
Exhibit 99.1

ITAÚ UNIBANCO HOLDING S.A.
Tax Payer's # [CNPJ] 60.872.504/0001-23
Publicly-Held Corporation
NIRE 35300010230

MARKET RISK MANAGEMENT AND CONTROL POLICY

OBJECTIVE

Establish the market risk management and control framework of Itaú Unibanco Holding S.A. (Itaú Unibanco) following the applicable regulations and best market practices.

INTRODUCTION

Market risk is the possibility of losses arising from the fluctuation in market prices of positions held by an institution, including the risks of transactions subject to fluctuations in exchange rates, interest rates, stock prices, price indices and commodity prices.

Market risk depends on the behavior of the asset price in face of market conditions. In addition to the treasury function, which buys and sells securities, other functions may impact the market risk assumed by the bank, e.g. the procurement department, when purchasing in foreign currency, or even the marketing department, when undertaking to sponsor, for instance, the Brazilian soccer team.

Market risk control is based mainly on the following metrics:

· Value at Risk (VaR): a statistical measure that quantifies the maximum potential financial loss expected under normal market conditions, taking into account a certain time horizon and confidence interval. For example, the VaR for a given day may be R$5,000,000.00 considering a confidence interval of 99%. This means that the bank has 99% confidence that loss on that day will not be greater than that amount.

· Mark to Market (MtM / Pricing): marking to market or pricing securities means updating the amounts of transactions that make up the bank's portfolio using the best available values.

These metrics, among others, are used to set thresholds and trigger alerts for the department.

GUIDELINES

Market risk control processes shall strictly follow the principles defined in this policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco's market risk management and control framework shall:

· Ensure the use of integral databases that reflect the business conducted based on duly approved products, which ensure correct information and calculations, from registration to recording in books;

· Apply models that reflect best market practices;

· Ensure that portfolio pricing is preferably based on quotations observed in financial markets, captured through integral external sources. When there is no price available, the calculation shall be made through a pricing model that represents a fair valuation of positions. In such cases, these assessments shall be consistent and verifiable, and market benchmarks and data used in the assessment shall be regularly reviewed.

· Calculate the results of marked-to-market portfolio positions following the bank's model governance.

· Have risk control functions responsible for defining and applying pricing parameters, independently from the business areas.

· Establish and ensure that the processes and systems adopted to measure, monitor and control exposure to market risk:
  - Are compatible with the nature of transactions, the complexity of products and the size of the institution's exposure to market risk;
  - Contain all sources of market risk, and
  - Generate timely risk exposure reports for the business units, the institution's executive board and the Board of Directors;

KEY ROLES AND RESPONSIBILITIES

The Market Risk control framework at Itaú Unibanco involves the parties below, whose roles in connection with this matter are described below.

Board of Directors:
- define the institution's risk appetite and review it annually.

High Market and Liquidity Risk Committee:
- define the authority levels related to market risk control and review them annually.
- monitor market risk indicators by making the necessary decisions and following the risk appetite.

Chief Risk Officer:
- responsible for market risk management at Itaú Unibanco.

Market Risk Control:
- identify, measure, control, monitor and report exposure to market risk to business areas and report to high committees;
- monitor the exposure conformity with the approved limits, alerts and other market risk control measures, informing possible nonconformity to the relevant authority levels and requesting an action plan for conforming it;
- maintain specialized and adequately-sized teams to support market risk processes and systems under its governance and development management.
- calculate the managerial results of positions and disclose them to the functions that would enable monitoring and support in decision making.

Business Areas:
Employees are at least expected to fully understand the nature of the risk in the portfolios under their management and the effective management of this risk, ensuring transparency to desk managers and conformity with the established limits.

MARKET RISK CONTROL

The Market Risk control at Itaú Unibanco is conducted through governance and processes ensuring that:

· The institution is operating in accordance with the risk appetite defined by the Board of Directors, reviewed and approved annually based on a limit and alert framework. The limits are sized by assessing the projected balance sheet results, size of equity, liquidity, complexity and market volatility, as well as the institution's risk appetite.

· The use of limits is reported by the Market Risk function to the Business Areas and to the bank's executives. Alerts serve as pre-set limit indicators.

· The institution's limit and alert framework is composed of aggregate metrics that monitor and limit the risk in a global and granular way, in order to avoid excessive concentration of risk in one single risk factor.


· The limits are amounts that the business areas must mandatorily observe, while the alerts are metrics that send a signal to the institution and, through clearly defined governance, establish procedures to be adopted if an alert is triggered.

· The mark-to-market (pricing) of positions shall be based on quotations captured from external sources or, if this is not possible, calculated based on models developed and validated according to guidelines established in specific policies.

· Information on prices and traded positions is stored in one single historical and corporate database, with controls that ensure its integrity and completeness, and with functionalities that allow historical information to be consulted.

· The models used capture the correct sensitivity, the market oscillations by applying compliance tests periodically to the total portfolio and sub-portfolios, including all risk categories. Their results shall be analyzed and used to improve the models and manage the institution's risk. In addition, the managerial result shall be used to verify compliance of the market risk measurement models.

· Potential risk in extreme market situations is measured, complementing statistical risk measures, through the application of stress tests to all positions of portfolios of financial and non-financial companies.

In addition, to positions in the portfolio that do not have prices directly observed in the market, which are not liquid or are assessed through an internal pricing model, particularly securities and derivatives, apply prudential adjustments correcting possible MtM errors, and following the relevance and materiality criteria.

Approved by the Board of Directors on 14/12/2018.


ITAÚ UNIBANCO HOLDING S.A.
Tax Payer's # [CNPJ] 60.872.504/0001-23
Publicly-Held Corporation
NIRE 35300010230

PUBLIC ACCESS REPORT - INTEGRATED OPERATIONAL RISK MANAGEMENT AND INTERNAL CONTROLS

OBJECTIVE

Establish guidelines and responsibilities associated with operational risk management and internal controls, observing good market practices, applicable standards and regulations.

