Whistleblowing Policy

1. Purpose

Thinxtra Ltd (Thinxtra) recognizes and respects the importance of protecting the privacy of an individual’s personal information. This statement sets out how Thinxtra aims to protect the privacy of your personal information, your rights in relation to your personal information managed by Thinxtra and the way Thinxtra collects, holds, uses and discloses your personal information.

In handling your personal information, Thinxtra will comply with the Privacy Act 1988 (Cth) (Privacy Act), the 13 Australian Privacy Principles in the Privacy Act and where relevant, the Credit Reporting Code. This policy statement may be updated from time to time.

This policy applies to each of the directors, officers, employees, volunteers, contractors and consultants (“Staff”) of Thinxtra Limited (“Thinxtra”) and its related entities (collectively “Thinxtra Group”).

The purpose of this policy is to foster organisational integrity within Thinxtra Group by encouraging those who become aware of wrongdoing to come forward and report it without fear of retribution (“whistleblower” or “whistleblower”) and to have confidence that disclosures will be handled respectfully, confidentially and on a timely basis.  Disclosures under this policy will help identify wrongdoing that may not be uncovered unless there is a safe and secure means for disclosing wrongdoing. Such disclosures are essential for the maintenance of, and improvements to the risk management and corporate governance framework of Thinxtra Group.

This policy covers:

• what matters can be reported under this policy,
• what a whistleblower should do and how they can expect to be treated,
• what those receiving information from a whistleblower should do, and
• how Thinxtra Group investigates whistleblower disclosures.

The obligations of this policy supplement, but do not replace, Thinxtra Group’s other policies applicable to Staff. Staff must understand and comply with all other applicable policies of Thinxtra Group.

This policy will be made available to all Staff in Thinxtra Group on the HR drive.

2. Disclosable Matters

For the purpose of this policy, wrongdoing or disclosable matters that can be reported, and are protected, under this policy  involve information that the whistleblower has reasonable grounds to suspect*:

• Concerns:
  • misconduct (includes fraud, negligence, default, breach of trust and breach of duty) or
  • an improper state of affairs or circumstances (includes dishonest or unethical behavior and practices, conduct that may cause harm or conduct prohibited by Thinxtra Group’s Code of Ethics or other policies), in relation to Thinxtra or any related body corporate of Thinxtra, or
• Indicates that Thinxtra or any related body corporate of Thinxtra (including their Staff) have engaged in conduct that:
  • is a breach of the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission Act 2001 (Cth) or the National Consumer Credit Protection Act 2009 (Cth),
  • is a breach of any other financial sector laws enforced by ASIC or APRA,
  • is a breach of any law of the Commonwealth that is punishable by imprisonment for a period of 12 months, or
  • represents a danger to the public or the financial system.

*The term “reasonable grounds to suspect” is based on the objective reasonableness of the reasons for the whistleblower’s suspicion. The whistleblower’s motive for making a disclosure or the personal opinion of the person(s) involved does not prevent the whistleblower from qualifying for protection. A mere allegation with no supporting information is not likely to be considered as having “reasonable grounds to suspect”. However, a whistleblower does not need to prove his/her allegations.

Examples of disclosable matters (also known as “qualifying disclosures”) under this policy include things such as:

• Misconduct.
• Illegal conduct such as theft, dealing in, or use of illicit drugs, violence or threatened violence, and criminal damage against property.
• Discrimination, bullying or victimisation.
• Improper states of affairs.
• Corporate corruption.
• Offering or accepting a bribe.
• Financial irregularities.
• Fraud.
• Money laundering.
• Misappropriation of funds.
• Conduct that is a danger, or represents a danger to the public or financial system.

Disclosable Matters Relating to Tax

In addition to the above disclosable matters which are protected under the Corporations Act, disclosure of information relating to tax affairs of the Thinxtra Group by a whistleblower qualifies for protection if the disclosure:

1. Is made to the Commissioner of Taxation and the disclosure considers the information may assist the Commissioner to perform his or her functions under the taxation law in relation to the Thinxtra Group or an associate; or
2. Is made to an Eligible recipient (as that term is defined in the Tax Administration Act 1953 (Cth) (“Tax Act”) and the whistleblower has made reasonable grounds to suspect that the information indicates misconduct, or an improper state of affairs or circumstances, in relation to the tax affairs of the Thinxtra Group or an associate and the whistleblower considers that the information may assist the person to perform functions or duties in relation to the tax affairs of the Thinxtra Group or an Associate.

