UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 6-K
Report of Foreign Issuer
Pursuant to Rule 13a-16 or 15d-16
of the Securities Exchange Act of 1934
For the month of December, 2023
Commission File Number: 001-15276
Itaú Unibanco Holding S.A.
(Exact name of registrant as specified in its charter)
Itaú Unibanco Holding S.A.
(Translation of Registrant's Name into English)
Praça Alfredo Egydio de Souza Aranha, 100-Torre Conceicao
CEP 04344-902 São Paulo, SP, Brazil
(Address of principal executive office)
Indicate by check mark whether the registrant files or will file annual reports under cover Form 20-F
or Form 40-F.
Form 20-F ☒ Form 40-F ☐
Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by Regulation
S-T Rule 101(b)(1):
Yes ☐ No ☒
Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by
Regulation S-T Rule 101(b)(7):
Yes ☐ No ☒
Indicate by check mark whether by furnishing the information contained in this Form, the registrant is also thereby furnishing information
to the Commission pursuant to Rule 12g3-2(b) under the Securities Exchange Act of 1934.
Yes ☐ No ☒
If Yes is marked, indicate below the file number assigned to the registrant in connection with Rule 12g3-2(b):
82
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned,
thereunto duly authorized.
Date: December 11, 2023.
Itaú Unibanco Holding S.A.

By: /s/ Renato Lulia Jacob
Name: Renato Lulia Jacob
Title: Group Head of Investor Relations and Market Intelligence

By: /s/ Alexsandro Broedel
Name: Alexsandro Broedel
Title: Chief Financial Officer

ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230

PUBLIC ACCESS REPORT - POLICY ON SOCIAL, ENVIRONMENTAL AND CLIMATE RISKS

1. OBJECTIVE

Establishes the rules and responsibilities related to the management of Social, Environmental and Climate Risks of Itaú Unibanco Holding SA (“Itaú Unibanco”), observing the applicable regulations, in particular CMN Resolution 4,557/17 (“Res. 4.557/17”), amended by CMN Resolution 4,943/21 (“Res. 4.943/21”).

2. TARGET AUDIENCE

This policy is applicable to the activities of Itaú Unibanco and its subsidiaries.

3. INTRODUCTION

According to Res. 4,557/17, Social, Environmental and Climate Risks (“SAC” or “SAC Risks”) are understood as the possibility of causing losses to the institution, including those of a reputational nature. SAC Risks must be identified and treated based on relevance and proportionality criteria, taking into account the following dimensions:

- Social: events associated with the violation of fundamental rights and guarantees or acts harmful to the Common Interest;
- Environmental: events associated with environmental degradation; and
- Climate: events associated with both the process of transition to a low carbon economy and events associated with frequent and severe weather or long-term environmental changes, which may be related to changes in weather patterns.

4. SOCIAL, ENVIRONMENTAL AND CLIMATE RISK MANAGEMENT

SAC Risks materialize in Traditional Risks, with each of these risk disciplines providing for specific actions to identify, measure, evaluate, monitor, report, control and mitigate any adverse effects resulting from their interactions with SAC Risks. Such management must be based on the guidelines of this policy, as well as on:

i. precepts and guidelines provided for in the Social, Environmental and Climate Responsibility Policy (PRSAC), in line with CMN Resolution 4,945/21;
ii. provisions of the Risk Management Policy (Global);
iii. principles of relevance and proportionality;
iv. determinations provided for in related Rules (RG) and Procedures (PR); and
v. public commitments assumed by Itaú Unibanco.

It is necessary that each Traditional Risks discipline includes training for employees who work in SAC Risk management.

4.2. Guidelines

SAC Risks will be managed as provided in the Risk Management Policy. SAC Risks must be identified from three interdependent perspectives:

• financial, when an event has the potential to materialize in monetary loss;
• image, when an event has the potential to translate into a negative perception of Itaú Unibanco's reputation by stakeholders, as defined in internal procedure;
• legal, when associated with inadequacy or deficiency in contracts signed by the institution, sanctions due to non-compliance with legal provisions and indemnities for damages to third parties arising from activities carried out by the institution.

SAC Risks must be classified based on elements of probability and severity.

4.3. Risk Management and Governance

Itaú Unibanco's risk management
organizational structure adopts the three lines of defense strategy and follows the guidelines established in Res. 4,557/17, aiming to support the proper development of activities. The governance of risk management is structured to ensure that issues involving risk are widely discussed. In this way, the SAC Risks management structure includes governance composed of different collegiate bodies, set out in item 4.4 “Main Roles and Duties”, which are responsible for deliberations and recommendations according to the specificity of each forum, focusing on risk mitigation, in order to maintain exposure to SAC Risks at acceptable levels for the institution.

4.4. Main Roles And Duties:

The SAC risk management structure at Itaú Unibanco has the departments and committee members whose responsibilities are indicated below.

Risk Management Department (AR)

Identify, evaluate, measure, control, monitor and report, as well as internalize SAC Risks for Traditional Risks in policies and procedures.

Business Units (Brazil and International Units)

- Identify, measure, evaluate, understand and manage SAC Risks to keep exposures within the established limits, as well as document and store information regarding losses incurred in its activities.
- Communicate promptly to AR whenever they identify potential risks not foreseen in the development of control activities.
- Maintain procedure manuals with detailed descriptions of the responsibilities and attributions of the processes and controls under their responsibility.

Committee Members:

- Board of Directors
- Audit Committee - CAud
- Risk and Capital Management Committee - CGRC
- Social, Environmental and Climate Responsibility Committee
- Higher ESG Committee
- Superior Social, Environmental and Climate Risk Committee (CRSAC Superior)
- Social, Environmental and Climate Risk Committee (CRSAC)

5. RELATED EXTERNAL RULES

- CMN Resolution 4,557/17, amended by CMN Resolution 4,943/21 – Risk and capital management structure and information disclosure policy.
- CMN Resolution 4,945/21 – Social, Environmental and Climate Responsibility Policy (PRSAC) and actions aimed at its effectiveness.
- SARB Regulation 014/2014 - Banking Self-Regulation (FEBRABAN) - Creation and implementation of the Social and Environmental Responsibility Policy.
- SUSEP (Superintendency of Private Insurance) Circular No. 666, of June 27, 2022 - Sustainability requirements, to be observed by insurance companies and capitalization companies.

Approved by the Board of Directors on 06.29.2023.

ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230

PUBLIC ACCESS REPORT - MARKET AND IRRBB RISK MANAGEMENT AND CONTROL POLICY

OBJECTIVE

Establish the market
and IRRBB risk management and control structure of Itaú Unibanco Holding SA (Itaú Unibanco), observing the applicable regulations and best market practices.

TARGET AUDIENCE

This policy is applicable to all employees and activities of the Conglomerate that result in exposure to market risk and IRRBB, with an impact on Itaú Unibanco Holding and its subsidiaries. Market and IRRBB risk control covers all positions in the portfolios of financial and non-financial companies belonging to Itaú Unibanco, in Brazil and in the International Units. This policy does not apply to the market risk of customer portfolios managed by the bank and/or trusteeship (for example: funds from Wealth Management & Services - WMS).

INTRODUCTION

For the purposes of this policy, market risk and interest rate risk in the banking book (IRRBB) are defined in the prudential context by:

I. Market risk is the possibility of losses resulting from fluctuations in the market values of instruments held by the institution, including:
   a. the risk of variation in interest rates and stock prices, for instruments classified in the trading book; and
   b. the risk of exchange rate variation and commodity prices, for instruments classified in the trading book or in the banking book.
II. IRRBB: as the risk, current or prospective, of the impact of adverse movements in interest rates on the capital and results of the financial institution, for instruments classified in the banking book.

The aforementioned risks depend on the behavior of the price of risk factors in view of market conditions. In addition to Treasury, which operates buying and selling bonds and securities, other departments can impact the market risk assumed by the bank. Examples are the procurement department, when they make a purchase in foreign currency or even the marketing department when they commit to sponsoring, for example, the Brazilian soccer team.

Market risk and IRRBB controls are carried out according to the metrics defined in internal procedure.

GUIDELINES

Market and IRRBB risk control processes must strictly observe the principles defined in the Policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco's market risk management and control structure must:

• Ensure the use of complete databases, which reflect the business carried out from duly approved products, with the guarantee of correct information and calculations, from registration to accounting;
• Apply models that reflect the best market practices;
• Ensure that the pricing of the portfolios is preferably based on quotations observed in the financial markets, captured through trustworthy external sources. When no price is available, the calculation must be performed using a pricing model that represents the fair valuation of the positions. In these cases, such assessments must be consistent and verifiable, with market benchmarks and data used in the assessment regularly reviewed;
• Calculate the results of the positions of the marked-to-market portfolios following the governance of the Bank's models;
• Have risk control departments responsible for defining and applying pricing parameters, independent of the business departments;
• Establish and ensure that the processes and systems adopted to measure, monitor and control exposure to market risk and IRRBB:
  • Are compatible with the nature of the operations, the complexity of the products and the size of the Institution's exposure to market risk and IRRBB;
  • Contain all sources of market risk and IRRBB; and
  • Generate timely risk exposure reports for the business units, for the Institution's management and for the Board of Directors.

MAIN ROLES AND RESPONSIBILITIES

The Market Risk and IRRBB control structure
at Itaú Unibanco involves the parties indicated below, for which we highlight their roles in relation to this matter.

Board of Directors:
- define the institution's risk appetite and review it annually.

Superior Market and Liquidity Risk Commission:
- define the approval authorities related to the control of market risk and IRRBB and review them annually.
- monitor market risk and IRRBB indicators, taking the necessary decisions and respecting risk appetite.

Chief Risk Officer:
- responsible for market risk and IRRBB management at Itaú Unibanco.

