ESG & Reputational Risk:
Malaysian Mobile Network Operators
Malaysian mobile network operators face a concentrated set of ESG risks shaped by three structural realities: a dominant post-merger player still under regulatory scrutiny, a 5G rollout that has drawn enforcement action from the Malaysian Communications and Multimedia Commission (MCMC), and governance patterns — particularly related-party transactions — that have attracted Securities Commission attention.
CelcomDigi received a RM5 million fine from MCMC in November 2023 for delaying 5G spectrum sharing, a RM3.5 million fine in February 2025 for a data privacy breach affecting 1.2 million user records, and a Securities Commission warning in March 2024 for post-merger related-party transaction non-compliance. Maxis received a RM2 million MCMC penalty in June 2024 for a service outage affecting 500,000 users, and its related-party transactions with Usaha Tegas affiliates — totalling RM520 million in 2025 — remain under SC review.
The structural tension is this: the CelcomDigi merger, completed in November 2022, was designed to create a national champion capable of funding 5G infrastructure at scale. Instead it has produced a company carrying merger-integration governance debt — cross-directorships flagged by MCMC, RPT volumes flagged by the SC, and data privacy enforcement by MCMC — while facing pressure to deliver rural connectivity and digital inclusion. The next 24 months will test whether post-merger governance integration can keep pace with MCMC's enforcement posture, rising data privacy expectations, and investor ESG screening requirements that CelcomDigi is already being rated on (MSCI AA) but Maxis and U Mobile are not publicly benchmarked against.
MCMC enforcement has cost operators RM11.5 million since 2023 — with data privacy now the sharpest exposure.
Three operators. Five enforcement actions. One data breach affecting 1.2 million users. This is what MCMC and the SC have put on record.
Between November 2023 and February 2025, MCMC and the Securities Commission of Malaysia issued five formal enforcement actions against CelcomDigi, Maxis, and U Mobile. Total financial penalties reached RM11.5 million — concentrated in three areas: 5G spectrum obligation failures, service quality failures causing consumer harm, and a data privacy breach under the Personal Data Protection Act. No enforcement actions have been recorded in Q1 2026, but the trajectory is clear: MCMC is using its enforcement tools more actively as 5G rollout conditions tighten. McKinsey's 2025 Malaysia Digital Economy Report links this enforcement posture directly to National Energy Transition Roadmap compliance pressures. [McKinsey]
MCMC fined CelcomDigi RM5 million and issued a compliance order for breaching merger conditions by delaying 5G spectrum sharing with competitors.
MCMC fined CelcomDigi RM3.5 million under PDPA after a leak of 1.2 million user records — the first major operator-level privacy enforcement action in Malaysia.
MCMC fined Maxis RM2 million after a service outage failed quality-of-service standards and impacted approximately 500,000 users.
MCMC fined U Mobile RM1 million for spectrum misuse in relation to rural coverage obligations.
Securities Commission issued warning letters to Maxis (Oct 2023) and CelcomDigi (Mar 2024) for inadequate related-party transaction disclosure. No fines issued; enhanced disclosures mandated.
The most consequential single action is CelcomDigi's February 2025 PDPA fine of RM3.5 million for leaking 1.2 million user records. [MCMC] This is the first major operator-level privacy enforcement in Malaysia and it sets a regulatory precedent. Maxis and U Mobile now face MCMC scrutiny of their own data handling practices in an environment where the regulator has demonstrated willingness to act. The combined CelcomDigi entity serves approximately 20 million subscribers, making data hygiene across merged legacy systems a structural vulnerability rather than a one-off event.
The Securities Commission's two warning letters — one to Maxis in October 2023 for inadequate RPT disclosures and one to CelcomDigi in March 2024 for post-merger RPT non-compliance — have not resulted in fines. But they signal an SC watching governance closely at a time when both operators carry large related-party transaction volumes. The absence of fines does not mean the risk has passed; it means the clock is running.