INTRODUCTION

We're all risk managers. Risks are inherent to all activities of the Institution and are part of the employees' day-to-day, being present in the processes, existing or new products and services, including outsourced services. Managing operational risks properly is an essential condition for the sustainability of Itaú Unibanco's business.

The Central Bank of Brazil defines operational risk as the possibility of loss occurrence resulting from an external event or from error, defect or inadequacy of internal processes, persons or systems. It also includes the legal risk associated with inadequacy or deficiency in contracts signed by the Institution, the penalties on the grounds of non-compliance with legal provisions and reimbursement for damages to third parties arising from activities developed by the Institution.

Proper management of operational risk entails the identification of risks inherent to the activities, projects, products or services, and their prioritization, according to the level of criticality (importance), taking into account impacts on the objectives of the process or organization.

Once risks are prioritized, response measures are taken, i.e. actions addressing each of the identified risks, in order to fit them into acceptable levels of exposure. Such actions may include the implementation of preventive controls in order to reduce the possibility of materializing the risk, or involve controls aimed at the detection of materialization. The decision to share a risk may be taken by transferring the activity partially or totally, such as outsourcing the activity, for example. The risks mentioned can also be avoided by simply going for the discontinuity of the risk-generating activity, or assumed, in which case the decision must be to not adopt additional control measures in relation to existing ones.

GUIDELINES

The Board of Directors approves the guidelines, strategies and policies relating to operational risk and internal controls, while ensuring that there is clear understanding of roles and responsibilities at all levels of the conglomerate.

The specific guidelines related to operational risk management and internal controls are defined below.

Operational risk management model

Itaú Unibanco adopts the strategy of the three defense lines to operationalize its risk management structure.

Identification of operational risks

Operational risks that may influence the achievement of the strategic and operational objectives defined by the conglomerate shall be continuously identified and updated. The identification scope includes the operational risks inherent in the conglomerate's activities, existing or new products and services, including outsourced services.

Risk identification can occur at any time in the design of a new process, project or product as well as during its existence. For this, one must evaluate the inherent risk, that is, disregard from the context the existence of any control activity, evaluating which failures the risk identification scope is subject to and which, therefore, could affect the planned result (objectives).

Exposure to operational risk events that are rare and high-severity, but considered plausible, is assessed by creating scenarios, providing information on the potential risk, generating loss estimates and considering, where necessary, the impact of the simultaneous occurrence of multiple operational risk events.

Prioritization of operational risks

The operational risks identified are prioritized according to their level of impact on the Board and/or Conglomerate. In order to assist in the proper impact assessment, it is important to consider the various impact possibilities and their scope, such as:


· Financial: assess the representativeness of the financial impact that the exposure to the operational risk can generate in the business and/or the organisation. Risks that may lead to significant errors in the accounting statements are classified in Sarbanes-Oxley Law (SOX).

· Image/Reputation: evaluate the possible negative impact on national and international media (visibility and dissemination), as well as the damage to the brand and its possibility of reversal.

· Legal/Regulatory: evaluate the possibilities of generating regulatory non-compliance, as well as the possibility of entailing fines, warnings, audits, administrative procedures or losses of operating licenses.

· Customers: evaluate the volume of customers impacted, the segments or distribution channels involved.

Response to operational risk

Responding to operational risk means defining what action will be taken in relation to the identified risk. Some possible actions:

· Mitigation: establish actions that reduce the probability of operational risk materializing in the process or actions that decrease the impact produced.

· Sharing: establish actions that aim at reducing the impact and/or likelihood of the risk occurring through the transfer or, in some cases, the sharing of a part of the risk. It may involve outsourcing activities or hiring insurance, for example.

· Avoid: establish actions that eliminate the probability of the risk materializing. It may involve discontinuity of risk-driven activity/operation.

· Assume: no action is established to reduce the impact and/or likelihood of the risk occurring. In this case, risk-taking governance should be observed.

Actions requiring technological development must be validated by the second line of defense as to their risk classification and must be associated with risk notes, Compliance notes and/or internal audit notes.

Monitoring of the level of exposure to operational risks

Exposure to the relevant operational risks shall be monitored by the organization by means of risk indicators in accordance with the established tolerance levels.

Operational risk notes, internal and external audits shall be carried out and periodically monitored by the first line of defense.

The second line of defense should validate the implementation of the action plans of the Operational Risk notes of moderate and high level, according to the operational risk pointing management policy, as well as moderate internal audit points, according to internal policies.

Reporting of operational risks

High-risk notes identified by the lines of defense, regulators or external audit shall be communicated to top commissions, business unit executives, Chief Risk Officers (CROs), Audit Committee, Board of Directors and Risk Committee. The communication of notes from Internal Audit must comply with internal policies.

Communication of operational risk management actions

The description of the operational risk management structure is made available by means of a public access report, approved by the Board of Directors. Additionally, a summary of the description of the operational risk management structure and Internal Controls is published along with the accounting statements.

The decisions, policies and strategies defined for managing the operational risk of international units are disclosed to the Chief Risk Officers (CROs).

Management of operational risk loss base

All areas of Itaú Unibanco are exposed to operational risk events, and Business Units (first line of defense) are responsible for identifying such events and associated loss values, in order to compose the operational loss database (BDPO). Expenses and provisions related to operational risk events that impact the bank's profit and loss accounts shall be reported to the BDPO.


