As a responsible business, we have a duty to uphold international human rights laws and standards across all aspects of our operations, supply chains, and business relationships i.e. our employees, clients, suppliers and local communities.

Human rights are fundamental freedoms that must be equally and fairly applied to every individual regardless of race, gender, nationality, religion or any other personal characteristics. This includes promoting fair labour practices and treating all communities with respect, not only as an ethical obligation but also as a social license to operate. By adhering to these principles, we aim to build our reputation as a responsible corporate citizen, which will help to build stakeholder trust for years to come.

Countries, regulators, and lawmakers are increasingly recognising and establishing the right to a safe and healthy environment as a fundamental human right. As such, CIMB’s human rights management incorporates environmental considerations, ensuring a holistic approach to safeguarding the wellbeing of individuals and communities.

Governance

The Group Chief Sustainability Officer (GCSO) and the Group Sustainability Council (GSC) are responsible for managing human rights risks. The Board, through the Board Group Sustainability Council (BGSC), formerly known as the Group Sustainability and Governance Committee (GSGC), has the ultimate accountability for human rights in the organisation.

Implementation of our Human Rights policy extends to all aspects of our business and is executed by business units and business enablers:

Group Sustainability oversees the implementation of the Human Rights Policy and Procedure across all aspects of our business. Group Sustainability conducts control testing on these policies and procedures to proactively identify areas for improvement
Group Corporate Assurance Division conducts periodic audits to maintain accountability and effectiveness of our policies
Relationship Managers from non-retail lines of business conduct Basic Sustainability Due Diligence, which includes a human rights due diligence, on clients in compliance with our Group Sustainability Financing Policy. For cases where a high risk of human rights is identified, Group Sustainability conducts an Enhanced Sustainability Due Diligence
Group Strategic Procurement conducts and oversees the sustainability due diligence, including human rights due diligence, on vendors/suppliers during the RFP process and during onboarding of new vendors whereby vendors/suppliers are required to acknowledge the Vendor Code of Conduct
CIMB Foundation and our Corporate Social Responsibility function conducts the sustainability due diligence when onboarding new partners
Group Human Resources manages complaints received related to employees and unions

Our Group Human Rights Policy

The policy aims to provide clarity and transparency on human rights management across the Group. Our Human Rights policy provides guidance on identifying, assessing, and managing salient human rights risks that present the most severe potential negative impacts. This ensures consistency between internal practices and external expectations, including legal and regulatory obligations and voluntary commitments to respect and protect human rights.

Within the broader scope of human rights, we focus on issues and risks that are most pertinent to our operations and activities. Our policy not only covers requirements for our own operations, but also encompasses requirements for our business relations such as our clients, suppliers and partners. The policy has been rolled out across the Group in 2023. Read our Group Human Rights Policy here.

CIMB commits to continuous human rights due diligence to identify, prevent, and mitigate adverse human rights impacts across the Group through collaborations with our stakeholders. This is done using a risk-based approach, with the greatest attention paid to the areas of greatest risk to the Group and the most salient impacts on people, particularly vulnerable groups.

Commitments and Frameworks

We commit to uphold and comply with:

The International Bill of Human Rights, including the Universal Declaration of Human Rights (UDHR), International Covenant on Civil and Political Rights (ICCPR), and the International Covenant on Economic, Social and Cultural Rights (ICESCR);
UN Guiding Principles on Business and Human Rights (UNGP);
ILO Declaration on Fundamental Principles and Rights at Work;

With regards to labour rights, we commit to the following:

Avoid causing or contributing to labour rights violations as per national legislation standards. In the event where there is a discrepancy between national, regional, and international standards, we will engage with stakeholders to explore approaches that respect international standards.
Respect the rights of our employees, including:
- Freedom of representation;
- Right to collective bargaining;
- A safe and healthy work environment, including safety from any forms of harassment, including sexual harassment;
- Fair recruitment and other people practices;
- Preventing modern slavery; and
- Respecting regulations on minimum wage and maximum working hours.
Eliminate discrimination in the workplace and promote diversity and inclusion.
Avoid contributing to, and assist in the prevention of human trafficking.

