Itaú Unibanco Holding SA

06/06/2022 | Press release | Distributed by Public on 06/06/2022 05:47

ITAÚ UNIBANCO - MARKET RISK MANAGEMENT AND CONTROL POLICY - Form 6-K

ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230

PUBLIC ACCESS REPORT - POLICY ON SOCIAL, ENVIRONMENTAL AND CLIMATE RISKS

1. OBJECTIVE

Establish the rules and responsibilities related to the management of Social, Environmental and Climate Risks of Itaú Unibanco Holding SA (Itaú Unibanco), observing the applicable regulations, in particular CMN Resolution 4,557/17 (Res. 4,557/17) amended by CMN Resolution 4,943/21 (Res. 4,943/21).

2. TARGET AUDIENCE

This policy is applicable to the activities of Itaú Unibanco and its subsidiaries.

3. INTRODUCTION

According to Res. 4,557/17, amended by Res. 4,943/21, Social, Environmental and Climate Risk ("SAC" or "SAC Risks") is understood as the possibility of causing losses to the institution, including reputational losses.

SAC Risks must be identified and treated based on relevance and proportionality criteria, taking into account the following dimensions:

- Social: events associated with the violation of fundamental rights and guarantees or acts harmful to the Common Interest;
- Environmental: events associated with environmental degradation; and
- Climate: events associated with both the process of transition to a low carbon economy and events associated with frequent and severe weather or long-term environmental changes, which may be related to changes in weather patterns.

4. SOCIAL, ENVIRONMENTAL AND CLIMATE RISK MANAGEMENT

SAC Risks materialize in Traditional Risks, each of these risk disciplines being responsible for providing specific actions to identify, measure, evaluate, monitor, report, control and mitigate any adverse effects resulting from their interactions with SAC Risks. Such management must be based on the guidelines of this policy, as well as on:

i. precepts and guidelines provided for in the Social, Environmental and Climate Responsibility Policy (PRSAC), in line with CMN Resolution 4,945/21;
ii. provisions of the internal Risk Management Policy;
iii. principles of relevance and proportionality;
iv. determinations provided for in related Rules and Procedures; and
v. public commitments assumed by Itaú Unibanco.

It is necessary that each Traditional Risks discipline includes training for employees who work in SAC Risk management.

4.2. Guidelines

SAC Risks will be managed as provided for in the internal Risk Management Policy.

SAC Risks must be identified from three interdependent perspectives:

• financial, when an event has the potential to materialize in monetary loss;
• image, when an event has the potential to translate into a negative perception of Itaú Unibanco's reputation by stakeholders, as defined in the internal Corporate Risk Dictionary;
• legal, when associated with inadequacy or deficiency in contracts signed by the institution, sanctions due to non-compliance with legal provisions and indemnities for damages to third parties arising from activities carried out by the institution.

SAC Risks must be classified based on elements of probability and severity.

4.3. Risk Management and Governance

Itaú Unibanco's risk management organizational structure adopts the three lines of defense strategy and follows the guidelines established in Res. 4,557/17, aiming to support the proper development of activities.

The governance of risk management is structured to ensure that issues involving risk are widely discussed. In this way, the SAC Risks management structure includes governance composed of different collegiate bodies, set out in item 4.4 "Main Roles and Duties", which are responsible for deliberations and recommendations according to the specificity of each forum, focusing on risk mitigation, in order to maintain exposure to SAC Risks at acceptable levels for the institution.

4.4. Main Roles And Duties:

The SAC Risk management structure at Itaú Unibanco has forums and departments whose responsibilities are indicated below.

Risk Management Department (AR)

Identify, evaluate, measure, control, monitor and report, as well as internalize SAC Risks for Traditional Risks in policies and procedures.

Business Units (Brazil and International Units)

- Identify, measure, evaluate, understand and manage SAC Risks to keep exposures within the established limits, as well as document and store information regarding losses incurred in its activities.
- Communicate promptly to AR whenever they identify potential risks not foreseen in the development of control activities.
- Maintain procedure manuals with detailed descriptions of the responsibilities and attributions of the processes and controls under their responsibility.

Board of Directors

Responsibilities provided for in internal Risk Management Policy and Corporate Governance Policy.

Audit Committee - CAud

Responsibilities provided for in Corporate Governance Policy.

Risk and Capital Management Committee - CGRC

Responsibilities provided for in Corporate Governance Policy. In terms of SAC Risk management, the activities of the Risk and Capital Management Committee (CGRC) resulting from the application of this Policy will be coordinated with those of the Social, Environmental and Climate Responsibility Committee.

Social, Environmental and Climate Responsibility Committee
Higher ESG Committee
Superior Social, Environmental and Climate Risk Committee (CRSAC Superior)
Social, Environmental and Climate Risk Committee (CRSAC)

Responsibilities provided in internal procedure.

5. RELATED EXTERNAL RULES

- CMN Resolution 4,557/17, amended by CMN Resolution 4,943/21 - Risk and capital management structure and information disclosure policy.
- CMN Resolution 4,945/21 - Social, Environmental and Climate Responsibility Policy (PRSAC) and actions aimed at its effectiveness.
- SARB Regulation 014/2014 - Banking Self-Regulation (FEBRABAN) - Creation and implementation of the Social and Environmental Responsibility Policy.

6. GLOSSARY

CGRC: Risk and Capital Management Committee

Common Interest: that associated with the group of persons legally or factually linked by the same cause or circumstance, when not related to the definition of environmental risk, transitional climatic risk or physical climatic risk.

PRSAC: Social, Environmental and Climate Responsibility Policy

PR: Itaú Unibanco's Internal Procedures

PS: Itaú Unibanco's Internal Policies

ID: Itaú Unibanco's Internal Rules

SAC Risks: Social, Environmental and Climate Risks

Traditional Risks: these are the risk disciplines listed in items I to V of art. 6 of CMN Resolution 4,557/17.

Approved by the Board of Directors on May, 2022.

ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230

PUBLIC ACCESS REPORT - MARKET RISK MANAGEMENT AND CONTROL POLICY

OBJECTIVE

Establish the market risk management and control framework of Itaú Unibanco Holding S.A. (Itaú Unibanco) following the applicable regulations and best market practices.

TARGET AUDIENCE

This policy applies to all employees and activities of the conglomerate that result in exposure to market risk, impacting Itaú Unibanco Holding and its subsidiaries. Market risk control covers all positions of the portfolios of financial and non-financial companies belonging to Itaú Unibanco in Brazil and at the International Units. It does not apply to the market risk of customer portfolios managed by the bank and/or Trust management (e.g. Wealth Management & Services-WMS funds).

INTRODUCTION

Market risk is the possibility of losses arising from the fluctuation in market prices of positions held by an institution, including the risks of transactions subject to fluctuations in exchange rates, interest rates, stock prices, price indices and commodity prices.

Market risk depends on the behavior of the asset price in the face of market conditions. In addition to the treasury function, which buys and sells securities, other functions may impact the market risk assumed by the bank: for example, the procurement department, when purchasing in foreign currency, or even the marketing department, when undertaking to sponsor, for instance, the Brazilian soccer team.

Market risk control is based mainly on the following metrics:

• Value at Risk (VaR): a statistical measure that quantifies the maximum potential financial loss expected under normal market conditions, taking into account a certain time horizon and confidence interval. For example, the VaR for a given day may be R$5,000,000.00 considering a confidence interval of 99%. This means that the bank has 99% confidence that loss on that day will not be greater than that amount.
• Mark to Market (MtM / Pricing): marking to market or pricing securities means updating the amounts of transactions that make up the bank's portfolio using the best available values.

