THIRD PARTY DUE DILIGENCE POLICY AND PROCEDURES

  1. OBJECTIVES
    1. The objective of this Policy and Procedures is to promote compliance with the Malaysian Anti-Corruption Commission Act 2009, Malaysia’s Guidelines on Adequate Procedures, and all other applicable laws, including local anti-corruption laws where PPB Group[1] conducts business.
    2. This Policy and Procedures applies to all PPB Group’s Personnel[2]. Before entering a relationship or renewing an existing relationship with a Business Associate[3], or any third party, the Business Sponsors/ Project Sponsors[4] must comply with the requirements set forth herein. The specific due diligence requirements will vary depending on the risks associated with the Business Associate, or any third party.
  2. ROLES AND RESPONSIBILITIES
    1. PPBHQ Risk Management & Integrity Department, or the Head of Risk/ Integrity
      1. The PPB Group Berhad’s Risk Management & Integrity Department (“PPBHQ RMID”) or the Head of Risk/ Integrity at respective Business Units (“Head of Risk/ Integrity”) is responsible for overseeing the design, implementation, advisory and improvement of the Group’s anti-bribery and corruption policies and procedures, including on Due Diligence. Operational departments, such as Procurement, Sales, Marketing, Human Resources (“HR”), Legal, Finance, Information Technology (“IT”) and/ or others, are responsible for supporting the RMID, or the Head of Risk/ Integrity’s administration of the due diligence process. This may include, as necessary, implementing policies and procedures to ensure that the due diligence process is followed.
      2. The PPBHQ RMID or the Head of Risk/ Integrity is responsible for reviewing and analyzing all Red Flags reported by the Business Sponsors/ Project Sponsors regarding the Business Associate or the relevant third party. If necessary, the PPBHQ RMID or the Head of Risk/ Integrity may request further information from the Business Sponsors/ Project Sponsors, as specified in PPB's Due Diligence Guidelines for Procurement. The PPBHQ RMID or the Head of Risk/ Integrity may also consult other stakeholders such as Legal, or external counsel (if necessary), when reviewing and analyzing the reported Red Flags.
    2. Personnel
      1. Personnel from the Procurement Department or the relevant Business Sponsors/ Project Sponsors are required to carry out due diligence on Business Associates. They will identify the appropriate level of due diligence by assessing the risk level and the presence of any Red Flags, and report them immediately as required by PPB’s Due Diligence Guidelines for Procurement.
      2. If requested by the PPBHQ RMID or the Head of Risk/ Integrity, the Business Sponsor/ Project Sponsors will provide a statement of the business case, i.e. justification for establishing a relationship with the proposed Business Associate. The justification should include details such as:
        • the reason for selecting the proposed Business Associate
        • the business need(s)
        • the capabilities of the proposed Business Associate, in comparison with the other players in the market
        • the reasonableness of the proposed compensation/ remuneration
      3. The Business Sponsor/ Project Sponsor will also be responsible for distributing and collecting the Business Associate Due Diligence Questionnaire, when applicable, to/ from the potential Business Associate, or the relevant third party, to obtain the information necessary to conduct a thorough due diligence review.
