Exhibit 99.1

4Q 21 Risk and capital management Pillar 3 Fourth quarter of 2021

Contents Objective 1 Key indicators 1 Prudential Metrics and Risk Management 2 KM1: Key metrics at consolidated level 2 OVA: Bank risk management approach 3 Scope and main characteristics of risk management 3 Risk and Capital Governance 4 Risk Appetite 5 Risk Culture 5 Stress Testing 6 Recovery Plan 7 Capital Adequacy Assessment 8 Capital Adequacy 8 OV1: Overview of risk-weighted assets (RWA) 9 Links between financial statements and regulatory exposures 10 LIA: Explanations of differences between accounting and regulatory exposure amounts 10 LI1: Differences between accounting and regulatory scopes of consolidation and mapping of financial 11 statement categories with regulatory risk categories LI2: Main sources of differences between regulatory exposure amounts and carrying values in financial 12 statements PV1: Prudent valuation adjustments (PVA) 12 Institutions that comprise the Financial Statement of Itaú Unibanco Holding 13 Non Consolidated Institutions 17 Material Entities 17 Composition of Capital 18 CCA: Main features of regulatory capital instuments 18 CC1: Composition of regulatory capital 19 CC2: Reconciliation of regulatory capital to balance sheet 21 Macroprudential Indicators 22 CCyB1: Geographical distribution of credit risk exposures considered in the calculation of the 22 Countercyclical Capital Buffer GSIB1: Disclosure of G-SIB indicators 22 Leverage Ratio 22 LR1: Summary comparison of accounting assets vs leverage ratio exposure measure (RA) 23 LR2: Leverage ratio common disclosure 23 Liquidity Ratios 24 LIQA: Liquidity Risk Management Information 24 Framework and Treatment 24 LIQ1: Liquidity Coverage Ratio (LCR) 25 LIQ2: Net Stable Funding Ratio (NSFR) 26 Credit Risk 27 CRA: Qualitative information on credit risk management 27 CR1: Credit Quality of Assets 28 CR2: Changes in Stock of defaulted loans and debts securities 29 CRB: Additional disclosure related to the credit quality of assets Credit risk mitigation 29 Exposure by industry 30 Exposure by remaining maturity 30 Overdue exposures 31 Exposure by geographical area in Brazil and by country 31 Largest debtors exposures 32 Restructured exposures 32 Corporativo | Interno

CRC: Qualitative disclosure related to Credit Risk Mitigation techniques 32 CR3: Credit Risk mitigation techniques – overview 33 CR4: Standardized Approach – Credit Risk exposure and credit risk mitigation effects 34 CR5: Standardized Approach – exposures by asset classes and risk weights 34 Counterparty Credit Risk (CCR) 34 CCRA: Qualitative disclosure related to CCR 34 CCR1: Analysis of CCR exposures by approach 35 CCR3: Standardized approach – CCR exposures by regulatory portfolio and risk weights 35 CCR5: Composition of collateral for CCR exposures 36 CCR6: CCR associated with credit derivatives exposures 36 CCR8: CCR associated with Exposures to central counterparties 37 Securitization Exposures 37 SECA: Qualitative disclosure requirements related to securitisation exposures 37 SEC1: Securitisation exposures in the banking book 38 SEC2: Securitisation exposures in the trading book 38 SEC3: Securitisation exposures in the banking book and associated regulatory capital requirements – 38 bank acting as originator or as sponsor SEC4: Securitisation exposures in the banking book and associated capital requirements – bank acting 38 as investor Market Risk 39 MRA: Qualitative disclosure requirements related to market risk 39 MR1: Market risk under standardized approach 41 MRB: Qualitative disclosures on market risk in the Internal Models Approach (IMA) 41 MR2: RWA flow statements of market risk exposures under an IMA 44 Exposures subject to market risk 44 MR3: IMA values for trading portfolios 44 MR4: Comparison of VaR estimates with gains/losses 45 Backtesting 45 Total Exposure associated with Derivatives 46 IRRBB 46 IRRBBA: IRRBB risk management objectives and policies 46 Framework and Treatment 47 IRRBB1 – Quantitative information on IRRBB 49 Remuneration of Directors 50 REMA: Compensation Policy 50 REM1: Remuneration awarded during the financial year 60 REM2: Special payments 60 REM3: Deferred remuneration 60 Other Risks 61 Insurance products, pension plans and premium bonds risks 61 Social and Environmental Risk 61 Model Risk 62 Regulatory or Compliance Risk 63 Reputational Risk 63 Country Risk 65 Business and Strategy Risk 65 Contagion Risk 65 Operational Risk 66 Crisis Management and Business Continuity 67 Independent Validation of Risk Models 68 Glossary of Acronyms 69 Glossary of Regulations 73 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Objective This document presents Itaú Unibanco Holding S.A. (Itaú Unibanco) information required by the Central Bank of Brazil (BACEN) through Resolution BCB nº 54 and subsequent amendments, which addresses the disclosure of information on risks and capital management, the comparison between accounting and prudential information, the liquidity and market risk indicators, the calculation of risk-weighted assets (RWA), the calculation of the Total Capital (“Patrimônio de Referência”—PR), and the compensation of management members. 1 The referred Resolution brought several amendments in the disclosure format of the Pillar 3 information, besides changes in the scope and frequency of the information disclosed. All these amendments, implemented by the Central Bank, aim the convergence of the Brazilian financial regulation to the recommendations of the Basel Committee, seeking to harmonize the information disclosed by financial institutions at an international level, and taking into account the structural conditions of the Brazilian economy. The disclosure policy of the Risk and Capital Management Report presents the guidelines and responsibilities of the areas involved in its preparation, as well as the description of the information that must be disclosed and the integrity endorsement and approval governance, as established by the article 56 of the Resolution nº. 4,557. Key indicators Itaú Unibanco’s risk and capital management focuses on maintaining the institution in line with the risk strategy approved by the Board of Directors. The key indicators based on the Prudential Consolidation, on December 31, 2021, are summarized below. 1 Compensation of management members data is reported annually. _____________________________________________________________________________________________ Itaú Unibanco 1 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Prudential Metrics and Risk Management Itaú Unibanco invests in robust and company-wide risk management processes to serve as a basis for its strategic decisions intended to ensure business sustainability. The key prudential metrics related to regulatory capital and information on the bank’s integrated risk management are presented below. KM1: Key metrics at consolidated level In order to ensure the soundness of Itaú Unibanco and the availability of capital to support business growth, Itaú Unibanco maintains capital levels above the minimum requirements, as demonstrated by the Common Equity Tier I, Additional Tier I Capital and Total CapitaI ratios. On December 31, 2021, the Total Capital (PR) reached R$ 169,797 million, R$ 149,912 million of Tier I and R$ 19,885 million of Tier II. _____________________________________________________________________________________________ Itaú Unibanco 2 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ The Basel Ratio reached 14.7% on December 31, 2021, remaining at the September 30, 2021 level. In this period, the increase in the result of the period was offset by the growth of the loan portfolio. Besides, Itaú Unibanco has a R$ 77,490 million capital excess in relation to its minimum required Total Capital. It corresponds to 6,7 pp above the minimum requirement (8%) and higher than the Capital Buffer requirement of 3.0% (R$ 34,615 million). Considering the Capital Buffers, the capital excess would be 3,7 pp. The fixed assets ratio shows the commitment percentage of adjusted Referential Equity with the adjusted permanent assets. Itaú Unibanco falls within the maximum limit of 50% of adjusted PR, established by BACEN. At December 31, 2021, fixed assets ratio reached 16.9%, showing a surplus of R$ 56,280 million. OVA – Bank risk management approach Scope and main characteristics of risk management To undertake and manage risks is one of the activities of Itaú Unibanco. For this reason, the institution must have clearly established risk management objectives. In this context, the risk appetite defines the nature and the level of risks acceptable for the institution, while the risk culture guides the attitudes required to manage them. Itaú Unibanco invests in robust risk management processes, that are the basis for its strategic decisions to ensure business sustainability and maximize shareholder value creation. These processes are in line with the guidelines of the Board of Directors and Executives who, through corporate bodies, define the institution’s global objectives, which are then translated into targets and thresholds for the business units that manage risks. Control and capital management units, in turn, support Itaú Unibanco’s management through the processes of analysis and monitoring of capital and risk. The principles that provide the risk management and the risk appetite foundations, as well as guidelines regarding the actions taken by Itaú Unibanco’s employees in their daily routines are as follows: Sustainability and customer satisfaction: the vision of Itaú Unibanco is to be a leading bank in sustainable performance and customer satisfaction. For this reason, the institution is concerned about creating shared values for employees, customers, shareholders and society to ensure the longevity of the business. Itaú Unibanco is concerned about doing business that is good for customers and for the institution; Risk culture: the institution’s risk culture goes beyond policies, procedures and processes. It strengths the individual and collective responsibility of all employees to manage and mitigate risks consciously, respecting the ethic way of doing business. The risk culture is described in the item “Risk Culture”; Risk Pricing: Itaú Unibanco operates and assumes risks in business that it knows and understands, avoids the ones that are unknown or that do not provide competitive