Where the disclosure of information qualifies for protection under the Tax Act the whistleblower will have the benefit of substantially similar protections as are under the Corporations Act, including in relation to maintaining confidentiality, protecting the identity of the disclosure, the whistleblower being protected against certain actions, victimisation being prohibited and the court having the power to make compensation orders in favour of the whistleblower.

Personal Work-related Grievances

Personal work-related grievances are generally not disclosable matters (subject to the exceptions noted below). These are generally grievances relating to a Staff’s current or former employment or engagement that have implications for that person personally and that do not have broader implications for the Thinxtra Group.

Examples of personal work-related grievances include:

• an interpersonal conflict between the whistleblower and another employee; and
• decisions that do not involve a breach of workplace laws:
  • about the engagement, transfer or promotion of the whistleblower;
  • about the terms and conditions of engagement of the whistleblower; or
  • to suspend or terminate the engagement of the whistleblower or otherwise to discipline the whistleblower.

However, some types of personal work-related grievances will be disclosable matters under this policy, for example, where a personal work-related grievance includes information about misconduct or reveals improper systemic issues within the Thinxtra Group.

3. Who May Make a Report?

Anyone who is or has been in a relationship with Thinxtra Group can be an eligible whistleblower, specifically any current or former:

• an officer or an employee of Thinxtra Group,
• someone who has supplied goods or services to Thinxtra (paid or unpaid) or an employee of such a supplier,
• someone who is an associate of Thinxtra, or
• a spouse, relative or dependent of any of the above individuals.

For the purposes of this policy a reference to a “whistleblower” assumes that the whistleblower is one of the above eligible whistleblowers.

4. How to Make a Report and to Whom

If a whistleblower believes that an instance of wrongdoing has occurred at Thinxtra Group, he/she is encouraged to report the incident to Thinxtra’s Whistleblower Protection Officer (“WPO”), but he/she could also make the report to:

• ASIC (Australian Securities and Investments Commission), APRA (Australian Prudential and Regulatory Authority) or, for tax matters, the Commissioner of Taxation,
• an officer or senior managers of Thinxtra (eg, CEO or CFO),
• an auditor or actuary of the Thinxtra Group,
• a journalist or a parliamentarian for “public interest disclosures” or “emergency disclosures” (see below for more details).

In this policy, recipients of reports of wrongdoing are referred to as “eligible recipients”.

A whistleblower should avoid reporting to anyone whom he/she thinks may be implicated or involved in the suspected wrongdoing.

The WPO is available and receptive to receiving relevant information on a confidential basis and may be contacted directly by emailing [email protected]. Contact can also be made anonymously by calling [0407 293 670]. Contact can be made during or outside of business hours. The current WPO is James Hains.

When making a disclosure, a whistleblower may do so anonymously. Whilst he/she is encouraged to share his/her identity when making a disclosure, he/she is not required to do so. The eligible recipient will investigate the matters raised in the disclosure as thoroughly as possible, however, the investigation may be affected if that person is unable to revert to the whistleblower with questions due to the disclosure having been made anonymously.

“Public interest disclosures” are disclosures of information to a journalist or a parliamentarian in relation to which:

• At least 90 days have passed since the whistleblower made the disclosure of information to ASIC, APRA or another relevant Commonwealth body.
• The whistleblower does not have reasonable grounds to believe that action is being, or has been taken, in relation to his/her disclosure.
• The whistleblower has reasonable grounds to believe that making a further disclosure of the information is in the public interest.
• Before making the public interest disclosure, the whistleblower has given written notice to the Commonwealth body to which the previous disclosure was made that includes sufficient information to identify the previous disclosure and states that the whistleblower intends to make a public interest disclosure.

“Emergency disclosures” are disclosures of information to a journalist or parliamentarian where:

• the whistleblower has previously made a disclosure of the information to ASIC, APRA or another relevant Commonwealth body,
• the whistleblower has reasonable grounds to believe that the information concerns a substantial and imminent danger to the health or safety of one or more persons or to the natural environment,
• before making the emergency disclosure, the whistleblower has given written notice to the Commonwealth body to which the previous disclosure was made that includes sufficient information to identify the previous disclosure and states that the whistleblower intends to make
• an emergency disclosure, and
• the extent of the information disclosed in the emergency disclosure is no greater than is necessary to inform the journalist or parliamentarian of the substantial and imminent danger.

