing of any kind, AI or otherwise, be removed? That is, is whistleblowing a necessary incident of the human condition, with our failings and foibles and vulnerabilities to greed and vice, that will be done away with by the advent of pure machine self-regulation? It has been suggested that AI is likely to achieve, and even exceed, human capacities in work requiring judgment.[89] Will advances in AI ultimately lead to a utopian environment of complete transparency entailing the obsolescence of whistlebots themselves, since all systems will be efficient, transparent and devoid of human error or fallibility?

In the context of autonomous vehicles it has been suggested that 90% of motor vehicle accidents are the result of human error.[90] The obvious corollary of that statistic ought to be that autonomous vehicles will eventually dramatically reduce the rate of accidents. While there are a number of reasons why self-driving cars may not be able to obviate all risks of collision, at least not yet,[91] there is clear potential for dramatic improvement. Might rates of internal corruption, inefficiency and unintentional error in corporations be similarly reduced or removed by the impact of AI? It is interesting to contemplate whether, in the driverless corporation, whistleblowing might come to be seen as a redundant artefact of earlier human systems. There is also a need to consider the negative implications to be accounted for in the loss of human self-consciousness in a whistleblower, with a potential concomitant loss of sensitivity to the need to blow the whistle only in ethically or socially defensible instances. Might the advent of whistlebots lead to unrestricted whistleblowing that is destructive of trust within organisations? A human decision to make a disclosure may account more carefully for the very good reasons to be thoughtful and careful when analysing whether a decision to break a confidence is justified.[92]

There are clearly many complex ethical and technical issues to be contemplated in any analysis of a whistlebot future. At least for now such a future seems sufficiently remote to enable it to be overlooked, and for the focus to remain on the capacity of RegTech to enhance existing whistleblowing structures within corporations and thus address wider regulatory goals. It is to this question that the next section turns.

V REGTECH AND SMART REGULATION

It can readily be perceived that any increase in the efficiency of whistleblowing structures within corporations is likely to lead to improved regulatory outcomes. Regulatory interventions in recent years to provide for powerful reward incentives (in the United States and Canada particularly) and for dramatically improved protection regimes (as has occurred in Australia) support this thesis. This article argues that RegTech developments are likely to further facilitate the development of corporate whistleblowing as an important regulatory device. In this context, smart regulatory theory provides a helpful theoretical construct for analysing the potential impact of RegTech on whistleblowing and corporate regulation.

A number of Gunningham and Sinclair’s five regulatory design principles discussed above[93] are relevant here. In relation to the second design principle, the advantages of less intervention rather than more are clearly supported by any enhancement of internal corporate whistleblowing systems that facilitate issues being disclosed and dealt with efficiently, precluding the need for escalation (including to external parties). Many aspects of a possible RegTech future can be identified that ought to facilitate more effective internal systems and hence an ultimately less interventionist regulatory approach. The capacity for semi-automated internal systems (with enhanced provision for anonymity) to encourage increased reports is readily apparent. In turn Big Data and predictive analytics ought to assist corporations in interpreting and verifying disclosures, reducing the prohibitively heavy administrative load currently associated with increased internal whistleblowing activity.

Improved dissemination of information in relation to whistleblowing systems within corporations (at least where mandated),[94] as well as predictive analytics to help identify gaps in reports will also assist in ensuring effective internal systems, while more effective data flows and the plurality of information points that technologically enhanced whistleblowing systems can provide will assist. In due course, second generation RegTech whistleblowing possibilities such as natural language processing of reports and blended decision-making in relation to responses ought to add to the capacity for companies to deal responsively with whistleblowing reports (and to identify areas of non-reporting), facilitating early detection and resolution of issues before external regulators are required.