advantages, and carefully assesses risk-return ratios; Diversification: the institution has low appetite for volatility in its results. Accordingly, it operates with a diversified base of customers, products and business, seeking risk diversification and giving priority to low-risk transactions; Operational excellence: Itaú Unibanco intends to provide agility, as well as a robust and stable infrastructure, in order to offer high quality services; _____________________________________________________________________________________________ Itaú Unibanco 3 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Ethics and respect for regulations: at Itaú Unibanco, ethics is non-negotiable. For this reason, the institution promotes an institutional environment of integrity, educating its employees to cultivate ethical relationships and businesses, as well as respecting the norms, and therefore looking after the institution’s reputation. Since August, 2017, the Resolution CMN 4,557 came into force, which established the structure of risk and capital management. The resolution highlights are the implementation of a continuous and integrated risk management framework; the requirements for the definition of the Risk Appetite Statement (RAS) and the stress test program; the establishment of a Risk Committee; the indication, before BACEN, of the Chief Risk Officer (CRO); and the CRO’s roles, responsibilities and independence requirements. Risk and Capital Governance The Board of Directors is the main body responsible for establishing the guidelines, policies and authority levels regarding risk and capital management. In turn, the Risk and Capital Management Committee (CGRC) provides support to the Board of Directors in the performance of their duties relating to risk and capital management. At the executive level, corporate bodies headed by Itaú Unibanco’s Chief Executive Officer (CEO) are established to manage risks and capital. Their decisions are overseen by the CGRC. Additionally, the Itaú Unibanco Holding has corporate bodies that perform delegated duties in the risk and capital management, under the responsibility of CRO (Chief Risk Officer). To support this structure, the Risk Area is structured with specialized departments. The objective is to provide independent and centralized management of the institution’s risks and capital, and to ensure the accordance with the established rules and procedures. Itaú Unibanco’s risk management organizational structure complies with Brazilian and international regulations in place and is aligned with the market’s best practices, including governance for identifying emerging risks, which are those with medium and long-term impact potentially material about the business. Responsibilities for risk management at Itaú Unibanco are structured according to the concept of three lines of defense, namely: in the first line of defense, the business and corporate support areas manage risks they give rise to, by identifying, assessing, controlling and reporting such risks; in the second line of defense, an independent unit provides central control, so as to ensure that Itaú Unibanco’s risk is managed according to the risk appetite and established policies and procedures. This centralized control provides the Board and executives with a global overview of Itaú Unibanco’s exposure, to ensure correct and timely corporate decisions; in the third line of defense, internal audit provides an independent assessment of the institution’s activities, so that senior management can see that controls are adequate, risk management is effective and institutional standards and regulatory requirements are being complied with. Itaú Unibanco uses robust automated systems for full compliance with capital regulations, as well as for measuring risks in accordance with the regulatory determinations and models in place. It also monitors adherence to the qualitative and quantitative regulators’ minimum capital and risk management requirements. _____________________________________________________________________________________________ Itaú Unibanco 4 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Risk Appetite Itaú Unibanco has a risk appetite policy, which was established and approved by the Board of Directors and guides the institution’s business strategy. The bank’s risk appetite is grounded on the following declaration of the Board of Directors: “We are a universal bank, operating predominantly in Latin America. Supported by our risk culture, we operate based on rigorous ethical and regulatory compliance standards, seeking high and growing results, with low volatility, by means of the long-lasting relationship with clients, correctly pricing risks, well-distributed fund-raising and proper use of capital.” Based on this declaration, the bank established five dimensions, each of which comprising a set of metrics associated with the key risks involved, combining complementary measurements and seeking a comprehensive view of its exposure: Capitalization: establishes that Itaú Unibanco should have sufficient capital to protect itself against a serious recession or stress events without the need to adjust its capital structure under adverse circumstances. It is monitored by following up the bank’s capital ratios, in usual or stress situations, and the institution’s debt issue ratings. Liquidity: establishes that the institution’s liquidity should be able to support long stress periods. It is monitored by following up on liquidity ratios. Composition of results: establishes that business will mainly focus on Latin America, where Itaú Unibanco will have a diversified range of customers and products, with low appetite for results volatility and high risk. This dimension includes business and profitability, as well as market and credit risks aspects. The metrics monitored by the bank seek to ensure, by means of exposure concentration limits such as, for example, industry sectors, quality of counterparties, countries and geographic regions and risk factors, a suitable composition of the bank’s portfolios, aiming at low volatility of results and business sustainability. Operational risk: focuses on controlling operational risk events that may adversely impact the bank’s business strategy and operations. This control is carried out by monitoring key operational risk events and incurred losses. Reputation: deals with risks that may impact brand value and the institution’s reputation before its customers, employees, regulators, investors and the general public. In this dimension, risks are monitored by following up on customers’ satisfaction or dissatisfaction, media exposure and observation of the institution’s conduct. The Board of Directors is responsible for approving risk appetite guidelines and limits, performing its activities with the support of the Risk and Capital Management Committee (CGRC) and the Chief Risk Officer (CRO). Metrics are regularly monitored and must comply with the limits defined. The monitoring is reported to the risk commissions and to the Board of Directors, guiding the use of preventive measures to ensure that exposures are within the limits provided and in line with the bank’s strategy. Risk Culture Aiming at strengthening its values and aligning the behavior of its employees with risk management guidelines, the institution adopts several initiatives to disseminate and strengthen its Risk Culture, which is based on four principles: conscious risk taking, discussions and actions on the institution’s risks, and each and everyone’s responsibility for risk management. _____________________________________________________________________________________________ Itaú Unibanco 5 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Chart 1—Risk Culture Besides the risk management policies, procedures and processes, the institution promotes its Risk Culture by emphasizing a behavior that helps people of all company levels to undertake and manage risks in a conscious way. By disseminating these principles, the institution fosters the understanding and the open discussion about risks, so that they are kept within the risk appetite levels established and each employee individually, regardless of their position, area or duties, may also assume responsibility for managing the risks of the business. Itaú Unibanco also makes some channels available for communication of operating failures, internal or external fraud, conflicts at the workplace, or cases that may result in inconveniences and/or losses for the institution or its customers. All employees or third parties are responsible for informing any problems immediately, as soon as they become aware of the situation. Stress Testing The stress test is a process of simulating extreme economic and market conditions on Itaú Unibanco’s results, liquidity and capital. The institution has been carrying out this test in order to assess its solvency in plausible scenarios of crisis, as well as to identify areas that are more susceptible to the impact of stress that may be the subject of risk mitigation. For the purposes of the test, the economic research area estimates macroeconomic variables for each stress scenario. The elaboration of stress scenarios considers the qualitative analysis of the Brazilian and the global conjuncture, historical and hypothetical elements, short and long term risks, among other aspects, as defined in CMN Resolution 4,557. In this process, the main potential risks to the economy are assessed based on the judgment of the bank’s team of economists, endorsed by the Chief Economist of Itaú Unibanco and approved by the Board of Directors. Projections for the macroeconomic variables (such as GDP, the basic interest rate and inflation) and for variables in the credit market (such as raisings, lending, rates of default, margins and charges) used are based on exogenous shocks or through use of models validated by an independent area. Then, the stress scenarios adopted are used to influence the budgeted result and balance sheet. In addition to the scenario analysis methodology, sensitivity analysis and the Reverse Stress Test are also used. _____________________________________________________________________________________________ Itaú Unibanco 6 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Itaú Unibanco uses the simulations to manage its portfolio risks, considering