Capital allocation for operational risk The conglomerate uses the standard alternative approach (ASA) in the calculation and allocation of regulatory capital for operational risk. In addition, the calculation and allocation of economic capital for operational risk [ICAAP] is carried out. The adequacy of the level of reference assets [PR], in relation to the operational risk assumed by the conglomerate, should be regularly monitored. MAIN ROLES AND TASKS Management Board: The Board of Directors approves the guidelines, strategies and policies relating to operational risk and internal controls, while ensuring that there is clear understanding of roles and responsibilities at all levels of the conglomerate. Audit Committee: - Supervise internal control and risk management processes. Higher Commission on operational risk: - Know the risks of the processes and business of Itaú Unibanco, define the guidelines for the management of operational risks and evaluate the results of carried out work. Compliance and Operational Risk Committee: - Monitor and promote the development and implementation of the guidelines approved and defined by CSRO for each Executive Area, discuss the main risks and potential of the Business Areas, as well as the action plans proposed for mitigation. Internal committee for Operational Risk: - Discuss matters relating to operational risks and internal controls of each business unit, which will be taken to a higher level in the Compliance and Operational Risk Committees. Chief Risk Officer: - Responsible for operational risk management within the institution. Internal controls and operational risk: Inserted in the second line of Defense, the structure is represented by the overseers who act as officers of internal controls and risks (OCIRs) and, together with their teams, are responsible for: Support the first line of defense in observing their direct responsibilities. 
· Develop and make available the methodologies, tools, systems, infrastructure and governance necessary to Support Integrated Operational Risk Management and internal controls in the relevant conglomerate and outsourced activities; · Coordinate the activities of Operational Risk and Internal Controls are next to the areas of Business and Support, being independent in the exercise of its functions and having direct communication with any director or employee, as well as access to any necessary information within the scope of their responsibilities. For this reason, it is forbidden to conduct the management of any business that may compromise its independence. Business/Support areas: - Prime responsibility for identifying, prioritizing, responding to risk, monitoring and reporting operational risk events that may influence the achievement of the defined strategic and operational objectives. Internal Audit - Verify, independently and periodically, the adequacy of the processes and procedures for identifying and managing risks, in accordance with the guidelines established in internal policies. Approved by the Board of Directors on 12/14/2018.


ITAÚ UNIBANCO HOLDING S.A. Tax Payer's # [CNPJ] 07.540.097/0001-74 Publicly-Held Corporation Identification Number in the Companies Registry [NIRE] 35300010230 PUBLIC ACCESS REPORT-COMPLIANCE POLICY OBJECTIVE Establish the guidelines and main tasks associated with Compliance role, observing good market practices and applicable regulations. INTRODUCTION Compliance role aims at preventing and mitigating the exposure of Itaú Unibanco to situations of non-compliance with internal and external standards (Compliance risk), responsible for aspects of governance, compliance certification, conduct, and transparency. Compliance risk is the risk of legal or regulatory sanctions, financial losses or damage to reputation, arising out of the lack of compliance with legal and regulatory provisions, market standards, local and international commitments through codes of self-regulation, technical standards, codes of conduct or internal policies. Itaú Unibanco adopts the strategy of three lines of defense to operationalize its risk management structure (including Compliance) and to ensure compliance with the guidelines provided in this policy, with clear division of roles and responsibilities. 1. The first line of Defense is represented by the business and support areas. Its employees are responsible for risk management and adherence to standards associated with its activities, as well as for the implementation of the controls and for the implementation of corrective measures for proper treatment of risks. 2. The Second line of Defense is represented by risk control functions, which are completely segregated from the activities of the internal and legal audit, having independence in the exercise of its functions. It has direct communication with the administrators, including the members of the Board of Directors and the Audit Committee, as well as with any employee. They have access to any information required under its responsibilities.
It is forbidden, in Brazil and abroad, to the areas that make up the second line of Defense, the management of any business or process that may compromise its independence or generate conflicts of interest. For the same reason, its goals and pay cannot be related to the performance of business areas. 3. The third line of Defense is represented by the Internal Audit, which provides an independent assessment of the institution's activities by means of audit techniques. It allows management to assess the adequacy of controls, the effectiveness of risk management, the reliability of accounting statements and compliance with standards and regulations. GUIDELINES About Compliance function Compliance risk management should address existing or new processes, products and services, including relevant outsourced services. Such processes, products and services must be periodically tested and evaluated regarding compliance with applicable standards, commitments made with regulators and requirements related to the Code of ethics, where applicable to internal standards. The Compliance function is performed by the Executive Board of Operational Risk and compliance, reporting to the Finance and risk area and acting independently from the other support and business areas of the conglomerate. In the international units, there are local and independent structures responsible for the control of operational and Compliance risks, under the responsibility of the local CROs, who report to the Executive Board of Operational Risk and Compliance. The notes raised by the Executive areas, internal and external audits, regulators and other supervisory and supervisory entities must be followed up on, so that their effective treatment is guaranteed by the competent areas.
Compliance Risk reports shall be clear, objective and timely, and shall be reported to senior commissions, business unit executives, Vice president of risks, risk and Capital Management Committee, Audit Committee and Board of directors, so that the established exposure levels and limits of framework are monitored. In international units, Compliance Risk Reports should be reported to the relevant forums of each unit.


To contribute to the proper risk management, Itaú Unibanco has a risk management methodology consisting of 5 steps: identification, prioritization, Risk Response, Monitoring and reporting. MAIN ROLES AND TASKS Common to all areas of Itaú Unibanco - Conduct the integrity and Ethics and Risk Management Training provided by Itaú Unibanco. - Sign, yearly, the Form “Corporate Integrity Policies”, confirming knowledge and agreement to what is established in this policy. - Define, implement and comply with policies and procedures for adherence to regulations. - Take account of the provisions laid down by the internal policies of the conglomerate. - Report fact or suspicion of violation of the provisions of this policy. Management Board The Management Board shall be responsible for: - Approve: a) Compliance guidelines, strategies and policies, with the aim of ensuring a clear understanding of the roles and responsibilities at all levels of the conglomerate; and b) DEROC's position in the organizational structure of the institution, in order to avoid possible conflicts of interest, mainly with the business areas. - Provide the necessary means for activities related to the Compliance function to be performed properly, including the availability of resources for personnel allocation in sufficient quantity, with the necessary experience and training. - Meet with DEROC at least on an annual basis as part of the assessment of the effectiveness of Integrated Operational Risk Management, internal controls and Compliance. - Ensuring: a) appropriate management of this policy; b) effectiveness and continuity of implementation of this policy; c) communication of this policy to all relevant employees and third party service providers; d) disclosure of standards of integrity and ethical conduct as part of the institution's culture; and e) adoption of corrective measures for identified Compliance failures.
The evaluation of these items by the Board of Directors will be held on the basis of regular meetings and the annual report prepared by DEROC, as well as by the annual assessment made by the Audit Committee. Audit Committee: The Audit Committee must: - Validate Compliance policy before it is sent for approval by the Board of Directors. - Evaluate, at least annually, the Compliance structure in relation to the following aspects: a) clear definition of the tasks, roles and responsibilities of Compliance function, avoiding possible conflicts of interest, mainly with the business areas of the institution; b) positioning in the appropriate hierarchical level, independent and segregated of operational and business areas, with duly exercised mandate regarding the definition of scope, execution of the work and communication of its results; c) organizational structure consistent with the needs of the conglomerate and staff allocation in sufficient quantity, adequately trained and experienced to carry out the activities related to their respective functions; d) effectiveness of Compliance Management; and e) adhesion of the structure to the applicable adjustment. - Verify the performance of: a) communication of this policy to all relevant employees and third party service providers;


