Whistleblowing Policy & Procedures

1. Purpose & Commitment

Yoma Strategic Holdings Ltd. (“YSH”, and collectively with its subsidiaries, the “Group”) is committed to maintaining high standards of integrity, accountability, and transparency in its conduct of business. This Whistleblowing Policy and Procedures (the “Policy”) is designed to provide employees, directors, officers, and external stakeholders with accessible, confidential, and secure channels through which they may report concerns about improprieties without fear of retaliation and with an assurance that appropriate actions will be taken if necessary. This Policy demonstrates the Group’s commitment to good governance, investor confidence, and stakeholder trust.

2. Scope & Applicability

This Policy applies to the Group, its employees, including those who are permanent, temporary, or on contract, as well as to directors and officers. It also extends to external stakeholders, including suppliers and contractors, consultants and advisers, customers, business partners, joint venture parties, and community representatives who may be affected by the Group’s operations.

    Concerns may be reported by any of the above parties, provided that such reports are made in good faith.

For the avoidance of doubt, companies incorporated in their respective countries are subject to and must comply with the local laws and regulations governing their operations, including any whistleblowing related laws and regulations. The compliance with local legal and regulatory requirements is paramount and remains applicable regardless of the Group’s global presence or international operations
3. Reportable Improprieties

Reportable improprieties include, but are not limited to:

(a)        fraud, corruption, or bribery;

(b)        breach of laws, regulations, or Group policies;

(c)        unauthorised use or misuse of Group funds, assets, confidential information or authority;

(d)        breach of internal controls, financial controls, or compliance practices;

(e)        abuse of power, conflicts of interest or unethical conduct;

(f)         environmental, social, or governance (ESG) violations;

(g)        workplace health and safety breaches;

(h)        providing false or misleading information to authorities/public bodies;

(i)         obstruction of, or retaliation against, whistleblowing; and

(j)         any other unethical, unlawful, or improper conduct by employees, officers, or third parties linked to the Group.

4. Reporting Channels

Reports can be submitted to the Head of Risk Management and Assurance through any of the following whistleblowing channels. Whistleblowers should report their concerns in good faith.

Whistleblowing reports concerning any director or member of senior management (having designation of “Head/Chief/Managing Director of a Division” and above) may be reported directly to the Chairman of the Audit and Risk Management Committee (“ARMC”) via email at georgethia@yoma.com.mm, or such other email address as may be instructed by the Chairman of the ARMC.

    Anonymous reports are accepted, however, YSH encourages reporting persons to provide their identity where possible to enable effective follow-up and resolution of the matter.
5. Rights & Protections

5.1 Right to Report

All stakeholders have the absolute right to file genuine complaints under this Policy.

5.2 Prohibition of Retaliation

The Group guarantees protection to all stakeholders who raise concerns in good faith under this Policy. No whistleblower shall suffer dismissal, demotion, suspension, harassment, discrimination, termination of contract, blacklisting, coercion, or any form of retaliation as a result of making a report. The Group will take immediate and appropriate action, including disciplinary or contractual measures, against any individual or entity that engages in such reprisals.

5.3 Confidentiality

The Group will make every reasonable effort to protect the identity of whistleblowers. Disclosure of a whistleblower’s identity is permitted only when required by law or regulation, when it is necessary for effective investigation or legal proceedings, or when the complaint is found to be malicious or frivolous.

5.4 Malicious Reporting

Complaints that are frivolous, malicious, mischievous, or false constitute a serious disciplinary offence. Any employee making such a complaint may be subject to disciplinary action, up to and including dismissal. Other stakeholders who submit such complaints may face termination of business relationships and potential legal action.
6. Complaint Procedures

1. Reports must be submitted through the channels described in Section 4 above.

2. All reports will be recorded in a Complaints Register, which shall include details such as the date of submission, the nature of the concern, and other relevant information. The Complaints Register shall be made available for inspection upon request by the ARMC.

3. The Head of Risk Management and Assurance will conduct an initial review of reports received and recommend appropriate remedial, disciplinary, or corrective actions to be taken by the Group.