Brazil (segregated into wholesale and retail) and External Units, from which the risk-weighted assets and the capital and liquidity ratios are derived. The stress test is also an integral part of the ICAAP (Internal Capital Adequacy Process), the main purpose of which is to assess whether, even in severely adverse situations, the institution would have adequate levels of capital and liquidity, without any impact on the development of its activities. This information enables potential offenders to the business to be identified and provides support for the strategic decisions of the Board of Directors, the budgeting and risk management process, as well as serving as an input for the institution’s risk appetite metrics. Recovery Plan In response to the latest international crises, the Central Bank issued the Resolution No. 4,502, which requires the development of a Recovery Plan for the financial institutions that are classified in the Segment 1, with a total exposure of more than 10% of Gross Domestic Product (GDP). This plan aims to reestablish adequate levels of capital and liquidity, above the regulatory requirements, through appropriate strategies in the event of severe stress shocks of a systemic or idiosyncratic nature. Accordingly, each institution would be able to preserve its financial feasibility and, at the same time, mitigate the impact on the National Financial System. Itaú Unibanco has a Recovery Plan that contemplates the entire Conglomerate, including foreign subsidiaries, and contains the description of the following items:     I.     Critical functions rendered by Itaú Unibanco to the market, activities that, if abruptly interrupted, could impact the National Financial System (SFN) and the functioning of the real economy;    II.     Institution’s essential services: activities, operations or services which discontinuity could compromise the bank’s viability;    III.     Monthly monitoring program, establishing critical levels for a set of indicators, with a view to risk monitoring and eventual trigger for the execution of the Recovery Plan;    IV.     Stress scenarios, contemplating events that may threaten the business continuity and the viability of the institution, including reverse tests, which seek to identify remote risk scenarios, contributing to an increase of the management sensitivity;    V.     Recovery strategies in response to different stress scenarios, including the main risks and barriers, as well as the mitigators of the latter and the procedures for the operationalization of each strategy;    VI.     Communication plan with stakeholders, seeking its timely execution with the market, regulators and other stakeholders; VII.     Governance mechanisms necessary for the coordination and execution of the Recovery Plan, such as the definition of the director responsible for the exercise at Itaú Unibanco. This plan is reviewed annually and is subjected to the approval of the Board of Directors. With this practice, Itaú Unibanco has been able to continuously demonstrate, that even in severe scenarios, with remote probability of occurrence, it has strategies capable of generating sufficient resources to ensure the sustainable maintenance of critical activities and essential services, without losses to customers, to the financial system and to other participants in the markets in which it operates. _____________________________________________________________________________________________ Itaú Unibanco 7 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Itaú Unibanco ensures the exercise maintenance to guarantee that strategies remain up-to-date and viable in the face of organizational, competitive or systemic changes. Capital Adequacy Assessment For its capital adequacy assessment process, the annual Itaú Unibanco’s procedure is as follows: Identification of material risks and assessment of the need for additional capital; Preparation of the capital plan, both in normality and stress situations; Internal assessment of capital adequacy; Structuring of capital contingency and recovery plans; Preparation of management and regulatory reports. By adopting a prospective stance regarding capital management, Itaú Unibanco implemented its capital management structure and its ICAAP in order to comply with National Monetary Council (CMN) Resolution 4,557, BACEN Circular 3,846 and BACEN Circular Letter 3,907. The result of the last ICAAP, which includes stress tests – dated as of December 2020 – showed that, in addition to having enough capital to face all material risks, Itaú Unibanco has a significant buffer, thus ensuring the soundness of its equity position. Capital Adequacy Itaú Unibanco, through the ICAAP process, assesses the adequacy of its capital to face the incurred risks, composed by regulatory capital for credit, market and operational risks and by the necessary capital to face other risks. In order to ensure the soundness and the availability of Itaú Unibanco’s capital to support business growth, the Total Capital levels were maintained above the minimum requirements. _____________________________________________________________________________________________ Itaú Unibanco 8 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ OV1 – Overview of risk-weighted assets (RWA) According to CMN Resolution 4,193 and subsequent amendments, for assessing the minimum capital requirements, the RWA must be calculated by adding the following risk exposures: RWA = RWACPAD + RWAMINT + RWAOPAD RWACPAD = portion related to exposures to credit risk, calculated using standardized approach; RWAMINT = portion related to the market risk capital requirement, made up of the maximum between the internal model and 80% of the standardized model, and regulated by BACEN Circulars 3,646 and 3,674; RWAOPAD = portion related to the operational risk capital requirement, calculated using standardized approach. The higher amount of credit risk-weighted assets (RWACPAD) was mainly due to the increase in loan portfolio in the period. _____________________________________________________________________________________________ Itaú Unibanco 9 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Links between financial statements and regulatory exposures LIA: Explanations of differences between accounting and regulatory exposure amounts The main difference between the accounting carrying value and the amounts considered for regulatory purposes is the non-consolidation of non-financial companies (especially Insurance, Pension Plan and Capitalization companies) in the regulatory consolidated, a difference that also impacts the elimination of related parties transactions. Within the regulatory scope, the procedures for assessing the need for prudent valuation adjustments (PVAs) arising from the pricing of financial instruments, as well as the description of the systems and controls used to ensure its reliability are described below. The pricing methodology for the financial instruments subject to Resolution No. 4,277, of October 31st, 2013, conducted by an independent area from the business areas, considers, in addition to benchmarks, the risks listed in the closeout uncertainty, market concentration, early termination, model risk, investing and funding costs, unearned credit spread and others. The fair value measurement at Itaú Unibanco follows the principles enclosed in the main regulatory bodies, such as CVM and BACEN. The institution follows the best practices in terms of pricing policies, procedures and methodologies and is committed to secure the pricing of financial instruments in its balance sheet with prices quoted and disclosed by the market, and in the impossibility of doing so, expends its best efforts to estimate which would be the fair price at which financial assets would be effectively traded, maximizing the use of relevant observable data and, under specific conditions, these instruments can be valued on a model basis. In all of these situations, the organization has control over its pricing methods and model risk management. The process of independent price verification (IPV) follows the guidelines included in Resolution No. 4,277, with daily verification of prices and market inputs, which is performed by a team independent from the pricing team. This process is also subject to an independent evaluation by the internal control, internal audit and external audit teams. The institution has a hybrid model for assessing the need for prudent valuation adjustments with two components. The first component is a timely assessment model that assesses new products, operations and risk factors traded and verifies the compliance and liability with any components of the existing prudent valuation adjustments. The second is a periodic assessment that aims to analyze the existing prudent valuation adjustments in relation to adequate pricing. The process and methodology are evaluated periodically and independently by internal controls and internal audit. In the line Other Differences of the table LI2, are reported the transactions subject to credit risk and counterparty credit risk, which are not accounted for in the balance sheet or in the off-balance sheet amounts. _____________________________________________________________________________________________ Itaú Unibanco 10 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ LI1: Differences between accounting and regulatory scopes of consolidation and mapping of financial statement categories with regulatory risk categories _____________________________________________________________________________________________ Itaú Unibanco 11 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ LI2: Main sources of differences between regulatory exposure amounts and carrying values in financial statements PV1: Prudent valuation adjustments (PVA) _____________________________________________________________________________________________ Itaú Unibanco 12 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Institutions that comprise the Financial Statements of Itaú Unibanco Holding The lists below provide the institutions that comprise the financial statements and the Prudential Consolidation of Itaú Unibanco Holding S.A.. _____________________________________________________________________________________________ Itaú Unibanco 13 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ _____________________________________________________________________________________________ Itaú Unibanco 14 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Institutions that comprise the Financial Statements of Itaú Unibanco Holding _____________________________________________________________________________________________ Itaú Unibanco 15 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ _____________________________________________________________________________________________ Itaú Unibanco 16 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ The institutions presented in the tables above represent the total scope of companies of Itaú Unibanco Holding. Non Consolidated Institutions Material entities Total assets, stockholders’ equity, country and the activities of the material entities, including those subject to the risk weight for the purpose of capital requirements are as follows: _____________________________________________________________________________________________ Itaú Unibanco 17 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Composition of Capital CCA: Main features of regulatory capital instruments The authorized regulatory capital instruments may be extinguished according to the criteria established in Resolution nº 4,192 in articles 17, item XV, or 20, item X, such as non-compliance with the minimum regulatory ratios, decree of temporary special administration regime or intervention, application of public resources or upon the Central Bank of Brazil determination. Should any criteria for the extinction of subordinated instruments be triggered, the area responsible for Itaú Unibanco’s Capital management will activate the areas involved to execute the following action plan: The treasury, through the payment agent of the subordinated instruments or straight through the central depository, will notify its holders and take actions to ensure that Itaú Unibanco’s trading desks cease to trade such instruments; The operational and accounting areas will carry out the necessary procedures for the proper treatment of the extinction; and The Investor Relations area will communicate the market of the extinction of the subordinated instruments. The table CCA—Main features of regulatory capital instruments, is available at www.itau.com.br/investor-relations, section “Results and Reports”, “Regulatory Reports”, “Pillar 3”. _____________________________________________________________________________________________ Itaú Unibanco 18 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CC1—Composition of regulatory capital _____________________________________________________________________________________________ Itaú Unibanco 19 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ _____________________________________________________________________________________________ Itaú Unibanco 20 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CC2: Reconciliation of regulatory capital to balance sheet _____________________________________________________________________________________________ Itaú Unibanco 21 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Macroprudential Indicators CCyB1: Geographical distribution of credit risk exposures considered in the calculation of the Countercyclical Capital Buffer The following table details the geographic distribution of credit risk exposures considered in the calculation of the Countercyclical Capital Buffer, according to Circular 3,769 of 29 October 2015: GSIB1: Disclosure of G-SIB indicators The GSIB1 table, disclosure of global systemically important bank (G-SIB) indicators, will be available on the website www.itau.com.br/investor-relations, section “Reports”, “Pillar 3 and Global Systemically Important Banks”, within the period stipulated by BCB Resolution 54/20. Leverage Ratio The Leverage Ratio is defined as the ratio between Tier I Capital and Total Exposure, calculated according to BACEN Circular 3,748. The ratio is intended to be a simple measure of non-risk-sensitive leverage, and so it does not take into account risk weights or risk mitigation. As required by BACEN Circular Letter 3,706, Itaú Unibanco monthly reports to BACEN the Leverage Ratio, which minimum requirement is of 3%. The following information is based on the methodology and standard format introduced by BACEN Circular 3,748. _____________________________________________________________________________________________ Itaú Unibanco 22 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ LR1: Summary comparison of accounting assets vs leverage ratio exposure measure (RA) LR2: Leverage ratio common disclosure _____________________________________________________________________________________________ Itaú Unibanco 23 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Liquidity Ratios LIQA: Liquidity Risk Management Information Framework and Treatment Liquidity risk is defined as the likelihood of the institution not being able to effectively honor its expected and unexpected obligations, current and future, including those from guarantees commitment, without affecting its daily operations or incurring in significant losses. In line with the fundraising strategy, Itaú Unibanco has diversified and stable sources of funding available, monitored through concentration and maturity indicators, in order to mitigate liquidity risks, in accordance with the institution’s risk appetite. The governance of the liquidity risk management is based on advisory boards, subordinated to the Board of Directors or the executive structure of Itaú Unibanco. Such boards establish the institution’s risk appetites, define the limits related to the liquidity control and monitor the liquidity indicators. The control of the liquidity risk is carried out by an area that is independent of the business areas, responsible for defining the composition of the reserve, estimating the cash flow and the exposure to liquidity risk in different time horizons and monitoring short and long term liquidity indicators (LCR and NSFR respectively). In addition, it proposes minimum limits to absorb losses in stress scenarios for each country where Itaú Unibanco operates and reports any non-compliance to the competent authorities. All activities are subject to verification by the independent validation, internal controls and audit departments. Additionally, and pursuant to the requirements of Resolution 4,557, BACEN Circular 3,749 and Circular 3,869, the Liquidity Risk Statement (DRL—LCR) and the Long Term Liquidity Statement (DLP—NSFR) are monthly sent to BACEN. Finally, the following items are periodically prepared and submitted to senior management for monitoring and decision support: Stress of liquidity indicators based on macroeconomic scenarios, simulation of reverse stress based on risk appetite, and projection of the main liquidity indicators to support decisions; Contingency and recovery plans for crisis situations, with actions that provide for a gradation according to the level of criticality determined by the easiness of implementation, taking into account the characteristics of the local market in which it operates, seeking a rapid restoration of liquidity indicators; Reports and graphs that describe risk positions; Concentration indicators of funding providers and time. The document that details the liquidity risk control institutional policy is on the Investor Relations website https://www.itau.com.br/investor-relations,section “Itaú Unibanco”, under “Corporate Governance”, “Rules and Policies, Reports”. _____________________________________________________________________________________________ Itaú Unibanco 24 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ LIQ1: Liquidity Coverage Ratio (LCR) Itaú Unibanco has High Quality Liquidity Assets (HQLA) that amounted to R$ 307.3 billion on average for the quarter, mainly composed of Sovereign Securities, Central Bank Reserves and Cash. Net Cash Outflows amounted to R$ 193.1 billion on average for the quarter, which are mostly comprised of Retail Funding, Wholesale, Additional Requirements, Contractual and Contingent Obligations, offset by Cash inflows from loans and other Cash inflows. The table shows that the average LCR in the quarter is 159.1%, above the limit of 100% and therefore the institution has high quality liquidity resources comfortably available to support the losses in the standardized stress scenario for the LCR. _____________________________________________________________________________________________ Itaú Unibanco 25 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ LIQ2: Net Stable Funding Ratio (NSFR) Itaú Unibanco has an Available Stable Funding (ASF) amounted to R$ 1,017.0 billion in the 4 quarter, mainly composed of Capital, Retail Funding and Wholesale. In addition, the Required Stable Funding (RSF) amounted to R$ 839.8 billion _____________________________________________________________________________________________ Itaú Unibanco 26 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ in the 4 quarter, which is mostly composed of loans and financing granted to wholesale, retail, central economies and central bank operations. The table shows that the NSFR at the end of the quarter is 121.1%, above the limit of 100%, and therefore the institution has Available Stable Funding to support the Required Stable Funding comfortably in the long-term, according to the metric. Credit Risk CRA: Qualitative information on credit risk management Itaú Unibanco defines credit risk as the risk of loss associated with: failure by a borrower, issuer or counterparty to fulfill their respective financial obligations as defined in the contracts; value loss of credit agreements resulting from deterioration of the borrower’s, issuer’s or counterparty’s credit rating; reduction of profits or income; benefits granted upon subsequent renegotiations; or debt recovery costs. The management of credit risk is intended to preserve the quality of the loan portfolio at levels compatible with the institution’s risk appetite for each market segment in which Itaú Unibanco operates. The governance of credit risk is managed through corporate bodies, which report to the Board of Directors or to the Itaú Unibanco executive structure. Such corporate bodies act primarily by assessing the competitive market conditions, setting the credit limits for the institution, reviewing control practices