b) disclosure of standards of integrity and ethical conduct as part of the institution's culture; and c) adoption of corrective measures for identified Compliance failures. First line of Defense - Inform and empower employees and third party service providers relevant to Compliance issues; - Relate to regulatory, self-regulatory, supervisory and supervisory bodies, taking into account their requests and issuing to them the reports due; - Identify, measure, evaluate and manage Compliance risk events that may influence the achievement of the conglomerate's strategic and operational objectives; - Maintain an effective control environment, consistent with the nature, size, complexity, structure, risk profile and business model of the operations carried out, in order to ensure the effective management of Compliance risks, maintaining the risk exposure at acceptable levels, as the risk appetite established for the Conglomerate; - Define and implement the action plans for addressing non-compliance notes made by internal and external audits, internal controls, Compliance, regulators, self-regulatory and other supervisory and supervisory bodies; - Report promptly to the Compliance area when identifying changes in relation to existing standards and regulations or risks of Compliance not foreseen by the control activities; and - Maintain compliance with local and international regulatory standards and requirements. Second line of Defense Risk and Finance Area - Calculate, monitor and control the operational limits established by the regulators to ensure the regulatory adhesion of Itaú Unibanco, even when there is no obligation of periodic submission to the regulator. Operational Risk and Compliance Executive Board It is the responsibility of the Executive Board of operational risks and Compliance, through the Corporate Compliance and internal controls and operational risk boards: Support the first line of defense in observing their direct responsibilities. 
- Disclose standards of integrity and ethics as part of the conglomerate's risk culture and controls, and disseminate best practices and policies related to Compliance function; - Guide and advise the managers and employees of the conglomerate, directing specific solutions on compliance with internal standards related to the integrity and Ethics Program; - Guide and advise the managers and employees of the conglomerate, directing specific solutions related to compliance with external standards; - Assess the incentives to comply with regulations and commitments made with regulators and report these results to the Remuneration and Audit Committees; - Ensure that the teams responsible for carrying out Compliance functions have appropriate authority and that they are adequate, both in resources and in knowledge, through a structured training program; - Categorize Compliance themes according to their severity and monitor the conglomerate's exposure to these risks; - Certify the efficacy of the Compliance control environment of the first line of defense by means of monitoring and testing programs, reporting the results to the High Administration and regulatory bodies, when requested; - Review and monitor the action plans adopted for addressing notes made by internal and external audits and regulatory bodies; - Report to the Board of Directors, the Audit Committee, the risk and Capital Management Committee and the Board of Directors the relevant situations that are non-compliant; - Supervise the international units in the evaluation of adherence to the corporate guidelines, as well as in the adoption of the Compliance methodology and consolidated monitoring and reporting to the Matrix; - Coordinate implementation, monitoring and evolution of corporate integrity and Ethics Program in international units; and - Coordinate governance of International Regulation Compliance Programs relevant to the conglomerate. 


It is the sole responsibility of the Board of Corporate Compliance: - Maintain proof of the approval of this document by the Management Board; - Define principles and guidelines for the dissemination of the culture of Compliance, including training; - Develop and make available the methodologies, tools, systems, infrastructure and governance necessary to support Compliance in the relevant conglomerate and outsourced activities; - Manage the process of capturing, screening, impact assessment and compliance monitoring; - Coordinate governance of policies and procedures of Itaú Unibanco, in accordance with applicable regulations and market best practices; - Monitor policies of personal investments and Securities Trading Policy of Itaú Unibanco Holding S.A.; - Report on a timely basis relevant information, both of the results of the assessments of Compliance undertaken that have identified failures in materials, and significant changes in the regulatory environment; - Sending annual report to the Audit Committee and the Board of Directors, containing a summary of the results of activities related to Compliance issues, main conclusions, recommendations and action plans adopted for treatment of the deficiencies identified; - Manage Trade Surveillance and integrity programs; - Coordinate the relationship with regulators, self-regulators and other inspection entities and supervisors, monitoring the actions arising from the commitments undertaken, facilitating information sharing and ensuring the consistency of institutional positioning. First line of Defense Verify, independently and periodically, the adequacy of processes and procedures for the identification and management of risks, including the integrated management of operational risk, internal controls and Compliance, according to the guidelines set forth in internal documents, and submit the results from its notes to the Audit Committee. Approved by the Board of Directors on 02/28/2019.


ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Publicly-Held Corporation NIRE 35300010230

LIQUIDITY RISK MANAGEMENT AND CONTROL POLICY

OBJECTIVE
Establish the liquidity risk management and control framework of Itaú Unibanco Holding S.A. (Itaú Unibanco) following the applicable regulations and best market practices.

INTRODUCTION
Liquidity risk is the possibility of the institution being unable to honor its obligations effectively. Liquidity risk may arise when there is a mismatch between cash flows (assets and liabilities) that affects daily transactions or generates significant losses.

