Exhibit 99.1

ITAÚ UNIBANCO HOLDING S.A.

CNPJ 60.872.504/0001-23

Publicly-Held

NIRE 35300010230

PUBLIC ACCESS REPORT - MARKET RISK MANAGEMENT AND CONTROL POLICY

OBJECTIVE

Establish the market risk management and control framework of Itaú Unibanco Holding S.A. (Itaú Unibanco) following the applicable regulations and best market practices.

TARGET AUDIENCE

This policy applies to all employees and activities of the conglomerate that result in exposure to market risk, impacting Itaú Unibanco Holding and its subsidiaries.

Market risk control covers all positions of the portfolios of financial and non-financial companies belonging to Itaú Unibanco in Brazil and at the International Units.

It does not apply to the market risk of customer portfolios managed by the bank and/or Trust management (e.g. Wealth Management & Services - WMS funds).

INTRODUCTION

Market risk is the possibility of losses arising from the fluctuation in market prices of positions held by an institution, including the risks of transactions subject to fluctuations in exchange rates, interest rates, stock prices, price indices and commodity prices.

Market risk depends on the behavior of the asset price in the face of market conditions. In addition to the treasury function, which buys and sells securities, other functions may impact the market risk assumed by the bank: for example, the procurement department, when purchasing in foreign currency, or even the marketing department, when undertaking to sponsor, for instance, the Brazilian soccer team.

Market risk control is based mainly on the following metrics:

Value at Risk (VaR): a statistical measure that quantifies the maximum potential financial loss expected under normal market conditions, taking into account a certain time horizon and confidence interval.

For example, the VaR for a given day may be R$5,000,000.00 considering a confidence interval of 99%. This means that the bank has 99% confidence that loss on that day will not be greater than that amount.

Mark to Market (MtM / Pricing): marking to market or pricing securities means updating the amounts of transactions that make up the bank’s portfolio using the best available values.

These metrics, among others, are used to set thresholds and trigger alerts for the department.

GUIDELINES


Market risk control processes shall strictly follow the principles defined in this policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco’s market risk management and control framework shall:

Ensure the use of integral databases that reflect the business conducted based on duly approved products, which ensure correct information and calculations, from registration to recording in books;

Apply models that reflect best market practices;

Ensure that portfolio pricing is preferably based on quotations observed in financial markets, captured through integral external sources. When there is no price available, the calculation shall be made through a pricing model that represents a fair valuation of positions. In such cases, these assessments shall be consistent and verifiable, and market benchmarks and data used in the assessment shall be regularly reviewed.

Calculate the results of marked-to-market portfolio positions following the bank’s model governance.

Have risk control functions responsible for defining and applying pricing parameters, independently from the business areas.

Establish and ensure that the processes and systems adopted to measure, monitor and control exposure to market risk:

- Are compatible with the nature of transactions, the complexity of products and the size of the institution’s exposure to market risk;

- Contain all sources of market risk, and

- Generate timely risk exposure reports for the business units, the institution’s executive board and the Board of Directors;

KEY ROLES AND RESPONSIBILITIES

The Market Risk control framework at Itaú Unibanco involves the parties below, whose roles in connection with this matter are described below.

Board of Directors:

- define the institution’s risk appetite and review it annually.

High Market and Liquidity Risk Committee:

- define the authority levels related to market risk control and review them annually.

- monitor market risk indicators by making the necessary decisions and following the risk appetite.

Chief Risk Officer:

- responsible for market risk management at Itaú Unibanco.

Market Risk Control:


- identify, measure, control, monitor and report exposure to market risk to business areas and report to high committees;

- monitor the exposure conformity with the approved limits, alerts and other market risk control measures, informing possible nonconformity to the relevant authority levels and requesting an action plan for conforming it;

- maintain specialized and adequately-sized teams to support market risk processes and systems under its governance and development management.

- calculate the managerial results of positions and disclose them to the functions that would enable monitoring and support in decision making.

Business Areas:

Employees are at least expected to fully understand the nature of the risk in the portfolios under their management and the effective management of this risk, ensuring transparency to desk managers and conformity with the established limits.

MARKET RISK CONTROL

The Market Risk control at Itaú Unibanco is conducted through governance and processes ensuring that:

The institution is operating in accordance with the risk appetite defined by the Board of Directors, reviewed and approved annually based on a limit and alert framework. The limits are sized by assessing the projected balance sheet results, size of equity, liquidity, complexity and market volatility, as well as the institution’s risk appetite.

The use of limits is reported by the Market Risk function to the Business Areas and to the bank’s executives. Alerts serve as pre-set limit indicators.

The institution’s limit and alert framework is composed of aggregate metrics that monitor and limit the risk in a global and granular way, in order to avoid excessive concentration of risk in one single risk factor.

The limits are amounts that the business areas must mandatorily observe, while the alerts are metrics that send a signal to the institution and, through clearly defined governance, establish procedures to be adopted if an alert is triggered.

The mark-to-market (pricing) of positions shall be based on quotations captured from external sources or, if this is not possible, calculated based on models developed and validated according to guidelines established in specific policies.

Information on prices and traded positions is stored in one single historical and corporate database, with controls that ensure its integrity and completeness, and with functionalities that allow historical information to be consulted.

The models used capture the correct sensitivity and the market oscillations, by applying compliance tests periodically to the total portfolio and sub-portfolios, including all risk categories. Their results shall be analyzed and used to improve the models and manage the institution’s risk. In addition, the managerial result shall be used to verify compliance of the market risk measurement models.

Potential risk in extreme market situations is measured, complementing statistical risk measures, through the application of stress tests to all positions of portfolios of financial and non-financial companies.

In addition, for positions in the portfolio that do not have prices directly observed in the market, which are not liquid or are assessed through an internal pricing model, particularly securities and derivatives, prudential adjustments are applied, correcting possible MtM errors and following the relevance and materiality criteria.

RELATED EXTERNAL RULES

Circular Letter No. 3.354/07 of the Central Bank of Brazil, which establishes minimum criteria for classification of transactions in the trading portfolio.

Resolution No. 4557/17 of the Brazilian Monetary Council, which provides for the implementation of a market risk management framework.

Approved by the Board of Directors on February 25, 2021.


ITAÚ UNIBANCO HOLDING S.A.

Tax Payer’s # [CNPJ] 60.872.504/0001-23

Publicly-Held Corporation

NIRE 35300010230

INTEGRATED OPERATIONAL RISK MANAGEMENT AND INTERNAL CONTROLS POLICY

OBJECTIVE

Establish guidelines and responsibilities associated with operational risk management and internal controls, observing good market practices, applicable standards and regulations.

TARGET AUDIENCE

This policy applies to Itaú Unibanco and its subsidiaries and affiliates, in Brazil and abroad (Itaú Unibanco).

INTRODUCTION

We’re all risk managers. Risks are inherent to all activities of the Institution and are part of the employees’ day-to-day, being present in the processes and in existing or new products and services, including outsourced services. Managing operational risks properly is an essential condition for the sustainability of Itaú Unibanco’s business.

The Central Bank of Brazil defines operational risk as “the possibility of loss occurrence resulting from an external event or from error, defect or inadequacy of internal processes, persons or systems. It also includes the legal risk associated with inadequacy or deficiency in contracts signed by the Institution, the penalties on the grounds of non-compliance with legal provisions and reimbursement for damages to third parties arising from activities developed by the Institution”.

Proper management of operational risk entails the identification of risks inherent to the activities, projects, products or services, and their prioritization, according to the level of criticality (importance), taking into account impacts on the objectives of the process or organization. Once risks are prioritized, response measures are taken, i.e., actions addressing each of the identified risks, in order to fit them into acceptable levels of exposure. Such actions may include the implementation of preventive controls to reduce the possibility of the risk materializing, or involve controls aimed at detecting its materialization. The decision to share a risk may be taken by transferring the activity partially or totally, for example by outsourcing the activity. The risks mentioned can also be avoided by simply discontinuing the risk-generating activity, or assumed, in which case the decision must be to not adopt additional control measures in relation to existing ones.