We also adopt principles and recommendations laid out in recognised international, regional and local frameworks, including:

The UN Environment Programme Finance Initiative (UNEP FI) Principles for Responsible Banking;
UN Sustainable Development Goals;
Bank Negara Malaysia’s Value-Based Intermediation Financing and Investment Impact Assessment Framework and Association of Banks in Malaysia’s ESG Principles

Our Policy in Action

Identification and Assessment of Risks

CIMB commits to continuous human rights due diligence in our business operations as well as supply chain to identify, prevent, and mitigate adverse human rights impacts across the Group. We employ a variety of mechanisms to identify human rights risk, including but not limited to:

High-Level Human Rights Risks in CIMB’s Business: Conduct scans on human rights risks associated with the geographical locations of business operations, taking into consideration the possible localised risks and sector-specific risks. We collaborate with stakeholders in regions where the business operates, such as grassroots NGOs and CSOs as well as government agencies, to gain deeper insights on potential human rights risks and to validate our findings;

Employee-Related Risks: Leverage on various existing employee engagement channels such as townhalls, surveys, union representations and other employee engagements;

Client-Related Risk (for clients within scope of the Group Sustainable Financing Policy): As part of the Sustainability Due Diligence, assess human rights risk for all financing and capital raising deals across all sectors before financing is approved, during annual financing reviews, before contract renewals, and in response to Trigger Events* as part of the basic sustainability due diligence (BSDD) process. An enhanced sustainability due diligence (ESDD) will be carried out in cases where the client fails the BSDD, or whenever a Trigger Event* takes place.

Supplier and Vendor Related Risks: Conduct sustainability due diligence for all new vendors/outsourcing partners during the onboarding of vendors/ outsourcing partners and whenever a Trigger Event* takes place.

*Trigger Events are material adverse incidents or events related to environmental and social risks involving CIMB’s business relations, raised by regulators, news and media, Non-Governmental Organisations, and recognised sustainability information providers, etc. Trigger events are incidents that were not taken into account during the onboarding or review of an existing business relation.

Once human rights risks in our business operations, lending and investment operations, and our supply chains are identified through the mechanisms above, the risks are assessed based on their severity and likelihood via our saliency assessment. When conducting our saliency assessment, we are largely guided by the UNGP and the UNEP FI Human Rights Toolkit for Financial Institutions. The salience assessment includes:

The severity of a human rights risk by considering:
- Scope: Assessing the extent of the impact and how widespread it would be;
- Scale: Evaluating the seriousness of the impact;
- Irremediability: Examining the difficulty in rectifying the resulting harm
The likelihood of each risk, assessing the probability of its occurrence

Each risk will be rated in terms of its severity and likelihood, where risks rated highly on both are considered salient human rights risks to the Bank and used as a starting point to put in place mitigating strategies across the Group. The outcome of the saliency assessment will be publicly published on our website as part of our commitment to transparency in our human rights risk management.

Periodic reviews of salient human rights risks will be undertaken to account for changes in our business and our operating environment. We are currently completing our next cycle of the saliency assessment and expect to publish our findings by end of 2025.

Prevention and Mitigation of Risks

We are committed to mitigating the salient risks identified in our assessment through the implementation (or enhancement) of relevant policies and procedures. Our primary objective is to avoid or prevent the risks whenever feasible. Should avoidance or prevention not be achievable, our policies and procedures explicitly detail measures for mitigating the identified risks.

Employees

We commit to protecting the rights of our employees. This includes their right to freedom of association, collective bargaining, and ensuring we operate in accordance with local legislation and regulations. As of December 2024, 40% of employees Group-wide were covered under employee unions. We regularly engage employees through focus groups, surveys and town halls. We also regularly engage with union representatives. Topics of discussion include group-wide strategic initiatives, career development, performance management, and working conditions. Additionally, these engagement sessions provide a platform to discuss strategies to prevent and mitigate employee-related human rights risks.

Maintaining work-life balance is essential for employee wellbeing, productivity, and long-term engagement. While there may be occasions when business needs require employees to work beyond their normal hours, we adhere to the maximum working hours stipulated in the Employment Act, and employees are compensated in accordance with Employment Act, and any prevailing Collective Agreements or Terms and Conditions of employment.

All employees of CIMB Group are entitled to paid annual leave based on their employment grade and years of continuous service, in accordance with our Annual Leave Policy and aligned with applicable local regulations. A portion of annual leave is compulsory and must be taken by all employees within the calendar year. This requirement supports employee wellbeing and ensures adequate rest. The number of compulsory leave days is communicated annually and must be scheduled accordingly.

We comply with the respective employment laws and regulations in each country where we operate. This includes adhering to applicable notice periods, consultation requirements, and employee entitlements in the event of any major workforce restructuring or termination exercise. 

CIMB is dedicated to building a workplace where all employees, regardless of gender, are recognised, valued and compensated equitably for their contributions. In July 2025, we announced that all our permanent employees in Malaysia are currently earning above the national living wage threshold of RM3,100 per month as outlined in the Employee Provident Fund’s Belanjawanku Expenditure Guide. This commitment fully supports the Ministry of Finance’s Government-Linked Companies Empowerment and Reform (“GEAR-uP”) initiative in championing equitable, market-based compensation practices, underscoring CIMB’s strong commitment to fair and inclusive compensation practices, ensuring every employee in Malaysia is able to achieve a dignified standard of living. 