and policies, and approving these actions at the respective authority levels. The risk communication and reporting process, including disclosure of institutional and supplementary policies on credit risk management, are also function of this structure. Itaú Unibanco manages the credit risk to which it is exposed during the entire credit cycle, from before approval, during the monitoring process and up to the collection or recovery phase, with the periodic monitoring of troubled assets, which are defined as: Overdue Transactions for more than 90 days; Restructured Operations for Troubled Assets; Counterparties that present inability to pay, whether by legal measures, bankruptcy, loss, among others; Significant deterioration in credit quality, which can be identified by deterioration in internal rating metrics, guarantees honored, overdue exposure, among others. Additionally, if it is identified that a CNPJ may contaminate the counterparties, they may be marked as Troubled Assets. The monitoring contains information on significant exposures, including recovery history and prospects, as well as restructuring information. These analyzes are generated monthly for executives and quarterly for the Board of Directors through the Risk and Capital Management Committee (CGRC). There is a credit risk management and control structure, centralized and independent of the business units which defines operational limits, risk mitigation mechanisms and processes, and instruments to measure, monitor and control the credit risk inherent to all products, portfolio concentrations and impacts to potential changes in the economic environment. Such structure is subjected to internal and external auditing processes. The credit’s portfolio, policies and strategies are continuously monitored so as to ensure compliance with the rules and laws in effect in each country. The key assignments of the business units are (i) monitoring of the portfolios under their responsibility, (ii) granting of credit, taking into account current approval levels, market conditions, the macroeconomic prospects and changes in markets and products, and (iii) credit risk management aimed at making the business sustainable. _____________________________________________________________________________________________ Itaú Unibanco 27 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Itaú Unibanco’s credit policy is based on internal factors, such as: client rating criteria, performance and evolution of the portfolio, default levels, return rates and allocated economic capital, among others; and also take into account external factors such as: interest rates, market default indicators, inflation and changes in consumption, among others. With respect to individuals, small and medium companies, retail public, the credit ratings are assigned based on statistical application (in the early stages of relationship with a customer) and behavior score (used for customers with whom Itaú Unibanco already has a relationship) models. For wholesale public, the classification is based on information such as the counterparty’s economic and financial situation, its cash-generating capacity, and the business group to which it belongs, the current and prospective situation of the economic sector in which it operates. Credit proposals are analyzed on a case-by-case basis through the approval governance. The concentrations are monitored continuously for economic sectors and largest debtors, allowing preventive measures to be taken to avoid the violation of the established limits. Itaú Unibanco also strictly controls credit exposure to clients and counterparties, acting to reverse occasional limit breaches. In this sense, contractual covenants may be used, such as the right to demand early payment or require additional collateral. To measure credit risk, Itaú Unibanco takes into account the probability of default by the borrower, issuer or counterparty, the estimated amount of exposure in the event of default, past losses from default and concentration of borrowers. Quantifying these risk components is part of the lending process, portfolio management and definition of limits. The models used by Itaú Unibanco are independently validated, to ensure that the databases used in constructing the models are complete and accurate, and that the method of estimating parameters is adequate. Itaú Unibanco also has a specific structure and processes aimed at ensuring that other aspects of credit risk, such as country risk, are managed and controlled, described in the item “Other Risks”. In compliance with CMN Resolution 4,557, the document “Public Access Report—Credit Risk,” which describes the guidelines established in the institutional ruling on credit risk control, can be viewed on the website www.itau.com.br/investor-relations, section “Itaú Unibanco”, under “Corporate Governance”, “Rules and Policies”, “Reports”. CR1: Credit Quality of Asset _____________________________________________________________________________________________ Itaú Unibanco 28 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CR2: Changes in Stock of defaulted loans and debts securities CRB: Additional disclosure related to the credit quality of assets The tables below contain additional disclosure related to the credit quality exposures reported in the table CR1. Where is informed breakdown of exposures by geographical area, industry and defaulted exposures. In addition, the total exposures by residual maturity by delay range, the total of restructured exposures and the percentage of the ten and one hundred largest exposures are reported. _____________________________________________________________________________________________ Itaú Unibanco 29 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Exposure by industry Exposure by remaining maturity _____________________________________________________________________________________________ Itaú Unibanco 30 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Overdue exposures Exposure by geographical area in Brazil and by country _____________________________________________________________________________________________ Itaú Unibanco 31 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Largest debtors exposures Restructured exposures CRC: Qualitative disclosure related to Credit Risk Mitigation techniques Itaú Unibanco uses guarantees to increase its recovery capacity in operations subject to credit risk. The guarantees used can be financial, credit derivatives, fiduciary, real, legal structures with mitigation power and offsetting agreements. For these guarantees to be considered as credit risk mitigating instruments, it is necessary that they comply with the requirements and determinations of the that regulate them, whether internal or external, and that they are legally enforceable (effective), enforceable and regularly evaluated. The information regarding the possible concentration associated with the mitigation of credit risk considers these different mitigating instruments, segregating by type and by provider. For reasons of confidentiality, the institution determines the non-disclosure of information beyond the classification of the type of guarantor, but ensuring adherence to the general requirements. Financial Guarantees: the borrower or third party highlights a financial asset (deposits, bonds, shares, shares of low-risk equity, among others), in such a way as to guarantee the creditor’s reimbursement in case of default. Fiduciary Guarantees and credit derivatives: a third party assumes the responsibility for fulfilling the obligation contracted by the debtor, which falls on the general equity of that third party. Avals, sureties and CDS are examples of these guarantees. Fiduciary guarantees are segregated into the following providers: Legal Entities; Multilateral Development Entities (EMD); Financial Institutions, Sovereigns, National Treasury or Central Bank. Itaú Unibanco also uses credit derivatives to mitigate the credit risk of its securities portfolios. These instruments are priced based on models that use the fair price of market variables, such as credit spreads, recovery rates, correlations and interest rates. They are also segregated into: Legal Entities; Multilateral Development Entities (EMD); Financial Institutions and Sovereigns. _____________________________________________________________________________________________ Itaú Unibanco 32 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Real Guarantees: the borrower himself or a third party highlights an asset or a set of assets, movable or immovable, in such a way as to guarantee the reimbursement of the creditor in case of default. Examples of instruments and assets: mortgages on real estate, pledge of goods, fiduciary sale of real estate, vehicles, machinery and equipment. These guarantees are segregated by type: financial collateral, bilateral contracts and assets. Clearing and Settlement of Obligations Agreement and legal structures with mitigating power: the clearing agreement aims to reduce the risk of credit exposure of one party to the other, resulting from transactions entered into between them, so that, in case of maturity, after offsetting, the net amount owed by the debtor to the creditor is identified. It is commonly used in derivative transactions, but it can also cover other types of financial transactions. In legal structures with mitigation power and compensation agreements, mitigation is based on methodologies established and approved by the business units responsible for credit risk management and by the centralized credit risk control area. Such methodologies consider factors related to the legal enforceability of the guarantees, the costs necessary for such and the expected value in the execution, taking into account the volatility and liquidity of the market. To control the mitigating instruments, there is periodic monitoring that monitors the level of compliance with the use of each instrument when compared to internal measurement policies, even including corrective action plans when there is noncompliance, analyzing concentration, types, providers, formalization. The parameters used are: HE (Haircut of execution) which evaluates the probability of success in executing the guarantee, HV (Volatility Haircut) represents the liquidity of the collateral being offered, and LMM (Maximum