Exhibit 99.1 Report of the Brazilian Corporate Governance Code. Itaú Unibanco Holding S.A. July/2019Exhibit 99.1 Report of the Brazilian Corporate Governance Code. Itaú Unibanco Holding S.A. July/2019

1.1.1 The Company’s capital stock should be comprised of common shares only. Partially Not Comply N/A Comply Comply Our bylaws provide two types of shares, common (ON) and preferred (PN) shares, both book-entry, with no par value and single class. Each common share entitles its holder to one vote at the General Meetings. The preferred shares do not give voting rights, except in specifi c cases legally provided and give its holder priority in receiving the non-cumulative minimum annual dividend of R$ 0.022 per share, which shall be adjusted in the event of a stock split or reverse stock split, and also the right of, in the event of disposal of control, to be included in a public offering for the acquisition of shares, in order to assure the equal price of 80% of the amount paid per voting share, part of the controlling stake, at least ensuring equal dividend to that of common shares Preferred shares are a legitimate instrument, set forth by law, and their issue bears no relation with the quality of our management, its corporate governance level, performance and return to our Stockholders. Since our incorporation, our controlling Stockholders’ understand that our capital structure satisfactorily meets our purposes. The Bylaws are available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Bylaws. 1.2.1 Stockholders agreements should not bind the exercise of voting rights of any members of management or supervisory and control bodies. Partially Not Comply N/A Comply Comply Given the merger between Itaú and Unibanco, in 2009, the regulation through a Stockholders’ Agreement was necessary, including binding the exercise of the voting rights of members of the Board of Directors. We understand that the defi nition and regulation of the stockholding control, reflected in the Stockholders’ Agreement, is positive to the smooth running of the business and does not harm the interests of investors and Company itself, mainly considering (i) the fi duciary duty of all management members, who should always vote in the best interest of the Company; (ii) the existence of a highly professional management with broad technical expertise; (iii) the significant number of independent members of the Board of Directors, representing more than 45% of the total members; and (iv) the existence of rigorous mechanisms to prevent actual situations where confl icts of interests may arise, which are strictly applied by the Company. Our IUPAR Stockholders’ Agreement does not provide for the binding of voting rights of any member of the Company’s inspection and control bodies. The Stockholders’ Agreement is available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Others. 21.1.1 The Company’s capital stock should be comprised of common shares only. Partially Not Comply N/A Comply Comply Our bylaws provide two types of shares, common (ON) and preferred (PN) shares, both book-entry, with no par value and single class. Each common share entitles its holder to one vote at the General Meetings. The preferred shares do not give voting rights, except in specifi c cases legally provided and give its holder priority in receiving the non-cumulative minimum annual dividend of R$ 0.022 per share, which shall be adjusted in the event of a stock split or reverse stock split, and also the right of, in the event of disposal of control, to be included in a public offering for the acquisition of shares, in order to assure the equal price of 80% of the amount paid per voting share, part of the controlling stake, at least ensuring equal dividend to that of common shares Preferred shares are a legitimate instrument, set forth by law, and their issue bears no relation with the quality of our management, its corporate governance level, performance and return to our Stockholders. Since our incorporation, our controlling Stockholders’ understand that our capital structure satisfactorily meets our purposes. The Bylaws are available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Bylaws. 1.2.1 Stockholders agreements should not bind the exercise of voting rights of any members of management or supervisory and control bodies. Partially Not Comply N/A Comply Comply Given the merger between Itaú and Unibanco, in 2009, the regulation through a Stockholders’ Agreement was necessary, including binding the exercise of the voting rights of members of the Board of Directors. We understand that the defi nition and regulation of the stockholding control, reflected in the Stockholders’ Agreement, is positive to the smooth running of the business and does not harm the interests of investors and Company itself, mainly considering (i) the fi duciary duty of all management members, who should always vote in the best interest of the Company; (ii) the existence of a highly professional management with broad technical expertise; (iii) the significant number of independent members of the Board of Directors, representing more than 45% of the total members; and (iv) the existence of rigorous mechanisms to prevent actual situations where confl icts of interests may arise, which are strictly applied by the Company. Our IUPAR Stockholders’ Agreement does not provide for the binding of voting rights of any member of the Company’s inspection and control bodies. The Stockholders’ Agreement is available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Others. 2

1.3.1 The executive board should use a Stockholders’ meeting to communicate how the Company’s business is run, the reason why management should publish a manual aimed at facilitating and encouraging attendance at general Stockholders’ meetings. Partially Not Comply N/A Comply Comply 1.3.2 Minutes should provide for the full understanding of the discussions held at meetings, even if drawn as a summary, and identify the votes cast by Stockholders’. Partially Not Comply N/A Comply Comply 1.4.1 The Board of Directors should conduct a critical analysis of the advantages and disadvantages of the defense measure and its characteristics, especially of triggers and price parameters, if applicable, providing related explanations. Partially Not Comply N/A Comply Comply 1.4.2 Provisions that prevent the removal of this measure from the bylaws, the so-called “irrevocable provisions”, must not be used. Partially Not Comply N/A Comply Comply 31.3.1 The executive board should use a Stockholders’ meeting to communicate how the Company’s business is run, the reason why management should publish a manual aimed at facilitating and encouraging attendance at general Stockholders’ meetings. Partially Not Comply N/A Comply Comply 1.3.2 Minutes should provide for the full understanding of the discussions held at meetings, even if drawn as a summary, and identify the votes cast by Stockholders’. Partially Not Comply N/A Comply Comply 1.4.1 The Board of Directors should conduct a critical analysis of the advantages and disadvantages of the defense measure and its characteristics, especially of triggers and price parameters, if applicable, providing related explanations. Partially Not Comply N/A Comply Comply 1.4.2 Provisions that prevent the removal of this measure from the bylaws, the so-called “irrevocable provisions”, must not be used. Partially Not Comply N/A Comply Comply 3

1.4.3 If the bylaws provide for a tender offer whenever a stockholder or group of Stockholders’ directly or indirectly reaches significant interest in the voting capital, the rule for determining the offer price should not impose additions of premiums substantially greater than the share economic or market value. Partially Not Comply N/A Comply Comply THE COMPANY’S BYLAWS SHOULD ESTABLISH THAT: 1.5.1 Transactions with a direct or indirect disposal of stockholding control should be followed by a (I) tender offer intended to all Stockholders, at the same price and in the same conditions obtained by the selling stockholder; Management should state an opinion on the terms and conditions of corporate reorganizations, capital (II) increases and other transactions leading to change of control, and state whether these ensure fair and equitable treatment to the Company’s Stockholders. Partially Not Comply N/A Comply Comply (I) The Brazilian Corporate Law provides for a tag along of 80% for minority holders of common shares in the case of disposal of stockholding control. The Company extends to preferred Stockholders the same 80% tag along right granted to common Stockholders. For this reason, the Company makes up the ITAG – Special Tag Along Stock Index of B3 – Bolsa, Brasil, Balcão S.A. (“B3”). (II) With respect to the opinion expressed by management members about possible corporate reorganizations, the Company understands that management may always express its opinion regardless of a statutory provision. 1.6.1 The bylaws should provide that the board of directors issues an opinion on any tender offer related to shares and securities convertible into or exchangeable for shares issued by the Company, and this should include, among other relevant information, the opinion of the board of directors on the possible acceptance of the tender offer and the Company’s economic value. Partially Not Comply N/A Comply Comply 41.4.3 If the bylaws provide for a tender offer whenever a stockholder or group of Stockholders’ directly or indirectly reaches significant interest in the voting capital, the rule for determining the offer price should not impose additions of premiums substantially greater than the share economic or market value. Partially Not Comply N/A Comply Comply THE COMPANY’S BYLAWS SHOULD ESTABLISH THAT: 1.5.1 Transactions with a direct or indirect disposal of stockholding control should be followed by a (I) tender offer intended to all Stockholders, at the same price and in the same conditions obtained by the selling stockholder; Management should state an opinion on the terms and conditions of corporate reorganizations, capital (II) increases and other transactions leading to change of control, and state whether these ensure fair and equitable treatment to the Company’s Stockholders. Partially Not Comply N/A Comply Comply (I) The Brazilian Corporate Law provides for a tag along of 80% for minority holders of common shares in the case of disposal of stockholding control. The Company extends to preferred Stockholders the same 80% tag along right granted to common Stockholders. For this reason, the Company makes up the ITAG – Special Tag Along Stock Index of B3 – Bolsa, Brasil, Balcão S.A. (“B3”). (II) With respect to the opinion expressed by management members about possible corporate reorganizations, the Company understands that management may always express its opinion regardless of a statutory provision. 1.6.1 The bylaws should provide that the board of directors issues an opinion on any tender offer related to shares and securities convertible into or exchangeable for shares issued by the Company, and this should include, among other relevant information, the opinion of the board of directors on the possible acceptance of the tender offer and the Company’s economic value. Partially Not Comply N/A Comply Comply 4