GUIDELINES

The Board of Directors approves the guidelines, strategies and policies relating to operational risk and internal controls, while ensuring that there is clear understanding of roles and responsibilities at all levels of the conglomerate.

The specific guidelines related to operational risk management and internal controls are defined below.

Operational risk management model

Itaú Unibanco adopts the strategy of the three defense lines to operationalize its risk management structure.

Identification of operational risks


Operational risks that may influence the achievement of the Strategic and operational objectives defined by the conglomerate shall be continuously identified and updated. The identification scope includes the operational risks inherent in the conglomerate’s activities, existing or new products and services, including outsourced services.

Risk identification can occur at any time in the design of a new process, project or product as well as during its existence. For this, one must evaluate the inherent risk, that is, disregard from the context the existence of any control activity, evaluating which failures the risk identification scope is subject to and which, therefore, could affect the planned result (objectives).

Exposure to rare and high-severity operational risk events, but considered plausible, is assessed by creating scenarios, providing information on the potential risk, generating loss estimates and considering, where necessary, the impact of the simultaneous occurrence of multiple operational risk events.

Prioritization of operational risks

The operational risks identified are prioritized according to their level of impact on the Board and/or Conglomerate. In order to assist in the proper impact assessment, it is important to consider the various impact possibilities and their scope, such as:

Financial: to assess the representativeness of the financial impact that the exposure to the operational risk can generate in the business and/or the organization. Risks that may lead to significant errors in the accounting statements are classified in Sarbanes-Oxley Law (SOX).

Image/Reputation: to evaluate the possible negative impact on national and international media (visibility and dissemination), as well as the damage to the brand and its possibility of reversal.

Legal/Regulatory: to evaluate the possibilities of generating regulatory non-compliance, as well as the possibility of entailing fines, warnings, audits, administrative procedures, or losses of operating licenses.

Customers: to evaluate the volume of customers impacted, the segments or distribution channels involved.

Strategic and Business: to assess the impacts of failures or errors in the launch or maintenance strategy of processes, products and services. It can also result from untimely action in identifying and reacting to changes in the business environment, competitors, new business, changes in customer habits, etc.

Response to operational risk

Responding to operational risk means defining what action will be taken in relation to the identified risk. Some possible actions include:

Mitigating: establish actions that reduce the probability of operational risk materializing in the process or actions that decrease the impact produced.

Sharing: establish actions that aim at reducing the impact and/or likelihood of the risk occurring through the transfer or, in some cases, the sharing of a part of the risk. It may involve outsourcing activities or hiring insurance, for example.

Avoiding: establish actions that eliminate the probability of the risk materializing. It may involve discontinuity of risk-driven activity/operation.

Assuming: no action is established to reduce the impact and / or likelihood of the risk occurring. In this case, risk-taking governance should be observed.

Actions requiring technological development must be validated by the second line of defense as to their risk classification and must be associated with risk notes, Compliance notes and/or internal audit notes.

Monitoring of the level of exposure to operational risks


Exposure to the relevant operational risks shall be monitored by the organization by means of risk indicators in accordance with the established tolerance levels.

Operational risk Notes, internal and external audits shall be carried out and periodically monitored by the first line of defense.

The second line of defense should validate the implementation of the action plans of the Operational Risk notes of moderate and high level, according to the operational risk pointing management policy, as well as moderate internal audit points, according to internal document.

Reporting of operational risks

High-risk notes identified by the lines of Defense, regulators or external audit shall be communicated to top commissions, business unit executives, Chief Risk Officers (CROs), Audit Committee and CGRC, being the last two collegiate entities of the Board of Directors. The communication of Internal Audit annotations must comply with that described in internal document.

The reporting of High annotations from International Units is carried out in the competent forums of each Unit. The Integrated Risk Management area of International Units (DRO/SGIR-UI) is responsible for assessing and confirming the reporting and the audience involved in the Head Office.

Communication of operational risk management actions

The description of the operational risk management structure is made available by means of a public access report, approved by the Board of Directors. Additionally, a summary of the description of the operational risk management structure and Internal Controls is published along with the accounting statements.

The decisions, policies and strategies defined for managing the operational risk of international units are disclosed to the Chief Risk Officers (CROs).

Management of operational risk loss base

All areas of Itaú Unibanco are exposed to operational risk events, and Business Units (first line of Defense) are responsible for identifying such events and associated loss values, in order to compose the operational loss database (BDPO).

Expenses and provisions related to operational risk events that impact the bank’s profit and loss accounts shall be reported to the BDPO.

Capital allocation for operational risk

The conglomerate uses the standard alternative approach (ASA) in the calculation and allocation of regulatory capital for operational risk. In addition, the calculation and allocation of economic capital for operational risk [ICAAP] is carried out.

The adequacy of the level of reference assets [PR], in relation to the operational risk assumed by the conglomerate, should be regularly monitored.

MAIN ROLES AND TASKS

Management Board:

The Board of Directors approves the guidelines, strategies and policies relating to operational risk and internal controls, while ensuring that there is clear understanding of roles and responsibilities at all levels of the conglomerate.

Risk and Capital Management Committee - CGRC:


Supports the Board of Directors in performing its responsibilities related to the Company’s risk and capital management, submitting reports and suggestions on these issues to the Board’s resolution.

Audit Committee:

Supervises internal control and risk management processes.

Higher Commission on operational risk:

To have knowledge of the risks of the processes and business of Itaú Unibanco, define guidelines for the management of operational risks and evaluate the results of the work carried out.

Compliance and Operational Risk Committee:

To monitor, develop and implement the guidelines approved and defined by CSRO for each Executive Area, to discuss the main risks of the Business Areas, as well as the action plans proposed for mitigation.

Internal committee for Operational Risk:

To discuss matters relating to operational risks and internal controls of each business unit, which will be taken to a higher level in the Compliance and Operational Risk Committees.

Chief Risk Officer:

Responsible for overseeing the Operational Risk Manager for the institution.

Internal controls and operational risk:

Inserted in the second line of Defense, the structure is represented by the overseers who act as officers of internal controls and risks (OCIRs) and, together with their teams, are responsible for:

Supporting the first line of defense in observing their direct responsibilities.

Developing and making available the methodologies, tools, systems, infrastructure and governance necessary to Support Integrated Operational Risk Management and internal controls in the relevant conglomerate and outsourced activities;

Coordinating the activities of Operational Risk and Internal Controls closely to the Business and Support areas, being independent in the exercise of its functions and having direct communication with any director or employee, as well as access to any necessary information within the scope of their responsibilities. For this reason, it is forbidden to conduct the management of any business that may compromise its independence.

Business/Support areas:

Primarily responsible for identifying, prioritizing, responding to risk, monitoring and reporting operational risk events that may influence the achievement of the defined strategic and operational objectives.

Internal Audit:

To verify, independently and periodically, the adequacy of the processes and procedures for identifying and managing risks, in accordance with the guidelines established in internal document.

GLOSSARY

Control environment: set of controls of a Business or Support unit, considering their quality and effectiveness in mitigating the inherent risks.


Operational Risk Notes: operational failures, with or without loss, or identified process gaps, for analysis and treatment of the cause.

Outsourced activity: Rendering of services by specialized company hired to perform any activities of the contractor.

Cause: reason that led (or may lead) an operational risk to materialize. It represents the source of the problem and can be organizational, behavioral, systemic, procedural or external in nature. Operational risk events can have one or more associated causes.

Control: activities undertaken to reduce, to acceptable levels, exposure to risks that may impact an organization’s objectives. Control activities are carried out by business / support areas at all levels of the Organization and may be detective or preventive and include manual or automated activities.

Detective Control: control carried out to detect the materialization of an operational risk, allowing the reduction of its impact. It is reactive in nature.

Preventive control: control carried out to reduce the probability or prevent the materialization of an operational risk. It is proactive in nature.

