
Exhibit 99.1

ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Open Company NIRE 35300010230

PUBLIC ACCESS REPORT - MARKET RISK

PURPOSE

The purpose of this policy is to establish the market risk management and control framework of Itaú Unibanco Holding S.A. (Itaú Unibanco), in compliance with the applicable regulations and best market practices.

DIRECTIVES

The market risk control processes shall support the institution according to principles defined in the Risk and Capital Management Policy. These principles are expressed in the following directives, which state that Itaú Unibanco's market risk management and control structure must:

- Ensure that the processes and systems adopted to measure, monitor and control market risk exposure are compatible with the nature of the trades, the complexity of the products and the extent of the institution's market risk exposure level, encompassing all market risk sources and timely disclosing the risk exposure reports to the Business Units and to the Board of Directors;
- Establish processes and instruments to measure, monitor and control exposure to market risk for operations included in the trading and banking books;
- Ensure compliance of the trades' classification in the trading and banking portfolios.

RESPONSIBILITIES

Areas of Itaú Unibanco that calculate the market value of positions for managerial and/or accounting purposes must ensure the use of pricing parameters and models approved by the Market Risk Area of the Holding.

Itaú Unibanco has established a structure of deliberative bodies for risk management and control. Their detailed description and composition are presented in specific policies. The main responsibilities related to the structure of market risk control are described below.

Market Risk Control

- Establish and maintain the overall Market Risk governance framework;
- Daily identify, measure, control, monitor and report market risk exposure to business areas and to the superior commissions;
- Measure market risk exposures using at least the following classification of risk factors: interest rates, foreign exchange rates, share prices, commodity prices, credit spreads and implied volatilities;
- Determine the criteria for pricing financial instruments and new products;
- Develop models for controlling market risk and for pricing of financial instruments;
- Assess, together with the business areas, the market risk limits aligned with the risk appetite established by the Board of Directors;
- Daily monitor the compliance of exposures in respect to the approved limits, warnings and other market risk;
- Verify compliance of the trades classification criteria in the trading portfolio (negotiation book) and banking portfolio (non-negotiation book);
- Conduct backtests to verify the performance of the market risk models;
- Monitor the stress scenarios designed for the risk factors that are used for controlling market risk;
- Perform simulations of extreme market conditions;


- Assess in advance the market risk inherent to new products and trades, and participate in the processes of approval and viability of new products/trades;
- Continuously revise and improve methodologies and tools used to control market risk;
- Establish and disclose the minimum quality criteria to be used for contracting and registering trades from the treasury and the related areas, monitoring adherence to them;
- Maintain specialized and adequately sized teams to support market risk processes and systems under their authority or being developed by them;
- Ensure that all processes under their governance and development management, with direct or indirect impact on market risk processes, are fully documented;
- Establish a service level agreement (SLA) for processes under its responsibility and management of development that impact market risk;
- Elaborate and update, at least annually, the Market Risk public report.

Treasury and Related Areas (Brazil and Foreign Units)

At the most fundamental level, each individual trader must fully understand the nature of risk in the portfolios they manage and the effective management of this risk, ensuring that the risk is known by the management and kept within the established limits. Additionally, the trader is responsible for the entire trading process and its registration in the systems.

Treasury and Related Areas have to:

- Promptly report to Market Risk Control potential risks identified that were not foreseen during the development of control activities, including P&L discrepancies;
- Manage the positions subject to market risk by keeping them within the approved limits and in accordance with the other conditions established in the market risk control framework;
- Provide quotations and transfer prices for cash or noncash transactions, on a market-to-market and accrual basis, to the sales channels and the client desks.

Finances (International Units)

- Reconcile management information used to manage portfolios, results and balances submitted to market risk control and management to ensure the quality and accuracy of management information.

Payment and Operation Department (Brazil)

- Reconcile management information used to manage portfolios, results and balances submitted to market risk control and management to ensure the quality and accuracy of management information;
- Generate, as per provisions by the Market and Liquidity Risk Control Department (DCRML), information needed to control market risk exposures of non-standardized products (TNP) and forward it to the Market Risk Control area.

Capital Management (Brazil)

- Monitor the Regulatory Capital tier adequacy related to risks taken by the institution, including market risk.

Internal Controls, Compliance and Operational Risk Department

- Validate the market risk models.

Internal Audit

- Verify, in an independent and periodic manner, the adequacy of the risk identification and management processes.

Information Technology

- Maintain specialized and appropriately sized teams to support market risk processes and systems being developed by IT and/or that are under its governance, and for Hosting processes defined in specific service level agreements;


- Ensure that all systems and processes that are under IT's governance and/or that are being developed by it, with direct or indirect impact on market risk processes, are fully documented and in accordance with internal ATEC policies. For Hosting processes, documentation must be in accordance with specific internal ATEC policies. This documentation must be readily available for internal controls and market risk teams;
- Establish a service level agreement (SLA) for processes under IT governance and development management impacting market risk.

Operations

- Ensure that transactions are validated with counterparties or central clearing and settlement houses;
- Ensure that front office systems (ticketing) and Back Office systems (processing) are synchronized;
- Promptly communicate to Market Risk any backdated change either to Front Office or Back Office Systems.

GLOSSARY

Stress Scenarios: a description of an extreme exposure situation to the financial market (prices, rates, volatilities, etc.) different from the current one. It can be hypothetical or historical.

Stress Scenario (Cenário de Estresse): the description of a possible extreme situation of the financial market (prices, rates, volatilities, etc.) distinct from the current one. It can be hypothetical or historical.

Market Risk: the risk of losses due to market value fluctuations of the positions held by a financial institution, as well as losses of its financial gross profit.

Approved by the Board of Directors on 06.21.2018.


ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Open Company NIRE 35300010230

PUBLIC ACCESS REPORT - INTEGRATED MANAGEMENT OF OPERATIONAL RISK, INTERNAL CONTROLS AND COMPLIANCE

OBJECTIVE

Establish the guidelines and responsibilities associated with the management structure for Operational Risk, Internal Controls and Compliance, in accordance with the applicable rules and regulations and the market's best practices.

PRINCIPLES

Itaú Unibanco is an organization acting integrally. Itaú Unibanco's senior management defines the conduct guidelines and positions considered more appropriate and consistent with the Conglomerate's values and good market practices, which are part of the Itaú Unibanco Code of Ethics and are disseminated through a variety of means, among which is the Risk Culture.

The principles providing the fundamentals of risk management, risk appetite, and how employees should work day-to-day for decision making are described in the Risk Management Policy. Among them, the following principles are emphasized:

- Risk Culture: the risk culture of Itaú Unibanco goes beyond policies, procedures and processes and strengthens the individual and collective responsibility of all employees in order to do the right thing at the right time and in the right way; and
- Ethics and respect for regulation: for Itaú Unibanco, ethics is non-negotiable. Therefore, it promotes an integral institutional environment, guiding the employees to cultivate ethics in relationships and in business, and respect for the norms, taking care of the reputation of the conglomerate.