1.7.1 The Company should prepare and disclose a policy on appropriation of earnings defined by the board of directors. Among others, such policy should provide for the frequency of dividend payouts and the reference parameter to be used to define the related amount (such as percentages of adjusted net income and of free cash flow). Partially Not Comply N/A Comply Comply 1.8.1 The bylaws should clearly and accurately identify the public interest that has justified the creation of the mixed-capital Company in a specific chapter. Partially Not Comply N/A Comply Comply 1.8.2 The board of directors should monitor the Company’s activities and establish policies, mechanisms, and internal controls to verify any costs of serving the public interest and any refunds to the Company or other Stockholders and investors by the controlling stockholder. Partially Not Comply N/A Comply Comply WITHOUT PREJUDICE TO OTHER LEGAL OR STATUTORY POWERS AND OTHER PRACTICES SET FORTH IN THIS 2.1.1 CODE, THE BOARD OF DIRECTORS SHOULD: Define business strategies, taking into account the impacts of the Company’s activities on society (I) and the environment, aiming at the continuity of the Company and the creation of long-term value; Periodically assess the Company’s risk exposure and the effectiveness of risk management systems, (II) internal controls, and compliance system, and approve a risk management policy in line with these business strategies; Define the Company’s values and ethical principles and ensure the Company’s transparency in (III) its relationship with all stakeholders; 51.7.1 The Company should prepare and disclose a policy on appropriation of earnings defined by the board of directors. Among others, such policy should provide for the frequency of dividend payouts and the reference parameter to be used to define the related amount (such as percentages of adjusted net income and of free cash flow). Partially Not Comply N/A Comply Comply 1.8.1 The bylaws should clearly and accurately identify the public interest that has justified the creation of the mixed-capital Company in a specific chapter. Partially Not Comply N/A Comply Comply 1.8.2 The board of directors should monitor the Company’s activities and establish policies, mechanisms, and internal controls to verify any costs of serving the public interest and any refunds to the Company or other Stockholders and investors by the controlling stockholder. Partially Not Comply N/A Comply Comply WITHOUT PREJUDICE TO OTHER LEGAL OR STATUTORY POWERS AND OTHER PRACTICES SET FORTH IN THIS 2.1.1 CODE, THE BOARD OF DIRECTORS SHOULD: Define business strategies, taking into account the impacts of the Company’s activities on society (I) and the environment, aiming at the continuity of the Company and the creation of long-term value; Periodically assess the Company’s risk exposure and the effectiveness of risk management systems, (II) internal controls, and compliance system, and approve a risk management policy in line with these business strategies; Define the Company’s values and ethical principles and ensure the Company’s transparency in (III) its relationship with all stakeholders; 5

Annually revise the corporate governance system to improve it. (IV) Partially Not Comply N/A Comply Comply (I) We incorporate sustainability into corporate strategy through a governance structure, which is integrated with our business. The Board of Directors annually guides, monitors, approves and proposes improvements in sustainability strategy and policy, in a long-term vision. Every six months, the Executive Committee discusses how sustainability trends are integrated into our business, as well as the promotion and dissemination of this matter in the organization, the monitoring of corporate sustainability indicators and projects and compliance with the voluntary agreements signed by us. (II) We sustain a risk management structure aimed at (i) identifying risks; (ii) analyzing materiality; (iii) measuring risks; (iv) responding to risks; (v) monitoring risks; and (vi) communicating and reporting. In addition, we have a defined governance process for policy review applicable to Brazil and our international units. Policies preponderantly define institutional guidelines, methodologies and processes, address regulatory requirements and the best market practices. We have internal policies that provides guidelines and establishes risk management governance, as follows: Capital Management, Credit Risk Management and Control, Integrated Management of Operational Risk, Internal Controls and Compliance, Liquidity Risk Management and Control, Market Risk Management and Control and Compliance Policy. The Risk and Capital Management Committee (CGRC) is responsible for supporting the Board of Directors in carrying out its risk and capital management activities. The Company’s Risk Management Policies are approved by the Board of Directors, being annually revised and are available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Reports. (III) Our Code of Ethics is approved by the Board of Directors and aimed at guiding, preventing and resolving ethical dilemmas and conflicts of interest related to the our activities, preserving transparency, respect and honesty in its relationship with all stakeholders. The Code of Ethics is based on four principles: identity, interdependence, good faith and excellence. These principles inspire corporate rules, ensure integrity in operations and aim at establishing effective links with stakeholders, ensuring the quality of products and services, assessing the environmental and social impacts of the activity and adopting practices that contribute to create shared value. The adoption of these practices is monitored in accordance with the governance established in the Integrity and Ethics Corporate Program. The Code of Ethics is available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Code of Ethics and Conduct. (IV) Our Nomination and Corporate Governance Committee is responsible for supporting the Board of Directors in promoting and supervising discussions related to Corporate Governance, which are periodically revised, formalized and reflected in the Corporate Governance Policy and annually approved by the Board of Directors. Among its duties include: analyzing and issuing opinions on situations of possible conflict of interest between the members of the Board of Directors and the companies of the Conglomerate; providing methodological and procedural support for the evaluation of the Board of Directors, members, committees and Chief Executive Officer, and discussing on the succession of the members of the Board of Directors and the Chief Executive Officer, as well as making recommendations on this matter. The Capital and Risk Management Committee has its own internal charter, approved by the Board of Directors and available on our the Investor Relations website, as well as the Corporate Governance Policy: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies. 6Annually revise the corporate governance system to improve it. (IV) Partially Not Comply N/A Comply Comply (I) We incorporate sustainability into corporate strategy through a governance structure, which is integrated with our business. The Board of Directors annually guides, monitors, approves and proposes improvements in sustainability strategy and policy, in a long-term vision. Every six months, the Executive Committee discusses how sustainability trends are integrated into our business, as well as the promotion and dissemination of this matter in the organization, the monitoring of corporate sustainability indicators and projects and compliance with the voluntary agreements signed by us. (II) We sustain a risk management structure aimed at (i) identifying risks; (ii) analyzing materiality; (iii) measuring risks; (iv) responding to risks; (v) monitoring risks; and (vi) communicating and reporting. In addition, we have a defined governance process for policy review applicable to Brazil and our international units. Policies preponderantly define institutional guidelines, methodologies and processes, address regulatory requirements and the best market practices. We have internal policies that provides guidelines and establishes risk management governance, as follows: Capital Management, Credit Risk Management and Control, Integrated Management of Operational Risk, Internal Controls and Compliance, Liquidity Risk Management and Control, Market Risk Management and Control and Compliance Policy. The Risk and Capital Management Committee (CGRC) is responsible for supporting the Board of Directors in carrying out its risk and capital management activities. The Company’s Risk Management Policies are approved by the Board of Directors, being annually revised and are available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Reports. (III) Our Code of Ethics is approved by the Board of Directors and aimed at guiding, preventing and resolving ethical dilemmas and conflicts of interest related to the our activities, preserving transparency, respect and honesty in its relationship with all stakeholders. The Code of Ethics is based on four principles: identity, interdependence, good faith and excellence. These principles inspire corporate rules, ensure integrity in operations and aim at establishing effective links with stakeholders, ensuring the quality of products and services, assessing the environmental and social impacts of the activity and adopting practices that contribute to create shared value. The adoption of these practices is monitored in accordance with the governance established in the Integrity and Ethics Corporate Program. The Code of Ethics is available on our investor relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Code of Ethics and Conduct. (IV) Our Nomination and Corporate Governance Committee is responsible for supporting the Board of Directors in promoting and supervising discussions related to Corporate Governance, which are periodically revised, formalized and reflected in the Corporate Governance Policy and annually approved by the Board of Directors. Among its duties include: analyzing and issuing opinions on situations of possible conflict of interest between the members of the Board of Directors and the companies of the Conglomerate; providing methodological and procedural support for the evaluation of the Board of Directors, members, committees and Chief Executive Officer, and discussing on the succession of the members of the Board of Directors and the Chief Executive Officer, as well as making recommendations on this matter. The Capital and Risk Management Committee has its own internal charter, approved by the Board of Directors and available on our the Investor Relations website, as well as the Corporate Governance Policy: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies. 6