Operational Risk Event: operational risk realization. These are situations that, when materialized, cause real consequences in business or support processes that differ from expected results and may have a direct (e.g. financial loss) or indirect (e.g. opportunity cost and reputation / image damage) impact. For categorization purposes, Itaú Unibanco uses the same definitions adopted by the Basel Committee and the Central Bank of Brazil.

Risk exposure: financial volume representing exposure to unexpected operating losses associated with the Conglomerate’s activities.

Impact (consequence): amount of operational risk loss resulting from direct cost, restitution, legal expenses, legal fines, loss of appeal and reduction of the value of assets.

Inherent risk: existing risk due to the type or nature of the business, area, product, process, project or new or existing system, which is exposed regardless of the control structure or other mitigating factors implemented. It is the gross risk or risk before controls are implemented.

Residual Risk: inherent risk that remains exposed after considering the existing mitigation controls and actions.

Approved by the Board of Directors in June 2020.


ITAÚ UNIBANCO HOLDING S.A.

Tax Payer’s # [CNPJ] 07.540.097/0001-74

Publicly-Held Corporation

Identification Number in the Companies Registry [NIRE] 35300010230

PUBLIC ACCESS REPORT - COMPLIANCE POLICY

OBJECTIVE

Establish the guidelines and main tasks associated with the Compliance role, observing good market practices and applicable regulations.

INTRODUCTION

The Compliance role aims at preventing and mitigating the exposure of Itaú Unibanco to situations of non-compliance with internal and external standards (Compliance risk), and is responsible for aspects of governance, compliance certification, conduct, and transparency. Compliance risk is the risk of legal or regulatory sanctions, financial losses or damage to reputation, arising out of the lack of compliance with legal and regulatory provisions, market standards, local and international commitments through codes of self-regulation, technical standards, codes of conduct or internal policies.

Itaú Unibanco adopts the strategy of three lines of defense to operationalize its risk management structure (including Compliance) and to ensure compliance with the guidelines provided in this policy, with clear division of roles and responsibilities.

1. The first line of Defense

Is represented by the business and support areas. Its employees are responsible for risk management and adherence to standards associated with their activities, as well as for the implementation of the controls and for the implementation of corrective measures for proper treatment of risks.

2. The Second line of Defense

Is represented by risk control functions, which are completely segregated from the activities of the internal and legal audit, having independence in the exercise of their functions. They have direct communication with the administrators, including the members of the Board of Directors and the Audit Committee, as well as with any employee. They have access to any information required under their responsibilities.

The areas that make up the second line of Defense, in Brazil and abroad, are forbidden from managing any business or process that may compromise their independence or generate conflicts of interest. For the same reason, their goals and pay cannot be related to the performance of business areas.

3. The third line of Defense

Is represented by the Internal Audit, which provides an independent assessment of the institution’s activities by means of audit techniques. It allows management to assess the adequacy of controls, the effectiveness of risk management, the reliability of accounting statements and compliance with standards and regulations.

GUIDELINES

About Compliance function

Compliance risk management should address existing or new processes, products and services, including relevant outsourced services. Such processes, products and services must be periodically tested and evaluated regarding compliance with applicable standards, commitments made with regulators and requirements related to the Code of ethics, where applicable to internal standards.


The Compliance function is performed by the Executive Board of Operational Risk and Compliance, reporting to the Finance and Risk area and acting independently from the other support and business areas of the conglomerate. In the international units, there are local and independent structures responsible for the control of operational and Compliance risks, under the responsibility of the local CROs, who report to the Executive Board of Operational Risk and Compliance.

The notes raised by the Executive areas, internal and external audits, regulators and other supervisory entities must be followed up on, so that their effective treatment is guaranteed by the competent areas.

Compliance Risk reports shall be clear, objective and timely, and shall be reported to senior commissions, business unit executives, Vice president of risks, risk and Capital Management Committee, Audit Committee and Board of directors, so that the established exposure levels and limits of framework are monitored. In international units, Compliance Risk Reports should be reported to the relevant forums of each unit and to DCIRO/SCRUI.

To contribute to the proper risk management, Itaú Unibanco has a risk management methodology consisting of 5 steps: identification, prioritization, Risk Response, Monitoring, and reporting.

MAIN ROLES AND TASKS

Common to all areas of Itaú Unibanco

- Conduct the integrity and Ethics and Risk Management Training provided by Itaú Unibanco.

- Sign, yearly, the Form “Corporate Integrity Policies”, confirming knowledge and agreement to what is established in this policy.

- Define, implement and comply with policies and procedures for adherence to regulations.

- Take account of the provisions laid down by the internal policies of the conglomerate.

- Report fact or suspicion of violation of the provisions of this policy.

Management Board

The Management Board shall be responsible for:

- Approve:

a) Compliance guidelines, strategies and policies, with the aim of ensuring a clear understanding of the roles and responsibilities at all levels of the conglomerate; and

b) The Executive Board of Operational Risk and Compliance’s position in the organizational structure of the institution, in order to avoid possible conflicts of interest, mainly with the business areas.

- Provide the necessary means for activities related to the Compliance function to be performed properly, including the availability of resources for personnel allocation in sufficient quantity, with the necessary experience and training.

- Meet with the Executive Board of Operational Risk and Compliance at least on an annual basis as part of the assessment of the effectiveness of Integrated Operational Risk Management, internal controls and Compliance.

- Ensure:

a) appropriate management of this policy;

b) effectiveness and continuity of implementation of this policy;

c) communication of this policy to all relevant employees and third party service providers;

d) disclosure of standards of integrity and ethical conduct as part of the institution’s culture; and

e) adoption of corrective measures for identified Compliance failures.

The evaluation of these items by the Board of Directors will be held on the basis of regular meetings and the annual report prepared by the Executive Board of Operational Risk and Compliance, as well as by the annual assessment made by the Audit Committee.

Audit Committee:

The Audit Committee must:


- Validate Compliance policy before it is sent for approval by the Board of Directors.

- Evaluate, at least annually, the Compliance structure in relation to the following aspects:

a) clear definition of the tasks, roles and responsibilities of Compliance function, avoiding possible conflicts of interest, mainly with the business areas of the institution;

b) positioning in the appropriate hierarchical level, independent and segregated of operational and business areas, with duly exercised mandate regarding the definition of scope, execution of the work and communication of its results;

c) organizational structure consistent with the needs of the conglomerate and staff allocation in sufficient quantity, adequately trained and experienced to carry out the activities related to their respective functions;

d) effectiveness of Compliance Management; and

e) adhesion of the structure to the applicable adjustment.

- Verify the performance of:

a) communication of this policy to all relevant employees and third party service providers;

b) disclosure of standards of integrity and ethical conduct as part of the institution’s culture; and

c) adoption of corrective measures for identified Compliance failures.

First line of Defense

- Inform and empower employees and third party service providers relevant to Compliance issues;

- Relate to regulatory, self-regulatory and supervisory bodies, taking into account their requests and issuing to them the reports due.

- Identify, measure, evaluate and manage Compliance risk events that may influence the achievement of the conglomerate’s strategic and operational objectives;

- Maintain an effective control environment, consistent with the nature, size, complexity, structure, risk profile and business model of the operations carried out, in order to ensure the effective management of Compliance risks, maintaining the risk exposure at acceptable levels, as the risk appetite established for the Conglomerate;

- Define and implement the action plans for addressing non-compliance notes made by internal and external audits, internal controls, Compliance, regulators, self-regulatory and other supervisory and regulator;

- Report promptly to the Compliance area when identifying changes in relation to existing standards and regulations or risks of Compliance not foreseen by the control activities; and

- Maintain compliance with local and international regulatory standards and requirements.

Second line of Defense

Risk and Finance Area

- Calculate, monitor and control the operational limits established by the regulators to ensure the regulatory adhesion of Itaú Unibanco, even when there is no obligation of periodic submission to the regulator.

Executive Board of Operational Risk and Compliance

It is the responsibility of the Executive Board of operational risks and Compliance, through the Corporate Compliance and internal controls and operational risk boards:

- Support the first line of defense in observing their direct responsibilities.