We conduct capacity-building sessions to ensure that employees are aware of their rights as well as the channels in place to raise grievances. In cases where deliberate human rights infringements are found to be conducted by any employee, actions are taken in line with our Group Disciplinary Action and Misconduct Policy.

Non-Individual Customers

Where we identify that a client has material human rights risk as an outcome of the ESDD process, we engage the client, using our leverage as a financier to recommend and encourage the client to implement measures for mitigating the risks. Depending on identified deficiencies in mitigating human rights risks, we may request the client to establish a human rights policy, conduct human rights due diligence, and/or implement a grievance mechanism to allow for remediation. Action plans are recommended taking into consideration best practices as well as feasibility, timeline, resources, capacity and other relevant factors. We conduct periodic tracking of these time-bound action plans to ensure implementation.

In cases where agreed action plans are consistently missed without a reasonable explanation, or we have assessed that unmitigated human rights risks are too high, or there is a deliberate and repeated infringement of human rights by the client based on factual evidence, we will seek to distance ourselves from the client within a reasonable and practical timeframe.

To support our high-risk clients in their journey to implement policies and processes to prevent and mitigate human rights risks, we further conduct capability-building and engagement sessions from time to time.

Suppliers

We communicate our human rights expectations to all suppliers through our Vendor Code of Conduct. Where we identify suppliers as high risk, we conduct engagements and capability-building from time to time. We use our leverage to encourage high-risk suppliers identified to improve their human rights risk management policies and practices.

Where we have assessed through the sustainability due diligence process that the human rights risks are very high, or there is repeated failure by the supplier to meet our human rights requirements stated in the Vendor Code of Conduct, or there is deliberate and repeated infringement of human rights based on factual evidence made, we will seek to distance ourselves from the supplier within a reasonable and practical timeframe.

Our Assessment and Measures Taken

The percentage of clients and suppliers assessed and mitigation measures taken are outlined in the table below. 

Category	Percentage of total assessed in 2024	Percentage of total assessed in 2024 where risks have been identified	Percentage of those assessed in 2024 with mitigation actions taken
Own Operations (% of clients)	97%	3%	43%
Contractors and Tier 1 Suppliers (% of contractors or Tier 1 suppliers)	75%	0%	0%

Human Rights and Environmental Grievance Mechanism

Aligning with the third pillar of the United Nations Guiding Principles on Business and Human Rights, our Grievance Mechanism serves as a structured process to address and resolve human rights and environmental concerns effectively and transparently.

Our Grievance Mechanism is open to all, including CIMB employees, employees of our suppliers and clients, and communities affected by CIMB's operations or those of our business partners, such as indigenous peoples or communities living near a client’s facility. By providing a platform for all stakeholders, we aim to uphold transparency, accountability, accessibility and fairness in addressing human rights complaints.

Channels

The channels below are categorised based on their availability to different groups of complainants.

Complainants by groups	Channels
All complainants	Email to sustainability@cimb.com; Submit a feedback form through the CIMB website here. Email to whistleblowing@cimb.com OR send via post to the Chairman, Group Audit Committee, CIMB Group Holdings Berhad at 17th Floor Menara CIMB, No. 1 Jalan Stesen Sentral 2, Kuala Lumpur. This is only for wrongdoing of a CIMB employee. This Whistleblowing Channel is jointly and exclusively managed by the Audit Committee Chair of CIMB Group Holdings Berhad and the Group Chief Internal Auditor of CIMB Group.
Complainants who are current and former employees of CIMB	Based on the nature, type or category of human rights complaint to be made; Email to epicc.culture@cimb.com; Email, phone or write directly to: - Chairman of CIMB Group Holdings Berhad, - Group Audit Committee, - Group Chief Executive Officer - Group Chief People Officer and/or - Group Chief Internal Auditor "Have Your Say" mailbox; Grievance process as provided in Collective Agreements signed with respective unions.
Complainants who are current suppliers	During supplier engagement sessions.

Complainants by groups

Channels

All complainants

Email to sustainability@cimb.com;

Submit a feedback form through the CIMB website here.

Email to whistleblowing@cimb.com OR send via post to the Chairman, Group Audit Committee, CIMB Group Holdings Berhad at 17th Floor Menara CIMB, No. 1 Jalan Stesen Sentral 2, Kuala Lumpur. This is only for wrongdoing of a CIMB employee. This Whistleblowing Channel is jointly and exclusively managed by the Audit Committee Chair of CIMB Group Holdings Berhad and the Group Chief Internal Auditor of CIMB Group.