THE BYLAWS SHOULD ESTABLISH THAT: 2.2.1 The board of directors should be composed of a majority of external members, where at least one third (I) shall be independent members; The board of directors should annually assess and disclose the independent members of the board (II) of directors, and indicate and justify any circumstances that might compromise their independence. Partially Not Comply N/A Comply Comply THE BOARD OF DIRECTORS SHOULD APPROVE A NOMINATION POLICY THAT ESTABLISHES: 2.2.2 The nomination process for the members of the board of directors, including indicating the participation (I) of other corporate bodies of the Company in the process; That the board of directors should be composed taking into account the time availability of its members (II) for exercising their duties and the diversity of knowledge, experience, conduct, cultural aspects, age and gender. Partially Not Comply N/A Comply Comply Our Policy for Nominating Management Members sets forth the processes for nominating members for the Board of Directors, its committees and the Executive Board, including the involvement of the Nomination and Corporate Governance Committee in these processes. This Policy also establishes that the nomination process should consider, among other criteria, complementary skills, time availability for carrying out duties and diversity, such as gender, race and age criteria. The policy is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Policies. 2.3.1 The CEO should not hold the position of chairman of the board of directors at the same time. Partially Not Comply N/A Comply Comply 7THE BYLAWS SHOULD ESTABLISH THAT: 2.2.1 The board of directors should be composed of a majority of external members, where at least one third (I) shall be independent members; The board of directors should annually assess and disclose the independent members of the board (II) of directors, and indicate and justify any circumstances that might compromise their independence. Partially Not Comply N/A Comply Comply THE BOARD OF DIRECTORS SHOULD APPROVE A NOMINATION POLICY THAT ESTABLISHES: 2.2.2 The nomination process for the members of the board of directors, including indicating the participation (I) of other corporate bodies of the Company in the process; That the board of directors should be composed taking into account the time availability of its members (II) for exercising their duties and the diversity of knowledge, experience, conduct, cultural aspects, age and gender. Partially Not Comply N/A Comply Comply Our Policy for Nominating Management Members sets forth the processes for nominating members for the Board of Directors, its committees and the Executive Board, including the involvement of the Nomination and Corporate Governance Committee in these processes. This Policy also establishes that the nomination process should consider, among other criteria, complementary skills, time availability for carrying out duties and diversity, such as gender, race and age criteria. The policy is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Policies. 2.3.1 The CEO should not hold the position of chairman of the board of directors at the same time. Partially Not Comply N/A Comply Comply 7

2.4.1 The Company should implement an annual performance evaluation process for the board of directors and its committees, as joint committees, and for the chairman and board members, individually considered, and the governance department, if any. Partially Not Comply N/A Comply Comply In accordance with the Internal Charter of the Board of Directors, the evaluation of the Board of Directors itself, its members and Chairman or Co-Chairmen, the related Committees and the Secretariat of the Body is held annually in order to ascertain their performance, in accordance with the best corporate governance practices. The reelection of members of the Board of Directors and Committees takes into account their positive performance and high attendance at meetings during the previous term, as well as their experience and level of independence. The evaluation process comprises the following steps: self-evaluation and cross-evaluation of the members of the Board of Directors (members evaluate one another), evaluation of the Board itself by its members, evaluation of the Chairman or Co-chairmen by their Board members, evaluation of the Committees by their members and evaluation of the Secretariat of the Board of Directors by their members. This evaluation is conducted by a professional, responsible for handing out specific questionnaires to the Board of Directors and each Committee, as well as interviewing each of the members of the Board of Directors and the Committees individually. Additionally, the responses are analyzed to identify and address possible gaps related to the Board of Directors, the Committees and the Secretariat of the Board of Directors that may be identified by this process, such as deadlines for receiving materials and definition of the Board of Director’s agenda. The Nomination and Corporate Governance Committee provides methodological and procedural support to the evaluation process. This Committee also discusses the evaluation results, as well as the composition and succession plan of the Board of Directors. The Internal Charter of the Board of Directors is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Rules. 2.5.1 The board of directors should approve and continuously update a succession plan for the CEO, the preparation of which should be coordinated by the chairman of the board of directors. Partially Not Comply N/A Comply Comply Our Succession Policy is approved by the Board of Directors, having been updated on August 30, 2018. In addition to issues related to the succession of our managers, including the CEO, it also addresses recruiting, retention and training matters. 82.4.1 The Company should implement an annual performance evaluation process for the board of directors and its committees, as joint committees, and for the chairman and board members, individually considered, and the governance department, if any. Partially Not Comply N/A Comply Comply In accordance with the Internal Charter of the Board of Directors, the evaluation of the Board of Directors itself, its members and Chairman or Co-Chairmen, the related Committees and the Secretariat of the Body is held annually in order to ascertain their performance, in accordance with the best corporate governance practices. The reelection of members of the Board of Directors and Committees takes into account their positive performance and high attendance at meetings during the previous term, as well as their experience and level of independence. The evaluation process comprises the following steps: self-evaluation and cross-evaluation of the members of the Board of Directors (members evaluate one another), evaluation of the Board itself by its members, evaluation of the Chairman or Co-chairmen by their Board members, evaluation of the Committees by their members and evaluation of the Secretariat of the Board of Directors by their members. This evaluation is conducted by a professional, responsible for handing out specific questionnaires to the Board of Directors and each Committee, as well as interviewing each of the members of the Board of Directors and the Committees individually. Additionally, the responses are analyzed to identify and address possible gaps related to the Board of Directors, the Committees and the Secretariat of the Board of Directors that may be identified by this process, such as deadlines for receiving materials and definition of the Board of Director’s agenda. The Nomination and Corporate Governance Committee provides methodological and procedural support to the evaluation process. This Committee also discusses the evaluation results, as well as the composition and succession plan of the Board of Directors. The Internal Charter of the Board of Directors is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Rules. 2.5.1 The board of directors should approve and continuously update a succession plan for the CEO, the preparation of which should be coordinated by the chairman of the board of directors. Partially Not Comply N/A Comply Comply Our Succession Policy is approved by the Board of Directors, having been updated on August 30, 2018. In addition to issues related to the succession of our managers, including the CEO, it also addresses recruiting, retention and training matters. 8

2.6.1 The Company should have an integration program for new members of the board of directors, structured in advance, so that such members are introduced to the Company’s key people and facilities that addresses topics key for understanding the Company’s business. Partially Not Comply N/A Comply Comply To integrate new members into the Board of Directors, the Company carries out an immersion program so that these members are introduced to key people and get to know our executive departments, for example, through presentations done by executives addressing the structure of several areas of expertise, as well as their main challenges. 2.7.1 The compensation of the members of the board of directors should be proportional to their duties, responsibilities and time demands. Compensation should not be based on meeting attendance, and any variable compensation of the members of the board should not be bound to short-term results. Partially Not Comply N/A Comply Comply THE BOARD OF DIRECTORS SHOULD HAVE AN INTERNAL CHARTER THAT SETS FORTH ITS RESPONSIBILITIES, DUTIES 2.8.1 AND RULES OF OPERATION, INCLUDING: The duties of the chairman of the board of directors; (I) Rules for replacing the chairman of the board of directors in the event of absence or vacancy; (II) Measures to be adopted in the event of conflicts of interest; (III) Definition of a deadline with enough time in advance to receive materials for discussion at meetings, (IV) in appropriate detail. Partially Not Comply N/A Comply Comply 92.6.1 The Company should have an integration program for new members of the board of directors, structured in advance, so that such members are introduced to the Company’s key people and facilities that addresses topics key for understanding the Company’s business. Partially Not Comply N/A Comply Comply To integrate new members into the Board of Directors, the Company carries out an immersion program so that these members are introduced to key people and get to know our executive departments, for example, through presentations done by executives addressing the structure of several areas of expertise, as well as their main challenges. 2.7.1 The compensation of the members of the board of directors should be proportional to their duties, responsibilities and time demands. Compensation should not be based on meeting attendance, and any variable compensation of the members of the board should not be bound to short-term results. Partially Not Comply N/A Comply Comply THE BOARD OF DIRECTORS SHOULD HAVE AN INTERNAL CHARTER THAT SETS FORTH ITS RESPONSIBILITIES, DUTIES 2.8.1 AND RULES OF OPERATION, INCLUDING: The duties of the chairman of the board of directors; (I) Rules for replacing the chairman of the board of directors in the event of absence or vacancy; (II) Measures to be adopted in the event of conflicts of interest; (III) Definition of a deadline with enough time in advance to receive materials for discussion at meetings, (IV) in appropriate detail. Partially Not Comply N/A Comply Comply 9