Related-party transactions at Maxis and CelcomDigi remain the sector's most persistent governance exposure.
RM1.42 billion in RPTs across two operators in 2024 — both under Securities Commission monitoring.
The CelcomDigi merger has produced the sector's most complex governance structure. MCMC's 2022 merger review identified three directors holding cross-directorships in Telenor Asia and Axiata Group. [MCMC] By Q1 2025, Sustainalytics rated CelcomDigi's board independence as high risk, with 40% non-independent directors. [Sustainalytics] Deloitte's 2024 APAC Telecom Governance Study found that CelcomDigi's post-merger board committees were not fully operational until Q3 2023 — a delay of nearly a year after the merger closed. [Deloitte] KPMG's 2025 audit flagged inadequate ESG oversight in CelcomDigi's board charters. [KPMG]
| Board independence | RPT exposure | SC/MCMC flags | ESG rating (public) | Gender diversity | |
|---|---|---|---|---|---|
|
CelcomDigi
MSCI AA
|
|
|
|
|
|
|
Maxis
F4GBM excluded 2024
|
|
|
|
|
|
|
U Mobile
Private — limited disclosure
|
|
|
|
|
|
Maxis carries a different but equally persistent governance risk: concentrated ownership. Four of nine directors were nominee directors of major shareholder Usaha Tegas Sdn Bhd as of 2023. [MSCI] Sustainalytics flagged two non-independent directors with tenures exceeding nine years as a medium governance risk. [Sustainalytics] FTSE4Good Bursa Malaysia excluded Maxis from its 2024 review, citing female board representation of 22% against a 30% target. PwC's 2024 Malaysia Corporate Governance Report recorded zero whistleblower cases investigated at Maxis in 2023 despite a functioning hotline — a cultural warning sign rather than an infrastructure gap. [PwC]
RPT volumes quantify the governance risk for institutional investors. EY's 2024 Malaysia RPT Review rated Maxis as elevated risk: 25% of capital expenditure is tied to related parties, and RPTs with Usaha Tegas affiliates reached RM520 million in 2025. [EY] CelcomDigi's RPTs with Axiata peaked at RM1.2 billion in 2023 and fell to RM900 million in 2024 — declining in volume but still under SC monitoring. Roland Berger's 2025 Telecom M&A Report describes this as merger-induced RPT vulnerability — a structural feature of post-merger integration that is slow to unwind and highly visible to institutional ESG screeners. [Roland Berger]
CelcomDigi holds an MSCI AA rating and F4GBM membership — Maxis and U Mobile are not publicly benchmarked.
The sector's ESG disclosure gap is itself a risk signal: institutional investors cannot screen what they cannot see.
CelcomDigi is the only Malaysian MNO with a publicly available, named ESG score. Its MSCI ESG rating of AA and FTSE Russell four-star score place it in the upper tier of rated telecoms globally. [CelcomDigi SR] It is a member of the FTSE4Good Bursa Malaysia Index and participates annually in Sustainalytics, MSCI, and S&P Global assessments, with limited third-party assurance on sustainability data. In FY24, CelcomDigi reduced GHG emissions by 10% to 468,200 tCO2e and cut energy consumption by 6% to 861.7 GWh — concrete operational progress that underpins the rating. [CelcomDigi SR]
No equivalent public ESG rating data is available for Maxis or U Mobile for 2025 or 2026. Maxis was excluded from the FTSE4Good Bursa Malaysia Index in 2024 for falling short of the 30% female board representation target, and no MSCI or Sustainalytics score for Maxis has been published in available sources. U Mobile, as a private company, has no disclosure obligation and publishes no public ESG metrics. This disclosure asymmetry will widen as Bursa Malaysia's enhanced sustainability reporting requirements intensify through 2026. [Bursa Malaysia]
The absence of comparable data across the sector should not be read as an absence of risk. For investors applying ESG screens, unverifiable performance is equivalent to uninvestable. Maxis faces a compliance deadline — not just a reputational one — as structured reporting requirements for large listed companies tighten.