4. If a report concerns a director or member of senior management (having designation of “Head/Chief/Managing Director of a Division” and above), the matter shall be escalated directly to the Chairman of the ARMC for review and appropriate action.

5. Investigations may be conducted internally, referred to external auditors, referred to appropriate law enforcement agencies, or conducted by independent inquiry, depending on the nature of the report.

6. All investigation outcomes shall be reported to the ARMC and, where appropriate, to the Board of Directors. Feedback will be provided to the complainant where possible.

6.1 Handling of Conflicts Involving the Risk Management Function

Where a whistleblowing report involves the Risk Management function or otherwise presents a real or perceived conflict of interest, the report shall still be recorded in the Complaints Register. However, no substantive assessment, review, or investigation shall be undertaken by management, other than administrative steps necessary to record, preserve and escalate the report. Such reports must be escalated immediately and directly to the Chairman of the ARMC, who shall determine the appropriate handling, investigation process, and oversight arrangements.
7. Oversight & Governance

The ARMC has ultimate oversight of the whistleblowing framework. The ARMC may conduct or commission investigations, direct management to take remedial or disciplinary actions, and engage external professionals where necessary.

The ARMC shall review whistleblowing matters on a regular basis and at least on a half yearly basis, and more frequently where circumstances warrant. Such reviews may include summaries of whistleblowing reports received, key themes, investigation status, outcomes, and management actions taken. Where necessary, the ARMC may request access to the Complaints Register or specific case records, particularly in cases involving escalation, conflicts of interest, or material risk exposure.

The Complaints Register shall capture key information, including the date of receipt, nature of the concern, reporting channel, escalation or conflict considerations, investigation status, and outcome, to support effective oversight by the ARMC
8. Safeguards

The Group has zero tolerance for any form of harassment, victimisation, or retaliation against a whistleblower who raises a concern in good faith. No action shall be taken against anyone who makes an allegation in good faith, even if it is not subsequently confirmed by investigation. The confidentiality of the whistleblower and the report will be preserved to the fullest extent practicable, subject to the Group’s obligation to conduct a fair and thorough investigation and to comply with applicable laws and regulations.
9. Confidentiality & Anonymity

Whistleblowers may request confidentiality when submitting a report. Anonymous reports will be accepted; however, anonymity may limit the Group’s ability to follow up effectively or conduct a complete investigation. Where disclosure of the complainant’s identity becomes necessary to facilitate investigations, comply with legal requirements or ensure procedural fairness, the Group will take reasonable steps to limit such disclosure to those with a legitimate need to know.

Nothing in this Policy is intended to restrict, prohibit, or discourage whistleblowers from making disclosures to regulators, law enforcement agencies, or other authorities where such disclosures are legally protected or required under applicable laws and regulations.
10. Process Transparency and Feedback

The Group recognises the importance of transparency in the whistleblowing process. Reasonable efforts will be made to acknowledge receipt of a whistleblowing report within an appropriate timeframe and to provide feedback to the whistleblower on the progress or outcome of the matter, subject to confidentiality, legal, and regulatory constraints. The timing and level of feedback will depend on the nature and complexity of the report, but the Group aims to manage whistleblower expectations in a fair, timely, and balanced manner.
11. Communication & Accessibility

This Policy will be circulated internally to all employees of the Group to ensure awareness and understanding across all levels of the organisation. It will also be published on the Company’s official website to allow access by Directors, Officers, and External Stakeholders. In addition, posters and communication materials containing the QR code, hotline number, and whistleblowing email address will be prominently displayed in offices, worksites, and other relevant locations to facilitate easy access for reporting concerns.
12. Definitions

• “Complaint” refers to any report alleging improprieties, obstruction, or reprisals.

• “Improprieties” refers to unethical, unlawful, or improper conduct, or any breach of Group policy.

• “Obstruction” refers to any action that interferes with or discourages whistleblowing.

• “Reprisals” refer to any form of retaliation against a complaint.
13. Policy Endorsement

This Policy was originally endorsed by the ARMC on 3 November 2006 and approved by the Board of Directors on the same date. It was subsequently updated on 8 August 2011, 6 November 2013, and 10 February 2026.