A whistleblower can contact Thinxtra’s WPO or an independent legal adviser to ensure that the whistleblower understands the criteria for making a public interest or emergency disclosure that qualifies for whistleblower protection.

5. Protections Available to Whistleblowers

Thinxtra Group prohibits all forms of detriment against a whistleblower as a result of a disclosure. These include:

• termination of employment,
• harassment, bullying or intimidation,
• personal or financial disadvantage,
• unlawful discrimination,
• harm or injury, including psychological harm,
• damage to a person’s reputation,
• damage to a person’s property,
• damage to a person’s business or financial position,
• express, implied, conditional or unconditional threat (the whistleblower does not have to actually fear that the threat will be carried out),
• alteration of the whistleblower’s position or duties to his or her disadvantage, or
• any other conduct that constitutes retaliation.

In addition, whistleblowers could benefit from:

• identity protection,
• potential compensation and other remedies, and
• civil, criminal and liability protection.

Thinxtra Group has appointed the WPO whose role is to oversee the protection of whistleblowers and potential whistleblowers from detriment. The WPO will take all reasonable steps to protect a whistleblower and other people who may become involved in an investigation of a disclosure from all forms of detriment and will take action it considers appropriate where such conduct is identified.

Identity Protection

It is illegal for a person to identify a whistleblower or any information that is likely to lead to the identification of the whistleblower except:

• to disclose the identity to ASIC, APRA, a member of the Australian Federal Police, a legal practitioner (to obtain legal advice about whistleblower provisions in the Corporations Act) or any other person/body permitted by the Corporations Regulations 2001 (Cth),
• with the consent of the whistleblower,
• if the information contained in a disclosure does not identify the whistleblower’s identity, Thinxtra Group has taken all reasonable steps to reduce the risk that the whistleblower will be identified from the information and it is reasonably necessary for investigating the issues raised in the disclosure, or
• ASIC, APRA or the Australian Federal Police can disclose the identity of the whistleblower, or information that is likely to lead to the identification of the whistleblower, to a Commonwealth, State or Territory authority to help the authority in the performance of its functions or duties.

A whistleblower may lodge a complaint with the Thinxtra WPO about a breach of confidentiality or with a regulator such as ASIC or APRA for investigation.

Thinxtra Group has adopted the following measures to ensure the identity protection of the whistleblower.

• All paper and electronic documents and other materials relating to disclosures are stored securely.
• All information relating to a disclosure can only be accessed by those directly involved in managing and investigating the disclosure.
• Only a restricted number of people who are directly involved in handling and investigating a disclosure are made aware of a whistleblower’s identity or information that is likely to lead to the identification of the whistleblower.
• Communications and documents relating to the investigation of a disclosure are not sent to an email address or to a printer that can be accessed by other staff.
• Each person who is involved in handling and investigating a disclosure is reminded that they should keep the identity of the whistleblower and the disclosure confidential and that an unauthorised disclosure of a whistleblower’s identity may be a criminal offence.

Compensation and Other Remedies for the Whistleblower

A whistleblower (or any other employee or person affected) can seek compensation and other remedies through the courts if they suffer loss, damage or injury because of a disclosure and Thinxtra Group fails to prevent a person from causing the detriment.

Thinxtra Group encourages whistleblowers to seek independent legal advice in this regard.

Civil, Criminal and Administrative Liability Protection

A whistleblower is protected from each of the following in relation to his/her disclosure.

• Civil liability (e.g. any legal action against the whistleblower for breach of an employment contract, duty of confidentiality or another contractual obligation).
• Criminal liability (e.g. attempted prosecution of the whistleblower for unlawfully releasing information, or other use of the disclosure against the whistleblower in a prosecution (other than for making a false disclosure)).
• Administrative liability (e.g. disciplinary action for making the disclosure).

6. How Thixtra will Investigate Qualifying Disclosures

What should recipients of disclosures do?

