Compliance

Compliance

CPF places a strong focus on following all laws and regulations that apply to its business, as well as complying with the Code of Business Conduct. To support this, the Company has implemented a Compliance Policy that all directors, executives, and employees at every level must follow. This policy helps promote sustainable growth and strengthens the trust and confidence of shareholders and other stakeholders.

The Corporate Compliance Office serves as the central function responsible for coordinating compliance-related matters with relevant units. In addition, Compliance Champions have been appointed for each business and key function, both domestically and internationally*, to facilitate coordination and support effective governance. The Company’s compliance management process can be summarized as follows:

  1. Identification and Monitoring of Regulatory Requirements: Compilation of key laws, regulations, and requirements relevant to business operations, corporate-level key policies, and significant business license conditions, as well as monitoring newly issued or amended regulatory requirements in Thailand and overseas that may impact the business, and communicating such information to the management of each business unit.
  2. Compliance Risk Assessment: Assessment of compliance risks to prioritize regulatory requirements with which the Company must comply.
  3. Communication and Awareness: Communication to enhance knowledge, understanding, and awareness of the importance of regulatory compliance in business operations.
  4. Compliance Review: Review of compliance with applicable regulations through self-assessment questionnaires and other appropriate methods.
  5. Reporting: Regular reporting of compliance performance summaries to the Executive Committee, the Audit and Risk Management Committee, and/or relevant executives.
  6. Monitoring and Continuous Improvement: Follow-up on identified issues to ensure improvements are implemented in accordance with established action plans, together with providing additional recommendations to enhance work processes in compliance with applicable regulations.
  7. Management of Non-Compliance Cases: Management of identified non-compliance cases to mitigate impacts and prevent recurrence.

*Remark: Covers operations in Thailand, Vietnam, India, Cambodia, the Philippines, Malaysia, Laos, Sri Lanka, the United Kingdom, Russia, Türkiye, Belgium, the United States, and Canada (excluding the business of Hylife Group Holding Ltd. in Canada).

Compliance Management Process

Compliance Management Process Compliance Management Process
Click to Enlarge

To ensure employees follow the Company’s policies and meet legal and regulatory requirements, CPF requires all employees to take the CPF Fundamental Courses. Current employees must complete five required courses every year. New employees must complete eleven required courses within 60 days before their probation evaluation.

Five Fundamental Courses for Existing Employees
1. CPF Code of Conduct
2. Personal Data Protection Act
3. CPF Compliance
4. Fairtrade Competition
5. Cybersecurity

Eleven Courses for New Employees

01
CPF Code of Conduct
02
Personal Data Protection Act
03
CPF Compliance
04
ESG Fundamental
05
CPF Integrated Value Chain
06
Net-Zero SBT 101
07
CPF SHE&EN Standard
08
Basic Digital Literacy
09
Basic Risk Management
10
Be Aware of Cyber Threats
11
AI Basic by Microsoft

Remark: Further details on regulatory compliance can be found in the Annual Report 2025 (Form 56-1 One Report), Part 2: Corporate Governance, under the section “Regulatory Compliance.”

CPF Code of Conduct

The Code of Business Conduct serves as a key corporate governance mechanism that reinforces ethical operating standards across the organization. It also functions as an oversight tool for the Board of Directors and is integrated with risk management and regulatory compliance, enabling Governance, Risk, and Compliance (GRC) to operate in a coordinated and systematic manner.

The Company communicates and provides training on its Code of Business Conduct to all executives and employees through multiple communication channels, including business unit meetings and online platforms such as HR-eXp, CPF Connect, and CPF Family, as well as through new employee orientation programs and e-learning systems.

CPF’s Code of Business Conduct

is structured into four categories comprising 17 key topics.

01
Integrity
  • Avoidance of Conflict of Interest
  • Prevention of Fraud, Bribery and Corruption
  • Handling Gifts and Hospitality
  • Fairtrade Competition
  • Maintaining Transparency
02
Quality
  • Delivery of Quality Products and Services
  • Sustainable Resource Management
  • Ethical Procurement
  • Responsible Sales and Marketing
03
People
  • Promoting Mutual Respect and Fair Treatment
  • Promoting Equal Opportunity, Diversity and Inclusion
  • Personal Information Protection
  • Occupational Health and Safety Management in the Workplace
  • Human Resource Development
04
Assets
  • Corporate Information Management
  • Insider Trading
  • Anti-Money Laundering Practices

In 2025, 100% of current employees have completed training in business ethics under the Fundamental Corporate Governance Program.

