Business Practices

The protection of personal data privacy is overseen by the Regulatory Advisory Committee, which includes the Chief Executive Officer and senior executives from the legal and corporate security departments, supported by the Data Protection Committee and local implementation teams. Employees are required to collect personal data in a lawful, fair and transparent manner, adhering to the data protection laws applicable in their jurisdiction.

Personal data must be collected solely for specified, clear and legitimate purposes, and measures should be taken to ensure that the data is accurate and up-to-date. Employees are expected to handle personal data lawfully, fairly, and transparently, ensuring compliance with relevant data protection laws. Access to personal data is restricted to employees whose roles necessitate its use for job responsibilities.

All personal data will be deleted when it is no longer necessary. For instance, customer personal data provided through application forms, the internet, or other means will be erased two years after the termination of the service subscription. Individuals have the right to access or amend their personal data. Security measures, such as pseudonymisation and encryption, are implemented to prevent unlawful processing, accidental loss, destruction or damage. The Group also conducts privacy impact assessments for new products, technologies, and business operations to meet regulatory requirements and manage privacy risks. The use of personal data by third parties is closely monitored, with access granted on a “need-to-know” basis.

To ensure secure online transactions for customers, the Group obtained the Certificate of Compliance with the Payment Card Industry Data Security Standard (PCI DSS v4.0 – Merchants) during the Reporting Period. PCI DSS is a global standard that establishes a baseline of technical and operational requirements for protecting account data. This certification demonstrates that the Group’s services provide a secure environment for accepting, processing, storing or transmitting credit card information.

The Group periodically reviews and updates its policies to facilitate timely communication with employees. To acknowledge and confirm their compliance with all applicable Group policies, employees are required to submit an annual self-declaration. This reinforces employees’ commitment to upholding the Group’s policies and regulatory requirements.

The Group has implemented an information security framework that outlines specific roles and responsibilities, including those of the Head of IT Security and Compliance, Information Security Custodian, and Information Owner.

To maintain high IT quality and identify potential vulnerabilities in the network, the Group conducts annual network assessments and penetration testing for both web and mobile applications. The results of these assessments are submitted to internal audit assurance for review as necessary.

The Group has limited the use of corporate information and put in place appropriate security measures based on the value and sensitivity of the information, with access only granted to those with clear business justifications. Each business unit is required to develop an information security incident response plan that outlines the personnel responsible for addressing incidents, the communication processes with both internal and external stakeholders, and the technological tools and resources utilised to identify and recover compromised data. In the event of an incident, details regarding any compromised or potentially compromised data, along with the steps taken to address the situation and the resolution process, must be reported to relevant parties, including the Legal & Regulatory Affairs Department, Information Owner, Information Security Custodian, and any affected business units within the Group.

The Group has also created operational continuity and contingency planning, requiring business units to develop business continuity plans that ensure the confidentiality, integrity and availability of information during security incidents. Policies, standards and guidelines for data and information backup and recovery have been implemented to ensure data is backed up regularly. All storage media must be carefully stored and organised, and any recovery efforts should be requested beforehand and conducted under supervision. Additionally, data backup restoration tests and validations are mandated annually.

Anti-Fraud & Anti-Bribery (“AFAB”) Policy and Code of Ethics (the “Code”)

The Code of Ethics specifically addresses the management of conflicts of interest, emphasising that employees must remain vigilant and avoid situations that could lead to such conflicts. Employees are required to promptly report any instances or activities that may involve potential conflicts of interest to the Human Resources Department. Such cases will be reviewed by the heads of the relevant departments, along with teams from the Human Resources, Legal and Regulatory Affairs, and Corporate Security, to determine appropriate actions. Non-compliance with the Code of Ethics may result in disciplinary actions, and any violations will be reported to regulatory authorities as deemed necessary.

Designated whistleblowing channels have been established for employees and third parties to report any illegal or unethical incidents that violate laws or the Code of Ethics. All reports will be treated as confidential to the extent possible as allowed by law.

Additionally, the Code of Ethics underscores the Group's commitment to business integrity, requiring employees to maintain high standards of honesty and transparency in interactions. The Group enforces a zero-tolerance policy towards all forms of bribery. The Anti-Fraud and Anti-Bribery Policy covers any improper payments, kickbacks or other bribery-related activities, explicitly prohibiting employees from using Group funds or assets for political or charitable contributions and sponsorships.