2.9.1 The board of directors should establish an annual calendar with the dates of ordinary meetings, which should not be fewer than six or over twelve, in addition to calling extraordinary meetings, whenever necessary. this calendar should set forth an annual thematic agenda with relevant issues and dates for discussion. Partially Not Comply N/A Comply Comply 2.9.2 The meetings of the board of directors should provide for regular exclusive sessions for external board members, without the presence of the executives and other guests, to align the external board members and discuss topics that could cause embarrassment. Partially Not Comply N/A Comply Comply 2.9.3 The minutes of the meetings of the board of directors should be clearly drafted and include the decisions made, the names of attendees, any dissenting votes and abstentions. Partially Not Comply N/A Comply Comply The Internal Charter of the Company’s Board of Directors expressly establishes in item 6.8 that the minutes of the meetings should be clearly drafted and include the decisions made, the names of the attendees, any dissenting votes and abstentions. The Internal Charter of the Board of Directors is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Rules. WITHOUT PREJUDICE TO ITS LEGAL AND STATUTORY POWERS AND TO OTHER PRACTICES SET FORTH IN THIS CODE, 3.1.1 THE EXECUTIVE BOARD SHOULD: Follow the risk management policy and, whenever necessary, propose to the board of directors (I) any necessary revision of such policy, in view of changes to the risks to which the Company is exposed; 102.9.1 The board of directors should establish an annual calendar with the dates of ordinary meetings, which should not be fewer than six or over twelve, in addition to calling extraordinary meetings, whenever necessary. this calendar should set forth an annual thematic agenda with relevant issues and dates for discussion. Partially Not Comply N/A Comply Comply 2.9.2 The meetings of the board of directors should provide for regular exclusive sessions for external board members, without the presence of the executives and other guests, to align the external board members and discuss topics that could cause embarrassment. Partially Not Comply N/A Comply Comply 2.9.3 The minutes of the meetings of the board of directors should be clearly drafted and include the decisions made, the names of attendees, any dissenting votes and abstentions. Partially Not Comply N/A Comply Comply The Internal Charter of the Company’s Board of Directors expressly establishes in item 6.8 that the minutes of the meetings should be clearly drafted and include the decisions made, the names of the attendees, any dissenting votes and abstentions. The Internal Charter of the Board of Directors is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Rules. WITHOUT PREJUDICE TO ITS LEGAL AND STATUTORY POWERS AND TO OTHER PRACTICES SET FORTH IN THIS CODE, 3.1.1 THE EXECUTIVE BOARD SHOULD: Follow the risk management policy and, whenever necessary, propose to the board of directors (I) any necessary revision of such policy, in view of changes to the risks to which the Company is exposed; 10

Implement and maintain effective mechanisms, processes and programs to monitor and disclose (II) the financial and operating performance and the impacts of the Company’s activities on society and the environment. Partially Not Comply N/A Comply Comply 3.1.2 The executive board should have a dedicated charter establishing its structure, operation and roles and responsibilities. Partially Not Comply N/A Comply Comply 3.2.1 No executive positions or managerial positions should be reserved for direct appointment by Stockholders. Partially Not Comply N/A Comply Comply 3.3.1 The CEO should be evaluated, on an annual basis, in a formal process conducted by the board of directors, based on his/her achieving the financial and non-financial performance goals established by the board of directors for the Company. Partially Not Comply N/A Comply Comply Our CEO, is annually evaluated based on the verification of achievement of financial and non-financial performance targets. The evaluation of the CEO by the Board of Directors was included in the the Minute of meeting held on December 14, 2018. 11Implement and maintain effective mechanisms, processes and programs to monitor and disclose (II) the financial and operating performance and the impacts of the Company’s activities on society and the environment. Partially Not Comply N/A Comply Comply 3.1.2 The executive board should have a dedicated charter establishing its structure, operation and roles and responsibilities. Partially Not Comply N/A Comply Comply 3.2.1 No executive positions or managerial positions should be reserved for direct appointment by Stockholders. Partially Not Comply N/A Comply Comply 3.3.1 The CEO should be evaluated, on an annual basis, in a formal process conducted by the board of directors, based on his/her achieving the financial and non-financial performance goals established by the board of directors for the Company. Partially Not Comply N/A Comply Comply Our CEO, is annually evaluated based on the verification of achievement of financial and non-financial performance targets. The evaluation of the CEO by the Board of Directors was included in the the Minute of meeting held on December 14, 2018. 11

3.3.2 The results of the evaluation of other officers, including the CEO’s proposals of goals to be agreed and whether the executives should continue, be promoted or dismissed from their respective positions, should be submitted to, reviewed, discussed and approved by the board of directors. Partially Not Comply N/A Comply Comply The other officers are evaluated annually based on the verification of achievement of financial and non-financial performance targets. The evaluation report of our Executive Board, composed of Chief-Executive Officer, General Directors and Vice- Presidents, was included in the Minute of Board of Directors’ meeting held on February 28, 2019. 3.4.1 The compensation of the executive board should be defined through a compensation policy approved by the board of directors based on a formal and transparent procedure that takes into account the costs and risks involved. Partially Not Comply N/A Comply Comply Explanation on item 3.4.3. 3.4.2 The compensation of the executive board should be bound to results, with medium and long-term goals clearly and objectively related to the creation of long-term economic value for the Company. Partially Not Comply N/A Comply Comply Explanation on item 3.4.3. 123.3.2 The results of the evaluation of other officers, including the CEO’s proposals of goals to be agreed and whether the executives should continue, be promoted or dismissed from their respective positions, should be submitted to, reviewed, discussed and approved by the board of directors. Partially Not Comply N/A Comply Comply The other officers are evaluated annually based on the verification of achievement of financial and non-financial performance targets. The evaluation report of our Executive Board, composed of Chief-Executive Officer, General Directors and Vice- Presidents, was included in the Minute of Board of Directors’ meeting held on February 28, 2019. 3.4.1 The compensation of the executive board should be defined through a compensation policy approved by the board of directors based on a formal and transparent procedure that takes into account the costs and risks involved. Partially Not Comply N/A Comply Comply Explanation on item 3.4.3. 3.4.2 The compensation of the executive board should be bound to results, with medium and long-term goals clearly and objectively related to the creation of long-term economic value for the Company. Partially Not Comply N/A Comply Comply Explanation on item 3.4.3. 12

3.4.3 The incentive structure should be in line with the risk limits established by the board of directors and bar a single person from controlling the decision-making process and its respective inspection. Nobody should resolve on their own compensation. Partially Not Comply N/A Comply Comply Our compensation policy of management members aims at attracting, rewarding, retaining and encouraging management members to conduct our business in a sustainable way, within appropriate risk limits, and always in line with the Stockholders’ interests. Our compensation policy takes into account market practices, our strategy and the appropriate risk management over time so as not to encourage behaviors that increase the risk exposure above levels considered prudent. The governance structure that defines the compensation comprises clear and transparent processes. Accordingly, to achieve the aforementioned objectives and aiming at adopting the best governance practices introduced in Brazil and abroad, as well as ensuring the balance of risk management practices, we have a statutory Compensation Committee reporting to the Board of Directors, whose main duties in accordance with the Compensation Committee Internal Charter, are: (i) preparing a compensation policy, by proposing to the Board of Directors the many forms of fixed and variable compensation, in addition to benefits and special recruiting and termination programs; (ii) discussing, analyzing and overseeing the implementation andoperation of compensation models in place for the Itaú Unibanco Conglomerate, discussing the general principles of the employee compensation policy and recommending any corrections or improvement to the Board of Directors; (iii) proposing to the Board of Directors the aggregate compensation amount for management members to be submitted to the Annual General Stockholders’ Meeting; and (iv) preparing the “Compensation Committee Report” on an annual basis. The Compensation Committee Internal Charter is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Rules. THE STATUTORY AUDIT COMMITTEE SHOULD: 4.1.1 Have among its duties to advise the board of directors on the monitoring and control of the quality (I) of financial statements, on the internal controls, and on the risk management and compliance; Be made up mostly by independent members coordinated by an independent director; (II) Have at least one of its independent members with proven experience in the accounting-corporate, (III) internal controls, financial and auditing areas, in the aggregate; 133.4.3 The incentive structure should be in line with the risk limits established by the board of directors and bar a single person from controlling the decision-making process and its respective inspection. Nobody should resolve on their own compensation. Partially Not Comply N/A Comply Comply Our compensation policy of management members aims at attracting, rewarding, retaining and encouraging management members to conduct our business in a sustainable way, within appropriate risk limits, and always in line with the Stockholders’ interests. Our compensation policy takes into account market practices, our strategy and the appropriate risk management over time so as not to encourage behaviors that increase the risk exposure above levels considered prudent. The governance structure that defines the compensation comprises clear and transparent processes. Accordingly, to achieve the aforementioned objectives and aiming at adopting the best governance practices introduced in Brazil and abroad, as well as ensuring the balance of risk management practices, we have a statutory Compensation Committee reporting to the Board of Directors, whose main duties in accordance with the Compensation Committee Internal Charter, are: (i) preparing a compensation policy, by proposing to the Board of Directors the many forms of fixed and variable compensation, in addition to benefits and special recruiting and termination programs; (ii) discussing, analyzing and overseeing the implementation andoperation of compensation models in place for the Itaú Unibanco Conglomerate, discussing the general principles of the employee compensation policy and recommending any corrections or improvement to the Board of Directors; (iii) proposing to the Board of Directors the aggregate compensation amount for management members to be submitted to the Annual General Stockholders’ Meeting; and (iv) preparing the “Compensation Committee Report” on an annual basis. The Compensation Committee Internal Charter is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Rules. THE STATUTORY AUDIT COMMITTEE SHOULD: 4.1.1 Have among its duties to advise the board of directors on the monitoring and control of the quality (I) of financial statements, on the internal controls, and on the risk management and compliance; Be made up mostly by independent members coordinated by an independent director; (II) Have at least one of its independent members with proven experience in the accounting-corporate, (III) internal controls, financial and auditing areas, in the aggregate; 13