- Disclose standards of integrity and ethics as part of the conglomerate’s risk culture and controls, and disseminate best practices and policies related to Compliance function;

- Guide and advise the managers and employees of the conglomerate, directing specific solutions on compliance with internal standards related to the integrity and Ethics Program;

- Guide and advise the managers and employees of the conglomerate, directing specific solutions related to compliance with external standards;



- Assess the incentives to comply with regulations and commitments made with regulators and report these results to the Remuneration and Audit Committees;

- Ensure that the teams responsible for carrying out Compliance functions have appropriate authority and that they are adequate, both in resources and in knowledge, through a structured training program;

- Categorize Compliance themes according to their severity and monitor the conglomerate’s exposure to these risks;

- Certify the efficacy of the Compliance control environment of the first line of defense by means of monitoring and testing programs, reporting the results to the High Administration and regulatory bodies, when requested;

- Review and monitor the action plans adopted for addressing notes made by internal and external audits and regulatory bodies;

- Report to the Board of Directors, the Audit Committee, the risk and Capital Management Committee and the Board of Directors the relevant situations that are non-compliant;

- Supervise the international units in the evaluation of adherence to the corporate guidelines, as well as in the adoption of the Compliance methodology and consolidated monitoring and reporting to the Matrix;

- Coordinate implementation, monitoring and evolution of corporate integrity and Ethics Program in international units; and

- Coordinate governance of International Regulation Compliance Programs relevant to the conglomerate.

It is the sole responsibility of the Board of Corporate Compliance:

- Maintain proof of the approval of this document by the Management Board;

- Define principles and guidelines for the dissemination of the culture of Compliance, including training;

- Develop and make available the methodologies, tools, systems, infrastructure and governance necessary to support Compliance in the relevant conglomerate and outsourced activities;

- Manage the process of capturing, screening, impact assessment and compliance monitoring;

- Coordinate governance of policies and procedures of Itaú Unibanco, in accordance with applicable regulations and market best practices;

- Monitor policies of personal investments and Securities Trading Policy of Itaú Unibanco Holding S. A;

- Report on a timely basis relevant information, both of the results of the assessments of Compliance undertaken that have identified failures in materials, and significant changes in the regulatory environment;

- Send an annual report to the Audit Committee and the Board of Directors, containing a summary of the results of activities related to Compliance issues, main conclusions, recommendations and action plans adopted for treatment of the deficiencies identified;

- Manage Trade Surveillance and integrity programs;

- Coordinate the relationship with regulators, self-regulators and other inspection entities and supervisors, monitoring the actions arising from the commitments undertaken, facilitating information sharing and ensuring the consistency of institutional positioning.

Third line of Defense

Verify, independently and periodically, the adequacy of processes and procedures for the identification and management of risks, including the integrated management of operational risk, internal controls and Compliance, according to the guidelines set forth in internal documents, and submit the results from its notes to the Audit Committee.

Approved by the Board of Directors on 04/30/2020.



ITAÚ UNIBANCO HOLDING S.A.

CNPJ 60.872.504/0001-23

Publicly-Held

NIRE 35300010230

PUBLIC ACCESS REPORT - LIQUIDITY RISK MANAGEMENT AND CONTROL POLICY

OBJECTIVE

Establish the liquidity risk management and control framework of Itaú Unibanco Holding S.A. (Itaú Unibanco) following the applicable regulations and best market practices.

TARGET AUDIENCE

This policy applies to all financial companies controlled by Itaú Unibanco in Brazil and abroad.

This policy applies to all activities of the conglomerate that result in exposure to liquidity risk, impacting Itaú Unibanco Holding and its subsidiaries.

It does not apply to the liquidity risk of customer portfolios managed by the bank and/or Trust management (e.g. Wealth Management & Services - WMS funds).

INTRODUCTION

Liquidity risk is the possibility of the institution being unable to honor its obligations effectively. Liquidity risk may arise when there is a mismatch between cash flows (assets and liabilities) that affects daily transactions or generates significant losses.

Example: Customer A deposits R$100.00. Customer B requests a loan of R$100.00 for a period of one year. At this point the bank transfers the amount deposited by customer A to customer B. After a few days Customer A requests the withdrawal of the amount deposited. If the bank does not have this amount available it will not be able to honor its commitment, presenting a liquidity problem. Significant losses may occur if the bank decides to sell an asset, on a timely basis, to generate cash and honor its commitment to Customer A.

Liquidity risk is controlled by a department that is independent from the business areas. The purpose is to compare assets (usually the most liquid) with financial obligations (generally shorter-term maturities) and ensure that cash equivalents are sufficient to meet its obligations.

The liquidity risk is controlled in accordance with the Limit Framework established by the Board of Directors and by the Higher Committees.

GUIDELINES

Liquidity risk management and control processes shall strictly follow the principles defined in this policy.

The liquidity risk measurement shall cover all financial transactions of Itaú Unibanco’s companies, as well as possible contingent exposures (exposures with no estimated date) or unexpected exposures (changes in cash inflow or outflow). These situations are commonly caused by:

- settlement services (e.g. significant decrease in tax collection, settlement of bank payment slips or bank transfers);

- granting of pledges and guarantees (e.g. customers executing pledges and/or guarantees due to failure to repay loans);

- acquired and unused lines of credit (e.g. increased use of overdraft limits or credit cards);



The main measure used for controlling liquidity risk shall be reserve, which is composed of:

- cash equivalents in Brazil (federal government bonds, cash, deposits in the Central Bank of Brazil, any asset that could be immediately traded and converted into cash without significant loss in value);

- cash equivalents overseas (assets that could be immediately traded and converted into cash abroad without significant loss in value, such as currency in kind, cash equivalents in other banks)

- all assets immediately convertible (D0) into means of payment.

Liquidity Risk Control includes contingency and liquidity recovery plans to clearly define liquidity recovery actions in different stress scenarios.

KEY ROLES AND RESPONSIBILITIES

The Liquidity Risk control framework at Itaú Unibanco involves the parties below, whose roles in connection with this matter are described below.

Board of Directors:

- define the institution’s risk appetite and review it annually.

High Market and Liquidity Risk Committee:

- define the authority levels related to liquidity risk control and review them annually.

- monitor liquidity risk indicators by making the necessary decisions and following the risk appetite.

- submit the liquidity contingency plan (Brazil) to the Board of Directors for approval, at least annually;

Chief Risk Officer:

- responsible for liquidity risk management at Itaú Unibanco.

Liquidity Risk Control

- define the breakdown of the reserve, in accordance with the guidelines established by the senior management;

- identify, assess, monitor, control and report exposure to liquidity risk on a daily basis.

- propose liquidity risk limits;

- monitor the contingency and recovery plans, as well as the limits established for each plan and communicate possible deviations to the respective authority levels.

- perform liquidity risk simulations under stress conditions.

- periodically report the main liquidity risk controls in Brazil and at the External Units, and, on a timely basis, any sudden liquidity decrease situations and significant aspects of measures in progress to committees, Treasury department, Supervising Department of Integrated Capital Management, CRO, and the Board of Directors;

- on a timely basis, communicate any possible deviations of both the managerial risk appetite and the Contingency and Recovery triggers to the Supervising Department of Integrated Capital Management, of the daily LCR indicator, ensuring support to the monitoring of the Recovery Plan;

- in relation to risk appetite metrics, monitor, analyze and report any information in the Risk Appetite Report, in addition to communicating the material aspects to those involved, such as: committee decisions, request for action plans, and warnings about matters for attention.



- maintain specialized and adequately-sized teams to support liquidity risk processes and systems under its governance and development management.

Institutional Treasury (Brazil and International)

- centralize Itaú Unibanco’s liquidity risk management, ensuring adequate and sufficient liquidity levels;

- Reserve Pilot

- identify, assess, monitor and alert any cash requirements for transactions conducted during the day;

Information Technology

- maintain specialized and adequately-sized teams to support the liquidity risk processes and systems that are under its governance, and management of technology development, and the Hosting processes defined in specific service agreements.