Mitigation Limit) which is the mitigation ceiling for real guarantees. CR3: Credit Risk mitigation techniques—overview(1) Increase in credit concession mainly observed in the lines of companies and in retail, in credit card. In debt securities the main variation comes from the reduction in exposures to central governments partially offset by the growth in private securities. _____________________________________________________________________________________________ Itaú Unibanco 33 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CR4: Standardized Approach – Credit Risk exposure and credit risk mitigation effects CR5: Standardized Approach – exposures by asset classes and risk weights The increase in the total exposure in tables CR4 and CR5 occurred mainly in the in the corporates and retail exposures and was partially offset by the reduction in exposures linked to governments and central banks. Counterparty Credit Risk (CCR) CCRA: Qualitative disclosure related to CCR Counterparty credit risk is the possibility of noncompliance with obligations related to the settlement of transactions that involve the trading of financial assets with a bilateral risk. It encompasses derivative financial instruments, settlement pending transactions, securities lending and repurchase transactions. Itaú Unibanco has well-defined rules for calculating its managerial and regulatory exposure to this risk, and the models developed are used both for the governance of consumption of limits and management of counterparties sub-limits, as well as for the allocation of capital, respectively. _____________________________________________________________________________________________ Itaú Unibanco 34 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ The managerial volatility of the potential credit risk (PCR) of derivatives (interpreted as the amount of potential financial exposure that an operation can reach until its maturity) and the volatility of repurchase agreements and foreign exchange transactions are monitored periodically to maintain the exposure at levels considered acceptable by the institution’s management. The risk may be mitigated by the use of margin call, initial margin or other mitigating instrument. Currently, Itaú Unibanco does not have impact in the amount of collateral that the bank would be required to provide given a credit rating downgrade. The regulatory exposures of counterparty credit risk are presented as follows. CCR1: Analysis of CCR exposures by approach CCR3: Standardised approach – CCR exposures by regulatory portfolio and risk weights In the tables CCR1 and CCR3 there was a decrease in the exposure of repo operations mainly in central governments and central banks and in financial institutions and others authorized by the Central Bank of Brazil. _____________________________________________________________________________________________ Itaú Unibanco 35 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CCR5: Composition of collateral for CCR exposures CCR6: CCR associated with credit derivatives exposures _____________________________________________________________________________________________ Itaú Unibanco 36 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CCR8: CCR associated with Exposures to central counterparties Decrease in non-segregated initial margin. Securitisation Exposures SECA: Qualitative disclosure requirements related to securitisation exposures Currently, Itaú Unibanco coordinates and distributes issues of securitized securities in the capital market with or without a firm placement guarantee. In case of exercising the firm guarantee, the bank will assume the risk as an investor in the operation. Itaú Unibanco does not act as a sponsoring counterpart of any specific purpose company with the objective of operating in the securitisation market, nor does it manage entities that acquire securities issued or originated by their own. In relation to accounting, it should be noted that (i) assets representing third-party securitisations are accounted for as well as other assets owned by the Bank, according to the brazilian accounting standards; and (ii) securitisation credits originating from Itaú Unibanco’s own portfolio remain accounted for in cases of credit assignment with co-obligation. In 2021, Itaú Unibanco did not carry out the sale of credit assets without substantial risk retention and did not assign exposures with substantial risk retention, which have been honored, repurchased or written off as loss. _____________________________________________________________________________________________ Itaú Unibanco 37 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ SEC1: Securitisation exposures in the banking book SEC2: Securitisation exposures in the trading book In Itaú Unibanco’s current securitization portfolio, there are no exposures to be reported in table SEC2. SEC3: Securitisation exposures in the banking book and associated regulatory capital requirements – bank acting as originator or as sponsor In Itaú Unibanco’s current securitization portfolio, there are no exposures to be reported in table SEC3. SEC4: Securitisation exposures in the banking book and associated capital requirements—bank acting as investor _____________________________________________________________________________________________ Itaú Unibanco 38 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Market Risk MRA: Qualitative disclosure requirements related to market risk Market risk is the possibility of losses resulting from fluctuations in the market values of positions held by a financial institution, including the risk of operations subject to variations in foreign exchange rates, interest rates, equity and commodity prices, as set forth by CMN. Price Indexes are also treated as a risk factor group. The institutional policy for market risk is in compliance with Resolution 4,557 and establishes the management structure and market risk control, which has the function of: Provide visibility and comfort for all senior management levels that market risks assumed must be in line with Itaú Unibanco risk-return objectives; Provide a disciplined and well informed dialogue on the overall market risk profile and its evolution over time; Increase transparency as to how the business works to optimize results; Provide early warning mechanisms to facilitate effective risk management, without obstructing the business objectives; and Monitoring and avoiding the concentration of risks. Market risk is controlled by an area independent of the business units, which is responsible for the daily activities: (i) measuring and assessing risk, (ii) monitoring stress scenarios, limits and alerts, (iii) applying, analyzing and stress testing scenarios, (iv) reporting risk to the individuals responsible in the business units, in compliance with Itaú Unibanco´s governance, (v) monitoring the measures needed to adjust positions and/or risk levels to make them viable, and (vi) supporting the secure launch of new financial products. The market risk management framework categorizes transactions as part of either the Trading Book or the Baking Book, in accordance with general criteria established by CMN Resolution 4,557 and BACEN Circular 3,354. Trading Book is composed of all trades with financial and commodity instruments (including derivatives) undertaken with the intention of trading. Banking Book is predominantly characterized by portfolios originated from the banking business and operations related to balance sheet management, are intended to be either held to maturity, or sold in the medium and in the long term. The market risk management is based on the following key metrics: Value at Risk (VaR): a statistical metric that quantifies the maximum potential economic loss expected in normal market conditions, considering a defined holding period and confidence interval; Losses in Stress Scenarios (Stress Testing): a simulation technique to evaluate the impact, in the assets, liabilities and derivatives of the portfolio, of various risk factors in extreme market situations (based on prospective and historic scenarios); Stop Loss: metrics that trigger a management review of positions, if the accumulated losses in a given period reach specified levels; Concentration: cumulative exposure of certain financial instrument or risk factor calculated at market value (“MtM—Mark to Market”); and _____________________________________________________________________________________________ Itaú Unibanco 39 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Stressed VaR: statistical metric derived from VaR calculation, aimed at capturing the biggest risk in simulations of the current trading portfolio, taking into consideration the observable returns in historical scenarios of extreme volatility. In addition to the risk metrics described above, sensitivity and loss control measures are also analyzed. They include: Gap Analysis: accumulated exposure of the cash flows by risk factor, which are marked-to-market and positioned by settlement dates; Sensitivity (DV01 – Delta Variation Risk): impact on the market value of cash flows when a 1 basis point change is applied to current interest rates or on the index rates; and Sensitivities to Various Risk Factors (Greeks): partial derivatives of a portfolio of options on the prices of the underlying assets, implied volatilities, interest rates and time. In an attempt to fit the transactions into the defined limits, Itaú Unibanco hedges its client transactions and proprietary positions, including investments overseas. Derivatives are the most commonly used instruments for carrying out these hedging activities, and can be characterized as either accounting or economic hedge, both of which are governed by institutional regulations at Itaú Unibanco. The structure of limits and alerts is in alignment with the board of directors’ guidelines, being reviewed and approved on an annual basis. This structure extends to specific limits and is aimed at improving the process of risk monitoring and understanding as well as preventing risk concentration. Limits and alerts are calibrated based on projections of future balance sheets, stockholders’ equity, liquidity, complexity and market volatility, as well as the Itaú Unibanco’s risk appetite. The consumption of market risk limits is monitored and disclosed daily through exposure