GUIDELINES

Operational Risk, Internal Controls and Compliance

Risks are inherent to all the activities of the institution. Effective risk management should be part of employees' day-to-day operations and be compatible with the nature, size, complexity, structure, risk profile and business model of the operations performed, according to the established risk appetite for the Conglomerate, detailed in the Conglomerate Risk Appetite Policy.

Operational risk management and compliance must encompass existing or new processes, products and services, including relevant outsourced services. Such processes, products and services shall be periodically tested and evaluated for adherence to external standards, commitments made to regulators and, where applicable, internal standards, including requirements related to the Code of Ethics.

The notes drawn up by the executive areas, internal and external auditors, and regulators must be monitored in order to ensure their effective treatment by the competent areas.

Relevant risks or failures found in existing controls, as well as relevant non-conformities identified by employees, third parties, regulators or external auditors, associated with each individual institution and the Conglomerate, should be periodically reported, internally and externally, to Senior Management and External Authorities. Risk reports should be clear, objective and timely and should be reported to senior committees, business unit executives, the CRO and the Board of Directors, so that the level of exposure and compliance with the limits established are monitored.

To contribute to adequate risk management, Itaú has a methodology for integrated management of operational risk, internal controls and compliance, consisting of 5 steps: identification, prioritization, risk response, monitoring and reporting. It is detailed in the Integrated Methodology of Internal Controls, Compliance and Operational Risk Policy.

Risk Management Model

Itaú Unibanco uses the strategy of three lines of defense to operationalize its structure of Operational Risk Management, Internal Controls and Compliance, and to ensure compliance with the guidelines set forth in this policy, through an integrated approach, with a clear division of roles and responsibilities.

First Line of Defense


It is represented by the Business and Support areas. Its employees are directly responsible for the management of the risks associated with its operations, as well as for the execution of controls and implementation of corrective measures for the proper treatment of risks. In the First Line of Defense, the employees of the Legal Department are also included.

Second Line of Defense

It is represented by the functions of risk control and coordination of the compliance function, which:

- are subordinated to the Control and Risk and Finance Management Area (ACGRF);
- are fully segregated from internal audit and legal audit activities; and
- are independent in the exercise of their functions, have direct communication with any administrator, including the members of the Board of Directors and the Audit Committee, as well as with any collaborator, and have access to any necessary information within the scope of their responsibilities.

The areas that make up the second line of defense are prohibited from managing any business in any unit that could compromise their independence or generate conflicts of interest. For the same reason, their goals and compensation in any unit cannot be related to the performance of the business areas.

Third Line of Defense

It is represented by the Internal Audit.

RESPONSIBILITIES

Common responsibilities to all areas of Itaú Unibanco

- To comply with external and internal standards and watch over the reputation of the institution.
- To know and follow the guidelines of this Policy.
- To know and follow the guidelines of the Integrity and Ethics Program, disseminate in their teams their principles and guidelines and stimulate the expected attitudes and behaviors.
- To conduct the integrity and ethics training and risk management provided by Itaú Unibanco.
- To annually sign the term “Policies of Corporate Integrity” certifying its knowledge of and agreement with what is established in this Policy.
- To define, implement, continuously comply with and update its own policies and procedures for adherence to the regulations, according to the Governance of Conglomerate Documents Policy.
- To identify and discuss in the Conglomerate good practices and trends observed in the domestic and international markets, for continuous process improvement of Itaú Unibanco.
- To communicate any fact or suspicion of violation regarding the provisions set forth herein.

Board of Directors

The Board of Directors shall:

- Approve: a) the guidelines, strategies and policies regarding operational risk, internal controls and compliance, to ensure a clear understanding of the roles and responsibilities for all levels of the Conglomerate; and b) the position of the DEROC in the organizational structure of the institution in order to avoid possible conflicts of interest, especially with the business areas.
- Provide the necessary means for activities related to the integrated management of operational risk, internal controls and compliance to be adequately exercised, including the availability of resources to allocate sufficient personnel with the necessary training and experience.
- Meet with DEROC, at least on an annual basis, as part of the effectiveness evaluation of integrated management of operational risk, internal controls and compliance.
- Ensure: a) proper management of this policy; b) effectiveness and continuity of implementation of this policy; c) communication of this policy to all relevant employees and outsourced service providers; d) dissemination of standards of integrity and ethical conduct as part of the institution's culture; and e) adoption of corrective measures for operational risk failures, internal controls and compliance identified.


The evaluation of the Board of Directors on these items shall be carried out based on the annual report prepared by the DEROC, periodic meetings with the DEROC, and annual evaluation made by the Audit Committee. Audit Committee The Audit Committee shall: - Validate the Integrated Operational Risk Management, Internal Controls and Compliance Management Policy prior to submission for approval by the Board of Directors. - Evaluate, at least annually, the structure of Integrated Management of Operational Risk, Internal Controls and Compliance, at least in relation to the following aspects: a) responsibilities – clarification regarding their role, scope and responsibilities. Clear division of the responsibilities of the people involved in compliance and operational risk functions, in order to avoid possible conflicts of interest, especially with the business areas of the institution; b) Independence - (i) if hierarchical positioning is adequate and segregation of operational and business areas; and (ii) whether the mandates are being duly exercised as regards the definition of scope, execution of the work and communication of its results; c) Structures and resources – (i) organizational structure (organization chart) consistent with the needs of the Conglomerate and (ii) allocation of sufficient, adequately trained and experienced personnel to carry out activities related to the respective functions; d) Effectiveness of integrated operational risk management, internal controls and compliance; and e) Adherence to regulation and good practices. - Verify the performance of: a) communication of this policy to all relevant employees and outsourced service providers; b) dissemination of standards of integrity and ethical conduct as part of the institution's culture; and c) adoption of corrective measures for failures in internal controls and compliance identified. 
First Line of Defense - To evaluate external and internal standards, as well as monitor changes in the regulatory environment; and verify the impact that the applicable regulation may have on their processes and procedures, and the need for action plans to ensure their adherence. - To guide and advise the Conglomerate's managers and collaborators, directing specific solutions related to the compliance with external standards according to Compliance – Regulatory Adherence Management Policy. - To inform and train relevant employees and outsourced service providers in matters related to compliance. - To submit to Product Evaluation Governance any new product or change of existing product affecting Itaú Unibanco and/or its customers, as provided in Corporate Product Evaluation Policy and in the respective product policies of each segment, ensuring the conformity of the products and processes with applicable internal and external standards. - To relate to regulators, responding to their requests, and issuing to them the reports due, according to Relationship with Regulating Bodies, Self-Regulators, Supervisors and Supervisors Policy. - To identify, measure, evaluate and manage operational risk and compliance events, which may influence the strategic and operational purposes of the Conglomerate. - To maintain an effective control environment, through preventive and detective approaches, in relation to the activities carried out internally and to the relevant outsourced activities under its coordination; their financial, operational and management information systems; compliance with applicable external and internal standards.
The control environment must be consistent with the nature, size, complexity, structure, risk profile and business model of the operations performed, in order to ensure the effective management of its risks, including compliance, while maintaining the exposure to risks at acceptable levels according to the risk appetite established for the Conglomerate, detailed in Conglomerate Risk Appetite Policy. - To manage operational risk losses. - To document and store information related to losses associated with operational and compliance risk and report them to the Internal Controls and Operational Risk Board (DCIRO), according to Operational Risk Events Database Policy. - To define and implement the action plans for addressing the notes made by internal and external auditors, regulators, internal controls and compliance. - To report to the Executive Board on Operational Risk and Compliance (DEROC) the relevant operational risk events associated with each individual institution and the Conglomerate and their deviations from the tolerance levels established and approved by the Risk and Capital Management Committee (CGRC), with minimum annual frequency.