Market Risk Control and IRRBB:
- identify, measure, control, monitor and report exposure to market risk and IRRBB to business departments and report to superior committees;
- monitor compliance with exposures in relation to approved limits, trigger alerts and other measures to control market risk and IRRBB, reporting any non-compliance to the competent authorities and requesting an action plan for reclassification;
- maintain specialized and appropriately sized teams to support market risk and IRRBB processes and systems, which are under its governance and development management.
- carry out the calculation of the managerial result of the positions and disclose it to the competent departments, enabling monitoring and assistance in decision-making.

Treasury:
At the most fundamental level, the employee is expected to fully understand the nature of the risk in the portfolios under management and the effective management of this risk, ensuring its transparency for desk managers and compliance with established limits.

MARKET AND IRRBB RISK CONTROL

Market Risk and IRRBB control at Itaú Unibanco is carried out through governance and processes that ensure compliance with the following determinations or parameters:

• The Institution must operate in accordance with the risk appetite defined by the Board of Directors (CA), reviewed and approved annually based on a structure of limits and alerts. The limits are dimensioned by evaluating the projected results of the balance sheet, the size of equity, liquidity, complexity and volatilities of the markets, as well as the Institution's risk appetite;
• Limit consumption must be reported by the Market Risk department to the Business Departments and bank executives. The alerts work as indicators of the pre-established limit;
• The institution's structure of limits and alerts is composed of aggregated metrics, which monitor and limit risk globally, and granular ones, which aim to avoid an excessive concentration of risk in a single risk factor;
• The limits are figures that the operation desks of the trading book and trading desks of the banking book must respect. Alerts are metrics that issue a signal to the institution, from which, through a clearly defined governance, procedures to be adopted in case of activation of this alert are outlined.
• The mark-to-market (pricing) process of positions must be carried out based on quotations captured from external sources or, if this is not possible, calculated from models developed and validated according to guidelines established in specific policies;
• Information relating to prices and traded positions is stored in a single, corporate historical database, with controls that ensure its integrity and completeness, with functionalities that allow consultation of historical information;
• The models used capture the correct sensitivity of market fluctuations, based on the application of periodic adherence tests for the total portfolio and sub-portfolios, including all risk categories. Its results must be analyzed and used to improve the models and manage the Institution's risk. Additionally, the managerial result must be used to verify adherence to the market risk and IRRBB measurement models;
• The measurement of potential risk in extreme market situations, which complement the statistical risk measures, with the application of stress tests for all positions contained in the portfolios of financial and non-financial companies;
• For positions in the portfolio that do not have prices observed directly in the market, that are not very liquid or that are evaluated using an internal pricing model, particularly TVMs (securities) and derivatives, apply prudential adjustments that correct possible marking errors, respecting criterion of relevance and materiality.

RELATED EXTERNAL RULES

Central Bank of Brazil Circular 3.354/07, which establishes the minimum criteria for classifying transactions in the trading book;
Resolution 4,557/17 of the National Monetary Council, which provides for the implementation of a risk management structure.

Approved by the Board of Directors on 03.30.2023.

ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Publicly-Held Company NIRE 35300010230

PUBLIC ACCESS REPORT – OPERATIONAL RISK AND INTERNAL CONTROLS INTEGRATED MANAGEMENT POLICY (GLOBAL)

OBJECTIVE

Establish guidelines and responsibilities associated with operational risk management
and internal controls, observing applicable rules and regulations and good market practices.

TARGET AUDIENCE

All employees of Itaú Unibanco Holding and of its controlled entities in Brazil and abroad.

INTRODUCTION

The Brazilian National Monetary Council, through Resolution 4,557 of February 23, 2017, defines operational risk as “the possibility of losses resulting from external events or failures, deficiencies or inadequacy of internal processes, people or systems”, including the legal risk associated with inadequacies or deficiencies in contracts signed by the Institution, sanctions due to non-compliance with legal provisions and compensation for damages to third parties arising from the activities carried out by the Institution.

Operational risk, unlike most of the risks applicable to the financial sector, is not taken in exchange for an expected reward, but exists in the natural course of corporate activities.

The proper management of operational risk presupposes the understanding of the existing processes in the Organization and the identification of the risks inherent to the activities, projects, products or services and their prioritization, according to the level of criticality (importance), taking into account their impacts on the objectives of the processes or the Organization.

Once the risks are prioritized, response measures are adopted, that is, mitigation actions, in order to bring them into acceptable exposure levels. Such actions may include the implementation of preventive controls in order to reduce the possibility of materialization of risk or involve controls aimed at detecting materialization. It is also possible to share a risk, transferring it in part or in full, for example, by hiring insurance. The mentioned risks can also be avoided, simply opting for the discontinuity of the activity generating the risk, or assumed, when the decision is not to adopt control measures in relation to the existing ones.

Below is the framework used to manage operational risks:

GUIDELINES

The specific guidelines
regarding operational risk management and internal controls are defined below.

Operational risk management model

To adequately manage its risks, including operational ones, Itaú Unibanco uses the Lines strategy, described in internal Policy.

Identification of operational risks

The identification of operational risks inherent to the Conglomerate's activities must be carried out at any time in existing products and services; in the design of a new process, project or product; in activities carried out internally or outsourced; and throughout the existence of the product or service, in order to ensure the continuous assessment of internal and external factors that may adversely affect the Conglomerate and its respective mitigation.

Assessment of operational risks

The operational risks identified are evaluated based on measuring their level of impact on the Conglomerate's objectives. To assist in the proper assessment, it is important to consider the different possibilities of impact and their scope:

- Relationship with Customers: volume of customers impacted, the segmentations or distribution channels involved.
- Reputation: negative repercussion in national and international media (visibility and dissemination), as well as damage to the brand and its possibility of reversal.
- Regulatory: regulatory non-compliance, fines, warnings, sanctions, administrative proceedings or loss of operating licenses.
- Legal: non-compliance with contractual clauses signed with third parties that may lead to legal discussions.
- Financial: representing the financial impact that may occur on the business and/or the Organization, as a result of exposure to operational risk. Risks that could lead to significant errors in the financial statements are classified in accordance with the Sarbanes-Oxley Act (SOx). For more references, see the internal procedure.
- Social, Environmental and Climate: social, environmental or climate impact due to process failure that may affect the Organization and its controlled entities in their relationship with their customers, suppliers and service providers, society and/or the environment.
- Strategic: encompasses the impacts of failures or errors in the strategy for launching or maintaining processes, products and services. It can also result from untimely action in identifying and reacting to changes in the business environment, competitors, new businesses or changes in customer habits. For more information, see the internal procedure.

Response to operational risk

Responding to or dealing with operational risk means defining what action will be taken in relation to the identified risk. Some possible actions:

- Mitigate: mechanisms or controls are established that aim to reduce the impact and/or the probability that the operational risk materializes in the process or actions that reduce the impact produced.
- Sharing: transferring or sharing part of the risk, for example, hiring insurance.
- Avoid: discontinuity of the activity/operation subject to risk.
- Assume: no action is established to reduce the impact and/or probability of the risk occurring. In this case, the risk assumption governance described in a specific procedure must be observed, see the internal procedure.

Monitoring the level of exposure to operational risks

Exposure to operational risk must be monitored by the Organization through risk indicators, notes and mandatory certifications, in accordance with established tolerance levels. For more information, you should consult the “Risk Indicators” manual, under Operational Risk management.

Operational risk reporting

Risk Notes can be identified by the 1st, 2nd and 3rd Governance Lines, regulatory bodies
or external audit and must be communicated according to the risk level in accordance with internal procedure.

- High: Initial communication is made to: Members of the business Executive Committee, Chief Risk Officer (CRO), Head of Internal Audit, directors of Operational Risk, Internal Audit and Compliance, business director and Audit Committee, the latter, advisory and consulting body of the Conglomerate’s Board of Directors. The reporting of High Operational Risk notes from International Units is carried out in the competent forums of each Unit. Additionally, there are periodic reports in risk forums;
- Moderate and Low: Communication to the owner department.

In addition, the results of Operational Risk work, which evaluates internal control systems and classifies control environments as Adequate, Moderate (+), Moderate (-) or Insufficient, must be communicated to the appropriate authorities, as established by the guidelines of the “RO Work Shelf” manual, under Operational Risk management:

- If the result is Moderate(+) or Adequate: Superintendent and Business Director, Operational Risk, Compliance and Internal Audit superintendents.
- If the result is Moderate(-): Added to the above list are the Members of the Executive Business Committee, the Audit Committee, the directors of Operational Risk and Corporate Compliance, the Head and directors of Internal Audit.
- In case of Insufficient result: The Chief Risk Officer (CRO) is added to the above list.

For regular reporting and monitoring of internal control systems and operational risk management structure, Committees and Board Meetings are also held periodically, namely:

(i) Risk and Capital Management Committee (CGRC);
(ii) Risk and Capital Management Committee – Insurance (CGRC - S);
(iii) Audit Committee (CAud);
(iv) Superior Operational Risk Commission (CSRO);
(v) International Units Risk Committee (CRUI-R);
(vi) Chile's Internal Risk Committee (CIR);
(vii) Compliance and Operational Risk Committee (CCRO);
(viii) SOX Operational Committee; and
(ix) Technical Model Assessment Committee (CTAM).

For more details, such as frequency, list of mandatory participants and scope, consult internal procedure.

Disclosure of operational risk management actions

Annually, in compliance with CMN resolution 4968, an Activity Report is produced, containing a description of the Operational Risk management structure, as well as an assessment of the adequacy and effectiveness of internal control systems, which is shared with the Audit Committee, a statutory body that reports to the Board of Directors, and remains, for the normative period, at the disposal of the Central Bank of Brazil and the Private Insurance Superintendence.