These metrics, among others, are used to set thresholds and trigger alerts for the department.

GUIDELINES

Market risk control processes shall strictly follow the principles defined in this policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco's market risk management and control framework shall:

• Ensure the use of integral databases that reflect the business conducted based on duly approved products, which ensure correct information and calculations, from registration to recording in books;
• Apply models that reflect best market practices;
• Ensure that portfolio pricing is preferably based on quotations observed in financial markets, captured through integral external sources. When there is no price available, the calculation shall be made through a pricing model that represents a fair valuation of positions. In such cases, these assessments shall be consistent and verifiable, and market benchmarks and data used in the assessment shall be regularly reviewed.
• Calculate the results of marked-to-market portfolio positions following the bank's model governance.
• Have risk control functions responsible for defining and applying pricing parameters, independently from the business areas.
• Establish and ensure that the processes and systems adopted to measure, monitor and control exposure to market risk:
  - Are compatible with the nature of transactions, the complexity of products and the size of the institution's exposure to market risk;
  - Contain all sources of market risk, and
  - Generate timely risk exposure reports for the business units, the institution's executive board and the Board of Directors;

KEY ROLES AND RESPONSIBILITIES

The Market Risk control framework at Itaú Unibanco involves the parties below, whose roles in connection with this matter are described below.

Board of Directors:
- define the institution's risk appetite and review it annually.

High Market and Liquidity Risk Committee:
- define the authority levels related to market risk control and review them annually.
- monitor market risk indicators by making the necessary decisions and following the risk appetite.

Chief Risk Officer:
- responsible for market risk management at Itaú Unibanco.

Market Risk Control:
- identify, measure, control, monitor and report exposure to market risk to business areas and report to high committees;

- monitor the exposure conformity with the approved limits, alerts and other market risk control measures, informing possible nonconformity to the relevant authority levels and requesting an action plan for conforming it;
- maintain specialized and adequately-sized teams to support market risk processes and systems under its governance and development management.
- calculate the managerial results of positions and disclose them to the functions that would enable monitoring and support in decision making.

Treasury:

Employees are at least expected to fully understand the nature of the risk in the portfolios under their management and the effective management of this risk, ensuring transparency to desk managers and conformity with the established limits.

MARKET RISK CONTROL

The Market Risk control at Itaú Unibanco is conducted through governance and processes ensuring that:

• The institution is operating in accordance with the risk appetite defined by the Board of Directors, reviewed and approved annually based on a limit and alert framework. The limits are sized by assessing the projected balance sheet results, size of equity, liquidity, complexity and market volatility, as well as the institution's risk appetite.
• The use of limits is reported by the Market Risk function to the Business Areas and to the bank's executives. Alerts serve as pre-set limit indicators.
• The institution's limit and alert framework is composed of aggregate metrics that monitor and limit the risk in a global and granular way, in order to avoid excessive concentration of risk in one single risk factor.
• The limits are figures that the operation desks of the negotiating portfolio and trading desks of the banking portfolio must respect. Alerts are metrics that issue a signal to the institution, from which, through a clearly defined governance, procedures to be adopted in case of activation of this alert are outlined.
• The mark-to-market (pricing) of positions shall be based on quotations captured from external sources or, if this is not possible, calculated based on models developed and validated according to guidelines established in specific policies.
• Information on prices and traded positions is stored in one single historical and corporate database, with controls that ensure its integrity and completeness, and with functionalities that allow historical information to be consulted.
• The models used capture the correct sensitivity to market oscillations, by applying compliance tests periodically to the total portfolio and sub-portfolios, including all risk categories. Their results shall be analyzed and used to improve the models and manage the institution's risk. In addition, the managerial result shall be used to verify compliance of the market risk measurement models.

• The measurement of potential risk in extreme market situations complements statistical risk measures, through the application of stress tests to all positions of portfolios of financial and non-financial companies.
• In addition to positions in the portfolio that do not have prices directly observed in the market, which are not liquid or are assessed through an internal pricing model, particularly securities and derivatives, apply prudential adjustments correcting possible MtM errors, and following the relevance and materiality criteria.

7. RELATED EXTERNAL RULES

Circular Letter No. 3.354/07 of the Central Bank of Brazil, which establishes minimum criteria for classification of transactions in the trading portfolio.

Resolution No. 4557/17 of the Brazilian Monetary Council, which provides for the implementation of a market risk management framework.

Approved by the Board of Directors on February, 2022.

ITAÚ UNIBANCO HOLDING S.A.
Tax Payer's # [CNPJ] 60.872.504/0001-23 Publicly-Held Corporation NIRE 35300010230

INTEGRATED OPERATIONAL RISK MANAGEMENT AND INTERNAL CONTROLS POLICY

OBJECTIVE

Establish the guidelines and responsibilities related to operational risk management and internal controls, observing the good market practices and all applicable standards and regulations.

TARGET AUDIENCE

All employees of Itaú Unibanco Holding and its subsidiaries in Brazil and abroad.

INTRODUCTION

Risks are present in all activities performed at the institution, including outsourced services, and managing such risks is necessary. All employees must exercise the risk manager role according to their functions and duties, comply with the established rules, and be attentive to changes.

Operational Risk is among all the risks to which we are exposed. It is the subject addressed in this document, including the internal controls used for its management.

The Central Bank of Brazil defines operational Risk as "the possibility of losses resulting from external occurrences or failures, deficiencies or inadequacy of internal processes, personnel or systems." It also includes the legal Risk associated with inadequacy or deficiency in contracts signed by the Institution, sanctions due to non-compliance with legal provisions, and indemnities to third parties for damages arising from the activities carried out by the Institution.

Unlike a large part of the risks applicable to the financial sector, the Operational Risk is not taken as a counterpart for an expected reward, existing in the natural course of corporate activities.

The proper operational risk management presupposes understanding the organization's existing processes and identifying the risks inherent to activities, projects, products, or services and their prioritization, depending on the level of criticality (importance), by considering their impacts on the process or organization objectives.

Once the risks are prioritized, response measures are taken, that is, actions that address each of the identified risks to bring them to acceptable exposure levels. Such actions may include implementing preventive controls to reduce the possibility of risk materialization or involve controls aimed to detect materialization. There may be a decision to share risk, transferring it either partially or completely, for example, by contracting insurance. The aforementioned risks can also be avoided by simply opting for discontinuing the risk-generating activity, or otherwise assumed, in which case the decision is not adopting additional control measures concerning the existing ones.

GUIDELINES

The specific guidelines regarding operational risk management and internal controls are defined below.

Operational risk management model

To properly manage its risks, including operational risks, Itaú Unibanco uses the 3 lines of defense.

Identification of operational risks

The identification of operational risks inherent to the Conglomerate activities must be carried out at any time: in existing products and services; design of a new process, project, or product; activities carried out internally or outsourced; and throughout a product or service lifetime.

Inherent Risk is the risk that, due to its nature, cannot be separated from the activity. That is, it is the intrinsic Risk from the different activities and areas of the Conglomerate, not considering the control systems implemented for its mitigation.

The exposure to rare and high-severity operational risk events, although considered as plausible, is assessed by creating scenarios, providing information on the potential Risk, generating loss estimates, and considering, when necessary, the impact resulting from the simultaneous occurrence of multiple operational risk occurrences.