      4. HR personnel are required to conduct due diligence on prospective hires. Any presence of Red Flags[5] will need to be reported to the Risk/ Integrity Officer, or the Head of Risk/ Integrity or the PPBHQ RMID for review and assessment. Final written approval must be obtained from either the HOC, or the CEO, or the Group MD, before making an offer to the prospective hire.
      5. The Company Secretary is responsible for carrying out the due diligence on prospective Directors.
    3. Business Associates
      1. The Group expects all its Business Associates working for or on behalf of the Group to be aware of the Group’s relevant policies and procedures, including the Anti-Bribery and Corruption Policy and Procedures and to agree to abide by them as long as they have a business relationship with the Group.
      2. Where possible, the Group shall include standard clauses in contracts with Business Associates, enabling the Group to terminate the contract if bribery or an act of corruption has been proven. Additional clauses may also be included for Business Associates acting on the Group’s behalf where a significant bribery risk has been identified. New Business Associates are also required to declare any Conflict of Interest and sign an Integrity Pact, to conduct business without the use of bribery and corruption.
      3. Business Associates are required to report any suspected instances of bribery and corruption they encounter in their dealings with the Group’s Personnel via the Group’s existing whistleblowing channels, in accordance with instructions set out in the Whistleblowing Policy and Procedures.
  3. DUE DILIGENCE PROCEDURES
    1. The extent of the due diligence that needs to be conducted shall depend on the risk level of the Business Associates, or other relevant third parties.
    2. The following are the steps for conducting due diligence on Business Associates:
      1. Step 1 – Determination of Due Diligence Level: Using the Third-Party Risk Criteria and Red Flag list, as specified in the PPB Due Diligence Guidelines for Procurement, the Business Sponsors/ Project Sponsors will determine the type of due diligence that needs to be conducted. Depending on the nature of the risk, a due diligence review may be conducted either prospectively or retrospectively on a Business Associate.
      2. Step 2 – Due Diligence Review: The Business Sponsor/ Project Sponsor shall be responsible for ensuring that the information and relevant documents provided by the Business Associate are complete and adequate. Subsequently, the information should be submitted to the Procurement Department, or the department responsible for the procurement function, for further review and assessment. If necessary, the Procurement Department or the department overseeing the procurement function may consult or seek feedback from other relevant internal stakeholders in order to complete their review/ assessment. For Red Flags, please refer to Step 3 below.
      3. Step 3 – Risk Mitigation: For High-Risk Business Associates, after completion of Step 2 above, the Procurement Department or the department in charge of procurement will share the feedback received from the other relevant internal stakeholders with the Business Sponsor/ Project Sponsor, for their further action. If the Business Sponsor/ Project Sponsor wishes to pursue/ continue with the transaction, they will need to justify their intention and provide risk mitigating actions.