Have its own budget to engage advisors on accounting, legal and other topics, when the opinion (IV) of an external expert is required. Partially Not Comply N/A Comply Comply (I) The statutory Audit Committee watches over the quality and completeness of the financial statements, the compliance with legal and regulatory requirements, the operation, independence and quality of the work carried out by the independent auditor, the operation, independence and quality of the work carried out by the Internal Audit function, and the quality and effectiveness of the internal controls and risk management systems. (II) All members of the Audit Committee are independent, according to Brazilian Nacional Monetary Council regulations, and the Board of Directors is entitled to end the term of office of any member if their independence is impaired by any conflicting circumstances. The Committee’s chairman is an independent member of the Board of Directors. (III) The members of the Audit Committee are elected annually by the Board of Directors among the members of the Board of Directors itself or among professionals of reputed capacity and remarkable knowledge, provided that at least one of these members will be nominated as a Financial Expert and must have proven knowledge of the accounting and auditing areas. (IV) The Audit Committee Charter sets forth that the Board of Directors defines the remuneration of the Committee’s members, as well as the budget intended to cover expenses on its operation, including a forecast for the engagement of external experts to help the Committee comply with its duties. 4.2.1 The fiscal council should have a dedicated charter describing its structure, operation, work program, roles and responsibilities, without hindering the performance of its individual members. Partially Not Comply N/A Comply Comply 4.2.2 The minutes of the fiscal council meetings should follow the same disclosure rules applicable to the board of directors’ minutes. Partially Not Comply N/A Comply Comply 14Have its own budget to engage advisors on accounting, legal and other topics, when the opinion (IV) of an external expert is required. Partially Not Comply N/A Comply Comply (I) The statutory Audit Committee watches over the quality and completeness of the financial statements, the compliance with legal and regulatory requirements, the operation, independence and quality of the work carried out by the independent auditor, the operation, independence and quality of the work carried out by the Internal Audit function, and the quality and effectiveness of the internal controls and risk management systems. (II) All members of the Audit Committee are independent, according to Brazilian Nacional Monetary Council regulations, and the Board of Directors is entitled to end the term of office of any member if their independence is impaired by any conflicting circumstances. The Committee’s chairman is an independent member of the Board of Directors. (III) The members of the Audit Committee are elected annually by the Board of Directors among the members of the Board of Directors itself or among professionals of reputed capacity and remarkable knowledge, provided that at least one of these members will be nominated as a Financial Expert and must have proven knowledge of the accounting and auditing areas. (IV) The Audit Committee Charter sets forth that the Board of Directors defines the remuneration of the Committee’s members, as well as the budget intended to cover expenses on its operation, including a forecast for the engagement of external experts to help the Committee comply with its duties. 4.2.1 The fiscal council should have a dedicated charter describing its structure, operation, work program, roles and responsibilities, without hindering the performance of its individual members. Partially Not Comply N/A Comply Comply 4.2.2 The minutes of the fiscal council meetings should follow the same disclosure rules applicable to the board of directors’ minutes. Partially Not Comply N/A Comply Comply 14

4.3.1 The Company should establish a policy to engage non-related audit services from its independent auditors, approved by the board of directors, to bar the engagement of non-related audit services that might compromise the auditors’ independence. The Company should not engage independent auditors who have provided internal audit services for the Company for the last three years. Partially Not Comply N/A Comply Comply 4.3.2 The independent audit team should report to the board of directors, through the audit committee, if applicable. The audit committee should monitor the effectiveness of the independent auditors’ work, as well as its independence. It should also assess and discuss the independent auditor’s annual work plan and submit it for appreciation of the board of directors. Partially Not Comply N/A Comply Comply 4.4.1 The Company should have an internal audit function reporting directly to the board of directors. Partially Not Comply N/A Comply Comply The Internal Audit function reports, on the administrative level, to our Board of Directors, and its activities are monitored by the Audit Committee. The Internal Audit purpose is to evaluate the activities developed, through audit techniques, allowing management to assess the adequacy of controls, the risk management effectiveness, the reliability of financial statements and the compliance with rules and regulations. The Internal Audit function has an agenda of activities that includes meetings with the Audit Committee, the Executive Committee and the Board of Directors. 154.3.1 The Company should establish a policy to engage non-related audit services from its independent auditors, approved by the board of directors, to bar the engagement of non-related audit services that might compromise the auditors’ independence. The Company should not engage independent auditors who have provided internal audit services for the Company for the last three years. Partially Not Comply N/A Comply Comply 4.3.2 The independent audit team should report to the board of directors, through the audit committee, if applicable. The audit committee should monitor the effectiveness of the independent auditors’ work, as well as its independence. It should also assess and discuss the independent auditor’s annual work plan and submit it for appreciation of the board of directors. Partially Not Comply N/A Comply Comply 4.4.1 The Company should have an internal audit function reporting directly to the board of directors. Partially Not Comply N/A Comply Comply The Internal Audit function reports, on the administrative level, to our Board of Directors, and its activities are monitored by the Audit Committee. The Internal Audit purpose is to evaluate the activities developed, through audit techniques, allowing management to assess the adequacy of controls, the risk management effectiveness, the reliability of financial statements and the compliance with rules and regulations. The Internal Audit function has an agenda of activities that includes meetings with the Audit Committee, the Executive Committee and the Board of Directors. 15

4.4.2 If this activity is outsourced, the internal audit services should not be provided by the same firm that audits the financial statements of the Company. The Company should not hire internal audit services from any independent auditors who have provided internal audit services for the Company for the last three years. Partially Not Comply N/A Comply Comply 4.5.1 The Company should adopt a risk management policy, approved by the board of directors, that includes a definition of the risks for which a protection is sought, the instruments used accordingly, the organizational structure for risk management, the assessment of the adequacy of the operational structure and internal controls when checking its effectiveness, in addition to define guidelines to establish acceptable limits for the Company’s exposure to these risks. Partially Not Comply N/A Comply Comply Explanation on item 4.5.3. 4.5.2 The board of directors should ensure that the executive board have mechanisms and internal controls to get to know, assess and control risks to keep these risks at levels consistent with the defined limits, including a compliance program aimed at complying with the laws, regulations, and external and internal rules. Partially Not Comply N/A Comply Comply Explanation on item 4.5.3. 164.4.2 If this activity is outsourced, the internal audit services should not be provided by the same firm that audits the financial statements of the Company. The Company should not hire internal audit services from any independent auditors who have provided internal audit services for the Company for the last three years. Partially Not Comply N/A Comply Comply 4.5.1 The Company should adopt a risk management policy, approved by the board of directors, that includes a definition of the risks for which a protection is sought, the instruments used accordingly, the organizational structure for risk management, the assessment of the adequacy of the operational structure and internal controls when checking its effectiveness, in addition to define guidelines to establish acceptable limits for the Company’s exposure to these risks. Partially Not Comply N/A Comply Comply Explanation on item 4.5.3. 4.5.2 The board of directors should ensure that the executive board have mechanisms and internal controls to get to know, assess and control risks to keep these risks at levels consistent with the defined limits, including a compliance program aimed at complying with the laws, regulations, and external and internal rules. Partially Not Comply N/A Comply Comply Explanation on item 4.5.3. 16