Operational risk prioritization

The operational risks identified are prioritized according to their impact level on the objectives of the Executive Board and/or the Conglomerate. To assist in the proper impact assessment, it is important to consider the various possibilities of impacts and their scope, such as:

• Financial: evaluate the representativeness of the financial impact that may occur on the business and/or on the Organization resulting from the exposure to operational risk. Risks that could lead to significant errors in the financial statements are classified following the Sarbanes-Oxley Act (SOx).
• Image/Reputation: assess the possible negative repercussions in national and international media (visibility and dissemination), as well as damage to the brand and its possibility of reversal.
• Legal/Regulatory: evaluate the possibilities to cause regulatory non-compliance, as well as the possibility of incurring fines, warnings, inspections, administrative proceedings, or loss of operating licenses.
• Customers: assess the volume of impacted customers, the segmentation or distribution channels involved.
• Strategic and Business: evaluate the impacts arising from failures or errors in the strategy for launching or maintaining processes, products, and services. This may also result from untimely action in identifying and reacting to changes in the business environment, competitors, new businesses, changes in customer habits, etc.

Response to operational Risk

Responding to the operational Risk means defining what action will be taken concerning the identified Risk. Some possible actions:

• Mitigate: establishing actions that reduce the likelihood of operational risk to materialize in the process or actions for reducing the impact produced.
• Share: establishing actions aimed to reduce the impact and/or likelihood of risk occurrences by transferring or, in some cases, sharing a part of the Risk. It might involve contracting insurance, for example.
• Avoid: establishing actions to eliminate the likelihood of risk materialization. It may involve the discontinuation of the activity/operation subject to Risk.
• Assume: no action is taken to reduce the impact and/or likelihood of risk occurrences. In this case, the risk assumption governance.

Monitoring the level of exposure to operational risks

The Organization must monitor exposure to operational Risk through risk indicators according to established tolerance levels. The identified failures must be timely registered through operational risk occurrences, then addressed and periodically monitored by the first line of defense, together with the findings by Compliance and Internal and External audits.

The second line of defense must validate the implementation of action plans for moderate and high-level operational risk events.

Operational risk reporting

Any high-risk level occurrences identified by the lines of defense, regulatory bodies, or external audit must be communicated to the superior committees, executives of the business units, Chief Risk Officer (CRO), Audit Committee, and the CGRC, the last two being collegiate bodies of the Board of Directors. The reporting of High Operational Risk occurrences in International Units is carried out in each Unit's relevant forums.

Disclosure of operational risk management actions

Description of the Operational Risk management structure is made available through a publicly accessible report duly approved by the Board of Directors. Additionally, a description summary on the management structure of Operational Risk and Internal Controls is published together with the financial statements. The decisions, policies, and strategies defined for managing the operational Risk of the international units are disclosed to the Chief Risk Officers (CROs).

Management of operational risk loss database

All departments of Itaú Unibanco are exposed to operational risk events, so the Business Units (first line of defense) are responsible for identifying such events and the associated loss values to compose the Operational Losses Database (OLDB). Expenses and provisions related to operational risk events that impact the Bank's income statement must be reported in OLDB.

Capital allocation for operational Risk

The conglomerate uses the Alternative Standardized Approach (ASA) to calculate and allocate regulatory capital for operational risk. Additionally, the economic capital for operational Risk (ICAAP) is calculated and allocated. The adequacy of the Reference Equity (PR) level, concerning the operational Risk assumed by the Conglomerate, must be periodically monitored.

MAIN ROLES AND DUTIES

Board of Directors - BD:
- Approve the guidelines, strategies, and policies related to operational Risk and internal controls, ensuring a clear understanding of the roles and responsibilities for all levels of the conglomerate.

Risk and Capital Management Committee - CGRC:
- Support the Board of Directors in performing their responsibilities related to the capital and risk management of the Company, submitting reports and recommendations on these topics for the Board's decision.

Audit Committee - CAUD:
- Supervise the internal controls and risk management processes.

Superior Operational Risk Commission - CSRO:
- Know risks in processes and businesses of Itaú Unibanco, define guidelines for managing operational risks, and evaluate the outcomes from works performed in Itaú Unibanco Internal Controls and Compliance operation.

Compliance and Operational Risk Committee - CCRO:
- Monitor and promote, in each Executive Area from the Financial Conglomerate, the development and implementation of the guidelines approved and defined by CSRO. Subsidize the CSRO with the main topics that require a higher authority level of discussion. Discuss the main risks of the Business Areas and the proposed action plans to mitigate the identified risks.

Internal Operational Risk Committee - CIRO:
- Discuss matters related to Compliance, Operational Risks, Internal Controls, and Underwriting Risks (when exposed) of each Business Unit. Forward to the Compliance and Operational Risk Committees - CCRO all the resolutions requiring higher authority levels.

Chief Risk Officer (CRO):
- Responsible for risk management in the institution.

Operational Risk Board:

Inserted in the second line of defense, the structure is represented by the superintendents who act as Internal Controls and Risks Officers (OCIRs) and, together with their teams, are responsible for:

• Supporting the first line of defense in observing their direct responsibilities.
• Developing and making available the methodologies, tools, systems, infrastructure, and governance necessary to support the integrated management of Operational Risk and Internal Controls in the relevant conglomerate and outsourced activities.
• Coordinating the Operational Risk and Internal Control activities with the Business and Support areas, being independent in the exercise of their functions and having direct communication with any administrator or employee, and access to any information necessary within the scope of their responsibilities. For this reason, this department is prohibited from managing any business that could compromise its independence.
• Communicating high-risk occurrences in the relevant forums.

Business/Support Areas:
- Primarily responsible for identifying, prioritizing, responding to risk, monitoring, and reporting operational risk events that may influence the achievement of the previously defined strategic and operational objectives.

Internal Audit:
- Check, independently and periodically, the adequacy of processes and procedures for identifying and managing risks.

GLOSSARY

Control environment: represents the set of policies, processes, procedures, personnel, and systems used by the Conglomerate to manage its exposure to operational Risk inherent to the complexity, diversity, frequency, and volume of its operations.

Operational risk occurrence: it is the record of operational failures/gaps identified in the Conglomerate.

Outsourced activity: Provision of services by a specialized company hired to carry out any activities of the contracting party.

Cause: the reason that led (or could lead) the operational risk to materialize. It represents the problem root and can be organizational, behavioral, systemic, procedural, or external. Operational risk events can have one or more associated causes.

Control: activities carried out to reduce, to acceptable levels, exposure to risks that may impact an organization's objectives. Control activities are carried out by the business/support areas at all levels of the Organization, and these can be detective or preventive and include manual or automated activities.

Detective control: control carried out to detect the materialization of operational risk, enabling to reduce its impact. It is reactive in nature.

Preventive control: control carried out aiming to reduce the probability or prevent an operational risk from occurring. It is proactive in nature.

Operational risk event: operational risk materialization. These are situations that, when materialized, cause real consequences in business processes or support and that differ from the expected results and may have a direct impact (e.g., financial losses) or indirect impact (e.g., opportunity cost and damage to reputation/image). For categorization purposes, Itaú Unibanco uses the same definitions adopted by the Basel Committee and the Central Bank of Brazil.

Risk exposure: financial volume that represents the exposure to unexpected operational losses associated with the Conglomerate activities.

Failures: situations where the Risk has already materialized due to inadequate systems, poor management, ineffective controls, human error, or internal/external fraud, which may result or not in financial loss.

ICAAP: Internal Capital Adequacy Assessment Process

Impact (consequence): the amount of operational risk loss resulting from direct cost, restitution, legal expenses, legal fines, loss of appeal, and asset value reduction.

Risk Materialization: a risk is considered to have a cause and, if it happens, there is a consequence or effect.