        In the event any Red Flag involving bribery or corruption (including fraud, theft, embezzlement), or those specified in PPB Due Diligence Guidelines for Procurement is identified, it must be escalated to the Risk/ Integrity Officer, or the Head of Risk/ Integrity, or to PPBHQ RMID, for further assessment.
      4. Step 4 – Final Decision: Based on the results of the appropriate level of due diligence review, the final approval must be obtained as specified in the PPB Due Diligence Guidelines for Procurement.

        Personnel are not permitted to proceed with any transactions or dealings with a Business Associate, or other third party, until all Red Flags have been addressed and all risks that may impact the Group, including financial, legal, corruption and reputational risks, have been adequately mitigated.
      5. Step 5 – Documentation: The Procurement Department, Business Sponsor/ Project Sponsor or the relevant stakeholders shall be responsible for maintaining an electronic file containing all information gathered or materials created as part of the due diligence process. That file must be retained in accordance with the Group’s official document retention policy or for seven years from the last transaction (whichever is longer).
    3. There may be distinctions between the due diligence processes for Business Associates above and those for other company activities, such as recruitment or projects. The following sets out the distinct approaches and procedures for each activity:
      1. Personnel
        • Approach
          • The Due Diligence process on Personnel should be conducted depending on their proposed functions and corresponding bribery risk.
          • Bribery and corruption-related Due Diligence checks should be incorporated into existing HR functions. Some actions that can be taken while conducting Due Diligence include:
            • Verifying the accuracy of a prospective Personnel’s qualifications.
            • Obtaining satisfactory references from a prospective Personnel’s former employers.
            • Taking reasonable steps to ascertain if a prospective Personnel has been involved in bribery.
            • Verifying that the Group is not offering employment to a prospective Personnel in return for preferential treatment.
            • Taking reasonable steps to identify the prospective Personnel’s relationship with public officials, if any.
        • Procedures
          • HR will conduct Due Diligence on all prospective Personnel. However, HR may work in collaboration with the department manager looking to hire. HR also identifies existing Personnel (transfer or promotion) requiring Due Diligence.
          • HR will assess the Due Diligence results to decide whether or not to proceed or continue with the relationship with the Personnel:
            • If the Due Diligence results reveal the Personnel poses an unacceptable risk level, the relationship with the prospective Personnel shall be terminated or HR will take appropriate administrative action; or
            • If the Due Diligence results reveal the Personnel poses an acceptable risk level, HR will identify and implement any mitigating controls to further reduce the risk level. HR will then proceed with the usual HR procedures.
          • For an employee who is subject to promotion or transfer, HR will document any action taken, and continue to monitor the employee for any changes in risk level. HR shall retain documented information that:
            • Describes the Due Diligence checks carried out
            • Describes any action taken as a result of the check
            • Describes the monitoring actions to be taken
      2. Projects, Transactions and Activities
        • Approach
          • Things to take into consideration:
            • Structure, nature, and complexity of the activities (e.g. direct or indirect sale, level of discount, contract award and tender procedures)
            • Financing and payment arrangements
            • Scope of the organization’s engagement and available resources
            • Level of control and visibility
            • Business Associates and other third parties involved (including links between any parties and the authorities)
            • Competence and qualifications of the parties involved
            • Client’s reputation
            • Location
            • Reports in the market, in the press, or online (adverse news).
        • Procedures
          • HOD/ Manager/ Project Team/ Project Lead identifies projects, transactions or activities that require Due Diligence check:
            • High risk projects, transactions or activities based on the Bribery Risk Assessment.
            • A bribery incident that involves a project, transaction, or activity in question such as when a project/ transaction/ activity achieved certain criteria that would classify it as high risk[6].
          • The HOD/ Manager/ Project Team/ Project Lead will conduct a Due Diligence check that is appropriate to the risk level identified based on the Bribery Risk Assessment and the bribery incident. The HOD/ Manager/ Project Team/ Project Lead will document the results of the Due Diligence check.
          • The HOD/ Manager/ Project Team/ Project Lead will assess the Due Diligence results to decide as to whether or not to proceed or continue with the project, transaction or activity:
            • If the Due Diligence results reveal the project, transaction or activity poses a risk level that is unacceptable, the project, transaction or activity may be terminated; or
            • If the Due Diligence reveals a risk level that is acceptable, the HOD/ Manager/ Project Team/ Project Lead must identify and implement the mitigating controls before continuing with the project, transaction, or activity.
          • The HOD/ Manager/ Project Team/ Project Lead will document the action taken and continue with the projects. HOD/ Manager/ Project Team/ Project Lead shall retain documented information that:
            • Describes the Due Diligence check carried out.
            • Describes any action taken as a result of the check.
            • Describes the monitoring actions to be taken.
          • The HOD/ Manager/ Project Team/ Project Lead will monitor the project, transaction, or activity for any changes in risk level.
      3. Others - Charitable Donations and Sponsorships
        • All requests for Charitable Donations and Sponsorships must be channelled to the Sustainability Department (PPBHQ)/ Corporate Affairs Department (FFM Group)/ Public Relations and Branding Department (GSC Group) or the Marketing Communications Department (PPB Properties), and shall be subject to a Due Diligence check. Please refer to the respective Business Unit’s CSR Policy for detailed information on managing donations and sponsorship requests.
        • The Due Diligence check should determine if the recipient of a Charitable Donation and/ or Sponsorship is a legitimate organization, and that the Charitable Donation or Sponsorship is not used as a cover for bribery and corruption.
        • For more information on Charitable Donations and Sponsorship, please refer to PPB Group’s Charitable Donations and Sponsorship Policy and Procedures.
    4. Other Significant areas requiring Due Diligence Check
    5. In certain areas, enhanced/ additional Due Diligence check may be required as a matter of legal responsibility, or as key components of business strategy. The following explores specific areas where Due Diligence checks are required:

      1. Anti-Money Laundering / Countering Financing of Terrorism (AML/ CFT)
        • Money laundering generally occurs when the criminal origin or nature of money or assets is hidden in legitimate business dealings or when legitimate funds are used to support criminal activities, whereas terrorism financing occurs when funds are used for purposes of terrorism such as financing terror activities and terrorists’ properties.
        • Malaysia’s legislature applies stringent, extra-territorial anti-money laundering and anti-terrorism financing laws, which are enshrined within the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001.
        • The Group is committed to complying with all international anti-money laundering and anti-terrorism financing legislation and will ensure full co-operation with enforcement agencies and competent authorities in the event of an investigation of money laundering and terrorism financing activities.
        • Due Diligence for AML/ CFT:
          • When engaging Business Associates or embarking on projects, certain factors may create higher risks for the Group, such as Business Associates from high-risk countries or industries. If such risks are identified, enhanced measures to manage and mitigate them must be taken. The measures will vary depending on the type and level of risk, having regard to what is appropriate and reasonable.
          • High risk Business Associates and projects associated with higher risk countries should be subjected to an enhanced Due Diligence check to determine the precise risk level that the Group may be exposed to. When conducting a Due Diligence check to determine the AML/ CFT-related risks, Personnel should aim to:
            • Understand the business and background of the Business Associate; and
            • Determine the origin and destination of money, property and/ or services prior to entering into a commercial relationship.
        • Potential red flags: “Red flags” are suspicious factors that may lead one to believe a Business Associate is involved in money laundering or terrorism financing practices. The following red flags (non-exhaustive list) may prompt enhanced Due Diligence check on a Business Associate, to ensure the Group enters a partnership fully informed:
          • Usage of cash or occasional transactions that involve large sums exceeding the amounts specified by Bank Negara Malaysia under its sectoral guidelines or relevant circular.
          • Facts and circumstances with reasonable grounds for suspecting a possible case of terrorism financing.
          • High net worth individuals.
          • Places of origin known for high rates of crime (for example drug producing, human trafficking or smuggling) and terrorism activities.
          • Countries or jurisdictions with inadequate anti-terrorism financing and anti-money laundering laws and regulations, which are under the Financial Action Task Force (FATF)[7] Blacklist (High-Risk Jurisdictions subject to a Call for Action) or Grey List (Jurisdictions Under Increased Monitoring), e.g. Democratic People’s Republic of Korea, Iran, etc.
          • Countries listed on sanctions lists, issued by governments or international bodies.
          • Politically Exposed Persons (“PEPs”)[8].
          • Businesses/ activities identified by the FATF as being vulnerable to higher risks for money laundering and terrorism financing.
          • A third-party intermediary becomes involved in a transaction for no clear reason.
          • The identity of a party involved in the transaction is difficult to establish or is undisclosed.
          • An organisation is used by a third party and the ultimate ownership is concealed or difficult to establish.
          • A party is evasive as to the source or destination of funds.
          • A party asks for exemption from this ABAC Policy.
          • A party wishes to engage in a transaction that appears to lack business sense.
          • The information provided by a third party that identifies a legitimate source for funds is false, misleading, or substantially incorrect.
          • Upon request, the third-party refuses to identify or fails to indicate any legitimate source for his or her funds and other assets; and
          • Without reasonable explanation, the size or pattern of transactions is out of line with any pattern that had previously emerged.
        • If a Personnel encounters any suspicious activity that raises a question on the legitimacy of a person or organization with whom the Group does business, the activities the person or organization is engaged in or his/ her/ its source of funds, the issue should be raised immediately with the RMID or the respective entity’s Head of Risk/ Integrity or the Risk/ Integrity Officer.
        • For more information on AML/ CFT, please refer to PPBHQ RMID, or the Head of Risk/ Integrity.
      2. Mergers and Acquisitions (M&A)
        • Mergers and acquisitions present both business opportunities and risks for the Group. In particular, the Group can be held accountable for the actions of an acquired entity, so anti-corruption Due Diligence checks should be conducted both prior to and after an acquisition, to evaluate the target entity’s internal controls and third-party relationships.
        • Failure to identify and perform a thorough Due Diligence assessment on the target entity may result in severe consequences and risk to the Group, including being subject to regulatory sanctions and potential reputational damage.
        • For more information on M&A, please refer to the Finance Department.


  4. Footnotes

    1. Refers to PPB Group Berhad and its subsidiaries.

    2. Includes directors and employees.

    3. For purposes of this Policy, the term “Business Associates” includes, but is not limited to, suppliers, vendors, contractors, agents, service providers, consultants, advisers, distributors, joint venture, or partners consortia parties, and any other third party acting for or on behalf of PPB Group.

    4. Means the relevant Personnel/ Department in the Company that wants to work or effect a transaction with a Business Associate.

    5. Red Flags in the recruitment process include (but are not limited to) prospective hires with a criminal history, e.g. those convicted of bribery and/ or corruption offenses, a declared bankrupt, or a Politically Exposed Person (PEP), or someone otherwise related/ connected to one.

    6. For high-risk criteria, please refer to the PPB’s Due Diligence Guidelines for Procurement.

    7. The Financial Action Task Force (FATF) is the global money laundering and terrorist financing watchdog: https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/?hf=10&b=0&s=desc(fatf_releasedate)

    8. Politically Exposed Persons (PEPs) include individuals (foreign and domestic) who hold or held a prominent public function, such as the head of state or government, senior politicians, senior government legislative, judicial, air force, naval or military officials, senior executives of state-owned corporations, or important political party officials. The term also includes persons who are or have been entrusted with a prominent function by an international organisation, which refers to members of senior management, for example, directors, deputy directors and members of the Board or equivalent functions.