- To promptly communicate to the area of operational risk, internal controls, compliance, or Ombudsman, whenever it identifies changes in relation to the norms and regulations in force, or risks not foreseen in the development of control activities. - To establish contingency plans containing the strategies to be adopted to ensure conditions of continuity of activities and to limit losses arising from operational risk, in accordance with the guidelines established in the Corporate Continuity Policy. Second Line of Defense Control and Risk Management and Finance Area (ACGRF) Disclose and enforce the decisions, policies and strategies for operational risk management, internal controls and compliance to the Business and Support areas and the Chief Risk Officers (CROs) of the international units. Ensure that Risk Control, Compliance and Internal Control teams have appropriate authority and adequate resources and knowledge, and provide the necessary training, as set forth in Risk Management Policy. Communicate to the Audit Committee and Board of Directors changes of the Directors of the DEROC. Wholesale Finance Board Conduct the calculation and allocation of capital to operational risk by Business Unit and Support by the Alternative Standardized Approach (ASA). Conduct the calculation and allocation of economic capital to operational risk (ICAAP). Monitor the adequacy of the Reference Equity (PR) level in relation to the operational risk assumed by the Conglomerate. Executive Director of Operational Risk and Compliance (DEROC) It is composed of the Corporate Compliance Officer (DCC), the Internal Controls and Operational Risks Board (DCIRO), and the Corporate Security Directorate (DSC). In the International Units, there is a local and independent structure responsible for the control of operational and compliance risks, under the responsibility of the local CROs, which report to the DEROC.
DEROC attributions, through its structures of Internal Controls and Risks (OCIRs) and Compliance: To support the first line of defense in observing its direct responsibilities. To disseminate standards of integrity and ethical culture as part of the Conglomerate's risk and control culture and disseminate good practices and policies related to the integrated management of Operational Risk, Internal Controls and Compliance. To guide and advise the Conglomerate's managers and collaborators, directing specific solutions on compliance with internal standards related to the Integrity and Ethics Program. To guide and advise the Conglomerate's managers and collaborators, directing specific solutions related to the compliance with external norms according to the Compliance - Regulatory Adherence Management Policy. To evaluate incentives to comply with rules and regulations in the various systems of variable remuneration of the conglomerate, including administrators. To develop and make available the methodologies, tools, systems, infrastructure and governance required to support the integrated management of Operational Risk, Internal Controls and Compliance in the activities of the Conglomerate and relevant outsourcers, based on size, complexity, structure, risk profile and Conglomerate business. Prioritize the identified operational risk and compliance events according to their severity (high, moderate or low), measure and monitor the conglomerate's exposure to those risks. To ensure periodic review and updating of internal controls, so that measures related to new or previously unaccounted operational risk events are incorporated. To certify the efficiency of the control and compliance environment of the First Line of Defense, through monitoring programs, control tests, independently reporting the residual risk.
Periodically review and monitor the addressing of the notes made by internal and external audits (including those originating from the report of noncompliance with legal and regulatory provisions) and regulators. To ensure the existence of product and service evaluation governance, as well as to evaluate in advance the operational and compliance risk involved in its alteration and creation, as provided in Corporate Product Evaluation Policy and in the respective policies (APs) of each segment. To ensure governance of Operational Risk, Internal Controls and Compliance issues, by means of reporting to the Collegiate bodies of the Conglomerate, in accordance with Structure of Itaú Unibanco Holding SA Policy, including the Board of Directors, Audit Committee, Board of Directors and CGRC.


To report to the Board of Executive Officers, the Audit Committee and the Board of Directors the relevant non-compliance situations and the relevant control deficiencies associated with each individual institution and the Conglomerate, identified by the lines of defense, regulators or external audit, according to Structure of Itaú Unibanco Holding S.A Policy. To report periodically information on compliance status to senior committees, business unit executives, the CRO and the Board of Directors. To communicate to the senior committees, business unit executives, the CRO, the Audit Committee, the CA and the CGRC the relevant risks or failures found in existing controls as well as the relevant nonconformities identified by the lines of defense, regulators or external audit, associated with each individual institution and the Conglomerate. DCIRO attributions: To validate, independently, policies and processes for certification purposes, as described in specific corporate Policy. To validate the operational risk classification of projects that require technological development. To validate the implementation of the action plans of the internal audit points, moderate not SOX, as described in the Internal Audit Policy. To maintain documented and stored information on losses associated with operational risk, incurred by the Conglomerate and other institutions, and reported in the committees when applicable or as described in corporate internal Policy. To create operational risk scenarios to estimate the exposure of the institution to events of rare and high severity risk, but considered plausible, and provide information on potential risk, generating estimates of losses, considering, when necessary, the impact of the simultaneous occurrence of multiple operational risk events. This responsibility applies to units in Brazil. To coordinate the development activities of business continuity plans.
To coordinate the activities of Operational Risk and Internal Controls and their attribution in the areas of Business and Support. DCC attributions: To maintain evidence of approval of this Policy by the Board of Directors. To define principles and guidelines for dissemination of the Compliance Culture, including training. To present needs related to the allocation of sufficient, adequately trained personnel with the necessary experience to carry out activities related to the Compliance function. To manage the process of elaboration, standardization, annual review, approval and publication of institutional policies, making them accessible to employees and other stakeholders, in compliance with the regulatory guidelines, according to the specific internal Policy. To conduct the monitoring of Personal Investment Policies and the Securities Trading Policy issued by Itaú Unibanco Holding S.A., in order to avoid non-compliance with legislation, internal guidelines and good market practices. To validate the regulatory risk classification of projects that require technological development. To send promptly to the Board of Directors and to the Audit Committee relevant information on changes in the regulatory environment and results of compliance activities and on material compliance failures that may generate significant legal or reputational risks, regulatory sanctions or financial losses predominantly arising from regulatory risks. The reports should consider aspects such as: assessments made, changes in compliance risks or in the related control environment, identified deficiencies and relevant notes and respective action plans. Prepare an annual report containing a summary of the results of activities related to compliance issues, main conclusions, recommendations and action plans adopted, as well as the actions taken by the Board of Directors.
The report should be forwarded to the Audit Committee and Board of Directors to support the evaluation of the effectiveness of compliance management and should be kept at the disposal of the Central Bank for at least five years. Optionally, request the execution of activities by other areas, remaining responsible for the orientation and evaluation of the results. Coordinate the compliance function, which is: Regulatory Adherence Management, according to Compliance – Regulatory Compliance Management Policy, which includes: (i) identification of regulators, and other entities in Brazil and abroad that guide the institution's markets; (ii) establishment, together with other pertinent areas of the institution, of processes for capturing and evaluating laws, regulations, regulations, resolutions, instructions, circulars, codes, compromise terms, conduct adjustment terms, recommendations; (iii) definition of the methodology for legislative analysis and monitoring of the adequacy of the Institution to the applicable legislation, regulation and self-regulation, identifying responsible and deadlines for implementation of the action plan to ensure adherence and compliance; and (iv) the establishment of criteria and methodology for monitoring (periodic monitoring), identification and assessment of compliance risks, including risks arising from inappropriate or unlawful conduct.