Similarly, the desired fifth principle – ‘win-win’ smart regulation outcomes – appears likely in any increase in the use of RegTech solutions to ensure compliance with whistleblowing regulations while also facilitating better internal information flows and disclosure of malfeasance and inefficiency. The ability to make use of AI approaches to match whistleblowing systems to the needs of a particular company or group of companies ought to significantly enhance the capacity of corporations to design whistleblowing that provides tailored ‘wins’ from an internal corporate governance perspective. Complex and important corporate governance issues such as managing an organisation’s culture might for instance be supported by semi-automated whistleblowing systems that encourage and facilitate – in a sophisticated and tailored way – employee feedback and response to that feedback. Further, as a general point, whenever effective internal resolution of an issue enables a company to reduce the regulatory burden imposed by external enforcement actions, the company has experienced a ‘win’ (as has, of course, the regulator).

Other arguments in support of RegTech’s potential contribution to smart regulation principles can also be imagined. However, it is perhaps in relation to the fourth design principle – the benefits that can be brought to bear by empowering third party surrogate regulators – that RegTech has the most to offer in the context of corporate whistleblowing regulation. As noted, smart regulation pays attention to the significance of flexibility in the design of regulation, and the potential for third parties to be part of that design, so that regulated parties are susceptible to varied pressures that are appropriate both as to location and intensity.[95] Thus, smart regulation stresses the importance of ensuring the state, the regulated entity (ie the company) and third parties are all involved in a regulatory matrix, represented by a three-sided pyramid.[96] Both first and second generation RegTech solutions offer real potential to strengthen the contribution of that multi-part regulatory structure and to improve on a solely human-based whistleblowing system design.

It is argued in this article that first and second generation RegTech impacts on whistleblowing are likely to offer enhancements to companies’ internal whistleblowing systems. In turn those benefits ought to support both a company’s capacity to operate as an effective self-regulator within smart regulation’s model, and at the same time facilitate the capacity of whistleblowers to act as surrogate regulators. The potential for transition from human disclosers to whistlebots is a fascinating aspect of this theoretical analysis. Not only a potential additional surrogate regulator, but one with exceptional capabilities, a disembodied bot would, as suggested above, be invulnerable to the limiting effects of shame, exclusion and victimisation. In a world of whistlebots, the difficulty of legislating for effective protection and support for whistleblowers – arguably the most significant limitation on the efficacy of whistleblowing as a regulatory device – becomes a redundant problem. In turn the capacity of whistleblowing to form a powerful supplement to existing conceptions of the smart regulatory pyramid is dramatically enhanced.

VI CONCLUSION

The recent evolution of corporate whistleblowing has demonstrated the capacity of effective internal corporate whistleblowing systems to support regulatory aims, while theoretical support for the role of whistleblowers in a regulatory system can be found in Gunningham and Sinclair’s smart regulation paradigm. Smart regulation offers a range of design principles that can be applied to corporate whistleblowing activity to illustrate the capacity of whistleblowers to contribute to enhanced regulatory outcomes. Where whistleblowers within a corporation are empowered to bring wrongdoing to light, both through internal whistleblowing activity and ultimately through external disclosure where needed, the regulatory and compliance goals of the state as well as the company are supported. A smart regulation lens demonstrates the very significant potential of internal corporate whistleblowers to operate as surrogate regulators.

Fast-developing technology-based regulatory solutions are likely to interact with the potential of whistleblowers to operate as surrogate regulators in interesting ways. First generation RegTech applications drawing particularly on improved data analytics already have the capability to assist corporations to implement more efficient internal whistleblowing systems. It seems uncontroversial to suggest that the rise of second-generation AI-powered RegTech technologies that use predictive analytics, natural language processing and deep learning will further disrupt, and transform, the practice of whistleblowing within corporations, and as between corporations and regulators. Almost certainly the impacts will be more wide-reaching than we can currently comprehend, and are likely to carry with them both technical and ethical complexities. Fascinatingly, as AI advances, the potential exists for internal corporate whistleblowers to be supplemented, or even replaced, by automated whistleblowers – ‘whistlebots’, with the ability to report autonomously within a corporation and/or to external regulators, and to dramatically enhance internal corporate transparency.