Example: Customer A deposits R$100.00. Customer B requests a loan of R$100.00 for a period of one year. At this point the bank transfers the amount deposited by Customer A to Customer B. After a few days Customer A requests the withdrawal of the amount deposited. If the bank does not have this amount available it will not be able to honor its commitment, presenting a liquidity problem. Significant losses may occur if the bank decides to sell an asset, on a timely basis, to generate cash and honor its commitment to Customer A.

Liquidity risk is controlled by a department that is independent from the business areas. The purpose is to compare assets (usually the most liquid) with financial obligations (generally shorter-term maturities) and ensure that cash equivalents are sufficient to meet its obligations. The liquidity risk is controlled in accordance with the Limit Framework established by the Board of Directors and by the Higher Committees.

GUIDELINES
Liquidity risk management and control processes shall strictly follow the principles defined in this policy.

The liquidity risk measurement shall cover all financial transactions of Itaú Unibanco's companies, as well as possible contingent exposures (exposures with no estimated date) or unexpected exposures (changes in cash inflow or outflow). These situations are commonly caused by:
- settlement services (e.g. significant decrease in tax collection, settlement of bank payment slips or bank transfers);
- granting of pledges and guarantees (e.g. customers executing pledges and/or guarantees due to failure to repay loans);
- acquired and unused lines of credit (e.g. increased use of overdraft limits or credit cards).

The main measure used for controlling liquidity risk shall be the reserve, which is composed of:
- cash equivalents in Brazil (federal government bonds, cash, deposits in the Central Bank of Brazil, any asset that could be immediately traded and converted into cash without significant loss in value);
- cash equivalents overseas (assets that could be immediately traded and converted into cash abroad without significant loss in value, such as currency in kind, cash equivalents in other banks);
- all assets immediately convertible (D0) into means of payment.

Liquidity Risk Control includes contingency and liquidity recovery plans to clearly define liquidity recovery actions in different stress scenarios.

KEY ROLES AND RESPONSIBILITIES
The Liquidity Risk control framework at Itaú Unibanco involves the following parties, whose roles in connection with this matter are described below.

Board of Directors:
- define the institution's risk appetite and review it annually.

High Market and Liquidity Risk Committee:


- define the authority levels related to liquidity risk control and review them annually;
- monitor liquidity risk indicators by making the necessary decisions and following the risk appetite;
- submit the liquidity contingency plan (Brazil) to the Board of Directors for approval, at least annually.

Chief Risk Officer:
- responsible for liquidity risk management at Itaú Unibanco.

Liquidity Risk Control
- define the breakdown of the reserve, in accordance with the guidelines established by the senior management;
- identify, assess, monitor, control and report exposure to liquidity risk on a daily basis;
- propose liquidity risk limits;
- monitor the contingency and recovery plans, as well as the limits established for each plan, and communicate possible deviations to the respective authority levels;
- perform liquidity risk simulations under stress conditions;
- periodically report the main liquidity risk controls in Brazil and at the External Units, and, on a timely basis, any sudden liquidity decrease situations and significant aspects of measures in progress to committees, Treasury department, Supervising Department of Integrated Capital Management, CRO, and the Board of Directors;
- on a timely basis, communicate any possible deviations of both the managerial risk appetite and the Contingency and Recovery triggers to the Supervising Department of Integrated Capital Management, of the daily LCR indicator, ensuring support to the monitoring of the Recovery Plan;
- in relation to risk appetite metrics, monitor, analyze and report any information in the Risk Appetite Report, in addition to communicating the material aspects to those involved, such as: committee decisions, request for action plans, and warnings about matters for attention;
- maintain specialized and adequately-sized teams to support liquidity risk processes and systems under its governance and development management.

Institutional Treasury (Brazil and International)
- centralize Itaú Unibanco's liquidity risk management, ensuring adequate and sufficient liquidity levels;
- Reserve Pilot - identify, assess, monitor and alert any cash requirements for transactions conducted during the day.

Information Technology
- maintain specialized and adequately-sized teams to support the liquidity risk processes and systems that are under its governance, and management of technology development, and the Hosting processes defined in specific service agreements.

LIQUIDITY RISK CONTROL
The Liquidity Risk control at Itaú Unibanco includes measurement, monitoring, control and reporting of exposure levels, as well as contingency and liquidity recovery plans.

Liquidity risk exposure measurement is based on the daily analysis of cash flow evolution and compliance with the regulatory ratios, as described below:
- Projected cash flow (Going Concern Scenario): shows expected cash flows considering the company has the ability to continue as a going concern under normal conditions;
- Portfolio Settlement Scenario (run-off): shows the expected cash flows considering the settlement of current portfolios and the company ceasing to continue as a going concern;
- LCR – Liquidity Coverage Ratio: shows that high quality liquid assets of the prudential conglomerate are sufficient to withstand a severe liquidity crisis for a period of 30 days, according to assumptions defined by the Central Bank of Brazil; and
- Net Stable Funding Ratio (NSFR): shows that the prudential conglomerate has available stable funds higher than those required by cash outflows in a 1-year stress scenario.


The scenarios described in the previous section shall be calculated on a daily basis and made available to the liquidity management function.

The use of liquidity risk limits shall be checked against approved limits. The control shall be performed and reported on a daily basis to the Institutional Treasury and the senior management. Deviations from the limits and ratios determined shall be reported by liquidity risk control to the senior management, relevant departments for immediate exposure adjustment, and relevant committees.

The purpose of the contingency and recovery plans is to restore adequate liquidity levels and preserve the viability of Itaú Unibanco, in response to stress scenarios. The plans shall contain a list of actions to be implemented, contemplating volumes, deadlines and owners. The contingency plan actions shall contemplate a criticality level scale. The order of actions must be determined based on how easy the implementation is, taking into account the characteristics of the market.

Approved by the Board of Directors on 14/12/2018.