Ensuring the existence of defined processes to comply with specific regulations, such as those listed below, being responsible for the definition, development, maintenance and continuous improvement of Compliance Programs appropriate to the nature, size, complexity, structure, risk profile and business model of the institution and in accordance with the evolution of the regulatory environment. When not directly responsible, assist in the development of processes and systems, evaluating and following them: - Integrity and Ethics Program, which has its guidelines defined in Integrity and Ethics Policy and Corporate Policy on Corruption Prevention; - Customer Relationship Program, whose established guidelines are contained in Institutional Relations Policy with Clients and Users of Financial Products and Services; - Monitoring of Abusive Practices (Trade Surveillance), under guidelines contained in Policy on Trading and Intermediation of Securities – DGA; - Information Barriers Program, under the guidelines set out in Segregation of Activities Policy – DGA; - Socio-environmental Program, with guidelines contemplated in the policies Sustainability Policy and Socio-environmental Responsibility; - Information Security System, with guidelines in Corporate Information Security Policy; - Prevention and Combating Money Laundering, with guidelines contemplated in the Prevention of Illicit Acts Policy; - Commercial Prohibitions and Penalties, on which procedures must be ensured to prevent the institution from carrying out business and payments with prohibited or sanctioned parties; with guidelines contemplated in the Policy [[HF-16-300]] - Prevention of Unlawful Acts; - Corporate Crisis Management Program, with guidelines contemplated in the Corporate Crisis Management Policy; - Business Continuity Program with guidelines included in the Corporate Continuity Policy.
Relationship management with regulators: to coordinate the relationship and reporting to regulators, to follow the actions originated from the commitments assumed, facilitating the sharing of information and ensuring the consistency of institutional positioning according to Relationship with Regulatory Bodies, Self-Regulators, Supervisors and Supervisors Policy. DSC attributions: - To coordinate the program of prevention of illicit acts, including money laundering and terrorism, in accordance with the guidelines described in Policy for Prevention and Combat of Unlawful Acts; - To coordinate the Information Security System, with guidelines contained in Corporate Information Security Policy; and - To coordinate the Corporate Crisis Management Program, with guidelines contemplated in the Corporate Crisis Management Policy. Third Line of Defense Independently and periodically verify the adequacy of processes and procedures for identifying and managing risks, including integrated management of operational risk, internal controls and compliance, in accordance with the guidelines established in the Internal Audit Policy and submit the results of its notes to the Audit Committee. COMPLAINT CHANNEL Any employee or third party who encounters a fact or suspected violation of a guideline, law, risk in lawsuits, regulations or standards shall promptly communicate the fact to the competent channels available in the Itaú Unibanco Code of Ethics. WHISTLEBLOWERS PROTECTION a) Directors and employees cannot perform retaliatory acts against those who, in good faith: (i) denounce or manifest a complaint, suspicion, doubt or concern regarding possible violations of the guidelines of this Policy; and (ii) provide information or assistance in the determination of such possible violations. b) Anonymous manifestations must be accepted by the Channels of Denunciation and anonymity must be preserved. Identified manifestations are also accepted.
c) Confidential treatment and protection of the identity of the complainant is ensured. d) Disciplinary sanction should be applied to administrators or employees who have proven to attempt or retaliate against anyone who, in good faith, reports possible violations of the guidelines of this Policy. e) Disciplinary sanction must be applied to administrators or collaborators who have been proven to use in bad faith when communicating possible violations of the guidelines of this Policy or to communicate facts that are known to be false.


DISCIPLINARY PENALTIES

Failure to comply with any guidelines or principles established in this Policy is subject to disciplinary sanctions, administrative or criminal measures, without prejudice to other penalties or measures in accordance with the legislation in force.

RELATED DOCUMENTS

- Basel Committee on Banking Supervision - Compliance and the compliance function in Banks (April 2005)
- Resolution No. 2554/98 of the National Monetary Council: provides for the implementation of a system of internal controls
- Resolution No. 4557/17 of the National Monetary Council: provides for the structure of risk management and the capital management structure
- Resolution No. 4595/17 of the National Monetary Council: provides for the compliance policy of financial institutions and other institutions authorized to operate by the Central Bank of Brazil

GLOSSARY

Alternative Standardized Approach (ASA): the Conglomerate uses the ASA approach for the calculation and reporting of its operational risk regulatory capital, both of which are carried out by the Management Control and Budget Management Board. For management purposes, the calculation of managerial capital may consider the information of bases of risk events, indicators, business continuity plans and scenarios, among others.

Relevant third-party service providers: their relevance is classified by the Purchasing area, according to analysis of operational risk, business continuity, financial, labor and reputational relevance.

Products: products, specific operations, specific structures, services and processes, for any business segment.

External Authorities: executive, legislative and judicial powers; public ministry; regulators; self-regulators; class entities and consumer protection agencies.

Regulators: regulators, self-regulators, supervisors, inspectors and representative entities of the sectors of operation of the Conglomerate in Brazil and abroad.

Retaliation: any act of retaliation, persecution or revenge practiced due to denunciations or manifestations of doubts, suspicions or contestations of possible violations of this Policy or of illegal and unethical actions. Examples of retaliation are: threats, poor evaluation, “blacklisting”, suspension application, shutdown, among others.

Approved by the Board of Directors on 12/15/2017.


ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Open Company NIRE 35300010230

PUBLIC ACCESS REPORT - LIQUIDITY RISK

Objective

To establish the liquidity risk management and control structure adopted by Itaú Unibanco Holding S.A., in compliance with the applicable regulations and best market practices.

Guidelines

The Liquidity Risk management and control processes should adhere to the principles defined by the institution.

In compliance with the risk appetite defined by the board of directors, the liquidity risk limits structure should be proposed to the Market and Liquidity Risks Superior Commission after due deliberation regarding the liquidity risk metrics and limits.

The liquidity risk exposure should be measured across all financial positions of Itaú Unibanco’s companies, along with the possible contingent and/or unexpected exposures, such as the ones that may arise from settlement services, provisions for letters of credit and guarantees, and credit products approved and not used.

The main liquidity risk control metric is the reserve, which is composed of:

- Domestic available resources;
- International available resources;
- All positions that are immediately convertible (D0) into funds.

Itaú Unibanco has a liquidity contingency plan, which clearly defines the actions that should be taken in order to reestablish appropriate liquidity levels in different stress scenarios.

The business units, whether in Brazil or abroad, must ensure that approved decisions, policies and strategies are properly implemented.