4.5.3 The executive board should assess at least once a year the effectiveness of the risk management and internal control policies and systems, as well as the compliance programs, and submit this assessment to the board of directors. Partially Not Comply N/A Comply Comply The Board of Directors is the highest authority with respect to risk management, which duty is to set up the Company’s risk appetite levels under the risk appetite policy. Under the risk appetite structure, the Company defi nes a set of measures that captures the key dimensions of major risks, and the process to define such measures, its limits and the risk appetite requires interactions between executives and the Board of Directors. With the purpose of helping the Board of Directors, the Company established a Risk and Capital Management Committee to submit to the Board of Directors the types of risks to which the Company may be exposed, as well as risk limits and guidelines on the tolerance to risks that may impact the business strategy. The Risk and Capital Management Committee is responsible for supporting the Board of Directors in the performance of its responsibilities related to risk and capital management of the Company, submitting to the Board’s deliberation reports and recommendations on topics such as: approval and review, at least done annually, of the policies, strategies and of risk ad capital management limits; the definition of the Company’s risk appetite, ensuring alignment with the strategy, including acceptable tolerance levels and types of risk to which the Company may be exposed and, finally, the supervision of compliance with the terms of the Company’s risk appetite. At the executive level, the risk and capital management is carried out by Senior Committees chaired by the CEO of Itaú Unibanco. Through the level of commissions and committees, risks are first discussed at lower levels of authority and, if the level of authority for this topic is higher or the topic is deemed of high importance, it will be submitted to its respective higher level of authority, being taken to the Board of Directors. Commissions and committees use materials that include recurring and specific risk and capital management reports, including elements relevant to each body, and these materials are made available to the members of the Board of Directors. The main risk and capital report is the risk appetite report, prepared at the Risk and Capital Management Committee and periodically submitted to the Audit Committee. 5.1.1 The Company should have an independent and self-governing conduct committee, reporting directly to the board of directors, responsible for implementing, transmitting, training, reviewing and updating the code of conduct and the whistleblowing channel, as well as for carrying out inquiries and proposing corrective measures in connection with any violations to the code of conduct. Partially Not Comply N/A Comply Comply The Audit Committee works as a Conduct Committee as it has been designated by the Code of Ethics as responsible for monitoring the Integrity and Ethics Corporate Program, by way of reports from the Internal Audit, Internal Controls and Compliance, Corporate Security Office and Ombudsman Of fice, as well as through other mechanisms available. The Audit Committee reports directly to the Board of Directors and is made up of independent members, as set forth by the Brazilian National Monetary Council regulation. Additionally, this governance includes the Integrity and Ethics Bodies, which monitor the guidelines of Itaú Unibanco’ s Code of Ethics and the Corporate Conduct, Integrity and Ethics Policy through way of the actions of the Corporate Integrity and Ethics Program. 174.5.3 The executive board should assess at least once a year the effectiveness of the risk management and internal control policies and systems, as well as the compliance programs, and submit this assessment to the board of directors. Partially Not Comply N/A Comply Comply The Board of Directors is the highest authority with respect to risk management, which duty is to set up the Company’s risk appetite levels under the risk appetite policy. Under the risk appetite structure, the Company defi nes a set of measures that captures the key dimensions of major risks, and the process to define such measures, its limits and the risk appetite requires interactions between executives and the Board of Directors. With the purpose of helping the Board of Directors, the Company established a Risk and Capital Management Committee to submit to the Board of Directors the types of risks to which the Company may be exposed, as well as risk limits and guidelines on the tolerance to risks that may impact the business strategy. The Risk and Capital Management Committee is responsible for supporting the Board of Directors in the performance of its responsibilities related to risk and capital management of the Company, submitting to the Board’s deliberation reports and recommendations on topics such as: approval and review, at least done annually, of the policies, strategies and of risk ad capital management limits; the definition of the Company’s risk appetite, ensuring alignment with the strategy, including acceptable tolerance levels and types of risk to which the Company may be exposed and, finally, the supervision of compliance with the terms of the Company’s risk appetite. At the executive level, the risk and capital management is carried out by Senior Committees chaired by the CEO of Itaú Unibanco. Through the level of commissions and committees, risks are first discussed at lower levels of authority and, if the level of authority for this topic is higher or the topic is deemed of high importance, it will be submitted to its respective higher level of authority, being taken to the Board of Directors. Commissions and committees use materials that include recurring and specific risk and capital management reports, including elements relevant to each body, and these materials are made available to the members of the Board of Directors. The main risk and capital report is the risk appetite report, prepared at the Risk and Capital Management Committee and periodically submitted to the Audit Committee. 5.1.1 The Company should have an independent and self-governing conduct committee, reporting directly to the board of directors, responsible for implementing, transmitting, training, reviewing and updating the code of conduct and the whistleblowing channel, as well as for carrying out inquiries and proposing corrective measures in connection with any violations to the code of conduct. Partially Not Comply N/A Comply Comply The Audit Committee works as a Conduct Committee as it has been designated by the Code of Ethics as responsible for monitoring the Integrity and Ethics Corporate Program, by way of reports from the Internal Audit, Internal Controls and Compliance, Corporate Security Office and Ombudsman Of fice, as well as through other mechanisms available. The Audit Committee reports directly to the Board of Directors and is made up of independent members, as set forth by the Brazilian National Monetary Council regulation. Additionally, this governance includes the Integrity and Ethics Bodies, which monitor the guidelines of Itaú Unibanco’ s Code of Ethics and the Corporate Conduct, Integrity and Ethics Policy through way of the actions of the Corporate Integrity and Ethics Program. 17

PREPARED BY THE EXECUTIVE BOARD, SUPPORTED BY THE CONDUCT COMMITTEE AND APPROVED BY THE BOARD 5.1.2 OF DIRECTORS, THE CODE OF CONDUCT SHOULD: Govern the internal and external relations of the Company, by expressing the commitment (I) expected from the Company, its directors, officers, Stockholders, employees, suppliers and stakeholders with the adoption of proper conduct standards; Manage conflict s of int erest and provide for the abstention of the member of the boar d of directors, (II) the audit committee and/or the conduct committee, if any, which, if applicable, is confl icted; Clearly defi ne the scope and reach of actions intended to determine the occurrence of situations construed (III) as carried out with the use of inside information (e.g.: use of inside information for business purposes or for gaining the upper hand when trading securities); Establish that ethical principles be the basis of negotiating contracts, agreements, proposals to amend (IV) bylaws, as well as policies that guide the entire Company, and establish a maximum value for goods or services from third parties that management members and employees may accept on a gratuitous or favored basis. Partially Not Comply N/A Comply Comply 18PREPARED BY THE EXECUTIVE BOARD, SUPPORTED BY THE CONDUCT COMMITTEE AND APPROVED BY THE BOARD 5.1.2 OF DIRECTORS, THE CODE OF CONDUCT SHOULD: Govern the internal and external relations of the Company, by expressing the commitment (I) expected from the Company, its directors, officers, Stockholders, employees, suppliers and stakeholders with the adoption of proper conduct standards; Manage conflict s of int erest and provide for the abstention of the member of the boar d of directors, (II) the audit committee and/or the conduct committee, if any, which, if applicable, is confl icted; Clearly defi ne the scope and reach of actions intended to determine the occurrence of situations construed (III) as carried out with the use of inside information (e.g.: use of inside information for business purposes or for gaining the upper hand when trading securities); Establish that ethical principles be the basis of negotiating contracts, agreements, proposals to amend (IV) bylaws, as well as policies that guide the entire Company, and establish a maximum value for goods or services from third parties that management members and employees may accept on a gratuitous or favored basis. Partially Not Comply N/A Comply Comply 18