Inherent Risk: existing Risk due to the type or nature of the business, area, product, process, project, or new or existing system, which is exposed to Risk, regardless of the control structure or other mitigating factors implemented. It is the raw Risk or Risk before controls are implemented.

Residual Risk: portion of the inherent Risk that remains exposed after considering the existing controls and mitigating actions.

RELATED EXTERNAL RULES

CMN Resolution 4.557/17 - Provides for the risk management structure and the capital management structure.

CVM Instruction 558/15 - Provides for the professional exercise for the management of securities portfolios

SUSEP Circular 521/15 - Regulates technical provisions; liabilities adequacy test; reducing assets; underwriting, credit, operational and market risk capital; constitution of operational losses database; among others.

Sarbanes Oxley Act - Establishes rules for Corporate Governance related to the disclosure and issuance of financial reports.

Approved by the Board of Directors on August, 2021.

ITAÚ UNIBANCO HOLDING S.A.
Tax Payer's # [CNPJ] 07.540.097/0001-74 Publicly-Held Corporation Identification Number in the Companies Registry [NIRE] 35300010230

PUBLIC ACCESS REPORT - COMPLIANCE POLICY

OBJECTIVE

Establish the guidelines and main tasks associated with the Compliance role, observing good market practices and applicable regulations.

INTRODUCTION

The Compliance role aims at preventing and mitigating the exposure of Itaú Unibanco to situations of non-compliance with internal and external standards (Compliance risk), responsible for aspects of governance, compliance certification, conduct, and transparency.

Compliance risk is the risk of legal or regulatory sanctions, financial losses or damage to reputation, arising out of the lack of compliance with legal and regulatory provisions, market standards, local and international commitments through codes of self-regulation, technical standards, codes of conduct or internal policies.

Itaú Unibanco adopts the strategy of three lines of defense to operationalize its risk management structure (including Compliance) and to ensure compliance with the guidelines provided in this policy, with clear division of roles and responsibilities.

1. The first line of Defense

Is represented by the business and support areas. Its employees are responsible for risk management and adherence to standards associated with its activities, as well as for the implementation of the controls and for the implementation of corrective measures for proper treatment of risks.

2. The Second line of Defense

Is represented by risk control functions, which are completely segregated from the activities of the internal and legal audit, having independence in the exercise of its functions. It has direct communication with the administrators, including the members of the Board of Directors and the Audit Committee, as well as with any employee. They have access to any information required under its responsibilities.

It is forbidden, in Brazil and abroad, to the areas that make up the second line of Defense, the management of any business or process that may compromise its independence or generate conflicts of interest. For the same reason, its goals and pay cannot be related to the performance of business areas.

3. The third line of Defense

Is represented by the Internal Audit, which provides an independent assessment of the institution's activities by means of audit techniques. It allows management to assess the adequacy of controls, the effectiveness of risk management, the reliability of accounting statements and compliance with standards and regulations.

GUIDELINES

About Compliance function

Compliance risk management should address existing or new processes, products and services, including relevant outsourced services. Such processes, products and services must be periodically tested and evaluated regarding compliance with applicable standards, commitments made with regulators and requirements related to the Code of ethics, where applicable to internal standards.

The Compliance function is performed by the Executive Board of Operational Risk and compliance, reporting to the Finance and risk area and acting independently from the other support and business areas of the conglomerate. In the international units, there are local and independent structures responsible for the control of operational and Compliance risks, under the responsibility of the local CROs, who report to the Executive Board of Operational Risk and Compliance. The notes raised by the Executive areas, internal and external audits, regulators and other supervisory and supervisory entities must be followed up on, so that their effective treatment is guaranteed by the competent areas. Compliance Risk reports shall be clear, objective and timely, and shall be reported to senior commissions, business unit executives, Vice president of risks, risk and Capital Management Committee, Audit Committee and Board of directors, so that the established exposure levels and limits of framework are monitored. In international units, Compliance Risk Reports should be reported to the relevant forums of each unit and to DCIRO/SCRUI. To contribute to the proper risk management, Itaú Unibanco has a risk management methodology consisting of 5 steps: identification, prioritization, Risk Response, Monitoring, and reporting. MAIN ROLES AND TASKS Common to all areas of Itaú Unibanco -Conduct the integrity and Ethics and Risk Management Training provided by Itaú Unibanco. -Sign, yearly, the Form "Corporate Integrity Policies", confirming knowledge and agreement to what is established in this policy. -Define, implement and comply with policies and procedures for adherence to regulations. -Take account of the provisions laid down by the internal policies of the conglomerate. -Report fact or suspicion of violation of the provisions of this policy.
Management Board The Management Board shall be responsible for: -Approve: a) Compliance guidelines, strategies and policies, with the aim of ensuring a clear understanding of the roles and responsibilities at all levels of the conglomerate; and b) The Executive Board of Operational Risk and Compliance's position in the organizational structure of the institution, in order to avoid possible conflicts of interest, mainly with the business areas. -Provide the necessary means for activities related to the Compliance function to be performed properly, including the availability of resources for personnel allocation in sufficient quantity, with the necessary experience and training. -Meet with the Executive Board of Operational Risk and Compliance at least on an annual basis as part of the assessment of the effectiveness of Integrated Operational Risk Management, internal controls and Compliance. -Ensuring: a) appropriate management of this policy; b) effectiveness and continuity of implementation of this policy; c) communication of this policy to all relevant employees and third party service providers; d) disclosure of standards of integrity and ethical conduct as part of the institution's culture; and e) adoption of corrective measures for identified Compliance failures The evaluation of these items by the Board of Directors will be held on the basis of regular meetings and the annual report prepared by the Executive Board of Operational Risk and Compliance, as well as by the annual assessment made by the Audit Committee. Audit Committee: The Audit Committee must:

- Validate Compliance policy before it is sent for approval by the Board of Directors. -Evaluate, at least annually, the Compliance structure in relation to the following aspects: a) clear definition of the tasks, roles and responsibilities of Compliance function, avoiding possible conflicts of interest, mainly with the business areas of the institution; b) positioning in the appropriate hierarchical level, independent and segregated of operational and business areas, with duly exercised mandate regarding the definition of scope, execution of the work and communication of its results; c) organizational structure consistent with the needs of the conglomerate and staff allocation in sufficient quantity, adequately trained and experienced to carry out the activities related to their respective functions; d) effectiveness of Compliance Management; and e) adhesion of the structure to the applicable adjustment. -Verify the performance of: a) communication of this policy to all relevant employees and third party service providers; b) disclosure of standards of integrity and ethical conduct as part of the institution's culture; and c) adoption of corrective measures for identified Compliance failures. First line of Defense -Inform and empower employees and third party service providers relevant to Compliance issues; -Relate to regulatory, self-regulatory, supervisory and supervisory bodies, taking into account their requests and issuing to them the reports due. 
- Identify, measure, evaluate and manage Compliance risk events that may influence the achievement of the conglomerate's strategic and operational objectives; -Maintain an effective control environment, consistent with the nature, size, complexity, structure, risk profile and business model of the operations carried out, in order to ensure the effective management of Compliance risks, maintaining the risk exposure at acceptable levels, as the risk appetite established for the Conglomerate; -Define and implement the action plans for addressing non-compliance notes made by internal and external audits, internal controls, Compliance, regulators, self-regulatory and other supervisory and regulator; -Report promptly to the Compliance area when identifying changes in relation to existing standards and regulations or risks of Compliance not foreseen by the control activities; and -Maintain compliance with local and international regulatory standards and requirements. Second line of Defense Risk and Finance Area -Calculate, monitor and control the operational limits established by the regulators to ensure the regulatory adhesion of Itaú Unibanco, even when there is no obligation of periodic submission to the regulator. Executive Board of Operational Risk and Compliance It is the responsibility of the Executive Board of operational risks and Compliance, through the Corporate Compliance and internal controls and operational risk boards: -Support the first line of defense in observing their direct responsibilities. 
-Disclose standards of integrity and ethics as part of the conglomerate's risk culture and controls, and disseminate best practices and policies related to Compliance function; -Guide and advise the managers and employees of the conglomerate, directing specific solutions on compliance with internal standards related to the integrity and Ethics Program; -Guide and advise the managers and employees of the conglomerate, directing specific solutions related to compliance with external standards;