Additionally, in line with the best corporate governance and investor relations practices, a description of the Operational Risk and Internal Controls management structure is published together with the financial statements.

The decisions, policies and strategies defined for the operational risk management of the international units are disclosed to the local Chief Risk Officers (CROs). For internal consultation of the structure of the Risk and Operational Risk Departments, see the internal procedure.

Management of operational risk loss database

All departments of Itaú Unibanco are exposed to operational risk events, and the Operational Business Units (first line) are responsible for identifying such events and the associated loss amounts, to compose the Operational Loss Database (BDPO). Expenses and provisions related to the Conglomerate's operational risk events must be reported to the BDPO.

In April 2022, there was a reformulation of the risk department structures, segregating operational activities from specialist activities for each risk discipline. At DRO, the activity of processing and maintaining the losses database migrated to the new AR structure, the BOE (specialized back-office), as it is an operational activity.

Capital allocation for operational risk

The Conglomerate uses the Alternative Standardized Approach (ASA) in calculating and allocating regulatory capital for operational risk. Additionally, an internal capital level adequacy assessment (ICAAP) is carried out for the Operational Risk portion, one of the inputs being operational risk scenarios, which aim to measure financial exposure, considering the severity and probability of occurrence of operational loss events. For more details, consult internal procedure.

The adequacy of the level of Reference Equity (PR), in relation to the operational risk assumed by the Conglomerate, must be periodically assessed. For more details, see the internal procedure.

MAIN ROLES AND RESPONSIBILITIES

Board of Directors

Approve the guidelines, strategies and policies relating to operational
risk and internal controls, ensuring that there is a clear understanding of the roles and responsibilities for all levels of the conglomerate.

Risk and Capital Management Committee

Support the Board of Directors in the performance of its responsibilities related to the Conglomerate's risk and capital management, submitting reports and recommendations on these topics for deliberation by the Board of Directors. For more details, see the internal Policy.

Risk Management and Capital Insurance Committee

Support the Board of Directors in carrying out its responsibilities relating to the Conglomerate's risk and security management, through periodic assessment of the effectiveness of the risk management structure, the Conglomerate's business plan and its risk appetite; and assistance in decision-making by submitting reports and recommendations for deliberation by the Board of Directors. For more details, see PS-20 - Insurance Risk Management Policy (Brazil).

Audit Committee

According to its Internal Regulations, the Audit Committee is responsible for supervising:

- Internal control and risk management processes;
- The activities of Internal Audit; and
- The activities of the Conglomerate's independent auditing companies.

Superior Operational Risk Commission

Understand the risks of Itaú Unibanco's processes and businesses, define guidelines for managing operational risks and evaluate the results of the work carried out on the functioning of the Itaú Unibanco System of Internal Controls and Compliance.

Compliance and Operational Risk Committee

Monitor and promote, in the Conglomerate's executive departments, the development and implementation of guidelines approved and defined by the CSRO. Subsidize the CSRO with the main topics that require a higher authority level of discussion. Discuss the main risks of the Business Departments and the action plans proposed to mitigate the risks.

Chile's Internal Risk Committee

Propose and support the Board of Directors in defining risk appetite and framing general policies that allow adequate alignment with the Bank's global strategy. Oversee the correct identification, measurement and control of all risks, allocate capital to identified risks and meet regulatory requirements.

SOX Operational Commission

Deliberate on control remediation and risk assumption plans and approve the proposal for aggregating the conglomerate's deficiencies.

Technical Commission for Model Assessment

Assessment and approval of the independent opinion of the Model Validation departments related to testing the methodologies, performance and implementations of the validated models. The forum's responsibilities include: discussing risks related to models; recommend, suggest and monitor the proposed action plans for the validated models.

International Units Risk Committee

- Present and debate the main risks of International Units and the corresponding strategies and action plans proposed to mitigate the identified risks.
- Monitoring the risk indicators and risk appetite of the International Units, as well as measures to maintain acceptable levels, considering the particularities of each country or region;
- Deliberate on situations that require mobilization of Units and respective management departments in Brazil, including monitoring risk events, regulators' notes, results of internal and external audits, risk maps and regulatory demands.

Chief Risk Officer

Responsible for risk management at the Institution. The responsibilities of Local and Regional CROs in international Units are described in the specific internal procedure.

Operational Risk Board

Inserted in the second line, with the Dedicated Operational Risk role, it guarantees the performance and integrity of Internal Control Systems independently, being responsible for:

- Supporting the first line in the management of operational risks associated with its activities;
- Developing and making available the methodologies, tools, systems, infrastructure and governance necessary to support the integrated management of Operational Risk and Internal Controls in the relevant conglomerate and outsourced activities;
- Coordinating the Operational Risk and Internal Controls activities with the Business and Support departments, being independent in the exercise of their functions, with direct communication with any administrator or employee, and access to any information necessary within the scope of their responsibilities. For this reason, this department is prohibited from managing any business or activity that could compromise its independence;
- Communicate the notes of moderate and high risks to the approval authorities and competent forums.

Business/Support Departments and Communities

- Primarily responsible for identifying, prioritizing, responding to risk, monitoring and reporting operational risk events, which may adversely impact the fulfillment of defined strategic and operational objectives;
- Some well-defined scopes and in accordance with the stage of maturity in risk management, such as Corporate Compliance and Fraud Prevention, act with second-line responsibility for their respective scopes, described in the item above;
- Business department Executives must present a diagnosis of relevant unavailability events that generate significant impacts on our customers, the financial system and/or the market.

Internal Audit

Verify, independently and periodically, the adequacy of risk identification and management processes and procedures, in accordance with guidelines established in internal policy.

For further references on the organizational structure, we recommend consulting internal Policies.