Rules

The Liquidity Risk control processes should have at least the following steps:

- Assessment of the Liquidity Risk Exposure
- Monitoring, Control and Report
- Contingency and Recovery Plan

RESPONSIBILITIES

Itaú Unibanco has established a structure of authorities and supervisory committees for risk management and control. In addition to the mentioned structure, the areas whose main responsibilities are described below are related to the liquidity risk control structure.

Liquidity Risk Control

- Defines the reserve composition, according to the directives established by the senior management;
- Identifies, evaluates, monitors, controls and reports, on a daily basis, the liquidity risk exposure for different holding periods, contemplating at least the trades that have a term of less than 90 days;
- Proposes the liquidity risk limits;
- Monitors the contingency plan and the established limits and reports any limit excesses to the approval authorities (Treasury, Integrated Capital Management, CRO and board);
- Assesses the liquidity risk individually for each of the countries where the bank operates and in the currencies to which they are exposed;


- Performs simulations of the cash flow behavior under idiosyncratic and systemic stress conditions;
- Evaluates the risks related to new products before their approval;
- Discloses the information required by the regulatory entities;
- Reports, periodically, the main liquidity risk controls in Brazil and in the International Units to the approval authorities;
- Reports, in a timely manner, to the collegiate bodies, situations of significant drops in liquidity and the relevant aspects of the action plans;
- Submits the liquidity contingency plan (Brazil) for approval by the Board of Directors at least once a year.

Institutional Treasury

- Centralizes the liquidity risk management of Itaú Unibanco, ensuring proper and sufficient liquidity levels;
- Analyzes current and future liquidity and reserve levels for the scenarios defined by the liquidity risk control area;
- Observes any restrictions related to liquidity transfer and foreign exchange, due to operational problems or imposition by a country’s government;
- Manages structural assets’ and liabilities’ risks;
- Establishes, along with the products and commercial areas, funding strategies that provide proper diversification of fund sources and maturity terms, in compliance with the Institutional Treasury Management policy;
- Establishes transfer prices in order to meet cash needs and optimize risk management of the assets and liabilities, as directed by the Institutional Treasury Management policy;
- Proposes limits, strategies and a contingency plan based on cash flow simulations under stress conditions;
- Monitors regulatory requirements;
- Coordinates the Comitê de Caixa (Cash Management Committee);
- Submits the requested liquidity information to the relevant committees.

Treasury Operations - Reserve Control

- Identifies, evaluates, monitors and alerts on intraday cash needs;
- Carries out and monitors the messaging flow.

Information Technology

- Maintains specialized and appropriately sized teams to support liquidity risk management processes and systems (whether developed by IT or under its own governance);
- Ensures that all systems and processes within its governance, with direct or indirect impact on liquidity risk processes, are fully documented and in accordance with internal IT policies;
- Establishes service level agreements (SLA) for processes within its governance that impact liquidity risk management.

Internal Audit

- Verifies, independently and periodically, the adequacy of the risk identification and management processes.

Approved by the Board of Directors on 03.29.2018.


ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Open Company NIRE 35300010230

PUBLIC ACCESS REPORT - CREDIT RISK

PURPOSE

To set the structure and operation of credit risk control in Itaú Unibanco Holding S.A. (Itaú Unibanco), observing the applicable regulations, best market practices and enforcement of corporate decisions by the business units.

STRUCTURE OF CREDIT RISK MANAGEMENT

The Board of Directors (CA) sets the guidelines and monitors strategies and policies for credit risk.

Credit risk management is the responsibility of all Business Units. They are the ones that assume the risk, in their daily operations, with a view to profitable business.

Centralized control of credit risk is performed independently by the Control and Risk Management and Finance Area (ACGRF), segregated from the Business Units and from the unit that executes the internal audit activity, as required by the regulations.

The structure enables continuous and integrated credit risk management and must consider both trading and non-trading portfolio transactions.

ACGRF defines and proposes, in line with Business Units, corporate policies, indicators and strategies for credit risk management throughout Itaú Unibanco (Brazil and International Units).

Business Units and International Units must ensure that the decisions, policies and approved strategies are applied.

The structure of commissions and committees serves as a forum to ensure that management and control activities are transparent. They are: committees, superior commissions and Business Unit commissions.

The structure must provide for systems, routines and procedures to identify, measure, assess, monitor, report, control and mitigate the exposure to credit risk, both individually and at the aggregate level of operations with similar characteristics.

Established guidelines must be applied to credit risk, counterparty risk, country risk, the possibility of disbursements to pay suretyship, guarantees, loan commitments and other similar operations, and the possibility of losses due to non-compliance with obligations related to the settlement of operations involving bilateral flows.

RESPONSIBILITIES

Itaú Unibanco has set up a structure of commissions and committees to control and manage risk. In addition to the mentioned structure, the areas whose main responsibilities are described below are related to the structure of credit risk control.

Credit Risk Control

- To define the centralized credit risk control setting and disclose credit decisions, corporate policies and credit risk management strategies to Business Units and CROs of International Units;
- To define and review, on an annual basis, the policies, strategies and procedures that establish operational limits, risk mitigation mechanisms and procedures to keep the exposure to credit risk at levels considered acceptable by the management, and to have them approved by the applicable approval authorities;
- To establish guidelines to define the group with common economic interest and/or borrowers or counterparties with similar characteristics (connected counterparties);
- To establish maximum limits/boundaries aligned to the Bank’s risk appetite to perform operations both individually and at the aggregate level of connected counterparties;


- To establish guidelines for credit reorganization, governance of the information required to understand the risk, frequent assessment of the guarantee sufficiency degree and detection and prevention of quality deterioration of transactions, accessible to people involved in the credit granting and management process;
- To establish credit recovery corporate guidelines, including monitoring of recovery portfolio and report of exceptions to the proper forum;
- To define criteria and procedures to identify and monitor exposures characterized as problematic assets;
- To monitor the exposure to credit risk, bearing in mind the maintenance of the exposure to credit risk at levels considered acceptable by the institution’s management;
- To promote the continuous monitoring of the Bank’s portfolio and strategies adopted, reporting to the top management the evidence of quality deterioration of transactions and possible exceptions to the established rules;
- To frequently report to the top management the main portfolio performance indicators; the portfolio concentration in activity sectors and other homogeneous risk groups; the exposures with economic groups bearing the highest credit limits approved; the exposures with economic groups presenting excessive risk due to evidence of credit quality deterioration; and high relevance credit renegotiations;
- To assess transactions/portfolio, taking into account market conditions, macroeconomic perspectives, changes in markets, products, effects of sector and geographic concentration;
- To define policies containing the responsibilities for storing information referring to losses related to credit risk and credit recovery;
- To previously analyze the credit risk involved in the change and creation of new products;
- To define the counterparty’s credit risk guidelines and procedures that describe processes and routines used to measure such risk;
- To establish indicators that measure the effectiveness of policies and strategies adopted in relation to the performance of risk management, reporting the result to the top management;
- To manage the process of preparation and review of credit risk institutional policies, complying with regulatory guidelines and reviewing them at least on an annual basis.