ITAÚ UNIBANCO HOLDING S.A.
Tax Payer's # [CNPJ] 07.540.097/0001-74 Publicly-Held Corporation Identification Number in the Companies Registry [NIRE] 35300010230

PUBLIC ACCESS REPORT - CREDIT RISK

OBJECTIVE
This document aims to establish the structure and actions of credit risk control of Itaú Unibanco Holding S.A. (Itaú Unibanco), while observing applicable regulations, best practices and implementation of business decisions by the Business Units.

INTRODUCTION
Credit risk is the risk of loss arising from non-compliance by the policy holder, issuer or counterparty with financial obligations, that is, the possibility of losses caused by the non-payment of contracted amounts ("Default").

Credit risk control processes shall support the institution in strict compliance with the principles set out in internal policies.

The centralized control of credit risk is carried out independently by the risk and finance area [ARF], segregated from the business units and the Executive area of the internal audit activity. In international units, the independent structure responsible for local risk control is under the responsibility of the Local Chief Risk Officers (Local CROs), supporting the CRO of Itaú Unibanco Holding. The structure enables the continuous and integrated management of credit risk and shall consider both transactions classified in the trading book and those classified in the non-trading book.

GUIDELINES
According to Central Bank determinations, risk management should be integrated, enabling identification, measurement, evaluation, monitoring, reporting, control and mitigation of credit risk.

Credit risk management structures shall be proportionate to the size and relevance of risk exposure, be compatible with the business model, the nature of operations and the complexity of Itaú Unibanco's products, services, activities and processes. To this end, they must maintain specialized and appropriately sized teams to support credit risk processes and systems that are under its governance.

The credit risk management structure should provide for:
· Clearly documented policies and strategies for Risk Management, which establish limits and procedures to maintain risk exposure in accordance with internal policy. They shall also take into account prior identification of credit risks inherent to:
  · New products and services;
  · Relevant changes in existing products or services;
  · Significant changes in the institution's processes, systems, operations and business model;
  · Hedge strategies and risk-taking initiatives;
  · Significant corporate reorganizations; and
  · Changes in the macroeconomic outlook.
· Monitoring processes, in order to identify points of non-compliance with credit risk management policies, containing the respective justifications and actions expected to resolve divergences;
· Systems, routines and procedures for credit risk management, including its updates;
· Periodic management reports for the board as well as for other forums where the topic of credit risk is on the agenda.

The established guidelines must be applied to the credit risk of the counterparty, the country of occurrence of disbursements to honor guarantees, sureties, co-obligations, loan commitments or other operations of a similar nature and of losses associated with the non-fulfillment of obligations relating to the settlement of transactions involving bilateral flows, including the trading of financial assets, or derivatives.

ROLES AND TASKS

Credit Risk Control


Must:
· Define the centralized credit risk control environment;
· Annually review policies, strategies and procedures establishing operational limits, risk mitigation mechanisms and procedures to maintain credit risk exposure at acceptable levels for the administration, and approve them at qualified authority; and
· Disclose credit decisions, corporate policies and strategies for management of credit risk to Business Units and CROs of international units.

Modelling Credit and Market Risk
Must contribute to the implementation of credit risk control activities, following the tasks set out in the Model Risk Policy.

Finance
Define rules for conducting simulations and calculations in line with applicable standards and regulations, and publish accounting statements and other reports that help and complement the control and management of credit risk.

Boards in Risk and Finance Area
Responsible for decision making in accordance with the specific characteristics of each forum, taking into account risk mitigation in order to maintain credit risk exposure at levels acceptable to the administration.

Business Units (Brazil and International Units):
At the most fundamental level, each employee is expected to understand fully the nature of the risk in the portfolios under their management and to manage those risks effectively, ensuring that it is transparent to the administration and framed within the rules and limits established.

For each of the control processes of the Credit Risk provided for in this policy there should be a more detailed description in the respective manuals of procedures, responsibilities and assignments of each of the units involved.

GOVERNANCE OF CREDIT RISK CONTROL

Governance of Economic Groups
Define governance of creation and change of economic groups in Itaú Unibanco Holding for credit risk management purposes.

Counterparty credit risk
Itaú Unibanco understands the credit risk of the counterparty as the possibility of a counterparty failing to comply with obligations relating to the settlement of transactions involving the trading of financial assets at bilateral risk. It covers derivative financial instruments, transactions to be settled, asset loans and committed transactions.

Country Risk Management
In addition to the external units, Itaú Unibanco maintains relationships with policyholders, issuers, counterparties and guarantors from different locations around the world, regardless of whether it has an external unit in the location of the policyholder, issuer, counterparty or guarantor. In this way the Country Risk is a risk present in the institution. Such risk is defined, for Itaú Unibanco, as the risk of losses resulting from non-compliance of financial obligations, within the terms agreed by borrowers, issuers, counterparties or guarantors, as a result of actions taken by the government of the country where the borrower, issuer, counterparty or guarantor is located, or of political-economic and social events related to this country.

Monitoring of Credit Portfolio
Portfolio monitoring means monitoring indicators related to the total of active credit operations. In general terms, indicators referring to the balance of the active portfolio, credit granting in the month (also known as harvest) and default indicators (balance in arrears in relation to the balance of the portfolio or harvest) are followed during monitoring. Portfolio monitoring aims at verifying the financial health of credit operations by adjusting credit strategies to the conglomerate's risk appetite.


Portfolio Review and Credit Processes
The review's mission is to carry out an assessment of the quality and integrity of the credit process of each business unit, covering the quality assessments of the concession, the rating award and the post-concession stage.

Approved by the Board of Directors on 03/28/2019.


ITAÚ UNIBANCO HOLDING S.A.
Tax Payer's # [CNPJ] 07.540.097/0001-74
Publicly-Held Corporation
Identification Number in the Companies Registry [NIRE] 35300010230

PUBLIC ACCESS REPORT - CAPITAL MANAGEMENT

OBJECTIVE

Establish capital management for Itaú Unibanco Holding S.A. (Itaú Unibanco), in compliance with applicable regulations and best practices.