LIQUIDITY RISK CONTROL

The Liquidity Risk control at Itaú Unibanco includes measurement, monitoring, control and reporting of exposure levels, as well as contingency and liquidity recovery plans.

Liquidity risk exposure measurement is based on the daily analysis of cash flow evolution and compliance with the regulatory ratios, as described below:

- Projected cash flow (Going Concern Scenario): shows expected cash flows considering the company has the ability to continue as a going concern under normal conditions;

- Portfolio Settlement Scenario (run-off): shows the expected cash flows considering the settlement of current portfolios and the company ceasing to continue as a going concern.

- LCR – Liquidity Coverage Ratio: shows that high quality liquid assets of the prudential conglomerate are sufficient to withstand a severe liquidity crisis for a period of 30 days, according to assumptions defined by the Central Bank of Brazil; and

- Net Stable Funding Ratio (NSFR): shows that the prudential conglomerate has available stable funds higher than those required by cash outflows in a 1-year stress scenario.

- Concentration of Funding Providers: demonstrates the prudential conglomerate’s exposure is diversified among liquidity providers.

The use of liquidity risk limits shall be checked against approved limits.

The control shall be performed and reported on a daily basis to the Institutional Treasury and the senior management.

Deviations from the limits and ratios determined shall be reported by liquidity risk control to the senior management, relevant departments for immediate exposure adjustment, and relevant committees.

The purpose of the contingency and recovery plans is to restore adequate liquidity levels and preserve the viability of Itaú Unibanco, in response to stress scenarios. The plans shall contain a list of actions to be implemented, contemplating volumes, deadlines and owners. The contingency plan actions shall contemplate a criticality level scale. The order of actions must be determined based on how easy the implementation is, taking into account the characteristics of the market.

Approved by the Board of Directors on February 25, 2021.



ITAÚ UNIBANCO HOLDING S.A.

CNPJ 60.872.504/0001-23

Publicly-Held

NIRE 35300010230

PUBLIC ACCESS REPORT - CREDIT RISK MANAGEMENT AND CONTROL POLICY

OBJECTIVE

To establish governance and credit risk control of Itaú Unibanco Holding S. A. (Itaú Unibanco), observing applicable regulations and best market practices.

TARGET AUDIENCE

Financial institutions controlled by Itaú Unibanco Holding S. A. (Itaú Unibanco) in Brazil and abroad, incurring credit risk, covering all segments (individuals and corporations).

INTRODUCTION

Credit Risk can be defined as a risk of losses arising from non-compliance on the part of the borrower of funds, guarantor, issuer of a securities or financial assets acquired from their respective financial contracted covenants; a credit agreement’s devaluation resulting from the policyholder’s, issuer’s or counterparty’s risk rating deterioration; decreased gains or remuneration; advantages in renegotiations and recovery costs.

Credit risk control processes must support the institution, strictly observing the principles defined in internal policies.

The centralized control of credit risk is carried out independently by the risk and finance area (ARF), segregated from the business units and the Executive area of the internal audit activity.

In the International Units, the independent structure responsible for monitoring controls and risks is under local CROs’ responsibility, who must provide monthly reports to the ARF’s risk departments and quarterly reports to Itaú Unibanco’s CRO.

The roles and responsibilities of Local CROs are defined in internal policies.

The structure enables the continuous and integrated management of credit risk and shall consider both transactions classified in the trading book and those classified in the non-trading book.

GUIDELINES

Risk management must be integrated, enabling the identification, measurement, evaluation, monitoring, reporting, control and mitigation of credit risk.

Credit risk management structures shall be proportionate to the size and relevance of risk exposure, be compatible with the business model, the nature of operations and the complexity of Itaú Unibanco’s products, services, activities and processes. To this end, they must maintain specialised and appropriately sized teams to support the credit risk processes and systems that are under their governance.

The credit risk management structure shall provide: clear documented policies and strategies for Risk Management, which establish limits and procedures to maintain risk exposure according to Risk Appetite Statement. They should also take into account the prior identification of credit risks inherent in:

- New products and services;

- Relevant changes in existing products or services;

- Significant changes in the institution’s processes, systems, operations and business model;

- Hedge strategies and risk assumption initiatives;

- Significant corporate reorganisations; and

- Changes in the macroeconomic outlook.

- The processes of monitoring, with a view to identifying the points of non-compliance with the policy for the management of credit risk, with the respective justifications, and expected actions for resolution of discrepancies;

- Systems, routines, and procedures for the management of credit risk, including updates;

- Reports to management journals to the board of directors as well as other forums on the subject of Credit Risk are included in the agenda.

The established guidelines shall be applied for credit, counterparty, country, disbursement risks, guarantees, co-obligations, credit commitments or other operations of a similar nature and losses associated with non-compliance with obligations relating to the settlement of transactions involving bilateral flows, including the trading of financial assets or derivatives.

MAIN ROLES AND TASKS



Credit Risk Control

Must:

- Define centralized credit risk monitoring and control environment;

- Review policies, strategies and procedures that establish operational limits, risk mitigation mechanisms and procedures designed to keep the exposure to credit risk at management acceptable levels, and approve them at the competent levels; and

- Disclose credit decisions, corporate policies and strategies for credit risk management to Business Units and to CROs of the international units.

Modelling credit and market risk

Should contribute to the execution of credit risk control activities, following the tasks set out in the Model Risk Policy.

Finance

Define rules for simulations and calculations in line with applicable rules and regulations, and publish accounting statements and other reports that help and complement the Control and management of credit risk.

ARF Collegiates

Responsible for decision-making according to the specificity of each forum, focusing on risk mitigation in order to maintain exposure to credit risk at levels acceptable to the administration.

The Business units (Brazil and International Units):

Each and every employee is expected to fully understand the nature of the risk in the portfolios under their management, and to effectively manage that risk by ensuring that it is transparent to management, and is framed within the rules and within the limits laid down in it.

For each of the credit risk control processes provided for in this policy, there should be a more detailed description in the respective procedures manuals of the responsibilities and assignments of each of the units involved.

CREDIT RISK CONTROL

Economic Groups

Define governance of creation and change of economic groups in Itaú Unibanco Holding for credit risk management purposes.

All segments containing corporate customers that grant or manage credit, except Itaú CorpBanca.

Customer: PF or PJ, identified by the tax number of the corresponding country or internal identifiers used by the IUH (CPF [individual taxpayer ID], CNPJ [corporate taxpayer ID], RUT, RUC, CGI, among others).

Definitions:

Economic group: set of customers (with at least one company) in which there is a direct or indirect control relationship.

Economic subgroup: a subset of an economic group in which customers have similar characteristics.

Head of Group or sub-group: Company chosen to be the representative of the group or sub-group.

Mixed groups: are those composed of two or more members of distinct segments of Itaú Unibanco Holding.

Counterpart Credit Risk

Itaú Unibanco considers the credit risk of the counterparty as the possibility of a counterparty not fulfilling obligations relating to the settlement of transactions involving the trading of financial assets at bilateral risk. It covers derivative financial instruments, transactions to be settled, asset loans and committed transactions.

The measurement of counterparty credit risk involves its conversion into equivalent credit risk exposure through specific models. Potential credit risk measurement models (ROC) are used to measure equivalent credit exposure in transactions subject to counterparty credit risk. The development and approval of these models follow the governance described in a specific procedure. Counterparty credit risk measurement policies define the measurement of credit risk for certain products and businesses in a priority manner over the PCR models and aim to:

- Consider the presence of mitigating instruments in the credit risk measurement, provided that they are no longer explicitly considered in the RCP models;

- Define the measurement of counterparty credit risk for certain products and businesses where material risks are not captured by the RCP models; and

- Define the risk measurement for certain products and businesses where there is no specific developed model.