GLOSSARY

Control environment: represents the set of policies, processes, procedures, people and systems used by the
Conglomerate to manage its exposure to operational risk inherent to the complexity, diversity, frequency and volume of its operations;
Risk Note: is the record, in the Conglomerate, of identified operational failures and unforeseen potential risk situations; Outsourced
activity: provision of services by a specialized company hired to carry out any of the contracting party's activities; Control: activities
carried out with the objective of reducing, to acceptable levels, exposure to risks that may impact an organization's objectives. Control
activities are carried out by business/support departments at all levels of the Organization and can be detective or preventive and include
manual or automated activities; Detective control: control carried out with the objective of detecting the materialization of a certain
risk, allowing the reduction of its impact or the remediation of its consequences. It is reactive in nature; Preventive control: control
carried out with the objective of reducing the probability or preventing the materialization of a certain risk. It is proactive in nature;
Operational risk event: operational risk materialization. These are situations that, when materialized, cause real consequences in business
processes or support and that differ from the expected results, and may have a direct impact (e.g.: financial losses) or indirect impact
(e.g.: opportunity cost and damage to reputation/image). For categorization purposes, Itaú Unibanco uses the same definitions
adopted by the Basel Committee and by the Central Bank of Brazil. Risk exposure: financial volume that represents the exposure to unexpected
operational losses associated with the Conglomerate's activities. Failures: situations where the risk has already materialized due to inadequate
systems, poor management, ineffective controls, human error or internal/external fraud, which may result or not in financial loss; Impact
(consequence): amount of loss derived from operational risk resulting from direct cost, compensation to third parties, indemnities,
restitution, legal expenses, legal fines, loss of resource, increase in liabilities and reduction of the value of assets; Risk Materialization:
circumstance in which the risk ceases to be an uncertainty, becoming a situation with adverse effect and unwanted consequences; Inherent
risk: risk existing due to the type or nature of the new or existing business, department, product, process, project or system, to which
it is exposed regardless of the structure of controls or other mitigating factors implemented. It is the raw risk or risk before controls
are implemented. Residual risk: portion of the inherent risk that remains exposed after considering the existing controls and mitigating
actions. RELATED EXTERNAL RULES CMN Resolution 4,557/17 - Provides for the risk management structure, the capital management structure
and the information disclosure policy; CMN Resolution 4,968/21 - Provides for the internal control systems of financial institutions
and other institutions authorized to operate by the Central Bank of Brazil; CNSP Resolution 416/21 - Provides for the Internal Control
System, the Risk Management Structure and the Internal Audit activity; Sarbanes Oxley Act - Establishes rules for Corporate Governance
related to the disclosure and issuance of financial reports. Approved by the Board of Directors on 2023, November. ITAÚ UNIBANCO
HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT - COMPLIANCE POLICY SUMMARY Establishes the fundamentals
associated with the Compliance function (compliance). 1. OBJECTIVE Establish the guidelines and main duties associated with the Compliance
function, observing good market practices and applicable regulations. 2. TARGET AUDIENCE Itaú Unibanco Holding and its subsidiaries
in Brazil and companies abroad listed in internal procedure. 3. INTRODUCTION The Compliance role aims to prevent and mitigate Itaú
Unibanco's exposure to situations of non-compliance with standards and commitments (Compliance Risk), being responsible for governance,
certification of adherence, conduct and transparency. Regulatory Risk or Compliance Risk is the risk of sanctions, financial loss or
reputational damage arising from failure to comply with legal and regulatory provisions, local and international market standards, internal
policies, commitments to regulators, voluntary commitments in addition to self-regulation and conduct codes adhered to by Itaú
Unibanco. Compliance risk is managed through a structured process that aims to identify changes in the regulatory environment, analyze
the impacts on the institution's departments and monitor actions aimed at adherence to regulatory requirements and other commitments
mentioned in the previous paragraph. Itaú Unibanco adopts the strategy of three lines of defense to operationalize its risk management
structure, including Compliance, and to ensure compliance with the guidelines set out in this policy, with a clear division of roles
and responsibilities. The three lines work in a coordinated manner for the management of Compliance Risk in order to provide senior management
with a global view of regulatory risk exposure. 3.1. First Line of Defense It is represented by the Business and Support departments.
Its employees are directly responsible for risk management and adherence to the rules associated with its operations, as well as for
carrying out controls and implementing corrective measures for the proper handling of risks. 3.2. Second Line of Defense It is represented
by the departments responsible for risk control activities, which are fully segregated from the activities of the internal and legal
audit, being independent in the exercise of their functions. It has direct communication both with the administrators, including the
members of the Board of Directors and the Audit Committee, as well as with any employee, and has access to any information necessary
within the scope of its responsibilities. In Brazil and abroad, the departments that make up the second line of defense are prohibited
from managing any business or process that could compromise their independence or generate conflicts of interest. For the same reason,
their goals and compensation cannot be related to the performance of the business departments. 3.3. Third Line of Defense It is represented
by the Internal Audit, which provides an independent assessment of the institution's activities, through auditing techniques, allowing
management to assess the adequacy of controls, the effectiveness of risk management, the reliability of the financial statements and
the compliance with standards and regulations. 4. GUIDELINES As for the Compliance function The management of compliance risks should
address existing or new processes, products and services, including relevant outsourced services. Such processes, products and services
must be periodically tested and evaluated for adherence to applicable standards, commitments made with regulators and requirements related
to the Code of Ethics. To contribute to proper risk management, Itaú Unibanco has a risk management methodology comprising 5 stages:
identification, prioritization, risk response, monitoring and reporting. The Compliance role is coordinated and performed by the Corporate
Compliance and Money Laundering Prevention Board (DCCPLD), reporting to the Risk Management Department (AR), and acting independently
from the Conglomerate's other support and business departments. Additionally, under the coordination of DCCPLD, the Operational Risk
Board, also reporting to the Risk Management Department, performs compliance functions in the coverage of Risks and Finance and Technology,
through the certification of the control environment of the regulatory aspects of these departments, which occurs by prioritizing topics
recorded in the Risk Maps and carrying out Operational Risk Diagnostics (DRO). The AR aims to consolidate the risk culture and strengthen
the management and governance of operational risks and of the organization's Compliance activities. The non-compliance findings identified
by any departments of the Conglomerate, regulators and other supervisory and inspection bodies must be monitored so that their effective
treatment by the competent departments is guaranteed. Compliance risk reports must be clear, objective, and timely, and must be reported
to superior committees, business unit executives, the Risk executive, the Risk and Capital Management Committee, the Audit Committee
and the Board of Directors, so that the level of exposure and compliance with the established limits are monitored. In the International
Units, there are local and independent structures responsible for Compliance, under the responsibility of the local Compliance Risk Officers
(CROs), who report the status of risks to the Regional CROs who, in turn, report it to the Global CRO, according to the organizational
structure described in internal procedure. 5. MAIN ROLES AND DUTIES 5.1. Board of Directors The Board of Directors is responsible for:
- Approving: a) the guidelines, strategies and policies relating to Compliance, in order to ensure a clear understanding of the roles
and responsibilities for all levels of the Conglomerate; and b) the position of the DCCPLD in the organizational structure of the institution
in order to avoid possible conflicts of interest, especially with the business departments. - Provide the necessary means so that the
activities related to the Compliance function are properly carried out, including the availability of resources to allocate sufficient
personnel and with the necessary training and experience. - Meet with the DCCPLD, at least annually, as part of the assessment of the
effectiveness of compliance management. - Ensuring: a) proper management of this policy; b) effectiveness and continuity of the application
of this policy; c) communication of this policy to all employees and relevant outsourced service providers; d) dissemination of standards
of integrity and ethical conduct as part of the institution's culture; and e) adoption of corrective measures for identified Compliance
failures. The evaluation of these items by the Board of Directors will be carried out on the basis of periodic meetings and the annual
report prepared by the DCCPLD, as well as an annual evaluation carried out by the Audit Committee. 5.2. Audit Committee The Audit Committee
is responsible for: - Validating the Compliance Policy prior to submission for approval by the Board of Directors. - Evaluating, at least
annually, the Compliance structure, in relation to the following aspects: a) Clear definition of the duties, roles and responsibilities
of the Compliance function, avoiding possible conflicts of interest, especially with the institution's business departments; b) Positioning
at an appropriate hierarchical level, independent and segregated from operational and business departments, with a duly exercised mandate
regarding the definition of scope, execution of the work and communication of its results; c) Organizational structure consistent with
the needs of the Conglomerate and allocation of sufficient personnel, adequately trained and with the necessary experience to carry out
the activities related to the respective functions; d) Effectiveness of Compliance management; and e) Adherence of the structure to the
applicable regulation. - Checking the performance of: a) communication of this Policy to all employees and relevant outsourced service
providers; b) dissemination of standards of integrity and ethical conduct as part of the institution's culture; and c) adoption of corrective
measures for identified failures. 5.3. First Line of Defense - Inform and train employees and relevant third-party service providers
on matters relating to Compliance. - Liaise with Regulatory, Self-Regulatory, Supervisory and Overseeing Agencies, responding to their
requests, and issuing the appropriate reports to them, as established in the Policy on Relationship with Regulatory, Self-Regulatory,
Supervisory and Overseeing Agencies; - Identify, measure, evaluate and manage Compliance risk events that may influence the fulfillment
of the Conglomerate's strategic and operational objectives; - Maintain an effective control environment consistent with the nature, size,
complexity, structure, risk profile and business model of the operations carried out, in order to ensure the effective management of
Compliance risks, maintaining exposure to risks at acceptable levels according to the risk appetite established for the Conglomerate;
- Define and implement action plans to address non-compliance findings; - Promptly communicate to the Compliance department whenever
it identifies changes or non-compliance with current rules and regulations or Compliance risks not predicted by the control activities;
and - Maintain compliance with standards and regulatory requirements. 5.4. Second Line of Defense Risk Management Department: It is up
to the Risk Management Department, through the DCCPLD and DRO: - Supporting the first line of defense in observing their direct responsibilities.
- Disseminating integrity and ethical standards as part of the Conglomerate's risk and control culture and disseminating good practices
and policies related to the Compliance function. - Guiding and advising the Conglomerate's administrators and employees, directing specific
solutions on compliance with internal rules related to the Integrity and Ethics Program; - Guiding and advising the Conglomerate's administrators
and employees, directing specific solutions related to compliance with external standards; - Ensuring that the teams responsible for
performing the Compliance functions have appropriate authority and that they are adequate, both in resources and knowledge, through a
structured training program; - Categorizing Compliance topics according to their severity and monitoring the conglomerate's exposure
to these risks; - Certifying the efficiency of the First Line of Defense Compliance control environment, through monitoring and testing
programs, reporting the results to Senior Management and, when requested, to the Regulatory Agencies; - Follow up investigations related
to internal and external complaints, sanctions or supervisory measures applied by Susep or other authorities, among other cases that
may signal risks to compliance; - Reviewing and monitoring the action plans adopted to address the findings made by regulatory agencies;
- Reviewing and monitoring the action plans adopted to address the findings made by the independent auditor in the non-compliance report
with legal and regulatory provisions; - Reporting to the Executive Board, the Audit Committee, the Risk and Capital Management Committee
and the Board of Directors the relevant situations that are not in compliance; - Develop and disseminate to the IUs a script containing
the best practices and Compliance methodology adopted by the Headquarters; - Coordinating the implementation, monitoring and evolution
of the Corporate Program for Integrity and Ethics in International Units; and - Coordinating the governance of Compliance Programs of
international regulations relevant to the conglomerate. Exclusive roles of the DCCPLD are: i. Defining principles and guidelines for