Anti-Corruption and Anti-Bribery

The Company has established an Anti-Corruption and Anti-Bribery Policy to serve as a strict framework for personnel to adhere to, with the aim of fostering an organizational culture and core values free from corruption and bribery, thereby supporting sustainable business operations. Compliance with the policy is regularly reviewed to ensure alignment with evolving business conditions and applicable laws and regulations at both national and international levels. The Company also communicates its Anti-Corruption and Anti-Bribery Policy to employees at all levels through a variety of channels, including orientation programs for directors and new employees, electronic newsletters (e-newsletters), the CPF Connect mobile application, internal communication media, and e-learning platforms. In addition, both online and offline learning materials are made available to personnel in all countries where the Company operates to ensure proper understanding and effective implementation of the policy. All personnel are required to review and refresh their knowledge and understanding of the policy at least once a year.

As of 2025, 100% of employees—from operational-level staff to the highest level of executives—in both Thailand and overseas operations had completed anti-corruption training.

In addition, the Company has established channels for whistleblowing and the submission of complaints in cases where inappropriate conduct or violations of the Code of Business Conduct are identified, as well as for receiving feedback from employees. The Company ensures fairness and protection for employees who refuse to engage in acts involving corruption or bribery, or who report corruption-related matters associated with the Company.

In 2025, the Company received two complaints related to corruption. Appropriate disciplinary actions were taken against the offenders in accordance with the Company’s regulations, and internal control measures were reviewed and strengthened as deemed appropriate. Furthermore, no cases of fraud or corruption involving an amount exceeding 5% of shareholders’ equity as of 31 December 2025 were identified in relation to any significant subsidiary that would have a material adverse impact on the Company’s reputation or financial position.

As a member of the Thai Private Sector Collective Action Against Corruption (CAC), the Company’s operations in Thailand have been certified under the CAC program since 18 August 2017. The Company renewed this certification for the second time on 31 March 2024. Each certification lasts three years from the date it is approved by the CAC Steering Committee. In addition, the Company received the CAC Change Agent Award 2025 in recognition of its support for and capacity-building of business partners, particularly small and medium-sized enterprises (SMEs), to participate in the CAC SME Program, thereby strengthening collective efforts to combat corruption.

CPF places strong emphasis on anti-corruption and anti-bribery practices and therefore encourages its business partners to operate based on good corporate governance, ethical conduct, and compliance with applicable laws and international standards. These efforts contribute to the development of a transparent food supply chain, which is essential to enhancing the Company’s credibility and trust among all stakeholder groups, both internal and external. Furthermore, such initiatives help expand opportunities and strengthen the competitiveness of SMEs, enabling them to achieve stable and sustainable growth.

Anti-Corruption Participation

Employees joined forces in demonstrating their commitment to anti-corruption efforts at the International Anti-Corruption Day 2025 event, held on Saturday, 6 September 2025, under the theme “No Corruption, No Progress… Is It Really True?”. The event aimed to raise awareness and encourage society to recognize the challenges posed by corruption in Thailand, as well as to foster collaboration in various forms to help eradicate corruption in a sustainable manner.

Remark: Further details can be found in the Annual Report 2025 (Form 56-1 One Report), Part 2: Corporate Governance, under the section “Anti-Corruption and Anti-Bribery.”

Cybersecurity and Information Protection

The Company places strong emphasis on cybersecurity and data protection to safeguard the continuity of business operations. The Technology and Cybersecurity Committee periodically reviews cybersecurity risk management policies to ensure alignment with strategic business objectives and organizational context, while proactively addressing emerging threats and maintaining compliance with applicable laws, regulations, and international standards. These policies establish comprehensive guidelines for managing technology and cybersecurity risks across Information Technology (IT), Operational Technology (OT), and Artificial Intelligence (AI) systems, in accordance with the NIST Cybersecurity Framework (CSF) 2.0. The framework encompasses the following core functions: The Govern function focuses on establishing governance structures that ensure continuous oversight and reporting of cybersecurity performance. The Identify function involves defining critical information assets, understanding risk context to prioritize appropriate measures, including vulnerability management. The Protect function is dedicated to deploying preventive measures to mitigate identified cyber risks. The Detect function ensures that systems are monitored effectively to identify potential threats promptly. Finally, the Respond and Recover function emphasizes executing incident response and recovery strategies to restore operations swiftly and efficiently.