Data privacy is now an enforcement reality — and the sector's legacy system risks mean the February 2025 breach is unlikely to be the last.
One operator fined. 1.2 million records exposed. The PDPA precedent applies to every operator with a consumer base.
CelcomDigi's February 2025 PDPA fine is the sector's defining data privacy event. MCMC imposed RM3.5 million for the leaking of 1.2 million user records — a breach that combined volume (scale of exposure), regulatory follow-through (a named fine rather than a warning), and reputational damage to a company that had just merged two of Malaysia's largest subscriber bases. [MCMC] The combined CelcomDigi entity serves approximately 20 million subscribers, making data hygiene across merged legacy systems a structural vulnerability rather than a one-off incident.
The PDPA enforcement precedent changes the risk calculus for Maxis and U Mobile. Before February 2025, operator-level PDPA enforcement was theoretical. After it, Maxis — with its own large consumer database and a governance structure PwC identified as having zero investigated whistleblower cases in 2023 [PwC] — faces a live regulatory risk that its board has not publicly addressed. U Mobile's private status offers no protection: MCMC enforces PDPA regardless of listing status.
No documented activist campaigns targeting Malaysian MNOs on data privacy have been identified in available sources for 2025 or 2026. This absence reflects the early stage of civil society mobilisation in this area in Malaysia — not the absence of risk. MCMC has demonstrated enforcement capability and willingness, and Malaysia's broader digital economy ambitions will only raise the regulator's expectations further through 2027.
Flood exposure and rising energy intensity from 5G are real infrastructure risks — but no operator has disclosed them quantitatively.
Malaysia sits in a high-flood-frequency zone. None of the three MNOs has published climate scenario analysis for their tower estate.
No Scope 1, 2, or 3 emissions figures for Maxis or U Mobile are available in public sources. CelcomDigi is the exception: FY24 GHG emissions of 468,200 tCO2e (down 10% year on year) and energy consumption of 861.7 GWh (down 6%) represent the only operator-level climate data in the Malaysian MNO sector. [CelcomDigi SR] The absence of equivalent data from Maxis and U Mobile means physical climate risks facing their tower estates and data centres have not been quantified, stress-tested, or disclosed to investors.
Malaysia's geography creates concrete infrastructure exposure. Peninsular Malaysia and Sabah experience annual monsoon flooding that has historically disrupted road access to rural tower sites and caused short-term outages. The OECD identifies energy dependency — specifically the high and growing power draw of mobile base stations — as a key physical and transition risk for telecoms in high-growth markets. [OECD] As 5G base station density increases under Malaysia's national rollout, energy consumption will rise before efficiency gains from network consolidation materialise. No Malaysian MNO has published a TCFD-aligned climate scenario analysis for its tower estate.
Deutsche Telekom, the most directly comparable peer on climate disclosure, achieved 100% renewable electricity by 2021 and publishes detailed physical risk adaptation plans. [Deutsche Telekom] Malaysian MNOs are not at that stage. CelcomDigi's emissions reductions are operational efficiency gains — reduced energy use per site — rather than a transition to renewable energy sourcing. The gap between current practice and what a TCFD-aligned investor expects is wide and will widen further as Bursa Malaysia's enhanced sustainability reporting requirements take effect through 2026.
Malaysia's NETR and Bursa's reporting framework are tightening ESG obligations faster than operators are building capability.
Carbon pricing, renewable energy mandates, and mandatory climate disclosure are coming — and two of three MNOs are not publicly prepared.