disseminating the Compliance Culture, including training. ii. Manage the process of capturing, screening, impact assessment and monitoring
compliance with new regulations. iii. Timely reporting relevant information both on the results of the Compliance assessments carried
out that have identified material flaws and on significant changes in the regulatory environment. iv. Managing the Integrity and Ethics
Programs and Monitoring Abuse Practices (Trade Surveillance). v. Coordinate the relationship with regulators and other supervisory and
overseeing agencies with centralized management, monitoring the actions arising from the commitments assumed, facilitating the sharing
of information and ensuring the consistency of the institutional positioning. vi. Developing and making available the methodologies,
tools, systems, infrastructure and governance necessary to support the Compliance function in the Conglomerate's activities. vii. Coordinating
the governance of Itaú Unibanco's policies and procedures, in accordance with applicable regulations, maintaining evidence of
approval of all documents by the established approval authorities, including the approval of this Policy. viii. Monitoring the Personal
Investment Policies and the Securities Trading Policy issued by Itaú Unibanco Holding S.A. ix. Sending to the Audit Committee
and the Board of Directors an annual Compliance Report containing a summary of the results of activities related to Compliance topics,
main conclusions, recommendations and action plans adopted to address identified deficiencies. x. Monitoring the actions taken to report
violations or red flags uploaded through the available reporting channels. xi. Manage the Integrity and Ethics and Monitoring of Abusive
Practices programs (Trade Surveillance), with operational support from the Capital, Market Risk and Liquidity (DCRML) Department. In
the International Units, the Local CROs are responsible for the above items according to the governance established in internal procedure.
5.5. Third Line of Defense Independently and periodically verify the adequacy of risk identification and management processes and procedures,
including the integrated management of operational risk, internal controls and Compliance, in accordance with the guidelines established
in the Internal Audit Policy and submit the results of its findings to the Audit Committee. 5.6. Common to All Departments of Itaú
Unibanco - Conduct training on integrity and ethics and risk management provided by Itaú Unibanco. - Annually sign the Term “Corporate
Integrity Policies” attesting to its knowledge and agreement with what is established in this Policy. - Define, implement and comply
with policies and procedures for adherence to regulations. - Comply with the provisions established by the Conglomerate's external rules
and internal policies. - Communicate fact or suspicion of violations of the Code of Ethics, the Integrity, Ethics and Conduct Policy
or this policy. 6. RELATED EXTERNAL RULES Basel Committee on Banking Supervision - Compliance and the compliance function in Banks (April
2005) Resolution No. 4,968/21 of the Brazilian National Monetary Council: provides for the implementation of an internal
control system Resolution No. 4,557/17 of the Brazilian National Monetary Council: addresses the risk management structure and the capital
management structure Resolution No. 4,595/17 of the Brazilian National Monetary Council: addresses the compliance policy of financial
institutions and other institutions authorized to operate by the Central Bank of Brazil. Resolution No. 65/21 of the Central Bank of
Brazil: addresses the compliance policy of consortium administrators and payment institutions. Resolution No. 416/21 of the Brazilian
National Private Insurance Council: provides for the Internal Controls System, the Risk Management Structure and the Internal Audit activity.
Approved by the Board of Directors on 2022, June. ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230
PUBLIC ACCESS REPORT - LIQUIDITY RISK MANAGEMENT AND CONTROL POLICY 1. OBJECTIVE Establish the liquidity risk management and control
structure of Itaú Unibanco Holding SA (Itaú Unibanco), observing the applicable regulations and best market practices.
2. TARGET AUDIENCE This policy is applicable to all financial companies controlled by Itaú Unibanco in Brazil and abroad. This
policy is also applicable to all activities of the conglomerate that result in exposure to liquidity risk, with an impact on Itaú
Unibanco Holding and its subsidiaries. This policy does not apply to the liquidity risk of customer portfolios managed by the bank and/or
trusteeship (e.g. funds from Wealth Management & Services - WMS). 3. INTRODUCTION Liquidity risk is defined as the possibility that
the Institution may not be able to honor efficiently and in a timely manner its financial obligations. Liquidity risk can occur when
there is a mismatch between cash flows (assets and liabilities) that affects its operations or produces significant losses. Liquidity
risk control is carried out by a department independent of the business departments. The objective is to compare assets (generally the
most liquid) with financial obligations (generally with shorter maturities) and ensure that sufficient cash is available to meet the
obligations. Liquidity risk is controlled in accordance with the Limits Framework established by the Board of Directors and the Higher
Committees. 4. GUIDELINES The liquidity risk management and control processes must strictly observe the principles defined in this policy.
The measurement of liquidity risk must cover all financial operations of Itaú Unibanco companies, as well as possible contingent
exposures (exposure situations with no expected date to occur) or unexpected exposures (changes in cash inflows or outflows). These situations
are commonly caused by: - settlement services (for example: significant decrease in tax collection, settlement of bank slips or bank
transfers); - provision of guarantees and endorsements (for example: customers who execute guarantees and/or warranties for non-payment
of loans); - contracted and unused credit lines (for example: increased use of overdraft or credit card limits); - realization of adverse
events that impact technical provisions (occurrence of incidents, redemption or portability of pension plan, redemption or inclusion
in capitalization draws). The main measure in controlling liquidity risk should be the measurement of liquid assets, which is composed of:
- cash in the country (federal government bonds, cash, BACEN deposits, any asset that can be immediately traded and converted into cash
without significant loss of value); - cash abroad (assets that can be immediately traded and converted into cash abroad without significant
loss of value, such as, for example, cash, cash in other banks); - all assets immediately convertible (D0) into means of payment. Liquidity
Risk Control includes contingency and liquidity recovery plans to clearly define actions to restore liquidity in different stress situations.
5. MAIN ROLES AND DUTIES The Liquidity Risk control structure at Itaú Unibanco involves the parties indicated below, for which
we highlight their roles in this matter. Board of Directors - define the institution's risk appetite and review it annually. - review
the contingency plan annually. Superior Market and Liquidity Risk Commission: - define the powers related to liquidity risk control and
review them annually. - monitor liquidity risk indicators, taking the necessary decisions, respecting the defined risk appetite. - submit
for approval by the Board of Directors, at least annually, the liquidity contingency plan (Brazil); Liquidity Risk Control - explain
composition of the reserve, in accordance with the guidelines established by senior management; - identify, assess, monitor, control
and report daily exposure to liquidity risk. - propose liquidity risk limits; - monitor the contingency and recovery plans, as well as
the limits established for each of these plans and report any non-compliance to the competent approval authorities. - carry out liquidity
risk simulations under stress conditions. - periodically report the main liquidity risk controls in Brazil and the External Units, as
well as situations of sudden reductions in liquidity and relevant aspects of the measures in progress to the collegiate bodies, Treasury,
Superintendence of Integrated Capital Management, CRO and the Board of Directors; - Inform any non-compliance, both in the managerial
risk appetite and in the Contingency and Recovery triggers. Also inform the Integrated Capital Management Superintendence of the daily
LCR (Liquidity Cover Ratio) indicator levels, ensuring support for monitoring the Recovery Plan; - in relation to risk appetite metrics,
monitor, analyze and report the information that makes up the Risk Appetite Report, in addition to communicating relevant aspects to
those involved, such as committee decisions, requests for action plans and notices on points of attention. - maintain specialized and
adequately sized teams to support the liquidity risk processes and systems under its governance and development management. Institutional
Treasury (Brazil and International) - centralizing the management of Itaú Unibanco's liquidity risk, ensuring adequate and sufficient
levels of liquidity; Reserve Pilot (see Glossary): - identify, evaluate, monitor and alert on cash needs for operations carried out during
the day; GIS (Global Institutional Solutions): - responsible for liquidity management of proprietary portfolios and technical reserve
portfolios of companies supervised by SUSEP. Information Technology: - maintain specialized and adequately sized teams to support the
liquidity risk processes and systems that are under the governance and management of technology development, and for the Hosting processes
defined in specific service provision agreements; 6. LIQUIDITY RISK CONTROL The control of Liquidity Risk at Itaú Unibanco includes
measuring, monitoring, controlling and reporting exposure levels, in addition to contingency plans and liquidity recovery. The measurement
of exposure to liquidity risk is based on the daily analysis of the evolution of cash flows and compliance with regulatory indices, as
described below: - Projected cash flow (Business Continuity Scenario): demonstrates cash flow expectations, considering business continuity
in normal conditions; - Portfolio Settlement Scenario (run-off): demonstrates the expected cash flows, considering the settlement of
current portfolios and the discontinuation of business. - Portfolio Settlement Scenario (Stressed): demonstrates cash flows in adverse
idiosyncratic scenarios for companies regulated by Susep. - Short-Term Liquidity Cover Ratio (LCR): demonstrates that the prudential
conglomerate's high-quality liquid assets are sufficient to withstand a severe liquidity crisis, for a period of 30 days, according
to premises defined by the Central Bank of Brazil; and - Net Stable Funding Ratio (NSFR): demonstrates that the prudential conglomerate
has available stable resources higher than required by cash outflows in a one-year stress scenario. - Concentration of Funding Providers:
demonstrates that the prudential conglomerate has diversified exposure to liquidity provider counterparties. The use of liquidity risk
limits must be verified against the approved limits. Noncompliance with the established limits and indicators must be reported by the
liquidity risk control to senior management, the relevant departments for immediate reclassification of exposure and the relevant committees.
The contingency and recovery plans are designed to restore adequate levels of liquidity and preserve Itaú Unibanco's viability
in response to stress situations. The plans must contain a list of actions to be implemented, covering volumes, deadlines and those responsible
for them. The actions of the contingency plan must contemplate a gradation by level of criticality. The order of actions should be determined
by the ease of implementation, taking into account the characteristics of the market. The details of procedures and specific rules linked
to this policy can be accessed at ItaúConecta/Policy and Rules/Policies (Simplified Model)/Ethics, Risks and Governance/Risks/Liquidity.
7. GLOSSARY Reserve Pilot: structure responsible for continuously calculating the bank reserve balance and monitoring all debit and/or
credit entries of the financial institution. Funding Providers: counterparties that invest funds in the Institution through various products,
such as Demand Deposits, Term Deposits, Financial Bills, among others. Reserve: total assets that can be converted into cash immediately,
according to the considerations of the markets and regulatory bodies where the unit is located. Run-Off: scenario in which assets and
liabilities expire and are not renewed. Approved by the Board of Directors on 2023, May. ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23
Publicly-Held Company NIRE 35300010230 CREDIT RISK MANAGEMENT AND CONTROL POLICY 1. OBJECTIVE Establish the Governance and Credit Risk
Control of Itaú Unibanco Holding SA, observing applicable regulations and best market practices. 2. TARGET AUDIENCE Financial
institutions controlled by Itaú Unibanco Holding S.A. (Itaú Unibanco), in Brazil and abroad, that incur credit risk, covering
all segments (individuals and legal entities). 3. INTRODUCTION According to the institution's corporate risks dictionary, Credit Risk
is understood as the risk of losses arising from: - Non-compliance by the borrower, issuer or counterparty with their respective financial
obligations under the agreed terms, - Credit agreement devaluation resulting from deterioration in the risk rating of the borrower, the
issuer or the counterparty, - Reduction of earnings or remuneration, - Advantages granted in subsequent renegotiations and - Credit recovery
costs. The credit risk control processes must support the institution, strictly observing the principles defined in the internal policies.
The centralized control of credit risk is carried out independently by the Risk Management Department (AR), segregated from the Business
Units and the area executing the internal audit activity. At the International Units, the independent structure responsible for controlling
local risks is under the responsibility of the local Chief Risk Officers (CROs), who report to the respective Local CEOs and Regional
CROs, acting in a coordinated and aligned manner with the Credit Risk and Modeling Board. The Regional CROs are responsible for the integrated
and preventive management of risks in the region, ensuring their effectiveness and reporting their status to the CRO of Itaú Unibanco
Holding. The roles and responsibilities of the Holding’s, Regional and Local CROs are defined in internal procedure. This structure
enables the continuous and integrated management of credit risk and must consider the operations classified in the trading portfolio
and those classified in the non-trading portfolio as well. 4. GUIDELINES Risk management must be integrated, thus enabling identification,
measurement, evaluation, monitoring, reporting, control and mitigation of Credit Risk. Credit Risk management structures must be proportional