- Assess the incentives to comply with regulations and commitments made with regulators and report these results to the Remuneration and Audit Committees; -Ensure that the teams responsible for carrying out Compliance functions have appropriate authority and that they are adequate, both in resources and in knowledge, through a structured training program; -Categorize Compliance themes according to their severity and monitor the conglomerate's exposure to these risks; -Certify the efficacy of the Compliance control environment of the first line of defense by means of monitoring and testing programs, reporting the results to the High Administration and regulatory bodies, when requested; -Review and monitor the action plans adopted for addressing notes made by internal and external audits and regulatory bodies; -Report to the Board of Directors, the Audit Committee, the risk and Capital Management Committee and the Board of Directors the relevant situations that are non-compliant; -Supervise the international units in the evaluation of adherence to the corporate guidelines, as well as in the adoption of the Compliance methodology and consolidated monitoring and reporting to the Matrix; -Coordinate implementation, monitoring and evolution of corporate integrity and Ethics Program in international units; and -Coordinate governance of International Regulation Compliance Programs relevant to the conglomerate. 
It is the sole responsibility of the Board of Corporate Compliance: -Maintain proof of the approval of this document by the Management Board; -Define principles and guidelines for the dissemination of the culture of Compliance, including training; -Develop and make available the methodologies, tools, systems, infrastructure and governance necessary to support Compliance in the relevant conglomerate and outsourced activities; -Manage the process of capturing, screening, impact assessment and compliance monitoring; -Coordinate governance of policies and procedures of Itaú Unibanco, in accordance with applicable regulations and market best practices; -Monitor policies of personal investments and Securities Trading Policy of Itaú Unibanco Holding S. A; -Report on a timely basis relevant information, both of the results of the assessments of Compliance undertaken that have identified failures in materials, and significant changes in the regulatory environment; -Sending annual report to the Audit Committee and the Board of Directors, containing a summary of the results of activities related to Compliance issues, main conclusions, recommendations and action plans adopted for treatment of the deficiencies identified; -Manage Trade Surveillance and integrity programs; -Coordinate the relationship with regulators, self-regulators and other inspection entities and supervisors, monitoring the actions arising from the commitments undertaken, facilitating information sharing and ensuring the consistency of institutional positioning. Third line of Defense Verify, independently and periodically, the adequacy of processes and procedures for the identification and management of risks, including the integrated management of operational risk, internal controls and Compliance, according to the guidelines set forth in internal documents, and submit the results from its notes to the Audit Committee. Approved by the Board of Directors on 04/30/2020.

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT-LIQUIDITY RISK MANAGEMENT AND CONTROL POLICY OBJECTIVE Establish the liquidity risk management and control structure of Itaú Unibanco Holding SA (Itaú Unibanco), observing the applicable regulations and best market practices. TARGET AUDIENCE This policy is applicable to all financial companies controlled by Itaú Unibanco in Brazil and abroad. This policy is also applicable to all activities of the conglomerate that result in exposure to liquidity risk, with an impact on Itaú Unibanco Holding and its subsidiaries. This policy does not apply to the liquidity risk of customer portfolios managed by the bank and/or trusteeship (e.g. funds from Wealth Management & Services-WMS). INTRODUCTION Liquidity risk is defined as the possibility that the Institution may not be able to honor efficiently and in a timely manner its obligations. Liquidity risk can occur when there is a mismatch between cash flows (assets and liabilities) that affects its operations or produces significant losses. Example: Customer A makes a deposit of R$100.00. Customer B requests a loan of R$100.00 for a period of one year. At this point, the bank transfers the amount deposited by Customer A to Customer B. After a few days, Customer A requests the withdrawal of the deposited amount. If the bank does not have this amount available, it will not be able to honor the commitment, exposing a liquidity problem. Significant losses may occur if the bank is forced to sell any assets to generate cash and honor its commitment to Customer A. Liquidity risk control is carried out by a department independent of the business departments. The objective is to compare assets (generally the most liquid) with financial obligations (generally with shorter maturities) and ensure that sufficient cash is available to meet the obligations. 
Liquidity risk is controlled in accordance with the Limits Framework established by the Board of Directors and the Higher Committees. GUIDELINES The liquidity risk management and control processes must strictly observe the principles defined in this policy. The measurement of liquidity risk must cover all financial operations of Itaú Unibanco companies, as well as possible contingent exposures (exposure situations with no expected date to occur) or unexpected exposures (changes in cash inflows or outflows). These situations are commonly caused by: -settlement services (for example: significant decrease in tax collection, settlement of bank slips or bank transfers); -provision of guarantees and endorsements (for example: customers who execute guarantees and/or warranties for non-payment of loans); -contracted and unused credit lines. (for example: increased use of overdraft or credit card limits);

- Realization of adverse events that impact technical provisions (Occurrence of incidents, redemption or portability of pension plan, redemption or inclusion in capitalization draws) The main measure in controlling liquidity risk should be measurement of liquid assets, which is composed of: -cash in the country (federal government bonds, cash, BACEN deposits, any asset that can be immediately traded and converted into cash without significant loss of value); -cash abroad (assets that can be immediately traded and converted into cash abroad without significant loss of value, such as, for example, cash, cash in other banks) -all assets immediately convertible (D0) into means of payment. Liquidity Risk Control includes contingency and liquidity recovery plans to clearly define actions to restore liquidity in different stress situations. KEY ROLES AND RESPONSIBILITIES The Liquidity Risk control structure at Itaú Unibanco involves the parties indicated below, for which we highlight their roles in this matter. Board of Directors -define the institution's risk appetite and review it annually. Superior Market and Liquidity Risk Commission: - define the powers related to liquidity risk control and review them annually. -monitor liquidity risk indicators, taking the necessary decisions, respecting the defined risk appetite. -submit for approval by the Board of Directors, at least annually, the liquidity contingency plan (Brazil); Liquidity Risk Control -define the composition of the reserve, in accordance with the guidelines established by senior management; -identify, assess, monitor, control and report daily exposure to liquidity risk. -propose liquidity risk limits; -monitor the contingency and recovery plans, as well as the limits established for each of these plans and report any non-compliance to the competent approval authorities. - carry out liquidity risk simulations under stress conditions. 
-periodically report the main liquidity risk controls in Brazil and the External Units, as well as situations of sudden reductions in liquidity and relevant aspects of the measures in progress to the collegiate bodies, Treasury, Superintendence of Integrated Capital Management, CRO and the Board of Directors; -Inform any non-compliance, both in the managerial risk appetite and in the Contingency and Recovery triggers. Also inform the Integrated Capital Management Superintendence of the daily LCR (Liquidity Cover Ratio) indicator levels, ensuring support for monitoring the Recovery Plan; -in relation to risk appetite metrics, monitor, analyze and report the information that makes up the Risk Appetite Report, in addition to communicating relevant aspects to those involved, such as committee decisions, requests for action plans and notices on points of attention. -maintain specialized and adequately sized teams to support the liquidity risk processes and systems under its governance and development management.