Given the value that whistleblowers bring to regulatory design, the capacity to harness AI to replace vulnerable human whistleblowers with disembodied bots is significant. A persistent problem in the encouragement of corporate whistleblowers has been the level of personal risk associated with blowing the whistle – risk that is inextricably connected with the human state. If the potential exists to replace human whistleblowers with whistlebots, even for some limited purposes as yet, the ability of whistleblowers to operate as surrogate regulators to support the regulatory efforts of the state and the corporation is dramatically enhanced.

One of the most important regulatory claims of whistleblowing is that it can assist in addressing the detection problem, by uncovering wrongdoing that would not otherwise be perceivable. AI may bring more of those hidden spaces to light than has previously been thought possible with human agency. In short, it seems likely that the advent of the Fourth Industrial Revolution will be as significant for whistleblowing as it promises to be for many other realms of regulatory activity. Indeed, this article suggests that given whistleblowing’s particular vulnerability as a corporate regulatory device to the vicissitudes of human existence, the arrival of technologically enhanced whistleblowing may ultimately be more significant for whistleblowing than for some other fields of human endeavour.


[*] Associate Professor, Flinders University. I am grateful for the valuable contributions made by the anonymous reviewers.

[1] For a brief description of this concept, see Klaus Schwab, ‘The Fourth Industrial Revolution, by Klaus Schwab’, World Economic Forum (Web Page) <https://www.weforum.org/about/the-fourth-industrial-revolution-by-klaus-schwab>.

[2] Christopher Woolard, ‘The FCA’s Regional FinTech Engagement’ (Speech, Leeds Digital Festival, 26 April 2017).

[3] Giangiacomo Olivi and Francesco Armaroli, ‘European Union: Bridging the Gap between RegTech and Artificial Intelligence’, Mondaq (Web Page, 17 December 2018) <http://www.mondaq.com/italy/x/764606/fin+tech/Bridging+the+gap+between+RegTech+and+Artificial+Intelligence+an+Italian+perspective> .

[4] Sulette Lombard, Vivienne Brand and Janet Austin, ‘Introduction’ in Sulette Lombard, Vivienne Brand and Janet Austin (eds), Corporate Whistleblowing Regulation: Theory, Practice, and Design (Springer, 2019) viii, ix; Vivienne Brand and Sulette Lombard, ‘Good Governance Practice in Relation to Corporate Whistleblowing’ (2015) 67(1) Governance Directions 10, 10; Janet P Near and Terry Morehead Dworkin, ‘Responses to Legislative Changes: Corporate Whistleblowing Policies’ (1998) 17(14) Journal of Business Ethics 1551, 1559; Harold Hassink, Meinderd de Vries and Laury Bollen, ‘A Content Analysis of Whistleblowing Policies of Leading European Companies’ (2007) 75(1) Journal of Business Ethics 25, 26; Dave Ebersole, ‘Blowing the Whistle on the Dodd-Frank Whistleblower Provisions’ (2011) 6(1) Ohio State Entrepreneurial Business Law Journal 123, 137; Gladys Lee and Neil Fargher, ‘Companies’ Use of Whistle-Blowing to Detect Fraud: An Examination of Corporate Whistle-Blowing Policies’ (2013) 114(2) Journal of Business Ethics 283, 285.

[5] Richard Moberly, ‘Confidentiality and Whistleblowing’ (2018) 96(3) North Carolina Law Review 751, 752.

[6] For a recent summary of the full extent of the multi-million dollar rewards paid to individuals under the SEC’s Whistleblower Program, see Securities and Exchange Commission (US), 2018 Annual Report to Congress: Whistleblower Program (Report, 2018) (‘SEC Annual Report to Congress’).