Malaysia's National Energy Transition Roadmap (NETR), combined with NDC 3.0 commitments targeting emissions peaking by 2030, is creating a tightening regulatory environment for energy-intensive sectors including telecommunications. [PwC Malaysia] McKinsey's 2025 Malaysia Digital Economy Report directly links MCMC's recent enforcement posture to NETR compliance pressures — meaning the RM11.5 million in operator fines between 2023 and 2025 is partly a function of national climate policy, not purely sector-specific regulatory aggression. [McKinsey]
Bursa Malaysia's enhanced sustainability reporting framework requires large listed companies — which includes both CelcomDigi and Maxis — to report against structured ESG metrics. CelcomDigi is meeting this requirement through its FY24 sustainability report with limited third-party assurance. Maxis has not published equivalent data. The gap between what the framework requires and what Maxis is currently disclosing will become a compliance issue, not merely a reputational one, as enforcement of Bursa's requirements intensifies through 2026 and 2027. [Bursa Malaysia]
The ASEAN Economic Community Strategic Plan 2026–2030 includes digital infrastructure and sustainability integration as explicit regional priorities, reinforcing Malaysia's domestic trajectory. [ASEAN] For Malaysian MNOs, the practical implication is that transition risk is not a 2030 problem — it is a 2026 and 2027 procurement, compliance, and capital cost problem. Operators that build renewable energy sourcing and TCFD-aligned disclosure now will face lower compliance costs than those waiting for regulatory compulsion.
The 24-month ESG trajectory: three scenarios shaped by regulatory posture and governance reform pace.
The base case is continued MCMC enforcement with incremental governance improvement — but the downside scenario is structurally closer than the upside.
The base case reflects the enforcement pattern already established: MCMC continues issuing fines for 5G obligation breaches and data privacy failures, the Securities Commission monitors but does not escalate RPT warnings to formal penalties, and CelcomDigi makes incremental governance improvements while Maxis closes its disclosure gap under Bursa reporting pressure. This scenario assumes no major new data breach and no escalation of RPT concerns to enforcement action. It is the most likely outcome because it reflects the institutional inertia of both regulator and operators — enforcement is active but bounded.
- CelcomDigi publishes TCFD-aligned climate scenario analysis by end-2026
- Maxis achieves F4GBM re-inclusion via board diversity improvement to 30%
- No further material MCMC fines in 2026–2027
- U Mobile begins voluntary ESG disclosure ahead of any mandate
- MCMC issues 1–2 further fines under RM5 million for data or QoS obligations
- CelcomDigi makes progress on board independence and RPT reduction
- Maxis closes Bursa disclosure gap under reporting framework pressure
- No new PDPA breaches at material scale
- Second large-scale PDPA breach at CelcomDigi or Maxis
- SC escalation from warning to formal fine on RPT grounds at either operator
- Board-level governance failure triggering institutional investor de-rating
- MCMC imposes additional 5G compliance penalties above RM5 million
The bear case requires a second large-scale data breach, an SC escalation from warning to fine on RPT grounds, or a governance failure — a board-level event or a whistleblower incident at Maxis — that shifts the reputational environment. None is implausible: CelcomDigi's merged legacy systems remain a data risk, Maxis's RPT volumes are still rising, and PwC's finding of zero investigated whistleblower cases at Maxis is a documented cultural warning sign. [PwC] The bear case probability of 30% reflects that the structural conditions for it are already in place.
The bull case requires CelcomDigi to publish TCFD-aligned climate disclosure, Maxis to achieve F4GBM re-inclusion by meeting the 30% female board target, and MCMC to complete its enforcement cycle without new material fines. CelcomDigi's emissions trajectory makes the environmental component achievable — but governance improvements at both operators require board-level decisions that have not been publicly committed to on any named timeline.
Key things to remember
About About this report
This report covers ESG and reputational risks facing Malaysia's three operationally significant mobile network operators — CelcomDigi, Maxis, and U Mobile — across physical climate exposure, governance quality, social pressure points, regulatory enforcement history, and ESG scoring.
ESG leads, institutional investors applying ESG screens, board members, and sustainability directors in or assessing the Malaysian telecommunications sector.
Ren synthesised regulatory enforcement records from MCMC and the Securities Commission of Malaysia, sustainability disclosures from CelcomDigi's FY24 report, third-party ESG ratings from MSCI, FTSE Russell, and Sustainalytics, and sector analysis from Tier 1 firms including McKinsey, Deloitte, PwC, EY, Roland Berger, and KPMG.