Country Risk

In addition to the international units mentioned in the section 3, Itaú Unibanco maintains relationships with borrowers, issuers, counterparties, and guarantors from different locations in the world, regardless of whether there is an external unit in the borrower’s, issuer’s, counterparty’s, or guarantor’s site. This means that Country Risk is a risk present at the institution.

Such risk is defined, in Itaú Unibanco, as the risk of losses arising from the non-fulfilment of financial obligations, within the terms agreed, by borrowers, issuers, counterparties or guarantors, as a result of actions carried out by the government of the country where the borrower, issuer, counterparty or guarantor is located, or of political-economic and social events related to that country. At Itaú Unibanco, the focus of management and controls considers:

- Sovereign Risk, which is defined as the risk arising from the inability of the central government (Treasury and Central Bank) to generate the resources to honor its obligations;

- Transfer risk, which is defined as the risk arising from the inability of total or partial transfer of assets held outside the head office of Itaú Unibanco, as a result of the actions taken by the government of the country where the resource is. The policyholder, issuer, counterparty or guarantor is unable to honour the payment of their foreign currency commitments.

In order to consistently assess the risks inherent in each country, Itaú Unibanco defines the rating of countries by observing both sovereign risk and transfer risk.

The local sovereign rating reflects the payment capacity of the sovereign issuer (Treasury and Central Bank) for its bonds settled in local currency.

The external sovereign rating reflects a country’s ability to generate currency (foreign currency) and, as a consequence, is the rating used both for sovereign issuer (Treasury and Central Bank) for its bonds to be settled in foreign currency and for transfer risk. Failure to generate foreign currency can lead to two consequences: (i) the default of the sovereign issuer in its foreign currency debts and/or (ii) the imposition of capital control that prevents the transfer of private resources between jurisdictions (restrictions for the conversion of national currency into foreign currency).

Itaú Unibanco establishes limits based on ratings and deadlines of operations, aiming to control the country risk exposure.

The limits are periodically reviewed, and exceptional revisions regarding some new relevant fact may occur.

Credit Portfolio Monitoring

Monitoring the portfolio is the follow up of indicators related to total active credit operations. In general terms, indicators referring to the balance of the active portfolio, credit granting in the month (also known as harvest) and default indicators (balance in arrears in relation to the balance of the portfolio or harvest) are followed during monitoring. Portfolio monitoring aims to verify the financial health of credit operations by adjusting credit strategies to the conglomerate’s risk appetite.

Deviations identified in relation to the maximum and minimum levels of the Global Policy are reported in the following way: the centralized monitoring of Brazil is reported monthly in the Superior Commission of Retail Credit and recovery (CSCCV) and quarterly in the Superior Commission of Wholesale Credit and Recovery (CSCCA). At International Units, monitoring is reported in the International Units Risk Committee - Local (CRUI-L), with the participation of the units’ CROs, and in the International Units Risk Committee - Global (CRUI-G).

Portfolio And Credit Processes Review

The review has the task of carrying out an assessment of the quality and integrity of the credit process of each business unit, covering the quality assessments of the concession, the rating award and the post-concession stage. This analysis should be carried out by an independent reviewer team, and will focus on the portion of the credit portfolio that has not undergone a prior independent assessment by the areas of risk, as set out in specific governance for credit approvals and ratings. The final result will be reported to the senior credit and risk management of the revised units and the ARF.

Assessment Of Credit Policies And Strategies

Sets out the general responsibilities and rules for the assessment and approval process of changes in credit policies and business rules that impact credit risk exposure.

For proprietary portfolios, policies deal with the granting and maintenance of credit as well as the acquisition on the market of instruments with credit risk. For third party portfolios, policies address the rules for discretionary decision-making in assets with credit risk.

Credit policy change is any action that generates an impact on assumed risk or that may have an impact on credit limit consumption and Allocated Economic Capital. Credit policies can be divided into three types:

Policies for granting and maintaining credit: changes and exchanges in credit models, segmentation, income/billing, etc.; changes in credit approval Heights (composition and values); impact on risk due to annual re-segmentation; change in cut-off point; new segmentations (breaks) that change credit decisions.

Risk measurement policies: mitigation by collateral; definition or change of criteria for the application of potential credit risk models (RCP); definition or change of parameters for capital calculation and limit consumption.



Global Credit Policy: maximum or minimum levels for a set of indicators and variables reflecting credit risk in the bank, which must be considered in all retail and wholesale policies.

Concentration Risk

To ensure low volatility of results, concentration risk management is performed from different perspectives within the bank, so that the institution is not significantly exposed to a single name risk. This way, Concentration Risk is monitored from the following perspectives: individual, top 10, by country, by sector of the economy and of the institution’s activity. The Board of Directors and Executive Board monitor these indicators monthly, and are also responsible for adjusting and approving metrics and their limits.

The limits are defined according to each dimension’s variables. To define the limits for individual and top 10 conglomerates’ concentration, the inherent credit risk of Itaú Unibanco is assessed, respecting resolution 4,677 triggers. For concentration by country, risk diversification is based on the credit risk presented by each country and the bank’s strategy. For concentration by segment, diversification is based on the bank’s strategy and its operation’s business result volatility, while for concentration by sector, the limits are defined according to the sector’s credit portfolio’s risk profile, its profitability, and the sector’s relevance in the economy. The limits defined for each metric, as well as more details on calculation methodologies, are found in the Risk Appetite Manual.

Income

Determines the types of income and how to earn income for an individual.

When capturing any income information from customers (such as proven income, certified income, payment capacity or other approved income information in exception) and using it for maintenance, credit granting or any other income purpose for a physical person, it is mandatory to follow the guidance of PR-339 respecting the type of document, its term, and exceptions, in case of seasonality.

Billing

Defines the types of invoicing and how to earn income for a company.

When capturing any customer billing information (as proven, certified, payment capacity or other information approved in exception) and using it for maintenance, credit granting or any other billing purpose for a legal person, it is mandatory to follow the respective procedures, respecting the type of document, its validity and exceptions, in case of seasonality.

Income Commitment

Income commitment (CR) is the division of debt by CPF [corporate taxpayer ID] gross income. It is used in the concession and maintenance, through the credit policies and business rules of an individual’s retail, as a measure to assess the client’s risk, considering its current indebtedness and the impact of the credit requested on this indebtedness. The specific use of the CR is described in the policies of each product. The rule of the CR seeks to reflect the client’s current indebtedness, so no periodic changes are made to the rule. The rule is changed punctually when any opportunity for improvement is identified.

Use Of Collateral

Collateral are instruments that aim to reduce the occurrence of losses in credit risk transactions. The term guarantee covers:

Financial guarantees: are those in which the secondment of a specific financial asset occurs to ensure the creditor’s compensation in the event of default by the client.

Examples: Divestment of shares and debentures, fiduciary transfer of credit rights – CBD, savings, commitments – Public Debt Securities, Investment Fund shares.

Real guarantees: are those in which the posting of a specific good (or a set of goods, furniture or real estate) takes place to guarantee the creditor’s compensation in the event of default by the client. Examples: Real Estate Mortgage, commodity pledge, fiduciary disposal of real estate/vehicles/machinery and equipment.

Bond clearing and Settlement Agreement: the purpose of the agreement is to reduce the credit risk arising from transactions between parties, so that, in case of maturity, after netting, the value actually due by the debtor party to the creditor party is identified. It can be used in derivative operations and other types of financial transactions.

Personal Guarantees: a guarantee by an individual or company that assumes, in whole or in part, the obligation of a counterparty if it fails to honor the debt. In this case, there is no detachment of a specific good to guarantee the obligation, the guarantor will answer with the totality of his patrimony for the fulfilment of the obligation - except residential property proper to the couple and property that garrisons it, in the case of an individual.

Examples: endorsement, bail, joint debtor, insurance guarantee, stand by letter of credit and letter of guarantee.

Credit institution: Guarantee provided through a derivative contract in which a PF or PJ assumes all or part of the obligation of a certain counterparty if it fails to honor the debt.