Credit Risk Modeling

- To define policies and procedures which establish the criteria used in the internal credit risk classification;
- To estimate loan losses, using consistent and prudent criteria;
- To monitor the performance of credit risk models;
- To document models used in credit risk management.

Market Risk Modeling

- To develop models to measure the counterparty’s credit risk.

Finance

- To monitor the adequacy of Reference Equity (PR) level in relation to the credit risk taken by the institution;
- To establish policies and carry out simulations of extreme conditions (stress tests), covering economic cycles, change of market and liquidity conditions, including violation of assumptions, whose results must be considered upon the establishment or review of policies and limits;
- To define rules for calculating the Provision for Doubtful Debtors (PDD), complying with applicable rules and regulations;
- To assess the sale or transfer of financial assets related to the retention of credit risks;
- To publish, in the accounting statements, the description of the credit risk management structure and/or indicate the location of the document containing such description;
- To publish the document that discloses the information referring to risk management, including the description of the credit risk management structure.

Internal Controls and Compliance (Brazil and International Units)

- To define policies and procedures for managing and validating models and internal credit risk management procedures;
- To validate and approve, in proper forums, models used in credit risk management.

Business Units (Brazil and International Units)


- To ensure that limits are respected, subject to the risk appetite established by the Holding Company.
- To propose and review credit granting policies, complying with Itaú Unibanco’s guidelines and market, macroeconomic and product perspectives, among others.
- To ensure that the criteria and procedures for granting and managing credit are observed.
- To apply the credit risk model approved to the right audience.
- To ensure that the Holding Company’s policies for credit recovery are observed.
- To store documents and information on loan losses, even when the losses are recovered.
- To monitor and report on the loan portfolio and exceptions both at the individual level and for groups of transactions with similar features.
- To comply with the Governance of assessment of new transaction types and credit risk products and verification of adequacy of procedures and controls adopted by the institution.
- To maintain a sufficient number of qualified staff in the credit area and in the securities and derivatives trading area.
- To ensure that the Holding Company’s compensation policies are observed, so as not to encourage behavior incompatible with the level of risk expected.

Internal Audit
- To periodically verify, in an independent and objective manner, processes and procedures of risk, control and governance management,

Approved by the Board of Directors on 02.22.2018


ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Open Company NIRE 35300010230

PUBLIC ACCESS REPORT
CAPITAL MANAGEMENT POLICY

PURPOSE
Establishing the capital management process adopted by Itaú Unibanco Holding S.A. (Itaú Unibanco), complying with the applicable regulations and the best market practices.

GUIDELINES
The capital management process must support the institution in accordance with the principles defined in the Risk and Capital Management. These principles are reflected in the following guidelines and, according to them, the capital management of Itaú Unibanco must:
· ensure that policies and strategies for capital management are clearly documented and establish mechanisms and procedures designed to maintain the Capital Requirements (PRE), the Level I and the Main Capital Principal compatible with the risks incurred by institutions;
· keep systems, routines and procedures for capital management;
· be compatible with the nature of the operations, the complexity of the products and the services being offered, and the dimension of the risk exposure;
· ensure that the Capital Management strategies and policies, as well as the capital plan, are submitted to the Board of Directors, at least on an annual basis, for review and approval, in order to determine their compatibility with the strategic plan of the institution and the market conditions;
· generate timely management reports for the institution's office, the risk committee and the board of directors, pointing out possible weaknesses in the capital management structure and actions to correct them and the adequacy of PR, Level I and principal Capital levels to risks incurred;
· ensure that the Solvency and Liquidity Regularization Plan for SUSEP is complied with if there is a possible situation of insolvency or non liquidity by one or more insurance companies, assuring that areas involved in the asset management are informed to define the corrective action proposal, as well as to submit it to impact assessment;
· clearly define the governance and the responsibilities of the capital management process and disclose decisions and policies related to this process for the impacted areas, as well as monitor the regulatory capital of the international units.
The business units and international units must ensure that the decisions and policies approved are properly implemented.

RULES

Steps of the Capital Management Process
The capital management process in Itaú Unibanco is defined as an on-going and prospective process composed of:
a) the identification and analysis of the material risks to which Itaú Unibanco is exposed, and assessment of the capital needed to face those risks;
b) a capital plan which considers the strategic guidelines, the economic environment, the regulations and the risk appetite of the institution;
c) stress tests, aimed at analyzing the impact of serious events on the capital level of Itaú Unibanco;
d) a capital contingency plan, maintained for cases when the capital sources turn out to be unavailable or insufficient;
e) the internal monitoring and assessment of capital adequacy and periodical management reports.
The internal capital adequacy assessment process (ICAAP) embodies all of the elements as listed above, as well as their components.


Additionally, Itaú Unibanco has a contingency plan whose goal is reestablishing adequate capital and liquidity levels above the minimum regulatory levels through strategies in face of severe stress shocks of systemic or idiosyncratic aspect.

Identification of the risks and assessment of materiality
The ICAAP must, at least annually, identify the risks to which Itaú Unibanco is exposed, and the potential risks that might arise due to its strategic objectives during the subsequent 12 months period at least. Every risk that is identified must be assessed regarding its materiality for the institution. The analysis of the materiality of each identified risk must comply with, at least, the following criteria:
I - the risk is accounted for in the risk appetite statement;
II - the possibility that the risk may generate a significant financial impact;
III - the possibility that the risk may cause a significant non-quantifiable impact.

Assessment of the need of allocated capital for material risks
For the risks contemplated at the Required Reference Equity (PRE) (pillar 1 risks), Itaú Unibanco should, at least annually, assess the adequacy of the allocated capital for each risk category. Regarding the other material risks (Pillar 2 risks), Itaú Unibanco must, at least annually, assess the need of additional capital for the coverage of each risk individually. For the risks that require additional capital, internal quantifying methods are used to assess the amount of additional capital needed. Internal methodologies for quantifying additional capital, as well as any correlations or diversification effects, must be independently validated by the technical validation area or by an independent area appointed for this end. The justifications for not requiring capital allocation should also be validated by an independent designated area.

Capital Plan
Itaú Unibanco’s capital plan must be consistent with its strategic purposes, aimed at ensuring adequate and sustainable levels of capital, including, in its development, the limits of the risk appetite statement and the economic environment and regulatory analyses. The capital planning must also take into account the contingency plan, as well as the financial and capital projections (which considers the dividends distribution policy, among other issues) for at least the 3 years subsequent to the considered date, elucidating the main sources of capital.

Capital Stress Tests
Itaú Unibanco must perform stress tests aimed at understanding the impact of serious incidents over the capitalization level of the institution. The stress scenarios must be approved by the Board of Directors and the results from the stress tests must be considered for the definition of the business and capital strategies of Itaú Unibanco. The capital management structure should provide for the evaluation of the capital impacts based on the definition of severe scenarios chosen by the Institution and include it in the results of the stress test program. The stress test process is described on Internal Policy.

Contingency Capital Plan
Itaú Unibanco must have a capital contingency plan in place for cases where capital sources turn out to be unfeasible or insufficient, or for unforeseen cases that might affect the institution’s capital adequacy. The contingency plan must at least define its triggering capital limits, as well as the corresponding governance, in addition to contingency actions and the respective persons responsible for them, so as to maintain the proper level of capitalization of Itaú Unibanco in an adverse situation. The areas involved in the capital management process must be capable of executing the contingency plan, whenever it is activated.