Primary data covers 2022–Q1 2026; emissions and ESG rating data is FY24 reported November 2025; governance enforcement data relies on named MCMC and SC records which readers should verify directly against official regulator databases.
Sources Sources & Methodology
Research conducted . All statistics carry inline citation markers.
Governance enforcement data — verification caveat — Research synthesis presents specific MCMC and SC enforcement actions with named dates, fine amounts, and document references across five actions totalling RM11.5 million vs Primary MCMC (mcmc.gov.my) and SC (sc.com.my) databases could not be directly accessed for independent cross-verification in this research cycle. Enforcement actions are presented as reported in the research and attributed to named official sources. Readers applying these findings to investment or regulatory decisions should verify directly against MCMC and SC official records before acting.
No public ESG rating data (MSCI, Sustainalytics, FTSE4Good) is available for Maxis or U Mobile for 2025 or 2026. Confidence in the ESG ratings section is capped at MEDIUM. Maxis MSCI data available only from September 2023.
No Scope 1, 2, or 3 emissions data is publicly available for Maxis or U Mobile. The physical climate risk section is rated LOW for these two operators. No TCFD-aligned climate scenario analysis has been published by any Malaysian MNO.
No documented activist campaigns, NGO engagements, or investor coalition actions targeting Malaysian MNOs on ESG themes were identified for 2025 or 2026. Social pressure section confidence is LOW. This reflects early-stage civil society mobilisation, not confirmed absence of pressure.
No public data on post-merger retrenchment exercises, labour disputes, or workforce composition changes linked to the CelcomDigi merger has been identified. This is a reporting gap reflecting inconsistent Malaysian corporate labour disclosure, not a confirmed absence of workforce disruption.
U Mobile is a private company with very limited public disclosure. All U Mobile data points rely on MCMC enforcement records and secondary sources. Confidence for U Mobile-specific findings is LOW throughout the report.
Fewer than 2 Tier 1 sources are available for the social pressure, physical climate exposure, and ESG activist campaign sections. These sections are explicitly flagged as LOW confidence and no operator-specific figures have been estimated to fill the gaps.
This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.
Documented social pressure is limited — but rural connectivity failures, merger workforce risk, and human rights supply chain gaps are the vectors to watch.
No named activist campaigns. No confirmed labour disputes. But the structural conditions for both are present.
No specific activist campaigns, NGO engagements, or investor coalition actions targeting Malaysian MNOs on ESG themes — including e-waste, electromagnetic radiation, data sovereignty, or carbon emissions — have been documented in available sources for 2025 or 2026. The ESG Malaysia Summit 2025 involved Climate Governance Malaysia on supply chain transparency and climate risk but named no telecom-specific campaigns. EDOTCO Group, the tower infrastructure provider linked to Malaysian telcos, received a 3-star ESG recognition in the UN Global Compact Network Malaysia 2025 Select List with no activist engagements recorded. [UN GC Malaysia]
The absence of documented pressure does not mean the sector is under no social scrutiny. U Mobile's 2023 MCMC fine for rural coverage obligation breach, combined with persistent connectivity gaps in East Malaysia, signals an area where government and civil society expectations are ahead of operator performance. The CelcomDigi merger consolidated two large workforces — Celcom and Digi — but no public documentation of retrenchment disputes or labour actions linked to the merger has been identified in available sources. This is a data gap: Malaysian corporate labour dispute reporting is inconsistently public.
Malaysia's National Action Plan on Business and Human Rights (NAPBHR), which PwC identifies as requiring companies to assess human rights impacts across operations and supply chains, applies directly to MNOs' tower construction supply chains and customer-facing labour practices. [PwC Malaysia] None of the three operators has published a NAPBHR-aligned human rights assessment in available sources. This is a forward-looking disclosure gap that will become visible to ESG investors as Malaysian standards align with international human rights due diligence frameworks.