The Group is committed to treating all business partners with fairness, honesty and professionalism. The Group has established a Purchasing Policy and Supplier Code of Conduct to govern the selection and renewal of suppliers. Contractors or suppliers with a history of bribery or corruption will not be considered for collaboration with the Group. To ensure thoroughness, the Group assigns adequately skilled individuals to conduct due diligence during the selection and renewal processes for contractors and suppliers.

Whistleblowing

To maintain high standards of business integrity, honesty, fairness, and transparency, the Group has developed a Whistleblowing Policy and established confidential reporting channels for employees and third parties. This policy addresses all forms of impropriety, misconduct and malpractice, including but not limited to criminal offenses, discrimination, harassment, environmental damage and violations of legal or regulatory requirements, as well as breaches of the Group's rules, policies or internal controls.

All employees and relevant stakeholders, including customers, suppliers, creditors and debtors, are strongly encouraged to report any suspicions of misconduct, malpractice or fraud via the confidential reporting channels. Investigations on incidents or suspected incidents of fraud and corruption are conducted in a timely and highly confidential manner. Internal Audit assumes responsibility for reviewing each reported incident and promptly escalating significant incidents to the Audit Committee. A summary of reported incidents, alongside relevant statistics including the outcomes of independent investigations and actions taken, is presented to the Chief Financial Officer on a quarterly basis. As for substantiated concerns, appropriate disciplinary actions, including verbal or written warnings and termination of employment, are taken following due management consideration. Any violations of laws and regulations are reported to the police or other law enforcement organisations as applicable. The Whistleblowing Policy is readily accessible on the Company’s website and intranet, providing detailed information about the reporting process and procedures.

The Group places a high priority on maintaining confidentiality throughout the investigation process and protecting whistleblowers. The identity of the whistleblower will remain confidential unless consent is given. Any harassment or victimisation of a whistleblower will be considered as misconduct and may lead to dismissal or other disciplinary actions.

Business partners and suppliers play a crucial role in the Group’s journey towards sustainability. In view of this, the Group has integrated sustainability principles into its procurement process. The Group has established Supplier Code of Conduct, Acknowledgement of Supplier Code of Conduct, Sustainability Questionnaire, Guidance on Environmental Protection and Occupational Health and Safety Standards, and a Business Partner Evaluation process. Recognising the importance of supplier engagement, the Group continually strives to strengthen its collaboration with business partners and suppliers. During the Reporting Period, the Group distributed CDP questionnaires to selected business partners and suppliers to understand their carbon emission and sustainability performance. This initiative enhances the Group’s carbon measurement across the value chain and facilitates better tracking of the progress in its carbon reduction efforts.

Supplier code of conduct

The Group has established the Supplier Code of Conduct which serves as a guide for its business partners and suppliers, aiming to foster broader enhancements in sustainability practices and performance for the interests of stakeholders concerned as well as communities served by the Group. The Supplier Code of Conduct has been developed taking into consideration various international charters and conventions, such as the United Nation’s Universal Declaration of Human Rights and the International Labour Organisation Conventions. It outlines standards specifically for the Group’s business partners and suppliers, encompassing specific criteria and benchmarks regarding environmental performance, ethics, health and safety, quality and regulatory compliance. The Supplier Code of Conduct alongside the Purchasing Policy, Business Partner Evaluation Policy, Anti-Fraud and Anti-Bribery Policy as well as other related controls and procedures, provides clear direction and guidelines in terms of the Group’s evaluation and engagement with its business partners and suppliers. The Group regularly conducts adequate assessments and evaluations for the selected business partners and suppliers involved. Compliance with the Supplier Code of Conduct is mandatory for those falling within the scope of the Business Partner Evaluation Policy.

The Group encourages its suppliers to regularly evaluate their own compliance as well as that of their business partners and their suppliers, and to share their compliance status with the Group upon request. If any violations of this Supplier Code of Conduct are identified, the Group will work with them to address the issue. The Group expects the affected business partners and suppliers to create a corrective action plan to achieve compliance with the Supplier Code of Conduct. If they fail to develop or implement this plan, the Group may terminate the business relationship.

Supplier screening and assessments

The Group has invited selected business partners and suppliers to provide information on their sustainability performance by completion of the Sustainability Questionnaire. The questionnaire addresses the adoption of relevant practices and policies in areas such as sustainability governance, environmental protection, ISO adoption, health and safety, human rights, supply chain management and information security, and form part of the supplier evaluation process.

Following the Group’s introduction of the ISO management system in designated locations, the Group has actively engaged with its suppliers to facilitate the implementation of similar systems or acquisition of related certifications.