5.1.3 The whistleblowing channel should be independent, self-contained and unbiased, operating working guidelines defined by the executive board and approved by the board of directors. It should be operated on an independent and unbiased way, and preserve the anonymity of its users, in addition to timely investigate and take the measures required accordingly. This service may be carried out by a third party of reputed capacity. Partially Not Comply N/A Comply Comply The Code of Ethics is a public document, approved by the Board of Directors, applied indistinctly to all management members and employees of the Conglomerate in Brazil and abroad. This document encourages the timely reporting of actual facts or suspected violation of guidelines, laws, regulations or standards, and advises that each employee’s commitment with the Code’s guidelines is the foundation of our soundness and longevity. The Code discloses four whistleblowing and/or guiding channels, each with its own specifications. Guidelines common to these channels are as follows: The secrecy of the investigation is strictly kept; anonymity is ensured for those who want it; investigation is carried out on an independent and unbiased way, charges or accusations with no consistent reasoning are brushed aside; malicious charges or accusations aimed at harming a person are subject to disciplinary sanctions; and disciplinary sanctions are to be applied against any attempted retaliation. These reporting channels available are internal and have the following attributions: a. Ethics Consultancy: channel available to employees for guidance and solving doubts on ethical issues, such as conflicts of interest and ethical dilemmas. b. Audit Committee: a channel available to internal employees and the public to receive suspected or actual reports on any noncompliance with legal and regulatory provisions and internal rules, frauds committed by management members, employees or third parties, or errors resulting in significant misstatements. c. Inspector Office: a channel available to internal employees and the public to receive reports on frauds and other illicit acts, including corruption acts. d. Internal Ombudsman’s Office: a channel available to employees to receive and handle interpersonal conflicts and conflicts of interest in the workplace, ethical misconduct and nonconformities with related institutional policies carried out by management members and employees. 5.2.1 The Company’s governance rules should watch over the clear segregation and definition of functions, roles and responsibilities associated with the mandates of all governance agents. the levels of authority for decision making of each level to minimize possible conflicts of interests should also be defined. Partially Not Comply N/A Comply Comply Ours governance rules are published at the our Corporate Governance Policy, which sets forth the clear segregation and definition of functions of all governance agents. Additionally, the Code of Ethics and the Corporate Conduct, Integrity and Ethics Policy have specific provisions on conflicts of interest, including mechanisms adopted by us to prevent them. All these documents are available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies. 195.1.3 The whistleblowing channel should be independent, self-contained and unbiased, operating working guidelines defined by the executive board and approved by the board of directors. It should be operated on an independent and unbiased way, and preserve the anonymity of its users, in addition to timely investigate and take the measures required accordingly. This service may be carried out by a third party of reputed capacity. Partially Not Comply N/A Comply Comply The Code of Ethics is a public document, approved by the Board of Directors, applied indistinctly to all management members and employees of the Conglomerate in Brazil and abroad. This document encourages the timely reporting of actual facts or suspected violation of guidelines, laws, regulations or standards, and advises that each employee’s commitment with the Code’s guidelines is the foundation of our soundness and longevity. The Code discloses four whistleblowing and/or guiding channels, each with its own specifications. Guidelines common to these channels are as follows: The secrecy of the investigation is strictly kept; anonymity is ensured for those who want it; investigation is carried out on an independent and unbiased way, charges or accusations with no consistent reasoning are brushed aside; malicious charges or accusations aimed at harming a person are subject to disciplinary sanctions; and disciplinary sanctions are to be applied against any attempted retaliation. These reporting channels available are internal and have the following attributions: a. Ethics Consultancy: channel available to employees for guidance and solving doubts on ethical issues, such as conflicts of interest and ethical dilemmas. b. Audit Committee: a channel available to internal employees and the public to receive suspected or actual reports on any noncompliance with legal and regulatory provisions and internal rules, frauds committed by management members, employees or third parties, or errors resulting in significant misstatements. c. Inspector Office: a channel available to internal employees and the public to receive reports on frauds and other illicit acts, including corruption acts. d. Internal Ombudsman’s Office: a channel available to employees to receive and handle interpersonal conflicts and conflicts of interest in the workplace, ethical misconduct and nonconformities with related institutional policies carried out by management members and employees. 5.2.1 The Company’s governance rules should watch over the clear segregation and definition of functions, roles and responsibilities associated with the mandates of all governance agents. the levels of authority for decision making of each level to minimize possible conflicts of interests should also be defined. Partially Not Comply N/A Comply Comply Ours governance rules are published at the our Corporate Governance Policy, which sets forth the clear segregation and definition of functions of all governance agents. Additionally, the Code of Ethics and the Corporate Conduct, Integrity and Ethics Policy have specific provisions on conflicts of interest, including mechanisms adopted by us to prevent them. All these documents are available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies. 19

5.2.2 The Company’s governance rules should be made public and determine that any person who is not independent regarding the issue under discussion or resolution in the Company’s management or inspection bodies should state, on a timely basis, their conflict of interest or interest in particular. If they fails to do so, these rules determine that another knowing person may bring such conflict into light and that as soon as this conflict of interest regarding a specific topic is identified, the involved person keeps away, even physically, from such discussions and resolutions. These rules define that this temporary seclusion be registered in the minutes. Partially Not Comply N/A Comply Comply The Charter of the Board of Directors includes an express provision establishing rules to prevent possible confl icts, such as the impediment of members of the Board of Directors take part in resolutions related to topics with which their interests confl ict with those of the Company. Each member should report to the Board of Directors any conflict of interest he/she has as soon as this topic is included in the agenda or proposed by the Board of Directors’ Chairman and, anyway, before the beginning of any discussion on each topic accordingly. Furthermore, the Bylaws provide that the Board of Directors shall terminate the term of office of any member of the Audit Committee if its independence has been affected by any circumstance of conflict or potentially conflictive. Finally, the Transactions with Related Parties Policy expressly provides that in situations where a member involved in the approval of the transaction is prevented from deliberating on the matter due to a potential conflict of interest, said member must declare themselves impeded, explaining their involvement in the transaction and providing details on the transaction and the parties involved. The impediment must be reported in the document with the resolutions on the transaction.The policy is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Policies. 5.2.3 The Company should have mechanisms to manage conflicts of interest in the voting submitted to the general meeting, to receive and deal with alleged conflicts of interest, and to annul votes cast in such conflicting situations, even if subsequently to the voting. Partially Not Comply N/A Comply Comply The Company’s Shareholders Manual expressly provides that during the General Meeting, as is the case at meetings of the Company’s management and supervisory bodies, the Shareholders present shall express their opinion on the existence of a possible conflict of interest situation in any matters in discussion or deliberation, which their independence will be compromised. Also, any present shareholder who has knowledge of a conflicting situation in relation to another shareholder and the subject matter of the resolution must also be declared. When the conflict of interest is manifested, the conflicting shareholder shall refrain from deliberating on that matter. If the conflicting shareholder refuses to abstain from deliberations, the chairman of the General Meeting shall determine the annulment of the conflicting votes, even after the conclave. The Company’s Shareholders Manual is available on our Investor Relations website: www.itau.com.br/investor-relations > Reports > Brazilian Securities and Exchange Commission (CVM). 205.2.2 The Company’s governance rules should be made public and determine that any person who is not independent regarding the issue under discussion or resolution in the Company’s management or inspection bodies should state, on a timely basis, their conflict of interest or interest in particular. If they fails to do so, these rules determine that another knowing person may bring such conflict into light and that as soon as this conflict of interest regarding a specific topic is identified, the involved person keeps away, even physically, from such discussions and resolutions. These rules define that this temporary seclusion be registered in the minutes. Partially Not Comply N/A Comply Comply The Charter of the Board of Directors includes an express provision establishing rules to prevent possible confl icts, such as the impediment of members of the Board of Directors take part in resolutions related to topics with which their interests confl ict with those of the Company. Each member should report to the Board of Directors any conflict of interest he/she has as soon as this topic is included in the agenda or proposed by the Board of Directors’ Chairman and, anyway, before the beginning of any discussion on each topic accordingly. Furthermore, the Bylaws provide that the Board of Directors shall terminate the term of office of any member of the Audit Committee if its independence has been affected by any circumstance of conflict or potentially conflictive. Finally, the Transactions with Related Parties Policy expressly provides that in situations where a member involved in the approval of the transaction is prevented from deliberating on the matter due to a potential conflict of interest, said member must declare themselves impeded, explaining their involvement in the transaction and providing details on the transaction and the parties involved. The impediment must be reported in the document with the resolutions on the transaction.The policy is available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Policies. 5.2.3 The Company should have mechanisms to manage conflicts of interest in the voting submitted to the general meeting, to receive and deal with alleged conflicts of interest, and to annul votes cast in such conflicting situations, even if subsequently to the voting. Partially Not Comply N/A Comply Comply The Company’s Shareholders Manual expressly provides that during the General Meeting, as is the case at meetings of the Company’s management and supervisory bodies, the Shareholders present shall express their opinion on the existence of a possible conflict of interest situation in any matters in discussion or deliberation, which their independence will be compromised. Also, any present shareholder who has knowledge of a conflicting situation in relation to another shareholder and the subject matter of the resolution must also be declared. When the conflict of interest is manifested, the conflicting shareholder shall refrain from deliberating on that matter. If the conflicting shareholder refuses to abstain from deliberations, the chairman of the General Meeting shall determine the annulment of the conflicting votes, even after the conclave. The Company’s Shareholders Manual is available on our Investor Relations website: www.itau.com.br/investor-relations > Reports > Brazilian Securities and Exchange Commission (CVM). 20