[7] Kevin O’Brien and Geoffrey Grove, ‘Ontario Securities Commission Announces First Ever Whistleblower Awards’, Osler (Blog Post, 1 March 2019) <https://www.osler.com/en/blogs/risk/march-2019/ontario-securities-commission-announces-first-ever-whistleblower-awards>.

[8] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons Who Report Breaches of Union Law [2019] OJ L 305/17.

[9] Transparency International Liaison Office to the European Union, ‘Historic Day for Whistleblowers as EU Agrees Pathbreaking Legislation’ (Media Release, 12 March 2019).

[10] See especially Corporations Act 2001 (Cth) ss 1317AD, 1317ADA, 1317AE, 1317AI (‘Corporations Act’), as inserted by Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth) sch 1 pt 1 item 9 (‘Enhancing Whistleblower Protections Act’).

[11] See generally Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, February 2019).

[12] See, eg, the Commonwealth Bank of Australia whistleblower Jeff Morris and the Securency whistleblower Brian Hood. For a precis of the story of Jeff Morris, see Anne Barker, ‘Banking Royal Commission: Speaking Out against CBA Had “Horrific Impact” on Whistleblower’, ABC News (online, 30 November 2017) <www.abc.net.au/news/2017-11-30/banking-whistleblower-jeff-morris-tells-of-horrific-impact/9212536>. Securency whistleblower Brian Hood is discussed in Royce Millar, ‘After Securency: RBA Whistleblower Case Highlights Calls for Federal ICAC’, The Sydney Morning Herald (online, 24 June 2016) <www.smh.com.au/politics/federal/after-securency-rba-whistleblower-casehighlights-calls-for-federal-icac-20160624-gpr019.html>.

[13] See, eg, Sulette Lombard and Vivienne Brand, ‘Whistleblowing and Corporate Governance: Regulating to Reap the Governance Benefits of “Institutionalised” Whistleblowing’ (2018) 36(1) Company and Securities Law Journal 29, 31, and the commentary cited there. See also Olivia Dixon, ‘“Pretaliatory” Enforcement Action for Chilling Whistleblowing through Corporate Agreements: Lessons from North America’ (2018) 46(3) Federal Law Review 427, 428. See also recent empirical evidence finding a possible link between whistleblowing and effective corporate governance in Stephen R Stubben and Kyle T Welch, ‘Evidence on the Use and Efficacy of Internal Whistleblowing Systems’ (2020) 58(2) Journal of Accounting Research 473, 513.

[14] One recent study has suggested, for instance, that of the top 100 revenue generators in the world economy, 71 are corporations: Milan Babic, Jan Fichtner and Eelke M Heemskerk, ‘States versus Corporations: Rethinking the Power of Business in International Politics’ (2017) 52(4) International Spectator 20, 27–8.

[15] Indeed the foreseeability of future interactions between whistleblowing and RegTech is illustrated by the publication of a chapter on this idea while this article was under review: see Kieran Pender, Sofya Cherkasova and Anna Yamaoka-Enkerlin, ‘Compliance and Whistleblowing: How Technology Will Replace, Empower and Change Whistleblowers’ in Jelena Madir (ed), FinTech: Law and Regulation (Edward Elgar, 2019) 326.

[16] Robert Baldwin and Julia Black, ‘Really Responsive Regulation’ (2008) 71(1) Modern Law Review 59, 77.

[17] See, eg, Vivienne Brand, ‘Still “Insufficient or Irrelevant”: Australia’s Foreign Bribery Corporate Whistleblowing Regulation’ [2016] UNSWLawJl 38; (2016) 39(3) University of New South Wales Law Journal 1072, 1074–5. Transparency International predicted 2019 might be a landmark year for whistleblower protection: ‘World Whistleblower Day 2019: Is This a Landmark Year for Whistleblower Protection?’, Transparency International (Web Page, 20 June 2019) <https://www.transparency.org/news/feature/world_whistleblower_day_2019_is_this_a_landmark_year_for_whistleblower_prot>.