Cybersecurity and Information Protection
Click to Enlarge

The Company maintains ISO 27001 and ISO 27701 certifications for Information Security and Privacy Management. To foster a strong cybersecurity culture, regular information Security and Cybersecurity awareness trainings are conducted. In addition, Role-based Training Programs are tailored to operational requirements. Employees also participate in simulated phishing, smishing, and quishing exercises to strengthen their ability to recognize and respond to cyber threats, as well as to promptly report cyber incidents.

Furthermore, virtual cyber threat response exercises, including Cyber-Drills and Incident Response Tabletop Exercises, are conducted to enhance organizational preparedness and strengthen the Business Continuity Plan and related operational processes.

The Company is committed to protecting the personal data of customers, partners, employees, and stakeholders in strict compliance with applicable data protection laws and regulatory guidelines. A comprehensive Personal Data Protection Policy has been established and implemented, supported by a dedicated Personal Data Protection Officer unit responsible for continuous compliance monitoring, periodic inspections, and awareness programs on proper data handling practices.

Target and Performance
2025 Target 2025 Performance
Number of incidents related to the cybersecurity 0 0

Remark: For more information, please refer to 2025 Annual Report (Form 56-1 One Report); Part 1 Business Operation and Performance, page 53 – 54.

Whistleblowing and Complaint Mechanisms

The Company has established a Whistleblowing and Grievance Policy, together with clearly defined procedures for the submission and management of whistleblowing reports and complaints. These procedures are designed to ensure integrity, transparency, and alignment with international standards. The Company has also implemented measures to protect whistleblowers, complainants, and reporting parties, thereby providing employees, stakeholders, and external parties with appropriate channels to report concerns or complaints regarding legal violations, breaches of the Code of Business Conduct, corruption or bribery, or violations of rights through channels designated by the Company.

Internal Party

Reporting Non-Compliance Cases
Complaint Handling Process
  • The Corporate Compliance Office, in collaboration with relevant functions related to the reported case, reviews the information and evidence as reported.
  • For issues not involving employee disciplinary matters, the Corporate Compliance Office works with relevant functions to manage each case in order to mitigate impacts, provide remediation to affected parties (if any), and improve work processes to prevent recurrence.
  • For cases involving employee disciplinary matters, the case is referred to the Internal Audit Office for further action in accordance with the Whistleblowing and Grievance Policy.
  • A summary report is submitted to the Board of Directors and/or relevant executives for acknowledgement and further consideration.

Internal and External Parties, and Stakeholders

Whistleblowing and Complaint Reporting Channels
Complaint Handling Process
  • The Internal Audit Office, or an assigned function, collects facts and reviews information and evidence related to whistleblowing reports or complaints.
  • Where the allegations are found to have reasonable grounds, the matter is referred to the Company’s fact-finding investigation and disciplinary process.
  • A summary report is submitted to the Audit and Risk Management Committee and/or relevant executives for acknowledgment and further action.

In 2025, the Company received a total of 150 complaints through various channels. The breakdown of complaints is as follows:

  • Corruption-related issues: 2 cases
  • Non-compliance with regulations or inappropriate behavior: 18 cases
  • Product issues: 7 cases
  • Community/environmental impact issues: 16 cases

The Company has taken disciplinary action, in line with its internal rules, against the individuals involved in the violations. The Company has also reviewed and strengthened its internal controls to ensure employees follow operating procedures and to prevent misconduct, including corruption, bribery, discrimination, harassment, conflicts of interest, money laundering, and misuse of insider information. The details and actions taken are outlined below:

Category Number of Cases Management Measures
Verbal Warning (Employee) Written Warning (Employee) Suspension (Employee) Dismissal (Employee)
1. Fraud 2 - - - 2
2. Non-compliance with work regulations 18 21 7 1 3
3. Corruption and Bribery - - - - -
4. Discrimination and Harassment - - - - -
5. Conflict of Interest - - - - -
6. Money laundering and insider trading - - - - -