Constance Hotels Services Limited | Annual Report 2025

121 ANNUAL REPORT 2025

7.2. Compliance Function

Enhancements were made to the Group’s risk management reporting framework through the implementation of a data analytics dashboard (Power BI), enabling improved visibility, monitoring, and reporting of key risk indicators to Management and the Board. The Compliance Function continued to strengthen CHSL’s compliance culture through structured training initiatives. Regulatory compliance induction sessions were introduced for newly onboarded Head Office employees. A customised data protection training programme was delivered in collaboration with BDO to designated Head Office employees and appointed Data Champions across the hotels. Additionally, a mandatory “Regulatory Compliance” training programme was rolled out across all properties, achieving a completion rate exceeding 70%. The CO further strengthened professional capabilities through participation in a data protection workshop organised by the Data Protection Office (Mauritius). Data protection compliance was maintained through timely management of Data Subject Requests (DSRs), review of data processing agreements with third-party processors, and the conduct of quarterly data protection surveys across the organisation. The Compliance team ensured the protection of intellectual property rights across jurisdictions through successful trademark registrations and applications, including filings with the European Union Intellectual Property Office and the Intellectual Property Office of the United Kingdom. A Group Compliance Review was conducted by PwC during the year under review to evaluate the effectiveness of CHSL’s compliance framework. The CO coordinated the review and monitored the implementation of the resulting action plan. The Compliance Officer liaised with the Company’s lawyers where necessary and reviewed contracts, disclaimers, and agreements for various departments to ensure alignment with corporate compliance standards. In 2025, the CO presented four reports to the Corporate Governance Committee, two reports to the Data Protection Steering Committee, and two reports on Enterprise Risk Management to the Audit and Risk Management Committee. The CO also attended two meetings of the IT Steering Committee.

The main role of the Compliance function is to assist the Board, Management and Line Managers in discharging their compliance and risk management responsibilities by providing the appropriate framework within which the business activities of the Company and its employees comply with applicable laws, rules, regulations, industry and country codes of good governance, and the Company’s Charters, Codes, Policies, Standards. and Procedures. The Compliance function primarily covers: Corporate Governance, Compliance (legal, regulatory, and ethical), Risk Management, Data Protection and Anti Money Laundering/Combatting the Financing of Terrorism and Proliferation (AML/CFT)

During the year under review, the Compliance team diligently monitored legal and regulatory updates across all jurisdictions of operation and provided timely guidance to relevant employees to ensure appropriate implementation of required actions. In Mauritius, several legislative and regulatory developments were identified and communicated to the relevant stakeholders. These included the increase in annual company registration fees, the introduction of tax settlement requirements in foreign currency for businesses deriving more than 50% of their revenue in foreign exchange, changes to Immigration Act, the introduction of a EUR 3 per night tourist fee, and the extension of the validity period of the Hotel Certificate from one to three years. The CO initiated and coordinated the transfer process of the existing liquor licence from Tekoma Hotel Ltd to Sakoa Hotel Ltd with the Mauritius Revenue Authority (MRA). In the Maldives, following amendments to the Maldives Tourism Act, Airport Taxes and Fees Act, and Foreign Currency Act, the necessary measures were implemented, including the mandatory deposit or transfer of all foreign currency revenues into a local bank account in the Maldives and compliance with the applicable conversion requirements into Maldivian Rufiyaa. Additionally, amendments to the Goods and Services Tax Act were noted, whereby the TGST rates were increased from 16% to 17%. During the year under review, a comprehensive review of CHSL’s corporate policies was conducted to ensure alignment with evolving legal, regulatory, and governance requirements. Updates were implemented where necessary to strengthen internal controls and promote best practices across the organisation. The CO ensures effective communication of new and updated policies and procedures to all concerned stakeholders. The Compliance team effectively monitored the contract management system to ensure timely renewals of all contracts and licences, thereby supporting business operations while maintaining legal compliance. The CO conducted a complete review of employment contracts for Mauritian hotels, following recommendations from the HR audit. Proposed amendments were submitted to legal advisors for validation. As part of the automated contract generation project, the CO reviewed and updated the Marketing Agreement in collaboration with the IT team. The annual request for disclosure of conflicts of interest was launched across the organisation and required website disclosures were updated.

The Compliance function, which forms part of the Company’s second line of defence, falls under the responsibility of the Compliance Officer (CO), who works in collaboration with the Group Head of Corporate Affairs (HCA) to implement the Company’s Compliance and Risk Management Programme. The CO reports, on a functional basis, to the Audit and Risk Management Committee, the Corporate Governance Committee, and the Data Protection Steering Committee of the Company. The CO operates in accordance with the guiding documents approved by the Company’s Board of Directors, namely: the Compliance Charter, CO Handbook, CO Accountabilities and the CO Professional Standards and Guidelines.

Legal & Regulatory Compliance – Applicable laws, rules and regulations in all operating jurisdictions – Data Protection legislation (including DPA 2017 and EU GDPR where applicable) – AML/CFT requirements

Compliance Framework & Standards – Charters, Codes, Policies, Standards and Procedures – Contract Management governance framework – Standards, legal disclaimers, and approved documentation

High-level Oversight and Reporting – Maintain appropriate compliance documentation and records – Report regularly to senior management – Report to relevant Board committees – Provide independent compliance oversight

– Code of Ethics & Conduct – Disclosure requirements

Communication & Training – Monitor and communicate legal and regulatory developments – Communicate other compliance-related obligations – Conduct employee awareness to: ▪ Promote a culture of integrity and ethical conduct ▪ Mitigate compliance risks Identification and Reporting of Non Compliance – Quarterly Compliance Reports – Quarterly Data Protection Reports – Incident Registers – Health & Safety Incident reporting – Litigation and court case monitoring – Direction communications (email/verbal reporting channels)

Risk Management – Maintain the ERM framework – Facilitate periodic risk assessment

– Maintain a group risk register – Monitor mitigation measures – Bottom-up and top-down risk communication – Monitor Business Continuity Planning

Compliance Function

Consultation and Advisory Role – Liaise with external legal advisors, data protection office and regulatory authorities – Review legal documentation (including contracts) – Monitor implementation of internal audit and regulatory recommendations – Advise management on the application and impact of new legislation

Compliance Tools and Systems – Contract management system – Risk Register – Incident Register – Power BI – Qualtrics (surveys)

– Conflict of interest disclosures – Data breach/incident reports