If an eligible recipient receives a qualifying disclosure from a whistleblower, his/her responsibilities include the following:

• An eligible recipient must not disclose the identity of the whistleblower (if it is known to the eligible recipient) to anyone without the whistleblower’s consent.
• The eligible recipient will immediately notify the WPO of the qualifying disclosure, the WPO will appoint a Whistleblower Investigations Officer (“WIO”) (who may be the WPO or someone else) as appropriate.
• If the situation warrants immediate action—for example, obvious theft has taken place, security is at risk, or immediate recovery is possible—management and nonmanagerial staff receiving reports should immediately contact the CEO if the WPO cannot immediately be reached.
• The WPO/WIO will consult with the Human Resources representative, as appropriate, to determine if any immediate personnel actions are necessary.
• The WPO must acknowledge the disclosure within 3 business days after the disclosure was received by the eligible recipient if the whistleblower can be contacted.
• The WPO must provide assurance to the whistleblower that Thinxtra Group is committed to protecting the confidentiality of the whistleblower’s identity and explain the procedures Thinxtra Group has in place for ensuring confidentiality.
• The WPO must explain that people may guess the whistleblower’s identity if, for example, the whistleblower has previously mentioned to other people that he/she is considering making a disclosure or if he/she is one of a very small number of people with access to the information.
• The WPO (with input from Thinxtra Board, audit or risk committee and external advisers as required) must determine whether the disclosure falls under this policy, and if so whether a formal investigation is required. If a formal investigation is required, the WPO (with input from
• Thinxtra Board, audit or risk committee and external advisers as required) will determine:
  • the nature and scope of investigation,
  • the person(s) within and/or outside Thinxtra Group that should lead the investigation
  • the nature of any technical, financial or legal advice that may be required to support the investigation, and
  • the timeframe for the investigation.
• Any investigation into what happened should be conducted objectively and neutrally.
• Thinxtra Group may establish a risk assessment framework and procedures for assessing and controlling the risk of detriment.
• The WPO must ensure appropriate records and documentation for each step in the process are maintained.
• The WPO should outline support services that are available to whistleblowers (counselling or other professional or legal services) and explain strategies to help the whistleblower to minimise and manage stress or other challenges resulting from the disclosure or its
• nvestigations.
• The WPO or the WIO must provide regular updates on the investigation to the whistleblower and inform him/her of the outcome of the investigation.
• As a general rule, the eligible recipient should never contact an individual suspected of wrongdoing (according to the disclosure which the eligible recipient has received) to determine facts or demand restitution.

The following general rules and principles should be adhered to whenever possible and should be used as a general guide for investigatory procedures in all cases:

• The WPO will report directly to the Thinxtra board or audit or risk committee (if available) and will have direct access to independent advisers.
• The WIO (if not the WPO) will report directly to the CEO or an officer with responsibility for legal, compliance or risk matters.
• Any inquiries from the media must be directed to the CEO.
• Any inquiries (if any) pertaining to or resulting from the suspected activity or its investigation, from any suspected individual, his or her representative (including legal representative) must be directed to the board, audit or risk committee or CEO as appropriate.
• In any cases involving allegations against the CEO, the CEO’s responsibilities as described here will be handled by the Board (excluding the CEO if he/she is also a director).
• In any cases involving allegations against (or implicating) the WPO, their responsibilities as described here will be handled by the CEO.
• The assigned investigator/investigation team will have access to all resources of Thinxtra and external counsel to ensure a fair and accurate investigation of the allegations and will appropriately document its findings and make recommendations for resolution of the matter, to the CEO or the Board (if the CEO is the subject of an allegation). The CEO or the Board will normally make final decisions on the matter and direct which actions need to be taken in response to any findings concluding that fraudulent, illegal or improper activities have occurred.
• Documents and evidence pertaining to the investigation, including any report and recommendations will be maintained during the investigation. Documents and evidence relating to a closed investigation will confidentially remain in Thinxtra Group’s files.
• The investigation is closed when the CEO or the Board (if the CEO is the subject of an allegation) has deemed the investigation is complete and a plan for final resolution of the matter, which includes any appropriate corrective or responsive action steps, has been approved (taking into account the recommendations of the WIO).
• Thinxtra Group will review the results of any investigation with responsible management as necessary, and will make recommendations for improvement to the systems of internal control as needed.
• The CEO will provide a report on activity under this policy to the Board for each case (except in cases where the CEO was the subject of a disclosure).

7. Terms and Conditions

This policy does not form a part of any terms and conditions of employment or contract of engagement and may be revoked, amended or replaced by Thinxtra at any time.

8. Availability of this Policy and Training

This policy will be made available to all Staff via the Google Drive, handbook & induction process. Regular training in relation to this policy, processes and procedures will be provided to every employee.

9. Review

The Board of Thinxtra will review this policy at least once a year to ensure its continued relevance and effectiveness. Frequent reviews are necessary to ensure that all relevant subordinate legislation is incorporated into the policy soon after it is made (note that matters prescribed by regulation must be dealt with in the policy).