INTRODUCTION

For any company to operate, it needs to have capital, which is the investment made by shareholders. In addition, the resources that the company generates and that are not distributed, being kept in its assets, are also called capital.

For financial institutions, the Central Bank of Brazil demands a minimum capital (required capital), which is the capital required to meet the risks to which institutions are exposed, ensuring their solvency.

Capital management is a key instrument for the sustainability of the banking system. Risk identification, evaluation, control, mitigation and monitoring methods support financial institutions in adverse times.

Itaú Unibanco considers capital management essential for the decision-making process, contributing to the optimization and efficiency in the use of capital in its operations. This management considers companies controlled by Itaú Unibanco in Brazil and abroad.

Changes in the global financial environment, such as market integration, the emergence of new transactions and products, increased technological sophistication and new regulations make financial activities and their risks increasingly complex.

Additionally, knowledge arising from past financial crises reinforces the importance of risk management and capital management to strengthen the financial health of the banking industry.

The Brazilian participation in the Basel Committee on Banking Supervision (BCBS) encourages the timely implementation of international prudential standards in the Brazilian regulatory framework.

Aligned with this perspective, Itaú Unibanco invests in continuous improvement of capital management processes and practices, in accordance with international market, regulatory and supervisory benchmarks.

The management of Itaú Unibanco's capital is a continuous process of planning, evaluation, control and monitoring of the capital necessary to face the risks relevant to the company and to support the capital demands required by the regulator, or those defined internally by the Institution, with the objective of optimizing the allocation of capital.

The areas defined in the capital management structure are jointly or individually responsible for:
· Identification of the risks to which the institution is exposed and analysis of their materiality;
· Assessment of the capital required to bear the risks;
· Development of methodologies for additional capital quantification;
· Capital quantification and internal capital adequacy assessment;
· Internal capital adequacy assessment process [ICAAP];
· Capital index projection;
· Calculation of the reference assets [PR] and calculation of the capital indexes;
· Preparation of the capital plan and contingency plan;
· Preparation of the recovery plan;
· Monitoring of the solvency and liquidity regulation plan for SUSEP companies;
· Stress tests;
· Calculation of the global systemic importance index [ISG];
· Preparation of the quarterly Risk Management and Capital Report – Pillar 3.

The capital management structure of Itaú Unibanco allows the monitoring and control of the capital maintained by the Institution, the assessment of the need for capital to face the risks to which the Institution is exposed, and the planning of targets and capital requirements, considering the strategic objectives of the Institution and/or adverse situations. With this, Itaú Unibanco adopts a forward-looking stance, anticipating the need for capital arising from possible changes in market conditions.


CONCEPTS

Required Capital: the capital required to cover the risks to which the institution is exposed, ensuring its solvency and also covering international units. The requirements are set by BACEN, for Brazil, and by the local regulatory entities, for international units. Such requirements are expressed in indexes that compare the available capital to the total risk-weighted assets (RWA).

The PR used to verify compliance with the operational limits defined by BACEN consists of the sum of three items:
· Main Capital: the sum of share capital, reserves and accumulated profits, less deductions and prudential adjustments;
· Additional Capital: composed of perpetual instruments that meet eligibility requirements. Added to the Main Capital, it makes up Tier I;
· Tier II: composed of defined subordinated debt instruments that meet eligibility requirements. Added to Main Capital and to Additional Capital, it makes up the Total Capital.

For the purpose of calculating these minimum capital requirements, the total amount of RWA shall be calculated as the sum of the asset portions weighted by credit, market and operational risk:

$RWA = RWA_{CPAD} + RWA_{MINT} + RWA_{OPAD}$

· $RWA_{CPAD}$ = credit risk exposure portion, calculated according to a standardized approach;
· $RWA_{MINT}$ = share of capital required for market risk, composed of the maximum of the internal model and 80% of the standardized model;
· $RWA_{OPAD}$ = share of capital required for operational risk, calculated according to a standardized approach.

In addition to the regulatory minimum, BACEN standards established an Additional Main Capital [ACP] corresponding to the sum of $ACP_{Conservation}$, $ACP_{Contracyclic}$ and $ACP_{Systemic}$ which, together with the above requirements, increase the need for capital:
· $ACP_{Conservation}$: represents an extra capital buffer to absorb possible losses;
· $ACP_{Contracyclic}$: an additional share of capital to be accumulated during the expansion phase of the credit cycle and to be consumed during its contraction phase;
· $ACP_{Systemic}$: institutions of systemic importance are required to present additional capital to address systemic risk.

Internal capital adequacy assessment process [ICAAP]

It is a report made available annually to BACEN, which aims at highlighting the internal capital adequacy assessment (ICAAP) process of Itaú Unibanco. It also aims at providing an overview and comprehensive management of the risks and capital of the institution, and at demonstrating the results of the self-assessment of the adequacy of the level of capital given its risk profile.

Capital Plan

The capital plan is a document inserted in the ICAAP that aims at ensuring maintenance of an adequate and sustainable level of capital. It incorporates, in its elaboration, the limits established by risk appetite and the analyses of economic and regulatory environments. Additionally, it is structured in a manner consistent with the strategic planning of Itaú Unibanco.

This plan presents the financial and capital projections in the short and medium term (at least three years after the base date year), both in normal and stress scenarios, its main sources of capital, the results distribution policy and the contingency plan.

Capital contingency plan

Itaú Unibanco has a capital contingency plan for cases where its capital sources prove impractical or insufficient, or for cases of unforeseen events that may affect the capital adequacy of the institution.

The plan includes a set of contingency actions and the personnel responsible for them, which allow Itaú Unibanco to increase its capitalization levels. It shall contain, as a minimum, the definition of the capital limits that trigger its activation and the corresponding governance, in order to maintain an adequate level of capitalization of Itaú Unibanco in an adverse situation.


Stress tests

The stress test is a process of simulating the effects of extreme market and economic conditions on the results and capital of the institution. Stress scenarios should be approved by the Board of Directors, and their results should be considered in the definition of the business and capital strategy of Itaú Unibanco.