Assessment Of Policies And Strategies For Recovery

Recovery strategies are actions relating to the recovery and renegotiation of overdue credit operations. To evaluate the recovery strategies, monitoring of portfolios (default, harvest and portfolio) and pricing (term, rate and discount on debt) is carried out, focusing on the renegotiation products. Monitoring of these actions is done by the Credit Risk and Modeling Board, with the purpose of mitigating risks in the collection strategies and operations carried out by the Business Units.

Update And Development Of Risk Parameters For Provision And Capital

Risk parameters are the required inputs that qualify the provisioning or allocation calculations performed by the finance department for accounting and/or managerial purposes. Parameters are assigned by parameter development units (UDPs) through premises and calculations to ensure the Bank’s solvency in the face of expected and/or unexpected changes in past, current and future scenarios.

The definitions and concepts of each parameter shall be aligned between the parameter developer unit (UDP) and the parameter user unit (UUP).

PDD - Provision for doubtful debtors: provision for losses arising from transactions in doubtful debts.

CEA - Allocated Economic Capital, with rules and criteria for calculation defined by the Capital Risk Policy.

Regulatory Capital: is the minimum capital required by the regulatory entity to be maintained to ensure the solvency of the institution.

Management Capital: is the capital necessary to meet the risks according to internal methodologies defined by the administration. It is also used for the analysis of the capital adequacy of the institution, as well as for the distribution between its business units.

PD - Probability of Default is the probability associated with the risk of non-payment of a credit operation.

LGD - Loss Given Default is the percentage of expected loss from a credit operation, once the debt goes unpaid.

EAD - Exposure at Default is the expected amount of financial exposure for a credit operation at the time non-payment becomes known.

PE - Expected Loss is the expected loss for the operation during its term (life cycle).

RELATED EXTERNAL STANDARDS

Resolution 4557 of the National Monetary Council, that provides for the implementation of the risk management structure of credit.

Norm 2.682 Central Bank - criteria for the classification of credit operations and rules for the establishment of the allowance for credit liquidation.

Instruction 247 of the Securities and Exchange Commission, which provides for the valuation of investments in associated companies and subsidiaries, and the procedures for the preparation and disclosure of the consolidated financial statements.

Approved by the Board of Directors on June 25, 2020.



ITAÚ UNIBANCO HOLDING S.A.

CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230

PUBLIC ACCESS REPORT - CAPITAL MANAGEMENT POLICY

OBJECTIVE

To define rules and responsibilities pertaining to Itaú Unibanco Holding S.A. (Itaú Unibanco) capital management activities, observing applicable regulations and best market practices.

TARGET AUDIENCE

The capital management process shall cover all conglomerate companies controlled by Itaú Unibanco in Brazil and abroad.

INTRODUCTION

For any company to operate, it must have capital, which is the investment made by shareholders. In addition, the funds that the company generates and that are not distributed and are kept in equity are also called capital.

For financial institutions, the Central Bank of Brazil requires minimum capital (capital required), which is the capital required to cover the risks to which the institution is exposed, ensuring its solvency.

Capital management is an instrument essential for the sustainability of the financial system. Risk identification, assessment, control, mitigation and monitoring methods support financial institutions in adverse times. Itaú Unibanco considers capital management essential for the decision-making process, which contributes to the optimization and efficiency of capital use in its operations. In this management, Itaú Unibanco’s companies in Brazil and abroad are considered.

Changes in the global financial environment, such as integration between markets, the emergence of new transactions and products, increased technological sophistication and new regulations have made financial activities and their risks increasingly complex.

In addition, lessons learned from financial disasters underscore the importance of risk management (Public Access Report - Risk) and capital management in strengthening the financial health of the banking industry.

The participation of Brazil in the Basel Committee on Banking Supervision (BCBS) encourages the timely implementation of international prudential standards in the Brazilian regulatory framework.

In line with this perspective, Itaú Unibanco invests in the continuous improvement of capital management processes and practices, in accordance with international market, regulatory and supervisory benchmarks. Itaú Unibanco’s capital management consists of a continuous process of capital planning, assessment, control and monitoring necessary to face the conglomerate’s relevant risks and to support the capital requirements of the regulator, or those defined internally by the Institution, with the purpose of optimizing capital allocation.

The functions defined in the capital management structure are jointly or individually responsible for:

a) Identifying the risks to which the institution is exposed and analyzing their materiality;

b) Assessing the capital required to bear the risks;

c) Developing methodologies for quantification of supplementary capital;

d) Quantifying capital and for internal assessment of capital adequacy;

e) Internal Capital Adequacy Assessment Process (ICAAP);

f) Projecting capital ratios;

g) Calculating minimum capital required (PR) and capital ratios;

h) Preparing the capital plan and contingency plan;

i) Preparing the recovery plan;

j) Monitoring the solvency and liquidity regularization plan of SUSEP companies;

k) Stress tests;

l) Calculating the Global Systemic Importance Index (ISG);

m) Preparing the quarterly risk and capital management report - Pillar 3.



Itaú Unibanco’s capital management structure allows the monitoring and control of the capital maintained by the Institution, the assessment of capital required to face the risks to which the Institution is exposed and the planning of goals and capital requirement, considering the Institution’s strategic objectives and/or considering adverse situations. Therefore, Itaú Unibanco adopts a prospective attitude, anticipating capital requirement arising from possible changes in market conditions.

CONCEPTS

Capital required: capital required to cover the risks to which the institution is exposed, ensuring its solvency and including the international units. The requirements are regulated by BACEN (Central Bank of Brazil) in Brazil and by local regulatory agencies for international units.

Such requirements are expressed as ratios that relate available capital to total risk-weighted assets (RWA - Risk Weighted Assets).

The capital requirement used to check compliance with the operating limits imposed by BACEN consists of the sum of three items, namely:

Core Capital: sum of capital, reserves and retained earnings, less deductions and prudential adjustments;

Supplementary Capital: composed of perpetual instruments that meet eligibility requirements. Added to Core Capital, it makes up Tier I;

Tier II: composed of subordinated debt instruments with defined maturity that meet eligibility requirements. Added to Core Capital and Supplementary Capital, it makes up Total Capital.

For the purposes of calculating these minimum capital requirements, total RWA is calculated by adding the portions of credit, market and operational risk-weighted assets:

$RWA = RWA_{CPAD} + RWA_{MINT} + RWA_{OPAD}$

$RWA_{CPAD}$ = portion related to credit risk exposures, calculated according to a standardized approach;

$RWA_{MINT}$ = portion of the capital required for market risk, composed of the maximum of the internal model and 80% of the standardized model;

$RWA_{OPAD}$ = portion of the capital required for operational risk, calculated according to a standardized approach.

In addition to the regulatory minimum capital, BACEN standards have established a Supplementary Core Capital (ACP) corresponding to the sum of the Conservation ACP, Countercyclical ACP and Systemic ACP portions that, together with the above-mentioned requirements, increase the capital requirement:

Conservation ACP: an additional capital “buffer” to absorb possible losses

Countercyclical ACP: an additional capital buffer to be accumulated during the expansion phase of the credit cycle and to be used during its contraction phase.

Systemic ACP: for institutions with systemic importance, an additional capital is required to cover systemic risk.

The amount of each portion and the regulatory minimum capital, as defined in CMN (Brazilian Monetary Council) Resolution No. 4193, is described in the following table:

Core Capital                              4.5%
Level I                                   6.0%
Total Capital                             8.0%
Additional Core Capital (ACP)             3.5%
    Conservation                          2.5%
    Countercyclical (1)                   0%
    Systemic Importance                   1.0%
Core Capital + ACP                        8.0%
Total Capital + ACP                       11.5%
Deductions from Prudential Adjustments    100%

(1) The Countercyclical ACP is set by the Financial Stability Committee (Comef), based on discussions about the pace of credit expansion, and is currently set at zero. In the event of increased requirement, the new rate will come into effect twelve months after disclosure.