Monitoring and Assessing the Capital Adequacy and periodical management reports
The indexes of Main Capital, Level 1 Capital and Total Capital, either budgeted or actual, must be monitored and reported in the Capital Committee (CCap), at least bimonthly, in order to assure the adequacy of the current and future capital levels, as well as their adherence to the limits established by the risk appetite statement of Itaú Unibanco. The capital adequacy, by comparing the regulatory allocated capital (Reference Net Equity) and the capital estimated through internal methodologies (includes Pillar 1 and Pillar 2 risks’ capital) must be monitored, at least, annually. The capital adequacy management reports, with the budgeted and actual capital levels, must be calculated and submitted to the Board of Directors. All documents must be kept in a safe network and with access control for at least five years.


Contingency Plan
The contingency plan must include at least the following: description of the institution’s critical roles and key services; monthly indicator monitoring program related to possible risks to solvency and liquidity, informing the high management through committees (CCap, CGRC and CSRML); severe stress scenarios of systemic and idiosyncratic aspect that menace the institution’s feasibility; strategies of capital and liquidity recovery, their financial impacts, risks for execution and possible mitigators; and a communication plan for all stakeholders. Areas involved in the capital, liquidity and pricing management process must be able to perform the actions of the contingency plan whenever it is used. All processes and responsibilities of the contingency plan are set forth in the operational manual revised annually by the Integrated Capital Management Superintendence, which is forwarded to areas involved in the process.

Solvency and Liquidity Regularization Plan – SUSEP
The Solvency and Liquidity Regularization Plan’s indicator is the Capital Sufficiency Measurement, monthly calculated as per CNSP Resolution No. 321. The action plan must address the following topics: deadlines and goals; identification of factors that contributed to the insufficiency, as well as the identification of problems related to assets and liabilities, business growth, extraordinary exposure to risks, product diversity, reinsurance and other relevant factors, in addition to the corrective action proposal. If the insufficiency lasts for three months in a row or if it occurs in the months corresponding to the disclosure (June or December), the schedule will be engaged: As of the receipt of SUSEP notification, the insurance company has 45 calendar days to present a corrective action plan.

Solvency
- If the plan is refused, the insurance company will have two more attempts of 45 calendar days to present a new plan proposal. In case of refusal, the Tax Management Plan will begin, i.e., direct intervention of SUSEP;
- If the plan is accepted, the insurance company will have 18 months to execute it and restore the solvency level, which can be extended to up to 9 months.

Liquidity
- If the plan is refused, it will follow the same procedure adopted for the Solvency;
- If approved, the insurance company will have 9 months to execute the plan and restore the liquidity level, which can be extended to up to 6 months.

The Integrated Capital Management Superintendence will carry out the communication plan to the areas of asset management of the insurer group (Actuarial, Corporate Tax, Financial Planning, Products and CAAF Treasury) as of the first month of insufficiency as an alert in order to analyze risk situations. Once the action plan is defined, SGIC will assess the impacts of the proposal so that the decision is resolved in applicable committees to validate and perform said plan.

Independent Validation
The ICAAP must be validated independently, in regard to the technique and in regard to the adequacy of the processes and controls. The technical validation must assess methodologies and models involved in the ICAAP, comprising at least:
I - the internal methodologies for quantification of Pillar 1 and Pillar 2 risks capital;
II - the stress tests models;
III - the correlation estimates, when used;
IV - the coverage, consistency, integrity and reliability of the models and methodologies used in the ICAAP.
The independent validation process, related to the processes and controls, must assess the information and processes of the ICAAP, considering at least:
I - the governance, processes and reports structure for managing risks and capital;
II - the inclusion of all material risks;
III - the coverage, consistency, integrity and reliability of the processes and controls used in the ICAAP and the independence of their sources;
IV - the consistency and the reliability of the information that composes the ICAAP report.
The independent validation process must be performed, at least, every three years and, particularly, whenever a relevant change in the ICAAP or in the risk profile of the institution takes place. The results from this process must be disclosed in the independent validation report of the ICAAP.


The Contingency Plan must be submitted to an independent review process at least every three years or whenever there is a relevant change in the economic and financial scenario, operational strategies, business model, organizational structure or processes linked to critical roles and key services. The review must involve the assessment of critical roles and key services, the adequacy and solidity of the monitoring program and stress scenarios, barrier mapping and risks to the efficiency of contingency and governance strategies and other criteria and procedures associated to the operationalization of the plan.

Documentation
The ICAAP report must be prepared annually, with end-of-year information (December 31st) and submitted to the Central Bank of Brazil until April 30th of the subsequent year, after being duly approved by the Board of Directors. Through approving the ICAAP report, the Board of Directors also approves:
- The identification of the material risks, the definition of the additional capital need for the material risks and the internal methodologies for quantifying the material risks to be capitalized;
- The capital plan, for both normal and stressed market conditions;
- The contingency capital plan;
- The internal assessment of capital adequacy;
- The independent validation of processes and controls of the ICAAP.
· The audit findings and conclusions should be reported to the Board of Directors.
· All Internal Capital Adequacy Assessment Process (ICAAP) documentation must be kept in a secure network and with access control for at least 5 years.
· The capital management structure must be evidenced in a public access report, with minimum annual frequency, as well as in explanatory notes and in the Risk and Capital Management Document.
· The Contingency Plan document must be annually reviewed and approved by the Board of Directors in order to ensure that strategies remain updated and feasible in face of organizational, competition or systemic changes. The Capital Integrated Management Superintendence is responsible for keeping all Contingency Plan documents in a safe network and with Access control for at least five years. · SGIC is also responsible for annually reviewing the SUSEP Solvency and Liquidity Regularization Plan to ensure the governance among asset management areas of the insurer group in a possible situation of solvency and/or liquidity insufficiency. RESPONSIBILITIES Itaú Unibanco organized a structure of committees and commissions for managing and controlling risks, as well as for capital management, whose attributions and compositions are established below. Finance and Risks Management and Control Area Finance Office · To coordinate the Capital Committee; · To coordinate the ICAAP and prepare and submit the annual report to the Board of Directors approval; · To ensure that the documentation required for ICAAP is maintained for 5 years; · To analyze the capital need for material risks and propose capital allocation; · To propose and approve in proper forum the internal capital measurement methodologies for material risks to be capitalized; · To calculate the regulatory capital and estimate the capital need arising from internal methodologies; · To coordinate the preparation of the capital plan; · To coordinate the preparation and maintenance of the capital contingency plan; · To coordinate the simulations of severe events and their impacts on capital; · To ensure methodologies and processes used in capital management and ICAAP and filing of ICAAP’s annual reports are documented; The Contingency Plan must be submitted to an independent review process at least every three years or whenever there is a relevant change in the economic and financial scenario, operational strategies, 
business model, organizational structure or processes linked to critical roles and key services. The review must involve the assessment of critical roles and key services, the adequacy and solidity of the monitoring program and stress scenarios, barrier mapping and risks to the efficiency of contingency and governance strategies and other criteria and procedures associated to the operationalization of the plan. Documentation st The ICAAP report must be prepared annually, with end-of-year information (December 31 ) and submitted to the Central th Bank of Brazil until April 30 of the subsequent year, after being duly approved by the Board of Directors. Through approving the ICAAP report, the Board of Directors also approves: · - The identification of the material risks, the definition of the additional capital need for the material risks and the internal methodologies for quantifying the material risks to be capitalized; · -The capital plan, for both normal and stressed market conditions; · - The contingency capital plan; · - The internal assessment of capital adequacy; · -The independent validation of processes and controls of the ICAAP. · The audit findings and conclusions should be reported to the Board of Directors. · All Internal Capital Adequacy Assessment Process (ICAAP) documentation must be kept in a secure network and with access control for at least 5 years. · The capital management structure must be evidenced in a public access report, with minimum annual frequency, as well as in explanatory notes and in the Risk and Capital Management Document. · The Contingency Plan document must be annually reviewed and approved by the Board of Directors in order to ensure that strategies remain updated and feasible in face of organizational, competition or systemic changes. The Capital Integrated Management Superintendence is responsible for keeping all Contingency Plan documents in a safe network and with Access control for at least five years. 
· SGIC is also responsible for annually reviewing the SUSEP Solvency and Liquidity Regularization Plan to ensure the governance among asset management areas of the insurer group in a possible situation of solvency and/or liquidity insufficiency.