Institutional Treasury (Brazil and International) -centralizing the management of Itaú Unibanco's liquidity risk, ensuring adequate and sufficient levels of liquidity; CAAF (Financial Asset Management Commission): -Centralize the liquidity management of the proprietary portfolio and vehicles supervised by SUSEP. Reserve Pilot (see Glossary): -identify, evaluate, monitor and alert on cash needs for operations carried out during the day; Information Technology: -maintain specialized and adequately sized teams to support the liquidity risk processes and systems that are under the governance and management of technology development, and for the Hosting processes defined in specific service provision agreements; LIQUIDITY RISK CONTROL The control of Liquidity Risk at Itaú Unibanco includes measuring, monitoring, controlling and reporting exposure levels, in addition to contingency plans and liquidity recovery. The measurement of exposure to liquidity risk is based on the daily analysis of the evolution of cash flows and compliance with regulatory indices, as described below: -Projected cash flow (Business Continuity Scenario): demonstrates cash flow expectations, considering business continuity in normal conditions; -Portfolio Settlement Scenario (run-off): demonstrates the expected cash flows, considering the settlement of current portfolios and the discontinuation of business. -Portfolio Settlement Scenario (Stressed): demonstrates cash flows in adverse idiosyncratic scenarios for companies regulated by Susep. -Short-Term Liquidity Cover Ratio (LCR): demonstrates that the prudential conglomerate's high-quality liquid assets are sufficient to withstand a severe liquidity crisis, for a period of 30 days, according to premises defined by the Central Bank of Brazil; and -Net Stable Funding Ratio (NSFR): demonstrates that the prudential conglomerate has available stable resources higher than required by cash outflows in a one-year stress scenario.
-Concentration of Funding Providers: demonstrates that the prudential conglomerate has diversified exposure to liquidity provider counterparties. The use of liquidity risk limits must be verified against the approved limits. Noncompliance with the established limits and indicators must be reported by the liquidity risk control to senior management, the relevant departments for immediate reclassification of exposure and the relevant committees. The contingency and recovery plans are designed to restore adequate levels of liquidity and preserve Itaú Unibanco's viability in response to stress situations. The plans must contain a list of actions to be implemented, covering volumes, deadlines and those responsible for them. The actions of the contingency plan must contemplate a gradation by level of criticality. The order of actions should be determined by the ease of implementation, taking into account the characteristics of the market. Approved by the Board of Directors in April 2022.

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT-CREDIT RISK MANAGEMENT AND CONTROL POLICY OBJECTIVE Establish the Governance and Credit Risk control of Itaú Unibanco Holding S.A., observing the applicable regulations. TARGET AUDIENCE Financial institutions controlled by Itaú Unibanco Holding S.A. (Itaú Unibanco), in Brazil and abroad, incur credit risk, covering all segments (individuals and legal entities). INTRODUCTION According to the institution's corporate risks dictionary, Credit Risk is understood as the risk of losses arising from: - non-compliance by the borrower, issuer, or counterparty with their respective financial obligations under the agreed terms, - credit agreement devaluation resulting from deterioration in the risk rating of the borrower, the issuer, or the counterparty, - reduction of earnings or remuneration, -advantages granted in subsequent renegotiations and -credit recovery costs. The credit risk control processes must support the institution, strictly observing the principles defined in internal policies. The centralized control of credit risk is carried out independently by the Risk Management Department (A.R.), segregated from the Business Units and the area executing the internal audit activity. In the International Units, the independent structure responsible for monitoring controls and risks is under the responsibility of the local CROs (Chief Risk Officers), who must report monthly to the A.R. risk director boards and quarterly to the CRO of Itaú Unibanco. The roles and responsibilities of the CROs from International Units are defined in internal procedure. This structure enables the continuous and integrated management of credit risk. It must consider the operations classified in the trading portfolio and those classified in the non-trading portfolio. 
GUIDELINES Risk management must be integrated, thus enabling identification, measurement, evaluation, monitoring, reporting, control, and mitigation of Credit Risk. Credit Risk management structures must be proportional to the risk exposure dimension and relevance, compatible with the business model, the nature of transaction operations, and the complexity of Itaú Unibanco products, services, activities, and processes. Therefore, specialized and properly dimensioned teams must be maintained to support the credit risk processes and systems under their governance. The Credit Risk management structure must provide: - Clearly documented risk management policies and strategies that establish limits and procedures for maintaining risks exposure following the Risk Appetite Statement. It should also take into account the prior identification of credit risks inherent to: -New products and services; -Relevant modifications to existing products or services; -Significant changes in processes, systems, operations, and business model of the institution; -Protection strategies (hedge) and risk assumption initiatives; -Significant corporate reorganizations; and -Changes in macroeconomic scenarios.