5.3.1 The bylaws should define which transactions with related parties should be approved by the board of directors, with the exclusion of any members with potentially conflicting interests. Partially Not Comply N/A Comply Comply THE BOARD OF DIRECTORS SHOULD APPROVE AND IMPLEMENT A TRANSACTIONS WITH RELATED-PARTIES POLICY, 5.3.2 WHICH INCLUDES, AMONG OTHER PROVISIONS: Previous to the approval of specific transactions or guidelines for entering into transactions, the board (I) of directors should request to the executive board market alternatives to the transaction with related parties, adjusted by the risk factors involved; Bar any ways of remuneration to advisors, consultants or intermediaries that give rise to (II) conflicts of interest with the Company, management members, Stockholders or types of Stockholders; Bar any loans granted for the controlling party and management members; (III) Any transactions with related-parties that should be supported by independent appraisal reports prepared (IV) without the participation of any party involved in such operation, whether a bank, lawyer, specialized consulting Company, among others, based on realistic assumptions and information supported by third parties; Corporate restructuring involving related parties should ensure equitable treatment for all Stockholders. (V) Partially Not Comply N/A Comply Comply Our Transactions with Related Parties Policy, approved by the Board of Directors, is in line with the guidelines of the Brazilian Corporate Governance Code, except for the prohibition of loans in favor of the controlling and the administrators, which are now allowed under Law 4,595/64 and Resolution of the National Monetary Council 4,693/18 always obeying market conditions and limits established in the regulations in force. Our Transactions with Related Parties Policy defines the concept of related party and the rules and procedures for transactions of this type. This policy establishes that such transactions must be executed in writing, under market conditions and disclosed in the financial statements, in accordance with the materiality criteria defined by accounting standards. Transactions with related parties involving amounts higher than R$1.0 million should be approved by the Related Parties Committee, which is entirely composed of Board of Directors’ independent members. In addition, these transactions will be reported on a quarterly basis to the Board of Directors. The full text of the Transactions with Related Parties Policy is available on our Investor Relations website: www.itau.com.br/ investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Policies. 215.3.1 The bylaws should define which transactions with related parties should be approved by the board of directors, with the exclusion of any members with potentially conflicting interests. Partially Not Comply N/A Comply Comply THE BOARD OF DIRECTORS SHOULD APPROVE AND IMPLEMENT A TRANSACTIONS WITH RELATED-PARTIES POLICY, 5.3.2 WHICH INCLUDES, AMONG OTHER PROVISIONS: Previous to the approval of specific transactions or guidelines for entering into transactions, the board (I) of directors should request to the executive board market alternatives to the transaction with related parties, adjusted by the risk factors involved; Bar any ways of remuneration to advisors, consultants or intermediaries that give rise to (II) conflicts of interest with the Company, management members, Stockholders or types of Stockholders; Bar any loans granted for the controlling party and management members; (III) Any transactions with related-parties that should be supported by independent appraisal reports prepared (IV) without the participation of any party involved in such operation, whether a bank, lawyer, specialized consulting Company, among others, based on realistic assumptions and information supported by third parties; Corporate restructuring involving related parties should ensure equitable treatment for all Stockholders. (V) Partially Not Comply N/A Comply Comply Our Transactions with Related Parties Policy, approved by the Board of Directors, is in line with the guidelines of the Brazilian Corporate Governance Code, except for the prohibition of loans in favor of the controlling and the administrators, which are now allowed under Law 4,595/64 and Resolution of the National Monetary Council 4,693/18 always obeying market conditions and limits established in the regulations in force. Our Transactions with Related Parties Policy defines the concept of related party and the rules and procedures for transactions of this type. This policy establishes that such transactions must be executed in writing, under market conditions and disclosed in the financial statements, in accordance with the materiality criteria defined by accounting standards. Transactions with related parties involving amounts higher than R$1.0 million should be approved by the Related Parties Committee, which is entirely composed of Board of Directors’ independent members. In addition, these transactions will be reported on a quarterly basis to the Board of Directors. The full text of the Transactions with Related Parties Policy is available on our Investor Relations website: www.itau.com.br/ investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Policies. 21

5.4.1 The Company should adopt, as resolved by the board of directors, a policy for trading securities issued by the Company, which, without prejudice to the adherence to the CVM rules, establishes controls to achieve the monitoring of trades done, as well as the inquiry and sanctions against those responsible for noncompliance with such policy. Partially Not Comply N/A Comply Comply We have a Policy for Trading Securities that provides for guidelines and procedures to be followed by the Company and related persons in connection with the trading of securities issued by the Company and its subsidiaries (in Brazil or abroad), including sanctions applicable in the event of violation thereto. The Policy sets forth that bound persons are responsible for, among others: (i) keeping secrecy about information related to a material fact pertaining to the Company and its subsidiaries and refraining from using it to gain the upper hand, for their own benefi t or the benefi t of others, in the securities market, ensuring that subordinates and third parties he/she trusts keep secrecy about such information and refrain from using it, being held jointly and severally liable in the event of any noncompliance therewith; and (ii) making exclusive use of the Conglomerate’s brokers to trade the securities under this Policy, which have controls in Brazil to prevent trading during blackout periods. The Compliance area monitors the adherence to the Policy and the trading of securities issued by the Conglomerate. Any noncompliance is investigated and submitted to ours Integrity and Ethics Committee and Disclosure and Trading Committee accordingly. The Policy Regarding the Disclosure of Material Information also sets other mechanisms to control the information secrecy in connection with material facts, such as: (i) bound persons should ensure the safety of the means of storage and transmission of material information (emails, files, etc.), avoiding any type of unauthorized access, and should also restrict the forwarding of information not properly protected to third parties. Material information should always be discussed in restricted and non-public places; and (ii) in attachment to the process that gave rise to the material fact, a list of the bound persons who became knowledgeable of the information before its disclosure should be filed accordingly. 5.5.1 In order to ensure greater transparency in the use of the Company’s resources, a policy should be prepared on its voluntary contributions, including those related to political activities, to be approved by the board of directors and carried out by the executive board, containing clear and objective principles and rules. Partially Not Comply N/A Comply Comply In addition to other corporate policies, such as the Donations Policy and the Sponsorships Policy, note of worth is the Government and Institutional Relations Policy, approved on October 25, 2018, which establishes that it is prohibited to contribute, directly or indirectly, by all companies of the Conglomerate in Brazil and abroad for electoral campaigns, candidates for public offices and political parties. The Code of Ethics and the Corporate Conduct, Integrity and Ethics Policy also has provisions on voluntary contributions. The above documents are available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies. 225.4.1 The Company should adopt, as resolved by the board of directors, a policy for trading securities issued by the Company, which, without prejudice to the adherence to the CVM rules, establishes controls to achieve the monitoring of trades done, as well as the inquiry and sanctions against those responsible for noncompliance with such policy. Partially Not Comply N/A Comply Comply We have a Policy for Trading Securities that provides for guidelines and procedures to be followed by the Company and related persons in connection with the trading of securities issued by the Company and its subsidiaries (in Brazil or abroad), including sanctions applicable in the event of violation thereto. The Policy sets forth that bound persons are responsible for, among others: (i) keeping secrecy about information related to a material fact pertaining to the Company and its subsidiaries and refraining from using it to gain the upper hand, for their own benefi t or the benefi t of others, in the securities market, ensuring that subordinates and third parties he/she trusts keep secrecy about such information and refrain from using it, being held jointly and severally liable in the event of any noncompliance therewith; and (ii) making exclusive use of the Conglomerate’s brokers to trade the securities under this Policy, which have controls in Brazil to prevent trading during blackout periods. The Compliance area monitors the adherence to the Policy and the trading of securities issued by the Conglomerate. Any noncompliance is investigated and submitted to ours Integrity and Ethics Committee and Disclosure and Trading Committee accordingly. The Policy Regarding the Disclosure of Material Information also sets other mechanisms to control the information secrecy in connection with material facts, such as: (i) bound persons should ensure the safety of the means of storage and transmission of material information (emails, files, etc.), avoiding any type of unauthorized access, and should also restrict the forwarding of information not properly protected to third parties. Material information should always be discussed in restricted and non-public places; and (ii) in attachment to the process that gave rise to the material fact, a list of the bound persons who became knowledgeable of the information before its disclosure should be filed accordingly. 5.5.1 In order to ensure greater transparency in the use of the Company’s resources, a policy should be prepared on its voluntary contributions, including those related to political activities, to be approved by the board of directors and carried out by the executive board, containing clear and objective principles and rules. Partially Not Comply N/A Comply Comply In addition to other corporate policies, such as the Donations Policy and the Sponsorships Policy, note of worth is the Government and Institutional Relations Policy, approved on October 25, 2018, which establishes that it is prohibited to contribute, directly or indirectly, by all companies of the Conglomerate in Brazil and abroad for electoral campaigns, candidates for public offices and political parties. The Code of Ethics and the Corporate Conduct, Integrity and Ethics Policy also has provisions on voluntary contributions. The above documents are available on our Investor Relations website: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies. 22

5.5.2 This policy should set forth that the board of directors is the body responsible for approving all expenditures related to political activities. Partially Not C Comply omply N N/A /A Comply Comply 5.5.3 The policy on voluntary contributions of government-controlled companies or companies with recurring, material business relations with the government should bar any contributions or donations to political parties or persons bound to the latter, even if permitted by law. Partially Not C Comply omply N/A Comply Comply 235.5.2 This policy should set forth that the board of directors is the body responsible for approving all expenditures related to political activities. Partially Not C Comply omply N N/A /A Comply Comply 5.5.3 The policy on voluntary contributions of government-controlled companies or companies with recurring, material business relations with the government should bar any contributions or donations to political parties or persons bound to the latter, even if permitted by law. Partially Not C Comply omply N/A Comply Comply 23