to the risk exposure dimension and relevance, compatible with the business model, the nature of transaction operations and the complexity
of Itaú Unibanco products, services, activities and processes. Therefore, specialized and properly dimensioned teams must be maintained
to support the credit risk processes and systems that are under their governance. The Credit Risk management structure must provide:
- Clearly documented risk management policies and strategies that establish limits and procedures for maintaining risk exposure in accordance
with the Risk Appetite Statement. It should also take into account the prior identification of credit risks inherent to: - New products
and services; - Relevant modifications to existing products or services; - Significant changes in processes, systems, operations and
business model of the institution; - Protection strategies (hedge) and risk assumption initiatives; - Significant corporate reorganizations;
- Aspects related to social risk, environmental risk and climate risk; - Changes in macroeconomic scenarios. - Monitoring processes,
in order to identify points in non-compliance with credit risk management policies, including the respective justifications and expected
actions to resolve any divergences; - Systems, routines and procedures for credit risk management, including their updates; - Periodic
management reports for the board, committees, as well as for other forums where the topic of Credit Risk is on the agenda. - Alternative
models or methodologies to better measure credit risk. The above-mentioned guidelines must be applied to risks of credit, counterparty,
country, disbursement events to honor endorsements, sureties, co-obligations, credit commitments or other operations of a similar nature
and losses associated with non-compliance with obligations related to settlement transactions involving bilateral flows, including the
trading of financial assets or derivatives. 5. MAIN ROLES AND DUTIES Credit Risk Control Must: - Define centralized credit risk monitoring
and control environment; - Periodically review the policies, strategies and procedures for establishing operational limits, risk mitigation
mechanisms and procedures designed to maintain the credit risk exposure at acceptable levels by management, and approve them at the competent
approval authority levels; and - Disclose credit decisions, corporate policies and strategies for managing credit risk to the Business
Units and CROs of the International Units. Credit Risk Modeling Must contribute to the execution of Credit Risk Control activities, following
the assignments provided for in the Model Risk Policy. Model risk management aims to identify, analyze and classify models according
to their risk. This classification is done using criteria based on the pillars of model size (the impact or relevance it represents),
residual model risk (related to development, performance and robustness), regulatory requirements, technology used and usage characteristics.
In order to manage and mitigate the risks inherent in the use of models, we have a dedicated governance framework, described in our internal
policy, which aims to ensure the effective application of best practices in model risk management. Finance Define rules for performing
simulations and calculations in line with applicable standards and regulations, in addition to publishing financial statements and other
reports that assist and complement Credit Risk Management and Control. Risk Management Department Committee Members Responsible for decision
making according to the specificity of each forum, striving for risk mitigation in order to maintain credit risk exposure at acceptable
levels for management. Business Units (Brazil and International Units) Ensure visibility of the credit risk incurred in its operations
and compliance with the established rules and limits. Additionally, the business areas shall maintain procedure manuals with detailed
descriptions of the responsibilities and assignments for the processes and controls under their accountability. 6. CREDIT RISK CONTROL
6.1 - ECONOMIC GROUPS Itaú Unibanco Holding's credit risk management process has governance for the formation and alteration of
economic groups, whose target audience is all commercial segments that grant or manage credit, which includes international units, except
Itaú Chile Colombia. 6.2 - COUNTERPARTY CREDIT RISK This is the risk of non-compliance, by a certain counterparty, with obligations
related to settlement of operations that involve trading of financial assets with bilateral risk. It covers financial derivatives instruments,
transactions to be settled, asset loans and repurchase agreements and bilateral energy contracts. Measuring counterparty credit risk
involves converting it into the equivalent credit risk exposure through specific models. The Potential Credit Risk (PCR) measurement
models are used to measure the equivalent credit exposure in transactions subject to counterparty credit risk. The development and approval
of these models follow the governance described in a specific procedure. The procedure for Development of Market Risk Models defines
the counterparty credit risk measurement for certain products and businesses, with priority over the PCR models, and has the following purposes:
- Considering, when measuring credit risk, the presence of mitigating instruments, as long as they are not explicitly considered in the
PCR models; - Defining the measurement of counterparty credit risk for certain products and businesses where there are material risks
not captured by the PCR models; and - Defining the risk measurement for certain products and businesses in which there is no specific
model developed. 6.3 - COUNTRY RISK Itaú Unibanco maintains relationships with borrowers, issuers, counterparties and guarantors
in several locations around the world, regardless of having an external unit in these locations. Therefore, Country Risk is a risk present
in the institution. Such risk is defined, at Itaú Unibanco, as the risk of losses arising from the failure to comply with financial
obligations, within the agreed terms, by borrowers, issuers, counterparties or guarantors, as a result of actions carried out by the
government of the country where the borrower, issuer, counterparty or guarantor is located, or political, economic and social events
related to that country. It is subdivided into: - Sovereign risk, defined as the risk of central governments' (Treasury and Central Bank)
inability to generate resources to honor their commitments; - Transfer risk, defined as the risk resulting from the total or partial
impossibility of transferring assets held in a jurisdiction abroad to the jurisdiction of the country using a legal vehicle of Itaú
Unibanco, due to the barriers arising in the conversion exchange rate as a consequence of macroeconomic events or actions taken by the
central government of the jurisdiction where the resource is located; leaving the borrower, issuer, counterparty or guarantor incapable
of honoring the payment of its commitments in foreign currency. Itaú Unibanco has a specific structure for managing and controlling
country risk, composed of collegiate bodies and dedicated teams, all with formally defined responsibilities. In order to consistently
assess the risks inherent to each country, Itaú Unibanco defines the rating of the countries by taking into account both the sovereign
risk and the transfer risk. The local sovereign rating reflects the payment capacity of the sovereign issuer (Treasury and Central Bank)
against its obligations settled in local currency. The external sovereign rating reflects the ability of a country to generate foreign
exchange (foreign currency) and, therefore, it is the rating used to assess the capacity of the sovereign issuer (Treasury and Central
Bank) to honor its obligations to be settled in foreign currency, as well as to assess the transfer risk. The inability to generate foreign
exchange can lead to two consequences: (i) default of the sovereign issuer on its debts in foreign currency and/or (ii) imposition of
capital controls that prevent transferring private resources between jurisdictions (restrictions for converting national currency into
foreign currency). Itaú Unibanco establishes limits based on ratings and transaction terms, aiming to control the country risk
exposure. Such limits are periodically reviewed, and extraordinary revisions may occur in light of a new material fact. 6.4 – SOCIAL,
ENVIRONMENTAL AND CLIMATE RISK Social, environmental and climate risk events on the counterparty may result in credit losses. Due to
this, Itaú Unibanco defined a set of guidelines to guide the establishment and maintenance of credit relationships and operations
with credit risk with Customers, which are detailed in internal procedure. 6.5 - CREDIT PORTFOLIO MONITORING Portfolio monitoring is
understood as the follow-up of indicators related to credit operations. In general, monitoring indicators are observed for the balance
of active portfolio, credit concession in the month (also known as the harvest), and default indicators (balance in arrears in relation
to the portfolio or harvest balance) and quality. The purpose of portfolio monitoring is to verify the financial health of credit operations,
adapting credit strategies to the conglomerate risk appetite. Any deviations identified in relation to the maximum and minimum levels
of the Global Policy are reported as follows: centralized monitoring in Brazil is periodically reported to the Credit Risk Policy Committee
(CPRC). Consolidated indicators of the retail segment harvest and portfolio are reported on a monthly basis to the Superior Credit and
Collection Commission for Retail (CSCCV) and for the wholesale segment, bimonthly (can be changed on request) to the Superior Credit
and Collection Commission for Wholesale (CSCCA). In the International Units, monitoring is reported to the Risk Committee of the International
Units (CRUI), with the participation of local and regional CROs. Regarding the indicators of the International Units, monitoring is reported
by the Risk Committee of the International Units (CRUI-R) (HN and Conesul) and CIR - Integrated Risk Committee (Itaú Chile), with
the participation of the Holding, Regional and Local CROs. 6.6 - PORTFOLIO AND CREDIT PROCESSES REVIEW The review must consist of analyzing
the quality and integrity of the credit process of each business unit, covering everything from correct compliance with credit policies,
assessment of concession quality, assessment of customers' ability to pay and adequacy of assigned ratings. This analysis must be carried
out by an independent team of reviewers and the outcome reported to senior credit management (Chief Credit Officer), risk management
of the reviewed business units (Chief Credit Risk Officer or CRO) and the Credit Risk Holding Area. 6.7 - ASSESSMENT OF CREDIT STRATEGIES
AND POLICIES Establish the responsibilities and general rules relative to the process of determining and approving changes in credit
policies and business rules that impact on credit risk exposure. For proprietary portfolios, the policies address the credit granting
and maintenance, as well as the acquisition, in the market, of instruments with credit risk. For third-party portfolios, the policies
address the rules for discretionary decision making in assets with credit risk. Change in credit policy is any action that affects the
risk assumed or that may have an impact on the consumption of credit limit and on Allocated Economic Capital. Credit policies can be
divided into three types: 1. Credit granting and maintenance policies: amendments and changes in credit models, segmentation, income/revenue,
etc.; changes in credit approval authorities (composition and values); impact at risk due to annual re-segmentations; change of cutoff
point; new segmentations (breaks) that change the credit decisions. 2. Risk measurement policies: mitigation by guarantees; definition
or change of the application criteria for potential credit risk (PCR) models; definition or change of parameters for calculating capital
and limit consumption. 3. Global Credit Policy: maximum or minimum levels for a set of indicators and variables reflecting credit risk
in the bank, which must be considered in all retail and wholesale policies. 6.8 - CONCENTRATION RISK Concentration risk is the risk of
financial loss resulting from the excessive concentration of operations with credit risk in clients, sectors, geographic regions or mitigating
instruments, in a direct or correlated way. Concept mentioned in internal procedure. Aiming to ensure low outcome volatility, the concentration
risk management is conducted from different perspectives within the bank, so as to observe that the institution is not significantly
exposed to a single source of risk. This way, Concentration Risk is monitored from the following perspectives: individual, top 10, by
country, by sector of the economy and of the institution’s activity. The Board of Directors and Executive Board monitor these indicators
on a monthly basis and are also responsible for adjusting and approving metrics and their limits. The limits are defined according to
each dimension's variables. In order to define the individual concentration limits and the top 10 conglomerates, we evaluated the inherent
credit risk of the conglomerates, respecting the maximum limits of CMN Resolution 4,677. For concentration by country, the risk diversification
is based on the credit risk presented by each country and the bank strategy. As for concentration by segment, the diversification is
based on bank strategy and its operation business outcome volatility, while for concentration by sector, the limits are defined according
to the sector-based credit portfolio risk profile, its profitability, and the sector relevance in the economy. The limits defined for
each metric, as well as more details on calculation methodologies, are found in the Risk Appetite Manual. 6.9 - INCOME Determines the
types of income and how to define the income for Individuals. When capturing any customer income information (such as proven, certified
income, ability to pay or other income information approved under exception) and using it for granting credit, maintenance, or any other
purpose of income for individuals, it is mandatory to follow the guidance in internal procedure respecting the document type, its validity
and exceptions, in case of seasonality. 6.10 - REVENUE Determine the types of revenue and the way to obtain income for the legal entity.
When capturing any customer revenue information (such as evidence, certificate, ability to pay or other approved information in an exception)
and using it for credit granting, maintenance or any other purpose, it is mandatory to follow the guidance in internal procedure observing
the respective procedures, types of documents, their validity and any exceptions. 6.11 - INCOME COMMITMENT The income commitment (CR)
is the debt divided by gross income of the Individual Customer. It is used in the granting and maintenance, through credit policies and
business rules of Individual Retail, as a measure to assess the customer risk, considering their current indebtedness and the impact
of the requested credit on that debt. The specific use of CR is described in each product policies. The rules for calculating CR and