and sensitivity maps. The market risk area analyzes and controls the adherence of these exposures to limits and alerts and reports them timely to the Treasury desks and other structures foreseen in the governance. Itaú Unibanco uses proprietary systems to measure the consolidated market risk. The processing of these systems takes place in an access-controlled environment, being highly available, which has data safekeeping and recovery processes, and counts on an infrastructure to ensure the continuity of business in contingency (disaster recovery) situations. _____________________________________________________________________________________________ Itaú Unibanco 40 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ MR1: Market risk under standardized approach The variations observed in the Market Risk-Weighted Assets were not significant. MRB: Qualitative disclosures on market risk in the Internal Models Approach (IMA) In the internal models approach, the stressed VaR and VaR models are used. These models are applied to operations in the Trading Book and Banking Book. For the Trading Book, the risk factors considered are: interest rates, inflation rates, exchange rates, stocks and commodities. For the Banking Book, exchange rates and commodities are considered. The VaR and stressed VaR models are used in the companies of the Prudential Conglomerate that are presented in the following table: _____________________________________________________________________________________________ Itaú Unibanco 41 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ _____________________________________________________________________________________________ Itaú Unibanco 42 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Itaú Unibanco, for regulatory purposes, uses the historical simulation methodology to calculate the VaR and Stressed VaR. This methodology uses the returns observed in the past to calculate the gains and losses of a portfolio over time, with a 99% confidence interval and a holding period of at least 10 days. On December 31, 2021, VaR represented 56% of the capital requirement, while the stressed VaR represented 44%. The same methodology is used for management purposes, that is, there are no differences between the managerial and regulatory models. In relation to the VaR model, the historical returns are daily updated. Itaú Unibanco uses in its VaR model both the unweighted approach, in which historical data have the same weight, and the weighted by the volatility of returns. For the calculation of volatilities, the Exponentially Weighted Moving Average method is used. The Historical VaR methodology with 10-day maintenance periods assumes that the expected distribution for possible losses and gains for the portfolio can be estimated from the historical behavior of the returns of the market risk factors to which this portfolio is exposed. The returns observed in the past are applied to current operations, generating a distribution of probability of losses and simulated gains that are used to estimate the Historical VaR, according to the 99% confidence level and using a historical period of 1,000 days. Losses and gains from linear operations are calculated by multiplying mark-to-market by returns, while non-linear operations are recalculated using historical returns. The returns used in simulating the movements of risk factors are relative. Regarding the Stressed VaR model, the calculation is performed for a time horizon of 10 working days, considering the 99% confidence level and simple returns in the historical period of one year. The historical stress period is periodically calculated for the period since 2004 and can be revised whenever deemed necessary. This can occur when the composition of Itaú Unibanco’s portfolios changes significantly, when changes are observed in the results of the simulation of historical returns or when a new market crisis occurs. Losses and gains from linear operations are calculated by multiplying mark to market by returns, while non-linear operations are recalculated using historical returns. In addition to the use of VaR, Itaú Unibanco carries out daily risk analysis in extreme scenarios through a diversified framework of stress tests, in order to capture potential significant losses in extreme market situations. The scenarios are based on historical, prospective crises and predetermined shocks in risk factors. One factor that has a great influence on the results of the tests, for example, is the correlation between the assets and the respective risk factors, and this effect is simulated in several ways in the various scenarios tested. In order to identify its greatest risks and assist in the decision-making of treasury and senior management, the results of stress tests are assessed by risk factors, as well as on a consolidated basis. The effectiveness of the VaR model is proven by backtesting techniques, by comparing hypothetical and actual daily losses and gains, with the estimated daily VaR, according to BACEN Circular 3,646. The number of exceptions to the established VaR limits must be compatible, within an acceptable statistical margin, with three different confidence intervals (99%, 97.5% and 95%), in three different historical windows (250, 500 and 750 working days). This includes nine different samples, therefore ensuring the statistical quality of the historical VaR hypothesis. Itaú Unibanco has a set of processes, which are periodically executed by the internal control teams, whose objective is to independently replicate the metrics that influence market risk capital by internal models. In addition to the results of the periodic processes, Itaú Unibanco assesses the process of measuring time horizons by risk factors and the estimate of the stress period for calculating the stressed VaR. The validation of the internal model includes several topics considered essential for the critical analysis of the model, such as, the evaluation of the model’s limitations, the adequacy of the parameters used in the volatility estimate and the comprehensiveness and reliability of the input data. _____________________________________________________________________________________________ Itaú Unibanco 43 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ MR2: RWA flow statements of market risk exposures under an IMA Exposures subject to market risk The following table presents the exposures subject to market risk in the internal models approach, for calculating the capital requirement. The decrease in RWAMINT compared to the previous quarter was mainly due to the reduction in the risk levels of the positions held by Itaú Unibanco. MR3: IMA values for trading portfolios The following table presents the VaR and stressed VaR values determined by the internal market risk models. VaR increased in relation to the previous quarter due to increased volatility in interest rates. Stressed VaR decreased compared to the previus quarter duo to the lower level of risk in equities.     _____________________________________________________________________________________________ Itaú Unibanco 44 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ MR4: Comparison of VaR estimates with gains/losses Backtesting The effectiveness of the VaR model is validated by backtesting techniques, comparing daily hypothetical and actual results with the estimated daily VaR. The daily VaR is calculated over a one-day maintenance horizon, according to the 99% confidence level and using a historical period of 1,000 days. The percentage of capital requirement associated with this model is 100%. The backtesting analysis presented below considers the ranges suggested by the Basel Committee on Banking Supervision (BCBS). The ranges are divided into: Green (0 to 4 exceptions): backtesting results that do not suggest any problem with the quality or accuracy of the adopted models; Yellow (5 to 9 exceptions): intermediate range group, which indicates an early warning monitoring and may indicate the need to review the model; and Red (10 or more exceptions): need for improvement actions. The following chart shows the comparison between VaR and actual and hypothetical results: The exceptions in relation to the hypothetical results occurred on 10/19/2021 and 10/21/2021, in the amounts of R$ 37,7 and R$ 7,9 million, respectively. These excesses were caused by the increased level of local interest market volatility. In relation to the actual results, the exceptions also ocurred on 10/19/2021 and 10/21/2021, in the amounts of R$ 23,2 and R$ 3,5 million, respectively. These excesses were caused by the increased level of local interest market volatility. The actual results do not include fees, brokerage fees and commissions. There are no profit reserves. _____________________________________________________________________________________________ Itaú Unibanco 45 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Total Exposure associated with Derivatives The main purpose of the derivative positions is to manage risks in the Trading Book and in the Banking Book in the corresponding risk factors. Derivatives: Trading and Banking IRRBBA: IRRBB risk management objectives and policies BACEN’s (Central Bank of Brazil) Circular 3,876, published in January 2018, states on methodologies and procedures for evaluation of the capital adequacy, held to cover interest rates risk from instruments held in the banking book. For the purposes of this Circular, are defined: â^†EVE (Delta Economic Value of Equity) is defined as the difference between the present value of the sum of repricing flows of instruments subject to IRRBB in a base scenario, and the present value of the sum of repricing flows of the same instruments in an interest-rate shocked scenario; â^†NII (Delta Net Interest Income) is defined as the difference between the result of financial intermediation of instruments subject to IRRBB in a base scenario, and the result of financial intermediation of the same instruments in an interest-rate shocked scenario. The sensibility analysis introduced here are just a static evaluation of the portfolio interest rate exposure, and, therefore, don´t consider the dynamic management of the treasury desk and risk control areas, which hold the responsibility for measures to mitigate risk under an adverse situation, minimizing significant losses. Moreover, it is