The stress test, for Itaú Unibanco, can be divided into internal and regulatory. The first seeks to measure the vulnerability and solidity of the conglomerate in hypothetical but plausible scenarios of economic crisis, based on simulations and macroeconomic projections developed by the institution itself. The regulatory stress test has the same objective, but uses a scenario developed by the Central Bank of Brazil.

In both cases, the main analyses are on the result of the Bank [DRE], its distribution between the portfolios and activities of the conglomerate and on the capital level of the institution.

Additionally, to add to the results obtained with the processes described above, sensitivity analyses and reverse stress tests are performed annually.

The capital management structure should provide for the assessment of capital impacts from the definition of severe scenarios chosen by the institution and include them in the results of the stress test program.

Recovery Plan

It is a report made available annually to BACEN, which aims at defining how to reestablish adequate levels of capital and liquidity in response to stress situations. In this way, an institution would be able to preserve its viability and financial continuity without hindering the functioning of the National Financial System, and would mitigate the need to resort to bailout.

To this end, Itaú Unibanco consolidates its recovery plan by describing:
· The critical functions and essential services of the institution;
· The monthly monitoring, through a program that tracks a set of indicators, of potential risks to solvency and liquidity, with senior management informed via committees: Capital Committee (CCap), Risk and Capital Management Committee, and Superior Market and Liquidity Risk Commission;
· The establishment of severe stress scenarios, both systemic and idiosyncratic (an event specific to a single institution), that threaten the viability of the institution, to simulate the recovery strategies of capital and liquidity, the financial impacts of these risks for the effectiveness and its possible mitigation.

In addition, it establishes a transparent communication plan with regulators, investors and capital markets, employees, press and customers.

Solvency and Liquidity Regulation Plan - SUSEP

Monthly monitoring of the measure of capital sufficiency is carried out. Once an inadequacy has been established, measures to adjust the solvency and liquidity indexes of the companies subject to the SUSEP guidelines are defined together with the asset management areas of the Insurance Group.

Calculation of the global systemic importance index [ISG]

The index measures the importance of each financial institution in the global market and consists of five main indicators:
· Size: reflects the institution's relative participation in the overall activity;
· Activity abroad: relative participation of the institution in international activities;
· Interconnection: institution's relative participation in the interbank and global capital markets;
· Replacement: relative participation of the institution in the overall financial services offer;
· Complexity: relative participation of the institution in complex or low liquidity instruments.

Risk Management and Capital Report – Pillar 3

It is a report containing information on the risk and capital management of Itaú Unibanco, the calculation of the amount of risk-weighted assets (RWA) and the calculation and appropriateness of the reference assets (PR), disclosed quarterly on the institution's Investor Relations website.

GUIDELINES


Capital management should support the institution in accordance with the principles set out in the Risk and Capital Management Policy. These principles are reflected in the following guidelines, according to which the capital management structure of Itaú Unibanco should:
· Ensure that policies and strategies for capital management are clearly documented and establish mechanisms and procedures to maintain the reference assets (PR), Tier I and core capital compatible with the risks incurred by the institution.
· Maintain systems, routines and procedures for capital management.
· Be compatible with the nature of its operations, the complexity of the products and services offered and the size of the risk exposure.
· Ensure the routing of policies and strategies for the management of capital, as well as the capital plan, for approval and review, at least annually, by the Board of Directors, in order to determine their compatibility with the strategic planning of the institution and the conditions of the market.
· Create management reports on a timely basis to the board of directors of the institution, the risks committee and the Board of Directors, that point out any deficiencies in the capital management structure and the actions to correct them, and the adequacy of the levels of PR, Tier I and Main Capital to the risks incurred.
· Ensure that the solvency and liquidity regulation plan for SUSEP is met in a possible insolvency or non-liquidity situation by one or more companies in the insurance industry, ensuring that the areas involved in the management of assets of those companies are activated for the definition of a proposed corrective action, as well as for submitting it to impact assessment.
· Define the governance and responsibilities of the capital management process, disseminate decisions and policies related to this process to the impacted areas and monitor the regulatory capital of Itaú Unibanco and its international units.
· Business units and international units must ensure that approved decisions and policies are properly implemented.
· Ensure that the information disclosed in the Risk Management and Capital Report - Pillar 3 has detail appropriate to the scope, complexity of operations, sophistication of systems, and risk management processes of the institution, and also ensure that relevant differences in relation to other information disclosed by the institution are clarified;
· Ensure that published information adheres to the existing rules laid down by the regulatory entities;
· Calculate, monitor and control the regulatory operational limits of Itaú Unibanco Holding.

MAIN ROLES AND TASKS

Itaú Unibanco's management is directly involved in the internal capital adequacy assessment process and its risk assessment. Among the committees and commissions that discuss the process of capital management, the following stand out:
· Administration Committee (AC);
· Risk and Capital Management Committee [CGRC];
· Capital Committee [CCap];
· Stress Test Management Committee [CGTE].

Risk and Finance Area

It aims at ensuring that the risks of Itaú Unibanco are managed in accordance with established policies and procedures, and is responsible for centralizing the capital management of the institution. The objective of centralized control is to provide the Board of Directors and senior management with a global view of Itaú Unibanco's exposures to risks, as well as a prospective view on the adequacy of its capital, in order to optimize and streamline corporate decisions.

Business Areas

At a core level, the areas are expected to provide the information necessary for the identification of risks, the analysis of their materiality and the measurement of the capital required, and for the preparation of the capital budget, the capital plan, the contingency plan, the recovery plan, the Risk Management and Capital Report – Pillar 3 and other regulatory and management reporting, ensuring its completeness, integrity and consistency, and considering both the growth and the expected evolution of the risk profile of the business unit.

The areas involved in the capital management process must be able to carry out the required actions whenever they are activated.


The details of the responsibilities of each of the areas involved in the capital management process are described in the procedures. Approved by the Administration Committee on 03/28/2019.