the guidelines for recalculating this information are described in internal procedure. 6.12 - GUARANTEES Guarantees are instruments whose
purpose is to reduce the occurrence of losses in operations with credit risk, including, without distinction, financial guarantees,
real guarantees, agreements for compensation and settlement of obligations, personal and fiduciary guarantees, and credit derivatives.
For these guarantees to be considered as a risk reduction instrument, they must comply with the requirements and determinations of the
standards that regulate them. 6.13 - ASSESSMENT OF COLLECTION POLICIES AND STRATEGIES Collection strategies refer to the recovery and
renegotiation of credit operations that are in arrears. To assess collection strategies, portfolios are monitored (default, harvest and
portfolio), with focus on renegotiation products. Monitoring of these actions carried out by the Modeling and Credit Risk Management
Department is intended to mitigate risks on the collection strategies and operations carried out by the Business Units. 6.14 - UPDATE
AND DEVELOPMENT OF RISK PARAMETERS FOR PROVISION AND CAPITAL Risk parameters are the necessary inputs that qualify the calculations of
provisions or capital allocation performed by the finance area for accounting and/or management purposes. Parameters are assigned by
parameter developer units (UDPs) through premises and calculations to ensure the Bank's solvency in the face of expected and/or unexpected
changes in past, current and future scenarios. The definitions and concepts of each parameter must be aligned between the parameter developer
unit (UDP) and the parameter user unit (UUP). 6.15 - CREDIT PORTFOLIO MANAGEMENT As a complement to credit risk management, portfolio
management is the methodology used to monitor groups of customers with different profitability and resilience over an economic cycle.
Based on these different resilience behaviours of customers and their respective credit operations, clusters are assigned: - Monitor
the loan portfolio and new lending - Determine limits (% maximum) of exposure in riskier groups - To be used as a decision support tool
for lending, complementing existing models. 7. RELATED EXTERNAL RULES - CMN Resolution No. 4,557/2017 of the Brazilian National Monetary
Council (CMN), which provides for the implementation of a credit risk management structure, amended by CMN Resolution 4,943/2021, which
provides for the risk management structure, the capital management structure and information disclosure policy. - CMN Resolution 2,682,
which establishes criteria for classifying credit operations and rules for establishing a provision for settlement credits. - CMN Resolution
No. 4,966/2021, which provides for the accounting concepts and criteria applicable to financial instruments, as well as for the designation
and recognition of hedging relationships (hedge accounting) by financial institutions and other institutions authorized to operate by
the Central Bank of Brazil. - CMN Resolution No. 4,945/2021, which provides for the Social, Environmental and Climate Responsibility
Policy (PRSAC) and actions aimed at its effectiveness. - Brazilian Securities and Exchange Commission Instruction 247, which provides
for the evaluation of investments in associated and subsidiaries and the procedures for preparing and disclosing the consolidated financial
statements. Approved by the Board of Directors in July 2023.
ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held
NIRE 35300010230 PUBLIC ACCESS REPORT - CAPITAL MANAGEMENT POLICY 1 OBJECTIVE To define rules and responsibilities pertaining to Itaú
Unibanco Holding S.A. (Itaú Unibanco) capital management activities, in accordance with the applicable
regulations and best market practices. 2 TARGET AUDIENCE The capital management process must cover all companies in the conglomerate
controlled by Itaú Unibanco in Brazil and abroad. 3 INTRODUCTION For any company to be able to operate, it is necessary that it
has capital, which is the investment made by shareholders. In addition, the resources that the company generates and that are not distributed,
being kept in its equity, are also called capital. For financial institutions, the Central Bank of Brazil requires a minimum capital
(required capital), which is the capital necessary to face the risks to which the institution is exposed, guaranteeing its solvency.
Capital management is a fundamental instrument for the sustainability of the financial system. Methods for identifying, evaluating, controlling,
mitigating and monitoring risks support financial institutions in adverse moments. Itaú Unibanco considers capital management
essential for the decision-making process, which contributes to the optimization and efficiency of the use of capital in its operations.
In this management, Itaú Unibanco companies in Brazil and abroad are considered. Changes in the global financial environment,
such as the integration between markets, the emergence of new transactions and products, increasing technological sophistication and
new regulations have made financial activities and their risks increasingly complex. Additionally, lessons from financial crises reinforce
the importance of risk management (Public Access Report - Risk) and capital management to strengthen the financial health of the banking
industry. The Brazilian participation in the Basel Committee on Banking Supervision (BCBS) encourages the timely implementation of international
prudential standards in the Brazilian regulatory framework. In line with this perspective, Itaú Unibanco invests in the continuous
improvement of capital management processes and practices, in accordance with international market, regulatory and supervisory benchmarks.
Itaú Unibanco's capital management consists of a continuous process of planning, evaluation, control and monitoring of the capital
necessary to face the relevant risks of the Conglomerate and support the capital requirements required by the regulator, or those defined
internally by the Institution, with the objective of optimizing capital allocation. The departments defined in the capital management structure,
together with the support of some specific departments of each theme, answer together or individually for: a. Identification of the risks
to which the institution is exposed and analysis of their materiality; b. Assessment of the capital needed to support the risks; c. Development
of methodologies for quantification of additional capital; d. Capital quantification and internal capital adequacy assessment; e. Internal
Capital Adequacy Assessment Process (ICAAP); f. Projection of capital ratios; g. Determination of reference equity (PR) and Calculation
of capital ratios; h. Preparation of the capital plan and contingency plan; i. Preparation of the recovery plan; j. Monitoring the solvency
and liquidity regularization plan of SUSEP companies; k. Capital stress tests; l. Determination of the Global Systemic Importance Index
(ISG); m. Preparation of the quarterly risk and capital management report – Pillar 3; n. Monitoring the Cost of Capital of the
Holding and External Units; o. Monitoring the capital of the External Units. Itaú Unibanco's capital management structure allows
the monitoring and control of the capital held by the Institution, the assessment of the need for capital to face the risks to which
the Institution is exposed and the planning of goals and capital needs, considering the Institution's strategic objectives and/or considering
adverse situations. As a result, Itaú Unibanco adopts a prospective approach, anticipating the need for capital arising from possible
changes in market conditions. Due to sensitivity and specificity, an internal policy to protect the capital index was created, which
is also periodically reviewed. 4 CONCEPTS Required capital: it is the capital necessary to face the risks to which the institution is
exposed, guaranteeing its solvency and including international units. The requirements are regulated by BACEN for Brazil and by local
regulatory bodies at international units. Such requirements are expressed in the form of indices that relate available capital to total
risk-weighted assets (RWA – Risk Weighted Assets). The Reference Equity (PR) used to verify compliance with the operating limits
imposed by BACEN consists of the sum of three items, called: . Common Equity: sum of capital stock, reserves and retained earnings, minus
deductions and prudential adjustments; . Complementary Capital: composed of perpetual instruments that meet eligibility requirements.
Added to the Common Equity, it makes up Level I; . Tier II: composed of defined-maturity subordinated debt instruments that meet eligibility
requirements. Added to the Common Equity and the Complementary Capital, it makes up the PR (Total Capital). For the purposes of calculating
these minimum capital requirements, the total amount of the RWA is calculated by the sum of the portions of assets weighted by credit,
market and operational risks: = ++
+
= portion related to
exposures to credit risk, calculated according to a standardized approach;
= portion related to exposures to credit risk calculated according to the IRB approach, consisting of the maximum between the internal
model and 72.5% of the standardized model¹;
= portion related to the capital required for market risk, composed of the maximum between the internal model and 80% of the standardized
model; = portion related
to the capital required for operational risk, calculated according to a standardized approach. In addition to regulatory minimums, BACEN
rules establish Additional Capital Buffers (ACP), corresponding to the sum of the ACP Conservation, ACP Countercyclical and ACP Systemic
installments which, together with the aforementioned requirements, increase the need for capital:
. ACP Conservation: represents an extra “cushion” of capital to absorb possible losses.
. ACP Countercyclical: is an additional cushion of capital to be accumulated during the expansion phase of the credit cycle and to be consumed during its contraction phase.
. ACP Systemic: for institutions with systemic importance, an additional capital is required to face systemic risk.
The values of each installment and the regulatory minimums, as defined in CMN Resolution No. 4,958, are described in the following table:
Common Equity Tier I | 4.5%
Tier I | 6.0%
Total Capital | 8.0%
Additional Capital Buffers (ACP) | 3.5%
conservation | 2.5%
countercyclical (1) | 0.0%
systemic | 1.0%
Common Equity Tier I + ACP | 8.0%
Total Capital + ACP | 11.5%
Prudential adjustments deductions | 100%
(1) The countercyclical capital buffer is fixed by the Financial Stability Committee (Comef) based on discussions about the pace of credit expansion, and currently is set to zero (Bacen communication Nº 39,425/22). Should the requirement increase, the new percentage takes effect twelve months after the announcement.
Internal Capital Adequacy Assessment Process (ICAAP) Annual
exercise required by the Central Bank of Brazil whose objective is to assess the capital adequacy of Itaú Unibanco, thus providing
a general and comprehensive view of the institution's risk and capital management and demonstrating the results related to the self-assessment
of the adequacy of its capital level according to its risk profile. The ICAAP comprises the Capital Plan and the Contingency Plan, described
below. Capital Plan The capital plan is a section of the ICAAP that discusses how the bank's capital planning takes place in order to
maintain an adequate and sustainable level of capital, incorporating the limits established by the risk appetite and the analyses of
economic and regulatory environments. Additionally, it is structured consistently with Itaú Unibanco's strategic planning. This
plan presents the financial and capital forecasts in the short and medium term (at least three years following the base date year), both
in normality and stress scenarios, together with its main sources of capital, distribution policy results and contingency plan.
Capital Contingency Plan Itaú Unibanco has a capital contingency plan for cases in which
at least one capital ratio is found to be lower than those defined by the Board of Directors (Conselho de Administração
(CA)), or for unforeseen events that may affect the capital adequacy of the institution. The plan includes a set of contingency actions
and those responsible for them, which allows Itaú Unibanco to increase its capitalization levels and must contain, at least, the
definition of the capital limits that trigger its activation and the corresponding governance, aiming to maintain the adequate capitalization
level of Itaú Unibanco in an adverse situation. Recovery Plan Itaú Unibanco has a Recovery Plan that aims to reestablish
adequate levels of capital and liquidity above regulatory operating limits, in the face of severe stress shocks of a systemic or idiosyncratic
nature, in order to preserve its financial viability, and at the same time mitigate impact on the National Financial System. The Recovery
Plan covers the entire conglomerate, including subsidiaries abroad, and is reviewed annually and submitted for approval by the Board
of Directors. Its normative basis is CMN Resolution No. 4,502, and contains the critical functions and essential services provided by
Itaú Unibanco that can impact the National Financial System and the institution's own viability. Additionally, it discusses stress
scenarios, communication plans with interested parties and governance mechanisms necessary for the coordination and execution of the
plan. Stress Test The stress test, an integral part of the Institution's Capital Plan, is a process of simulating the effects of extreme
economic and market conditions on the institution's results and capital. Stress scenarios must be approved by the Board of Directors
and their results must be considered when defining Itaú Unibanco's business and capital strategy. The stress test, for Itaú
Unibanco, can be divided into internal and regulatory. The first seeks to measure the vulnerability and strength of the conglomerate
in hypothetical, but plausible, economic crisis scenarios based on macroeconomic simulations and projections developed by the institution
itself. The regulatory stress test has the same objective, but uses a scenario developed by the Central Bank. In both processes, the
main analyses are on the Bank's results (DRE - P&L), its distribution among the conglomerate's portfolios and activities and on the
institution's level of capital and liquidity. Additionally, to complement the results according to the processes described above, sensitivity
analyses and reverse stress tests are carried out annually. The capital management framework should provide assessments of impacts on
capital from the definition of severe scenarios chosen by the institution and include them in the results of the stress test program.
Solvency and Liquidity Regularization Plan – SUSEP This plan provides for the minimum capital required for the operation of insurance
and reinsurance companies, where the capital sufficiency indicator is monitored monthly. Based on the verification of its insufficiency,
jointly with the asset management departments of the insurance group, measures to regularize the solvency and liquidity ratios of companies
subject to SUSEP guidelines are defined.