[18] SEC Annual Report to Congress (n 6) 1.

[19] See the discussion of this phenomenon in Dixon (n 13).

[20] See Stubben and Welch (n 13) 513.

[21] Corporations Act pt 9.4AAA, as inserted by Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (Cth) sch 4 pt 2. For criticisms, see generally Parliamentary Joint Committee on Corporations and Financial Services, Parliament of Australia, Whistleblower Protections (Report, September 2017). As to the provisions being essentially unused, see Explanatory Memorandum, Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2017 (Cth) 8 [1.8].

[22] See Enhancing Whistleblower Protections Act.

[23] Vivienne Brand, ‘Ethics and Corporate Whistleblowing Rewards in Australia’ (2018) 33(3) Australian Journal of Corporate Law 402, 404.

[24] The new provisions in pt 9.4AAA of the Corporations Act are also supported by a very detailed regulatory guide issued by the Australian Securities and Investments Commission in November 2019 in relation to compliance with the legislation’s whistleblower policy requirements: Australian Securities and Investments Commission, ‘Regulatory Guide 270: Whistleblowing Policies’ (Guide, 13 November 2019).

[25] This guidance is particularly welcome since understandings of what constitutes whistleblowing activity can vary, and there is ‘no universally-accepted definition of a whistleblower’: Pender, Cherkasova and Yamaoko-Enkerlin (n 15) 327 [15.02].

[26] See Enhancing Whistleblower Protections Act. See especially Corporations Act ss 1317AAE, 1317AC, 1317AD, 1317AE, 1317AI.

[27] See AJ Brown, ‘New Corporate Whistleblower Protections Worth the Scramble’, Griffith News (Web Page, 3 December 2018) <https://news.griffith.edu.au/2018/12/03/new-corporate-whistleblower-protections-worth-the-scramble/>.

[28] Corporations Act s 1317AI(5), as inserted by Enhancing Whistleblower Protections Act sch 1 pt 1 item 9.

[29] See, eg, Department of Justice (US), Justice Manual (online at 9 June 2020) [9-28.800] on the need for internal compliance programs that are ‘adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees’ and Ministry of Justice (UK), ‘The Bribery Act 2010: Guidance’ (Guidance, 11 February 2012) 22, on ‘“speak up” or “whistle blowing” procedures’ as part of a bribery prevention program. See also Australian Securities Exchange Corporate Governance Council, ‘Corporate Governance Principles and Recommendations’ (Principles and Recommendations, February 2019) 17 [Recommendation 3.3], on the need for companies to have internal whistleblowing policies.

[30] For instance, of the kind provided for in section 674 of the Corporations Act and rule 3.1 of the ASX, Listing Rules (at 1 December 2019).

[31] See, eg, the classification on this basis undertaken in relation to corporate management by Martin Petrin, ‘Corporate Management in the Age of AI’ [2019] (3) Columbia Business Law Review 965.

[32] Neil Gunningham and Darren Sinclair, ‘Smart Regulation’ in Peter Drahos (ed), Regulatory Theory: Foundations and Applications (Australian National University Press, 2017) 133, 133 (‘Smart Regulation’).

[33] Ibid 135.

[34] Ibid; Neil Gunningham and Darren Sinclair, ‘Designing Environmental Policy’ in Neil Gunningham, Peter Grabosky and Darren Sinclair (eds), Smart Regulation: Designing Environmental Policy (Oxford University Press, 1998) 375, 389 (‘Designing Environmental Policy’).

[35] Gunningham and Sinclair, ‘Smart Regulation’ (n 32) 134–5. See also Gunningham and Sinclair, ‘Designing Environmental Policy’ (n 34) 387–422.