RESPONSIBILITIES
Itaú Unibanco organized a structure of committees and commissions for managing and controlling risks, as well as for capital management, whose attributions and compositions are established below.

Finance and Risks Management and Control Area
Finance Office
· To coordinate the Capital Committee;
· To coordinate the ICAAP and prepare and submit the annual report for the Board of Directors’ approval;
· To ensure that the documentation required for ICAAP is maintained for 5 years;
· To analyze the capital need for material risks and propose capital allocation;
· To propose and approve in proper forum the internal capital measurement methodologies for material risks to be capitalized;
· To calculate the regulatory capital and estimate the capital need arising from internal methodologies;
· To coordinate the preparation of the capital plan;
· To coordinate the preparation and maintenance of the capital contingency plan;
· To coordinate the simulations of severe events and their impacts on capital;
· To ensure methodologies and processes used in capital management and ICAAP and filing of ICAAP’s annual reports are documented;


· To request a new independent validation process whenever there are relevant changes in ICAAP or in the institution’s risk profile;
· To prepare short and long term capital projections to define the capital budget;
· To monitor capital adequacy in view of the capital need estimate arising from internal assessment, as well as from current and future capital indexes and adherence to limits established by risk appetite;
· To prepare management reports about the capital adequacy assessment result and executed and projected capital indexes;
· To report and disclose information requested by the Brazilian regulating authority and monitor the information report adequacy to local regulating authorities (International Units);
· To propose capital limits and governance to enable the capital contingency plan, as well as contingency actions and their respective responsible departments;
· To monitor capital sources;
· To measure the capital needed to bear the risks of each business unit;
· To monthly inform the Regulatory Capital to the Investors Relation to monitor Itau Unibanco Holding’s financial covenants;
· To propose actions to optimize capital requirement and capital structure;
· To assess the need to issue capital instruments and/or change capital breakdown;
· To manage the process of preparation, revision and approval of capital management policies;
· To coordinate the preparation of the Risk and Capital Management Document, as defined in specific regulations, as well as explanatory notes that explain the concept of capital management;
· To monitor the preparation of the international unit’s Risk and Capital Management Document (Pillar III).
· To coordinate the drafting and monitoring of the Bank Recovery Plan;
· To communicate to areas related to the Insurance management, in a possible situation of insolvency or non liquidity, about the need of developing contingency corrective actions, as well as assessing impacts and submitting the decision to be approved by executive committees associated to plans to be developed, additionally to the Board of Directors.
· To control the ICAAP schedule of the international units with the Holding;
· To assist international units in the preparation of the ICAAP document, when required by local regulations, proposing and validating their capital quantification methodologies and justification of non-capital requirements;
· To monitor the capital level of international units.

Risks
· To coordinate risk identification procedures;
· To prepare a methodology to assess material risks and submit the results to the Board of Directors to decide on the materiality;
· To update ICAAP’s annual report sections referring to material risks management process, risk governance and action plans defined to the subsequent year;
· To request a new independent validation process whenever there are relevant changes in ICAAP or in the institution’s risk profile.

Validation Unit of the Risk Models
· To technically validate, in an independent manner, the methodologies and models used in the ICAAP.

Business Units
· To provide for the Wholesale Finance and Credit and Modeling Offices, the necessary information for measuring the required capital.
· To manage the business operations, observing the guidelines of the capital budget.

Treasuries Office
· To plan the issuance of capital instruments, along with the Finance Area;


· To perform the issuances of capital instruments and report the evolution to the CSRML.
· To monitor the supplementary and level II capital sources, to notify the ACGRF about the availability and estimated cost of these instruments, and to provide inputs for the budgeting process;
· To propose actions for the optimization of the required capital assessment and the capital structure;

Executive Office of Operational Risks and Compliance
· To validate, in an independent manner, the processes and controls of the ICAAP;
· To support management in gathering information for preparing the annual ICAAP report, including the International Units.
· To report the independent validation of the processes and controls to the management of risks and capital, in order to compose the annual ICAAP report, including the results from the independent technical validation of models and methodologies, and submitting it to the Board of Directors.

Internal Audit
· To verify, in an independent and periodical manner, the adequacy of the capital management process;
· To report the results of the independent assessment of the effectiveness of the risk and capital management process, in order to compose the annual ICAAP report.

International Units – Risk Control and/or Financial Area
· To prepare, when required by the local regulator, the international unit’s ICAAP report and forward it for assessment by the Holding Company’s Finance and Risks Management and Control Area (ACGRF) – Wholesale Finance of Holding Office;
· To prepare, when required by the local regulator, the international unit’s Risk and Capital Management report and forward it for follow up by the Holding’s Finance Area - Wholesale Finance Office.
· To report to the Wholesale Finance Office, at least quarterly, the unit’s level and capital projections and the explanations of this index’s variation, according to the local regulator.
· To submit to the Wholesale Finance Office any changes in corporate rules and events that impact the capital.

RELATED DOCUMENTS
Circular 3.547, of July 7th, 2011, by the Central Bank of Brazil.
Circular Letter BACEN 3.774, of July 14, 2016.
CMN Resolution 4.557, of February 23, 2017 and 4.388, of December 18, 2014.

GLOSSARY
Risks of Pillar I: risks covered by the Required Reference Net Worth or, that is to say, risks of credit, market (portfolio of negotiations) and operational.
Risks of Pillar II: all of the other risks not covered by the Required Reference Net Worth.
Regulatory Capital: it is the minimum capital that must be kept, in order to assure the solvency of the institution, inclusively covering the International Units according to the regulations of the respective country abroad.

Approved by the board of Directors on 2018.09.27.