Global Systemic Importance Index (GSI)

A methodology defined by the Bank for International Settlements (BIS) and ratified by the Financial Stability Board. This index measures the importance of each financial institution in the global market, whose bankruptcy could cause an international threat to the financial system, and is made up of five main indicators:

- Size: which reflects the relative participation of the institution in the global activity;
- Activity abroad: relative participation of the institution in international activities;
- Interconnection: relative participation of the institution in the interbank market and with the global capital market;
- Substitution: relative participation of the institution in the global offer of financial services;
- Complexity: relative participation of the institution in complex or low liquidity instruments.

Information regarding the ISG calculation is published annually on the Investor Relations website, in accordance with BACEN Resolution No. 171.

Capital and Risk Management Report – Pillar 3

It is a report that contains information relating to prudential indicators and risk management, comparison between accounting and prudential information, capital composition, macro prudential indicators, leverage ratio, liquidity indicators, credit risk, counterparty credit risk, securitization exposures, market risk, risk of variation in interest rates on instruments classified in the banking portfolio and remuneration of administrators. It is published quarterly on the Institution's Investor Relations website (Pillar3), in accordance with BCB Resolution No. 54.

Guidelines

Capital management must support the institution according to the principles defined in the Risk Management policy and those defined in this policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco's capital management structure must:

- Ensure that policies and strategies for capital management are clearly documented and establish mechanisms and procedures to maintain the Reference Equity (RE), Level I, and Principal Capital compatible with the risks incurred by the institution.
- Maintain procedures for managing capital.
- Be compatible with the nature of its operations, the complexity of the products and services offered and the dimension of risk exposure.
- Ensure the submission of capital management policies and strategies, as well as the capital plan, for approval and review, at least annually, by the Board of Directors, in order to determine their compatibility with the institution's strategic planning and with market conditions.
- Generate reports for the institution's departments, the Risk and Capital Management Committee (CGRC) and the Board of Directors, pointing out the adequacy of the levels of PR, Level I and Brazilian Capital Principal to the risks incurred or any deficiencies of the capital management framework, as well as actions to correct them.
- Ensure that the Solvency and Liquidity Regularization Plan required by SUSEP is met in the event of insolvency or non-liquidity by one or more companies in the insurance industry, ensuring that the areas involved in the asset management of these companies are activated for the definition of a corrective action proposal, as well as submitting it to impact assessment.
- Define the governance and responsibilities of the capital management process, and disclose decisions and policies related to this process to the affected areas, as well as monitor the regulatory capital of Itaú Unibanco and international units.
- Business units and international units must ensure that approved decisions and policies are properly implemented.
- Ensure that the information disclosed in the Risk and Capital Management report - Pillar 3 is detailed enough for the scope, the complexity of operations, the sophistication of systems and the institution's risk management processes, and ensure that any relevant differences relating to other information disclosed by the institution are clarified;
- Ensure that published information adheres to the current rules established by regulatory bodies;
- Calculate, monitor and control regulatory operating limits related to Itaú Unibanco Holding's capital.

MAIN ROLES AND RESPONSIBILITIES

Itaú Unibanco's management is directly involved in the internal process of assessing capital adequacy and its risk assessment. The committees and internal commissions that discuss the capital management process include:

- Board of Directors (CA)
- Risk and Capital Management Committee (CGRC)
- Asset Liability Capital Committee (ALCCO)

Risk Management Department: The Risk Management Department aims to ensure that Itaú Unibanco's risks are managed in accordance with established policies and procedures, in addition to being responsible for centralizing the institution's capital management. The purpose of centralized control is to provide the Board of Directors and senior management with a global view of Itaú Unibanco's exposures to risks, as well as a prospective view of capital adequacy in order to optimize and streamline corporate decisions.

Information Providing Departments: At the most fundamental level, the areas are expected to provide the necessary information for the identification of risks, for the analysis of their materiality and for the measurement of the required capital, as well as for the preparation of the capital budget, capital plan, contingency plan, recovery plan, risk and capital management report - Pillar 3 and other regulatory and management reports, ensuring their completeness, integrity and consistency and considering both the growth and evolution of the business's expected risk profile of the unit. The areas involved in the capital management process must be able to carry out the required actions whenever they are called upon.

Details of the responsibilities of each of the departments involved in the capital management process are described in the internal procedures.

Approved by the Board of Directors in September 2023.