** In accordance with Resolution No. 4,783 from 3/16/2020, BACEN has established rates to be applied to the RWA sum indeterminately, for the purpose of calculating the Conservation ACP share:

I - 1.25%, from April 1, 2020 to March 31, 2021;

II - 1.625%, from April 1, 2021 to September 30, 2021;

III - 2.00%, from April 1, 2021 to March 31, 2022;

IV - 2.5%, from April 1, 2022 on

Internal Capital Adequacy Assessment Process (ICAAP)

BACEN requires a financial year report assessing Itaú Unibanco’s capital adequacy, providing a general and comprehensive overview of the institution’s risk and capital management and stating the results of its capital level adequacy self-assessment according to its risk profile.

Capital Plan

The capital plan is a document included in ICAAP intended to ensure maintenance of an adequate and sustainable capital level, incorporating in its preparation the limits set by the risk appetite and the analysis of the economic and regulatory environments. Additionally, its structure is consistent with Itaú Unibanco’s strategy planning.

This plan presents short- and medium-term financial and capital projections (at least three years after the reporting date), in both normal and stress scenarios, its main sources of capital, the profit distribution policy and the contingency plan.

Contingent Capital Plan

Itaú Unibanco has a capital contingency plan for cases in which at least one capital ratio is found to be lower than those defined by the Board of Directors (CA), or for cases of unforeseen events that may affect the capital adequacy of the institution.

The plan includes a set of contingency actions, and those in charge of such actions, which allow Itaú Unibanco to increase its capitalization levels, and it must contain at least the definition of the capital limits that trigger it and the corresponding governance, in order to maintain Itaú Unibanco’s adequate capitalization level in an adverse situation.

Stress Test

Stress testing is a process of simulating the effects of extreme economic and market conditions on the institution’s profit or loss and capital. Stress scenarios must be approved by the Board of Directors and their results must be considered in the definition of Itaú Unibanco’s business and capital strategy.

The stress test for Itaú Unibanco can be divided into internal and regulatory. The first seeks to measure the vulnerability and solidity of the conglomerate in hypothetical but plausible scenarios of economic crisis based on simulations and macroeconomic projections developed by the institution itself. The regulatory stress test has the same purpose, but uses a scenario developed by the Central Bank. In both cases, the main analyses are about the Bank’s profit or loss (Statement of Profit or Loss), its distribution among the portfolios and activities of the conglomerate and about the institution’s capital level.

Additionally, to supplement the results obtained according to the processes described above, sensitivity analyses and reverse stress testing are performed annually.

The capital management structure must include assessments of capital impacts from the definition of severe scenarios chosen by the institution and include them in the stress testing program results.



Recovery Plan

Itaú Unibanco has a Recovery Plan that aims to reestablish adequate levels of capital and liquidity above regulatory operating limits, in the face of severe stress shocks of a systemic or idiosyncratic nature, in order to preserve its financial viability, and at the same time mitigate impact on the National Financial System.

The Recovery Plan contemplates the entire conglomerate, including subsidiaries abroad, and is reviewed annually and submitted to the approval of the Board of Directors. It contains a description of the items below, as required by the Central Bank under Resolution No. 4,502:

I - Critical functions Itaú Unibanco performs for the market, activities that could impact the National Financial System (SFN) and the functioning of the economy, if abruptly interrupted;

II - Essential services of the institution: activities, operations or services that could compromise the bank’s viability, if discontinued;

III - Monthly monitoring program establishing critical levels for a set of indicators, in order to monitor risks and, if needed, trigger the Recovery Plan;

IV - Stress scenarios, including events that may threaten the viability of the institution and continuity of its business, such as reverse tests, which seek to identify remote risk scenarios, contributing to management sensitivity;

V - Recovery strategies in response to different stress scenarios, including main risks and barriers, in addition to mitigators of the latter and procedures for the operationalization of each strategy;

VI - Communication plan with stakeholders, including the market, regulators, and others, seeking to ensure the timely execution of the Plan;

VII - Governance mechanisms required for coordinating and executing the Recovery Plan, such as, for example, defining the officer responsible for the fiscal year at Itaú.

Global Systemic Importance Index (ISG)

The index measures the importance of each financial institution in the global market and consists of five main indicators:

- Size: reflects the institution’s share in the global activity;

- Foreign activities: the institution’s share in international activities;

- Interconnection: the institution’s share in the interbank market and the global capital market;

- Substitution: the institution’s share in the global offer of financial services;

- Complexity: the institution’s share in complex or low-liquidity instruments.

The information pertaining to ISG calculation is disclosed annually on the Investor Relations website, in two phases, according to BACEN Circular 3,751.

Risk and Capital Management Report – Pillar 3

This report contains information on Itaú Unibanco’s risk and capital management, on calculation of risk-weighted assets (RWA) and on calculation and adjustment of capital required (PR), disclosed quarterly on the Institution’s Investor Relations website.

GUIDELINES

Capital management must support the institution in accordance with the principles defined in the Risk Management policy and in this policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco’s capital management structure shall:

- Ensure that capital management policies and strategies are clearly documented and establish mechanisms and procedures designed to maintain Capital Adequacy (PR), Tier I and Core Capital consistent with the risks incurred by the institution.

- Maintain procedures for capital management.

- Be compatible with the nature of its transactions, the complexity of products and services offered and the extent of risk exposure.

- Ensure the submission of capital management policies and strategies, as well as of the capital plan, for approval and review by the Board of Directors, at least annually, in order to determine their compatibility with the institution’s strategy planning and market conditions.



- Generate reports to the institution’s executive board, the Risk and Capital Management Committee (CGRC) and the Board of Directors (BD), which indicate the capital adequacy ratio, Tier I and Core Capital, in relation to the risks incurred or any deficiencies in the capital management structure, as well as actions to correct them.

- Ensure that the Solvency and Liquidity Regularization Plan required by SUSEP be complied with in the event of insolvency or lack of liquidity by one or more insurance companies, ensuring that the asset management functions of these companies are called to define a corrective action proposal, as well as to submit it for an impact assessment.

- Define the governance and responsibilities of the capital management process, and disclose decisions and policies relating to this process to the impacted areas, as well as to monitor the regulatory capital of Itaú Unibanco and international units.

- Business units and international units must ensure that the approved decisions and policies are properly implemented.

- Ensure that the information disclosed in the Risk and Capital Management - Pillar 3 report is adequately detailed according to the scope, the complexity of transactions, the sophistication of systems, and the institution’s risk management processes, and ensure that any material differences in relation to other information disclosed by the institution are clarified;

- Ensure that any published information complies with the current rules established by regulatory bodies;

- Calculate, monitor and control the regulatory operating limits for Itaú Unibanco Holding’s capital.

KEY ROLES AND RESPONSIBILITIES

Itaú Unibanco’s management is directly involved in the internal capital adequacy assessment process and its risk assessment. The committees and commissions that discuss the capital management process include:

Board of Directors (BD);

CGRC - Comitê Gestão de Riscos e Capital (Risk and Capital Management Committee)

CCap - Comitê de Capital (Capital Committee);

CGTE - Comitê Gestor do Teste de Estresse (Stress Test Management Committee)

ARF - Área de Riscos e Finanças (Risk and Finance Function):

The purpose of ARF is to ensure that Itaú Unibanco’s risks are managed in accordance with established policies and procedures, and it is also responsible for centralizing the Institution’s capital management. The purpose of such centralized control is to provide the Board of Directors and senior management with an overview of Itaú Unibanco’s risk exposures, as well as a prospective view on its capital adequacy in order to optimize and streamline corporate decisions.

Business Functions:

At the most fundamental level, these functions are expected to provide the information required to identify risks, analyze their materiality, and measure the capital required, as well as prepare the capital budget, capital plan, contingency plan, recovery plan, risk and capital management - Pillar 3 report and other regulatory and management reports, ensuring their completeness, integrity and consistency and considering both growth and development of the risk profile expected for businesses at the unit.

The areas involved in the capital management process must be able to perform the required actions whenever so requested.

The responsibilities of each function involved in the capital management process are detailed in the procedures.

Approved by the Board of Directors on June 25, 2020.