Complainants who are current and former employees of CIMB

Based on the nature, type or category of human rights complaint to be made;

Email to

epicc.culture@cimb.com;

Email, phone or write directly to:

- Chairman of CIMB Group Holdings Berhad,

- Group Audit Committee,

- Group Chief Executive Officer

- Group Chief People Officer and/or

- Group Chief Internal Auditor

"Have Your Say" mailbox;

Grievance process as provided in Collective Agreements signed with respective unions.

Complainants who are current suppliers

During supplier engagement sessions.

Scope

The following criteria will determine whether a complaint is admitted into CIMB's Human Rights Grievance Mechanism:

1. Relevance: The complaint must involve an alleged negative human rights impact related to CIMB Group’s operations, lending/financing activities, or business relationships (e.g., clients and suppliers).

Refer to the table below for examples of issues that do not meet our criteria.

Complainants	Examples of non-human rights complaints (non-exhaustive)
CIMB employees/ Employees of CIMB’s clients/ Employees of CIMB’s suppliers	Disagreements over performance reviews, promotion decisions and/or benefits; Disputes on compensation that do not relate to discrimination due to personal characteristics such as gender and race; Complaints on workplace conditions not related to health and safety.
CIMB non-individual clients	Dissatisfaction with regard to products or services rendered; Disputes over contract terms.
CIMB suppliers	Dissatisfaction over onboarding and RFP processes; Disputes over contract terms.
Communities	Noise or traffic issues due to a CIMB client’s industrial or commercial activities; Concerns that a CIMB client’s development or business activities may negatively affect local property values; Concerns about the economic competition of new businesses to local businesses; Aesthetic concerns stemming from the construction of new buildings.

2. Eligibility to Lodge a Human Rights Complaint: A human rights complaint can be submitted by the individual whose rights are affected or their representatives, which may include not-for-profit organisations, civil society organisations, or legal firms from any country.

3. Timing of the Incident: If the human rights complaint is against an external party with a business relationship with CIMB, the alleged human rights violation must have occurred when CIMB maintained that relationship.

4. Consent from Business Relations: CIMB is bound by confidentiality obligations and must obtain a client’s consent before disclosing any information related to them. Where consent is not given, CIMB will still conduct an internal investigation as part of its human rights due diligence, but will not be able to share any information with the complainant.

5. Vexatious Complaints: Human rights complaints deemed vexatious (intentionally harassing or disruptive without a legitimate purpose) will not be entertained. The Human Rights Lead will make this determination, which will be approved by the Group Chief Sustainability Officer (GCSO).

6. Escalating Complaints: If the complaint meets the criteria of another complaints channel (internal employee grievance mechanism or Anti-Money Laundering), it will be escalated to the more appropriate channel.

7. Court Cases: If the human rights complaint is the subject of an ongoing court case, CIMB will defer processing it until the case is concluded.

If a complaint falls outside the criteria of this mechanism, CIMB will inform the complainant of its non-acceptance and provide guidance on other potential avenues for resolution.

Human Rights Complaints Process

We aim to resolve complaints within 12 months. However, this timeline does not include the implementation of any remediation measures, which will vary on a case-by-case basis depending on the complexity and nature of the issue.

Remediation

Central to our remediation efforts is prioritising the rights-holder’s interests while ensuring feasibility within the Bank’s regulatory and contractual obligations. Remedies may include apologies, restitution, rehabilitation, financial or non-financial compensation and the prevention of harm.

When we discover that a human rights abuse has occurred, we will take appropriate steps to ascertain whether we have caused or contributed to the adverse human rights impact.

When we have directly caused these impacts, we are responsible for resolving the issue and providing remedy.

Where we have contributed to an adverse human rights impact, we will provide mechanisms for grievances to be raised and strive to contribute to remediation, where necessary and appropriate, ensuring no penalty, dismissal, or reprisal.

Where we have not caused or contributed to an adverse impact, but are directly linked to it through our products, operations or services, we recognise that we can play a role in remediation, for example, by engaging with our clients about their grievance mechanisms and remediation pathway.

Stage	Process
Receive	A human rights complaint is received through any of the channels shared above.
Assess	The human rights complaint is assessed against the criteria to determine its eligibility for acceptance. For complaints involving a non-individual client, CIMB will seek their consent to disclose the relationship and participate in this Grievance Mechanism. The complainant will be informed accordingly on the status of acceptance of the complaint.
Investigate	CIMB will investigate the human rights complaint, striving to engage in dialogue with the complainant or their representatives and our business relations (where applicable) throughout the process.
Respond	We will provide the complainant with periodic written updates throughout the process.
Remediate	If CIMB determines that it has caused, contributed to, or is linked to any adverse impacts, we will strive to remediate the impact, to the extent of our contribution and accountability.

I'm looking for