Whistleblowing Policy – Frequently Asked Questions (FAQ)

Whistleblowing means reporting concerns about potentially illegal, unethical, or improper behavior within the Group.

    Employees, directors, officers, and external stakeholders are often best placed to notice when something is wrong. Reporting helps protect the Group, its people, its reputation, and supports a culture of integrity and accountability.

 

    Impropriety includes any unlawful, unethical, or improper conduct, such as:
  • fraud, corruption, or bribery;
  • breach of laws, regulations, or Group policies;
  • unauthorised use or misuse of Group funds, assets, confidential information or authority;
  • breach of internal controls, financial controls, or compliance procedures;
  • abuse of power, conflicts of interest, or unethical conduct;
  • environmental, social, or governance (ESG) violations;
  • workplace health and safety breaches;
  • providing false or misleading information to authorities/public bodies;
  • obstruction of, or retaliation against, whistleblowing; and
  • any other unethical, unlawful, or improper conduct by employees, officers, or third parties linked to the Group.

This Policy aims to:

  • encourage stakeholders to raise concerns with confidence and without fear;
  • provide secure and confidential reporting channels;
  • guarantee protection from retaliation for reports made in good faith; and
  • ensure that reported concerns are assessed, investigated, and addressed appropriately.

Any employee, director, officer, or external stakeholder (such as suppliers, contractors, consultants, business partners, joint venture parties, or community representatives) can report concerns if:

  • the report is made in good faith;
  • the reporting person has reasonable grounds to believe the information is true; and
  • the report is made without malice or personal gain.
You may report to the Head of Risk Management and Assurance through any of these secure channels: Whistleblowing reports concerning any director or member of senior management (having designation of “Head/Chief/Managing Director of a Division” and above) may be reported directly to the Chairman of the Audit and Risk Management Committee (“ARMC”) via email at georgethia@yoma.com.mm, or such other email address as may be instructed by the Chairman of the ARMC.
    Anonymous reports are accepted, however, YSH encourages reporting persons to provide their identity where possible to enable effective follow-up and resolution of the matter.
  • All reports are logged in a secure Complaints Register.
  • The Head of Risk Management and Assurance reviews each case.
  • If a report involves a director, senior management, the Risk Management function, or presents a conflict of interest, it is escalated immediately to the Chairman of the ARMC.
  • Investigations may be conducted internally, referred to external auditors, referred to appropriate law enforcement agencies, or conducted by independent inquiry, depending on the nature of the matter.
  • Where possible and appropriate, feedback will be provided to the reporting person, subject to legal and confidentiality constraints.
  • The ARMC oversees the whistleblowing framework and receives regular updates from the Head of Risk Management and Assurance.

The Group guarantees protection for all whistleblowers who raise concerns in good faith. No such whistleblower shall suffer dismissal, demotion, suspension, harassment, discrimination, contract termination, blacklisting, coercion, or any other form of retaliation as a result of making a report.

    Confidentiality will be preserved to the fullest extent practicable. Allegations made in good faith remain protected even if they are not ultimately substantiated.

The Policy encourages the use of internal reporting channels so that concerns can be addressed promptly and effectively. However, nothing in the Policy restricts or prohibits whistleblowers from making disclosures to regulators, law enforcement agencies, or other authorities where such disclosures are legally protected or required under applicable laws and regulations.


Whistleblowers may request confidentiality when making a report. Anonymous reports are accepted, although anonymity may limit the Group’s ability to follow up effectively or conduct a full investigation.

    Where disclosure of a whistleblower’s identity becomes necessary to facilitate investigations, comply with legal requirements, or ensure procedural fairness, the Group will take reasonable steps to limit such disclosure to those with a legitimate need to know.

The Group treats all reports seriously and investigates them thoroughly. However, frivolous, malicious, mischievous, or knowingly false reports are considered serious misconduct. Employees who make such reports may be subject to disciplinary action, up to and including dismissal. Other stakeholders may face termination of business relationships and potential legal action.