[36] See, eg, the work on employees as third party regulators in Vibeke Lehmann Nielsen and Christine Parker, ‘To What Extent Do Third Parties Influence Business Compliance?’ (2008) 35(3) Journal of Law and Society 309. See also the work on individuals as enforcers in Yuval Feldman and Orly Lobel, ‘Individuals as Enforcers: The Design of Employee Reporting Systems’ (Public Law and Legal Theory Working Paper No 15-10, Bar-Ilan University, October 2010); Yuval Feldman and Orly Lobel, ‘Decentralized Enforcement in Organizations: An Experimental Approach’ (2008) 2(2) Regulation and Governance 165. I am also indebted to Dr Sulette Lombard for suggesting there may be potential to use smart regulation in a whistleblowing context.

[37] See generally Gunningham and Sinclair, ‘Smart Regulation’ (n 32) 135.

[38] Ibid 135, 139.

[39] [2016] FCA 1023; (2016) 336 ALR 209, 301–2 [481]–[483], 370 [834].

[40] Olivi and Armaroli (n 3).

[41] Jarred McGinnis, ‘Regtech: What’s the Technology behind It?’, Global Banking and Finance Review (Web Page, 14 October 2016) <https://www.globalbankingandfinance.com/regtech-whats-the-technology-behind-it/>.

[42] The first category of service providers listed on Deloitte’s ‘Analysis: RegTech Universe 2020’ is those who ‘[e]nable automated data distribution and regulatory reporting through big data analytics, real time reporting and cloud’: ‘RegTech Universe 2020’, Deloitte (Web Page, 3 January 2020) <https://www2.deloitte.com/lu/en/pages/technology/articles/regtech-companies-compliance.html>.

[43] ‘Law & Business Downtown Seminar: From FinTech to RegTech to CorpTech’, University of Sydney (Web Page, 16 April 2019) <http://sydney.edu.au/news/law/457.html?eventid=11935> . See generally Luca Enriques, ‘Financial Supervisors and RegTech: Four Roles and Four Challenges’, Oxford Business Law Blog (Blog Post, 9 October 2017) <https://www.law.ox.ac.uk/business-law-blog/blog/2017/10/financial-supervisors-and-regtech-four-roles-and-four-challenges>.

[44] Jack Nelson, ‘The Rise of Anti-RegTech?’, Lexology (Blog Post, 5 April 2017) <https://www.lexology.com/library/detail.aspx?g=86320a8b-c385-4c29-b39c-c7dec328ce54>.

[45] Australian Securities and Investments Commission (n 24) 44 [RG 270.147].

[46] Petrin (n 31) 968.

[47] Pender, Cherkasova and Yamaoko-Enkerlin (n 15) 328 [15.06].

[48] Bank of England Prudential Regulation Authority and Financial Conduct Authority, ‘Financial Incentives for Whistleblowers’ (Research Note, July 2014) 6.

[49] Baldwin and Black for instance refer to the ‘good deal of unreliable information’ with which regulators have to deal as a result of their unavoidable need to rely on hotlines and whistleblowing processes: Baldwin and Black (n 16) 77; similar costs result from too many ‘false positives’ within a corporate compliance system: Pender, Cherkasova and Yamaoko-Enkerlin (n 15) 333 [15.18].

[50] The Australian Securities and Investments Commission’s recently released ‘Regulatory Guide 270: Whistleblowing Policies’, for instance, points to the capacity of external whistleblowing providers to ensure whistleblowers ‘receive updates on the status of their disclosure while retaining anonymity’, thus encouraging more whistleblowing activity: Australian Securities and Investments Commission (n 24) 23–4 [RG 270.72]. Similar arguments exist in relation to the capacities of automated systems.

[51] As is the case in the new Corporations Act s 1317AI(5).

[52] For instance, the obligation on corporations to avoid causing any detriment to the whistleblower (Corporations Act s 1317AC(1)) is a broad concept requiring the exercise of considerable judgment on the part of the corporation.

[53] Petrin (n 31) 968 n 9.

[54] High-Level Expert Group on Artificial Intelligence, European Commission, ‘Ethics Guidelines for Trustworthy AI’ (Guidelines, 8 April 2019) 36 (citations omitted).