- Monitoring processes to identify points in non-compliance with credit risk management policies, including the respective justifications and expected actions to resolve any divergences; -Systems, routines, and procedures for credit risk management, including their updates; -Periodic management reports for the board, committees, and other forums where the topic of Credit Risk is on the agenda. The guidelines mentioned above must be applied to risks of credit, counterparty, country, disbursement events to honor endorsements, sureties, co-obligations, credit commitments or other operations of a similar nature and losses associated with non-compliance with obligations related to settlement transactions involving bilateral flows, including the trading of financial assets or derivatives. MAIN ROLES AND DUTIES Credit Risk Control Must: - Define centralized credit risk monitoring and control environment; -Periodically review the policies, strategies, and procedures for establishing operational limits, risk mitigation mechanisms, and procedures designed to maintain the credit risk exposure at acceptable levels by management, and approve them at the competent approval authority levels; and -Disclose credit decisions, corporate policies, and strategies for managing credit risk to the Business Units and CROs of the International Units. Credit Risk Modeling Must contribute to the execution of Credit Risk Control activities, following the assignments provided for in the Model Risk Policy. Finance Define rules for performing simulations and calculations in line with applicable standards and regulations, in addition to publishing financial statements and other reports that assist and complement Credit Risk Management and Control. Risk Management Department Committee Members Responsible for decision-making according to the specificity of each forum, striving for risk mitigation to maintain credit risk exposure at acceptable levels for management. 
Business Units (Brazil and International Units) Ensure visibility of the credit risk incurred in its operations and compliance with the established rules and limits. Additionally, the business areas shall maintain procedure manuals with detailed descriptions of the responsibilities and assignments for the processes and controls under their accountability. CREDIT RISK CONTROL ECONOMIC GROUPS The credit risk management process of Itaú Unibanco Holding has governance dedicated to formation and change of economic groups, covering as target audience all commercial segments that grant or manage credit, which includes international units, except Itaú CorpBanca. COUNTERPARTY CREDIT RISK It is the risk of non-compliance, by a certain counterparty, with obligations related to a settlement of operations that involve trading of financial assets with bilateral risk. It covers derivative financial instruments, transactions to be settled, asset loans, repurchase agreements, and bilateral energy contracts. Measuring counterparty credit risk involves converting it into the equivalent credit risk exposure through specific models. The Potential Credit Risk (PCR) measurement models are used to measure the equivalent credit exposure in transactions subject to counterparty credit risk. The development and approval of these models follow the governance described in a specific procedure. The procedure for Development of Market Risk Models defines the counterparty credit risk measurement for certain products and businesses as a priority concerning PCR models and has a purpose: -Considering, when measuring credit risk, the presence of mitigating instruments, as long as they are not explicitly considered in the PCR models; -Defining the measurement of counterparty credit risk for certain products and businesses where there are material risks not captured by the PCR models; and -Defining the risk measurement for certain products and businesses in which there is no specific model developed. COUNTRY RISK Itaú Unibanco maintains relationships with borrowers, issuers, counterparties, and guarantors in various locations worldwide, regardless of having an external unit in these locations. Therefore, Country Risk is a risk present in the institution. Such risk is defined in the corporate risk dictionary as the risk of losses arising from non-compliance with financial obligations, within the agreed terms, by borrowers, issuers, counterparties, or guarantors, as a result of actions taken by the government from the country where the borrower, issuer, counterparty, or guarantor is located, or political, economic, and social events related to that country; being subdivided into: -Sovereign risk, defined as the risk of central governments (Treasury and Central Bank) inability to generate resources to honor their commitments; -Transfer risk, defined as the risk resulting from the total or partial impossibility of transferring assets held in a jurisdiction abroad to the jurisdiction of the country using a legal vehicle of Itaú Unibanco, due to the barriers arising in the conversion exchange rate as a consequence of macroeconomic events or actions taken by the central government of the jurisdiction where the resource is located; leaving the borrower, issuer, counterparty or guarantor incapable of honoring the payment of its commitments in foreign currency.
Itaú Unibanco has a specific structure for managing and controlling country risk, comprised of collegiate bodies and dedicated teams, all with formally defined responsibilities. To consistently assess the risks inherent to each country, Itaú Unibanco defines the rating of the countries by taking into account both the sovereign risk and the transfer risk. The local sovereign rating reflects the payment capacity of the sovereign issuer (Treasury and Central Bank) against its obligations settled in local currency. The external sovereign rating reflects the ability of a country to generate foreign exchange (foreign currency) and, therefore, it is the rating used to assess the capacity of the sovereign issuer (Treasury and Central Bank) to honor its obligations to be settled in foreign currency, as well as to assess the transfer risk. The inability to generate foreign exchange can lead to two consequences: (i) default of the sovereign issuer on its debts in foreign currency and/or (ii) imposition of capital controls that prevent transferring private resources between jurisdictions (restrictions for converting national currency into foreign currency). Itaú Unibanco establishes limits based on ratings and transaction terms, aiming to control the country's risk exposure. Such limits are periodically reviewed, and extraordinary revisions may occur in light of a new material fact. CREDIT PORTFOLIO MONITORING Portfolio monitoring is understood as the follow-up of indicators related to credit operations. In general, monitoring indicators are observed for the balance of the active portfolio, credit concession in the month (also known as the harvest), default indicators (balance in arrears concerning the portfolio or harvest balance), and quality. The portfolio monitoring has as purpose verifying the financial health of credit operations, adapting credit strategies to the conglomerate risk appetite. 
Any deviations identified concerning the maximum and minimum levels of the Global Policy are reported as follows: centralized monitoring in Brazil is periodically reported to the Credit Risk Policy Committee (CPRC). Consolidated indicators of the retail segment harvest and portfolio are reported monthly to the Superior Credit and Collection Commission for Retail (CSCCV) and the wholesale segment quarterly to the Superior Credit and Collection Commission for Wholesale (CSCCA). In the International Units, monitoring is reported to the International Units Risk Committee-Local (CRUI-L), with the participation of the CROs from the units, and to the International Units Risk Committee-Global (CRUI-G).

PORTFOLIO AND CREDIT PROCESSES REVIEW The review should consist of analyzing credit process quality and integrity in each business unit, covering everything starting with the adequate compliance with credit policies, assessing the quality of concession, assessing customers' payment capacity, adequacy of assigned ratings, and, lastly, the post-concession phase (e.g., analysis of guarantees, covenants, etc.). An independent team composed of reviewers must carry out this analysis. The result is reported to the senior credit and risk management of the business units under review (Credit Officer) and the Risk Management Department (Credit Risk Officer or CRO). ASSESSMENT OF CREDIT STRATEGIES AND POLICIES Establish the responsibilities and general rules relative to determining and approving changes in credit policies and business rules that impact credit risk exposure. For proprietary portfolios, the policies address the credit granting and maintenance and the acquisition, in the market, of instruments with credit risk. For third-party portfolios, the policies address the rules for discretionary decision-making in assets with credit risk. Change in credit policy is any action that affects the risk assumed or that may impact the consumption of credit limit and Allocated Economic Capital. Credit policies can be divided into three types: Credit granting and maintenance policies: amendments and changes in credit models, segmentation, income/revenue, etc.; changes in credit approval authorities (composition and values); impact at risk due to annual re-segmentations; change of cutoff point; new segmentations (breaks) that change the credit decisions. Risk measurement policies: mitigation by guarantees; definition or change of the application criteria for potential credit risk (PCR) models; definition or change of parameters for calculating capital and limit consumption.
Global Credit Policy: maximum or minimum levels for a set of indicators and variables reflecting credit risk in the bank, which must be considered in all retail and wholesale policies. CONCENTRATION RISK Concentration risk is the risk of financial loss resulting from the excessive concentration of operations with credit risk in clients, sectors, geographic regions, or mitigating instruments, in a direct or correlated way. Aiming to ensure low outcome volatility, the concentration risk management is conducted from different perspectives within the bank to observe that the institution is not significantly exposed to a single source of risk. This way, Concentration Risk is monitored from the following perspectives: individual, top 10, by country, by sector of the economy, and the institution's activity. The Board of Directors and Executive Board monitor these indicators monthly and are also responsible for adjusting and approving metrics and their limits. The limits are defined according to each dimension variable. To define the concentration limits for individual and top 10 conglomerates, we assess the inherent credit risk of the conglomerates, respecting the maximum limits under resolution 4.677. For concentration by country, the risk diversification is based on the credit risk presented by each country and the bank strategy. As for concentration by segment, the diversification is based on bank strategy and its operating business outcome volatility, while for concentration by sector, the limits are defined according to the sector-based credit portfolio risk profile, its profitability, and the sector relevance in the economy. The limits defined for each metric and more details on calculation methodologies are found in the Risk Appetite Manual. INCOME Determines the types of income and how to define the income for Individuals. 
When capturing any customer income information (such as proven, certified income, ability to pay, or other income information approved under an exception) and using it for granting credit, maintenance, or any other purpose of income for individuals, it is mandatory to follow the guidance in the internal procedure, respecting the document type, its validity and exceptions, in case of seasonality.

REVENUE

Determines the types of revenue and the way to obtain income for the legal entity. When capturing any customer revenue information (such as evidence, certificate, ability to pay, or other approved information in an exception) and using it for credit granting, maintenance, or any other purpose, it is mandatory to follow the guidance in the internal procedure, observing the respective procedures, types of documents, their validity and any exceptions.

INCOME COMMITMENT

The income commitment (C.R.) is the debt divided by the gross income of the Individual Customer. It is used in granting and maintenance, through the credit policies and business rules of Individual Retail, to assess the customer risk, considering their current indebtedness and the impact of the requested credit on that debt. The specific use of C.R. is described in each product policy. The rules for calculating C.R. and the guidelines for recalculating this information are described in the internal procedure.

GUARANTEES

Guarantees are instruments whose purpose is to reduce the occurrence of losses in operations with credit risk, including, without distinction, financial guarantees, real guarantees, agreements for compensation and settlement of obligations, personal and fiduciary guarantees, and credit derivatives. For these guarantees to be considered as a risk reduction instrument, they must comply with the requirements and determinations of the standards that regulate them.