[55] Dmitriy Genzel, ‘What Are the Differences between AI, Machine Learning, NLP, and Deep Learning?’, Forbes (online, 23 September 2016) <https://www.forbes.com/sites/quora/2016/09/23/what-are-the-differences-between-ai-machine-learning-nlp-and-deep-learning/#7519cc3274fa>.

[56] The obligation to avoid detriment occurs in Corporations Act s 1317AC(1).

[57] See, eg, the ‘Hello Ethics’ app described at: ‘About Us’, Hello Ethics (Web Page) <https://www.helloethics.com/en/index.html#about>.

[58] James Eyers, ‘ASIC Gets Tough on “Regtech”’, Australian Financial Review (online, 27 March 2019) <https://www.afr.com/companies/financial-services/asic-gets-tough-on-regtech-20190327-p5182j>.

[59] James Eyers, ‘Banking Royal Commission: Regtech Software a Pathway for Post-Hayne Compliance’, Australian Financial Review (online, 1 February 2019) <https://www.afr.com/technology/regtech-software-a-pathway-for-posthayne-compliance-20190201-h1aq6c>. See especially the claims made by private provider Platos: ‘PLATOS is a powerful AI-moderated conversation platform ... built for large-scale, deliberative discussion with your most important stakeholders’: ‘Bringing People Together: Virtual Forums for Leading in Challenging Times’, Platos (Web Page) <https://www.platos.io/>.

[60] Petrin (n 31) 969.

[61] Ibid 970.

[62] Ibid 980.

[63] Ibid.

[64] See, eg, the debates in W Michael Hoffman and Mark S Schwartz, ‘The Morality of Whistleblowing: A Commentary on Richard T De George’ (2015) 127(4) Journal of Business Ethics 771; Richard T De George, ‘A Response to My Critics’ (2015) 127(4) Journal of Business Ethics 789.

[65] See the specific (and wide) definition of ‘detriment’ in s 1317ADA of the Corporations Act; this definition includes psychological harm, a concept it can readily be imagined will be difficult to adequately program a bot to avoid.

[66] Robert Eli Rosen, ‘The Sociological Imagination and Legal Ethics’ (2016) 19(1) Legal Ethics 97.

[67] In the context of corporate disclosures at least. According to a Google search however there is a ‘five-piece jam/funk/jazz/rock band based in Boston, MA’ of this name: ‘Who We Are’, Whistlebot (Web Page) <https://www.whistlebotband.com/>.

[68] See, eg, the Hello Ethics website, ‘@Halloobot: The Hello Ethics Chatbot’, Hello Ethics (Web Page) <https://www.helloethics.com/en/index.html#service>, which describes ‘Halloobot’, a bot that is ‘intelligent’ and ‘can learn from previous reports’.

[69] See, eg, Whistleblower Protections (n 21), illustrated also by the recommendations of influential international bodies: Organisation for Economic Co-operation and Development, G20 Anti-corruption Action Plan: Protection of Whistleblowers (Report, 2011) 2 (this study was endorsed by G20 Leaders at the 2011 G20 Summit in Cannes); Commission on Corporate Responsibility and Anti-corruption, International Chamber of Commerce, ‘ICC Rules on Combating Corruption’ (Rules, 2011) art 7.

[70] See, eg, Richard T De George, Business Ethics (Prentice Hall, 7th ed, 2010) 303; Geoffrey Christopher Rapp, ‘Beyond Protection: Invigorating Incentives for Sarbanes-Oxley Corporate and Securities Fraud Whistleblowers’ (2007) 87(1) Boston University Law Review 91, 95–6, 118–19; James Gobert and Maurice Punch, ‘Whistleblowers, the Public Interest, and the Public Interest Disclosure Act 1998(2000) 63(1) Modern Law Review 25, 34–6.

[71] A similar point is made in relation to algorithms not being able to be ‘personally victimised or directly retaliated against’: Pender, Cherkasova and Yamaoko-Enkerlin (n 15) 337 [15.27].

[72] Questions of ‘human’ rights for robots are beyond the scope of this article but offer a fascinating avenue for further analysis and investigation.

[73] Petrin (n 31) 993.

[74] Hamlet, Prince of Denmark, Act III Scene I, in William Shakespeare, The Oxford Shakespeare Complete Works (Oxford University Press, 1959) 886.

[75] John Poynder (ed), Literary Extracts from English and Other Works; Collected during Half a Century: Together with Some Original Matter (John Hartchard & Son, 1844) vol 1, 268. See also John C Coffee Jr, ‘“No Soul to Damn: No Body to Kick”: An Unscandalized Inquiry into the Problem of Corporate Punishment’ (1981) 79(3) Michigan Law Review 386.

[76] Poynder (n 75) 268.

[77] Baldwin and Black (n 16) 67.

[78] Ibid.

[79] With negative implications for a company’s discharge of its obligations under the whistleblowing controls of pt 9.4AAA of the Corporations Act.

[80] Corporations Act s 180(1), and the business judgment defence in s 180(2). For directors only, s 189 is also relevant here; this provision relates to reliance by directors on the advice of employees and advisers, raising still further issues in relation to the introduction of non-human elements into the corporate liability system – an issue with which corporate law as a whole will need to grapple as AI advances.

[81] Alan Dignam, ‘Artificial Intelligence: The Very Human Dangers of Dysfunctional Design and Autocratic Corporate Governance’ (Legal Studies Research Paper No 314/2019, Queen Mary University of London, 2019) 25.

[82] Karen Yeung, ‘Algorithmic Regulation: A Critical Interrogation’ (2018) 12(4) Regulation and Governance 505, 519.

[83] Whistleblowing itself raises complex ethical questions of course: see, eg, the discussion in Sissela Bok, Secrets: On the Ethics of Concealment and Revelation (Oxford University Press, 1982) 219–25; Brand, ‘Ethics and Corporate Whistleblowing Rewards in Australia’ (n 23).

[84] Bias represents a particularly pernicious problem within AI. As a recent report on bias in AI has noted, ‘[r]emedying bias in AI systems is almost impossible when these systems are opaque’: Sarah Myers West, Meredith Whittaker and Kate Crawford, AI Now Institute, Discriminating Systems: Gender, Race, and Power in AI (Report, April 2019) 4.

[85] Corporations Act s 1317AG, as inserted by Enhancing Whistleblower Protections Act sch 1 pt 1 item 9.

[86] With implications for Australian corporations subject to obligations to keep the identity of whistleblowers confidential from other employees: Corporations Act s 1317AAE(1).

[87] ‘Ethics Guidelines for Trustworthy AI’ (n 54) 33–4.

[88] Awards of up to USD50 million have been made under the scheme: Securities and Exchange Commission (US), ‘SEC Announces Its Largest-Ever Whistleblower Awards’ (Press Release 2018-44, 19 March 2018).

[89] Petrin (n 31) 994–5.

[90] See, eg, Peter Hancock, ‘Are Autonomous Cars Really Safer than Human Drivers?’, The Conversation (online, 2 February 2018) <http://theconversation.com/are-autonomous-cars-really-safer-than-human-drivers-90202> .

[91] Ibid.

[92] See, eg, the discussion on related issues in Bok (n 83) 221.

[93] Gunningham and Sinclair, ‘Smart Regulation’ (n 32) 134–5. See also Gunningham and Sinclair, ‘Designing Environmental Policy’ (n 34) 387–422.

[94] As they are by the Australian reforms: Corporations Act s 1317AI.

[95] See generally Gunningham and Sinclair, ‘Smart Regulation’ (n 32) 135.

[96] Ibid.


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJl/2020/29.html