ASSESSMENT OF COLLECTION POLICIES AND STRATEGIES

Collection strategies refer to the recovery and renegotiation of credit operations that are in arrears. To assess collection strategies, portfolios are monitored (default, harvest, and portfolio), focusing on renegotiation products. Monitoring these actions carried out by the Modeling and Credit Risk Management Department is intended to mitigate risks on the Business Units' collection strategies and operations.

UPDATE AND DEVELOPMENT OF RISK PARAMETERS FOR PROVISION AND CAPITAL

Risk parameters are the necessary inputs that qualify the calculations of provisions or capital allocation performed by the finance area for accounting and/or management purposes. Parameters are assigned by parameter developer units (UDPs) through premises and calculations to ensure the Bank's solvency in the face of expected and/or unexpected changes in past, current, and future scenarios. The definitions and concepts of each parameter must be aligned between the parameter developer unit (UDP) and the parameter user unit (UUP).

RELATED EXTERNAL RULES

-Brazilian National Monetary Council Resolution 4557, which provides for the implementation of a credit risk management structure.
-Central Bank Standard 2.682: criteria for the classification of credit operations and rules for setting up a provision to settlement credits.
-Brazilian Securities and Exchange Commission Instruction 247, which provides for the evaluation of investments in associates and subsidiaries and the procedures for preparing and disclosing the consolidated financial statements.

Approved by the Board of Directors in August 2021.

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230

PUBLIC ACCESS REPORT-CAPITAL MANAGEMENT POLICY

OBJECTIVE

Internal Capital Adequacy Assessment Process (ICAAP)

BACEN requires a financial year report assessing Itaú Unibanco's capital adequacy, providing a general and comprehensive overview of the institution's risk and capital management and stating its capital level adequacy self-assessment results according to its risk profile.

Capital Plan

The capital plan is a section of the ICAAP that discusses how the Bank's capital planning takes place to maintain an adequate and sustainable level of capital, incorporating the limits established by the risk appetite and the analyses of economic and regulatory environments. Additionally, it is structured consistently with Itaú Unibanco's strategic planning. This plan presents the financial and capital forecasts in the short and medium-term (at least three years following the base date year), both in normality and stress scenarios, together with its main sources of capital, distribution policy results, and contingency plan.

Capital Contingency Plan

Itaú Unibanco has a capital contingency plan for cases in which at least one capital ratio is found to be lower than those defined by the Board of Directors (Conselho de Administração (CA)), or for unforeseen events that may affect the capital adequacy of the institution. The plan includes a set of contingency actions and those responsible, which allow Itaú Unibanco to increase its capitalization levels, and must contain, at least, the definition of the capital limits that trigger its activation and the corresponding governance to maintain Itaú Unibanco's capitalization level in an adverse scenario.

Stress Test

Stress testing is a process of simulating the effects of extreme economic and market conditions on an institution's earnings and capital. The Board of Directors must approve stress scenarios, and their results must be considered when defining Itaú Unibanco's business and capital strategy. The stress test for Itaú Unibanco can be divided into internal and regulatory. The first seeks to measure the vulnerability and strength of the conglomerate in hypothetical but plausible economic crisis scenarios based on macroeconomic simulations and projections developed by the institution itself. The regulatory stress test has the same objective but uses a scenario developed by the Central Bank. In both processes, the main analyses are on the Bank's income statement (P&L), its distribution among the conglomerate's portfolios and activities, and the institution's capital level. Additionally, to complement the results of the processes described above, sensitivity analyses and reverse stress tests are carried out annually. The capital management framework should provide assessments of impacts on capital from the definition of severe scenarios chosen by the institution and include them in the results of the stress test program.

Capital and Risk Management Report - Pillar 3

It is a report that contains information regarding prudential indicators and risk management, comparison between accounting and prudential information, capital composition, macroprudential indicators, leverage ratio, liquidity indicators, credit risk, counterparty credit risk, securitization exposures, market risk, risk of interest rate variation on instruments classified in the banking portfolio and management compensation, disclosed quarterly on the Institution's Investor Relations website, pursuant to BCB Resolution 54.

GUIDELINES

Capital management must support the institution according to the principles defined in the Risk Management policy and those defined in this policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco's capital management structure must:

-Ensure that policies and strategies for capital management are clearly documented and establish mechanisms and procedures to maintain the Reference Equity (RE), Level I, and Principal Capital compatible with the risks incurred by the institution.
-Maintain procedures for managing capital.
-Be compatible with the nature of its operations, the complexity of the products and services offered, and the risk exposure dimension.

-Ensure the submission of capital management policies and strategies, as well as the capital plan, for approval and review, at least annually, by the Board of Directors to determine their compatibility with the institution's strategic planning and with market conditions.
-Generate reports for the institution's departments, the Risk and Capital Management Committee (CGRC) and the Board of Directors, pointing out the adequacy of the levels of PR, Level I, and Brazilian Capital Principal to the risks incurred or any deficiencies of the capital management framework, as well as actions to correct them.
-Ensure that the Solvency and Liquidity Regularization Plan required by SUSEP is met in the event of insolvency or non-liquidity by one or more companies in the insurance industry, ensuring that the areas involved in the asset management of these companies are activated for the definition of a corrective action proposal, as well as submitting it to impact assessment.
-Define the governance and responsibilities of the capital management process, and disclose decisions and policies related to this process to the affected areas, as well as monitor the regulatory capital of Itaú Unibanco and international units.
-Business units and international units must ensure that approved decisions and policies are properly implemented.
-Ensure that the information disclosed in the Risk and Capital Management report-Pillar 3 has adequate detailing to the scope, the complexity of operations, sophistication of systems, and the institution's risk management processes, and ensure that any relevant differences relating to other information disclosed by the institution are clarified.
-Ensure that published information adheres to the current rules established by regulatory bodies.
-Calculate, monitor, and control regulatory operating limits related to Itaú Unibanco Holding's capital.

MAIN ROLES AND DUTIES

Itaú Unibanco's management is directly involved in the internal process of assessing capital adequacy and its risk assessment. The committees and commissions that discuss the capital management process include:

-Board of Directors (CA)
-Risk and Capital Management Committee (CGRC)
-Capital and Stress Test Committee (CCAP)

Risk Management Department: The Risk Management Department aims to ensure that Itaú Unibanco's risks are managed following established policies and procedures, in addition to being responsible for centralizing the institution's capital management. The purpose of centralized control is to provide the Board of Directors and senior management with a global view of Itaú Unibanco's exposures to risks and a prospective view of capital adequacy to optimize and streamline corporate decisions.

Business Department: At the most fundamental level, the areas are expected to provide the necessary information for the identification of risks, for the analysis of their materiality and the measurement of the required capital, as well as for the preparation of the capital budget, capital plan, contingency plan, recovery plan, risk and capital management report-Pillar 3 and other regulatory and management reports, ensuring their completeness, integrity, and consistency and considering both the growth and evolution of the business's expected risk profile of the unit. The areas involved in the capital management process must be able to carry out the required actions whenever they are called upon. The details of the responsibilities of each of the areas involved in the capital management process are described in the internal procedures.

RELATED EXTERNAL RULES

-Bacen Circular 3911, of 08/31/2018.
-Bacen Circular Letter 3907, of 09/10/2018.
-CMN Resolution 4,557, of 02/23/2017 and 4,388, of 12/18/2014.
-CNSP Resolution No. 321, of 2015.
-Bacen website with all Prudential Regulation: https://www.bcb.gov.br/estabilidadefinanceira/regprudencialsegmentacao

Approved by the Board of Directors in August 2021.