highlighted, though, the results presented do not translate into accountable or economic results for certain, because this analysis has, only, an interest rate risk disclosure purpose and to demonstrate the principle protection actions, considering the instruments fair value, apart from any accounting practices adopted by Itaú Unibanco. The institution uses an internal model to measure â^†EVE and â^†NII. â^†EVE results do not represent immediate impact in the stockholders’ equity. Meanwhile, â^†NII results indicate potential volatility in the projected interest rates results. In compliance with the circular 3,876, the following demonstrates qualitative and quantitative details of risk management for IRRBB in Itaú Unibanco. Framework and Treatment Interest rate risk in the banking book refers to the potential risk of impact on capital sufficiency and/or on the results of financial intermediation due to adverse movements in interest rates, taking into account the principal flows of instruments held in the banking book. _____________________________________________________________________________________________ Itaú Unibanco 46 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ The main point of assets and liabilities management is to maximize the risk-return ratio of positions held in the banking book, taking into account the economic value of these assets/liabilities and the impact on actual and future bank’s results. The interest rate risk managing on transactions held in the banking book occurs within the governance and hierarchy of decision-making bodies and under a limits structure and alerts approved specifically for these purpose, which is sensitive due to different levels and classes of market risk. The management structure of IRRBB has it owns risk policies and controls intended to ensure adherence to the bank’s risk appetite. The IRRBB framework has granular management limits for several other risk metrics and consolidated limits for â^†EVE and â^†NII results, besides the limits associated with stress tests. The asset and liability management unit is responsible for managing timing mismatches between asset and liability flows, and minimizes interest rate risk by through strategies as economic hedge and accounting hedge. All the models associated with IRRBB have a robust independent validation process and are approved by a CTAM (Technical Model Assessment Commission). In addition, all the models and processes are assessed by internal audit. The interest rate risk framework in the banking book uses management measurements that are calculated daily for limit control. The â^†EVE and â^†NII metrics are calculated according to the risk appetite limits and the other risk metrics in terms of management risk limits. In the process of managing interest rate risk of the banking book, transactions subject to automatic options are calculated according to internal market models which split the products, as far as possible, into linear and non-linear payoffs. The linear payoffs are treated similarly to any other instruments without options, and for non-linear payoffs an additional value is computed and added on the â^†EVE and â^†NII metrics. In general terms, transactions subject to behavioral options are classified as deposits with no contractual maturity date defined or products subject to early repayment. Non-maturity deposits are classified according to their nature and stability to guarantee compliance with regulatory limits. A survival analysis model treats the products subject to prepayment, using the historical dataset to calibrate its parameters. The instruments flows with homogeneous characteristics are adjusted by specific models to reflect, in the most appropriate way, the repricing flows of the instruments. The banking book consists of asset and liability transactions originating in different commercial channels (retail and wholesale) of Itaú Unibanco. The market risk exposures inherent in the banking book consists of various risk factors, which are primary components of the market in price formation. IRRBB also includes hedging transactions intended to minimize risks deriving from strong fluctuations of market risk factors and their accounting asymmetries. Market risk generated from structural mismatches is managed by a variety of financial instruments, such as exchange-traded and over-the-counter derivatives. In some cases, operations using derivative financial instruments can be classified as accounting hedges, depending on their risk and cash flow characteristics. In these cases, the supporting documentation is analyzed to enable the effectiveness of the hedge and other changes in the accounting process to be continuously monitored. The accounting and administrative procedures for hedging are defined in BACEN Circular 3,082. The IRRBB model includes a series of premises: â^†EVE and â^†NII are measured on the basis of the cash flows of the banking book instruments, broken down into their risk factors to isolate the effect of the interest rate and the spread components; _____________________________________________________________________________________________ Itaú Unibanco 47 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ For non-maturity deposits, the models are classified according to their nature and stability and distributed over time considering the regulatory limits; The institution uses survival analysis models to handle credit transactions subject to prepayment, and empirical models for transactions subject to early redemption; The medium-term repricing attributed to non-maturity deposits is defined as 1.71 years; The maximum-term repricing attributed to non-maturity deposits is defined as 30.00 years. The article 16 of the BCB Resolution 54 defines the need to publish â^†EVE and â^†NII, using the standard shock scenarios described in article 11 of the BACEN Circular 3,876. The table below are presented the main results due the change in the interest rates over the banking book in the standardized scenarios. It is important to note that, following the normative rules, the potential losses are represented by positive values and potential gains by negative values (between parentheses). Parallel Up: increasing in the short-term and in the long-term interest rates; Parallel Down: decreasing in the short-term and in the long-term interest rates; Short-term increase: increasing in the short-term interest rates; Short-term reduction: decreasing in the short-term interest rates; Steepener: decreasing in the short-term interest rates and increasing the in the long-term interest rates; Flattener: increasing in the short-term interest rates and decreasing the in the long-term interest rates. _____________________________________________________________________________________________ Itaú Unibanco 48 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ IRRBB1 – Quantitative information on IRRBB Potential Loss of Instruments Classified in the Banking Book arising from Interest Rate Variation Scenarios(1) (Losses are represented by positive values, while gains are represented by negative values between parentheses) For the outlier test, the maximum variation of the â^†EVE, with standardized shocks was R$ 10,406 million as of December 31, 2021, corresponding to a potential loss of 6.94% of Tier I, which is less than 15%—percentage that defines the institution as outlier (according to Art. 44 of Circular 3,876). The â^†NII, with internal shocks, for a horizon of a year, has maximum loss of R$ 1,724 million in the Parallel High Scenario. _____________________________________________________________________________________________ Itaú Unibanco 49 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Remuneration of Directors REMA: Compensation Policy Compensation Committee It is incumbent upon the Compensation Committee to promote discussions on our management compensation-related matters. Its duties include, but are not limited to: developing a compensation policy for our management, proposing to the Board of Directors the many forms of fixed and variable compensation, in addition to special benefits and recruitment and termination programs; discussing, examining and overseeing the implementation and operation of existing compensation models, discussing general principles of the compensation policy for our employees and recommending adjustments or improvements to the Board of Directors. The Committee has its own internal charter, approved by the Board of Directors on August 28, 2018, disclosed on the Investor Relations website: www.itau.com.br/investor-relations > Menu > Itaú Unibanco > Corporate Governance > Rules and Policies > Rules > Compensation Committee Internal Charter. Composition of Compensation Committee Name Election date Taxpayer ID (CPF) Term of office Position held Number of Date of birth consecutive terms o office Geraldo José Carbone Independent Committee member 29/04/2021 (and non-administrator, under the 952.589.818-00 Annual terms of CMN Resolution 3.921) 02/08/1956 (effective) 4 Candido Botelho Bracher 29/04/2021 Independent Committee member 039.690.188-38 Annual (effective) 05/12/1958 1 João Moreira Salles 29/04/2021 295.520.008-58 Committee member (effective) Annual 11/04/1981 1 Roberto Egydio Setubal 29/04/2021 007.738.228-52 Chairman of the Committee Annual 13/10/1954 5 Compensation governance Our compensation strategy adopts clear and transparent processes, aimed at complying with applicable regulation and the best national and international practices, as well as at ensuring consistency with our risk management policy. _____________________________________________________________________________________________ Itaú Unibanco 50 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Formally approved on August 23, 2021 by the Board of Directors, our compensation policy is revised annually by the Compensation Committee, and is aimed at consolidating our compensation principles and practices to attract, reward, retain and motivate management members and employees in the sustainable running of business, subject to proper risk limits and always in line with the stockholders’ interests. Annually, the Compensation Committee evaluates and, if necessary, proposes improvements to the Compensation Policy. After this careful analysis by the Compensation Committee, the Policy is submitted to the Board of Directors’ evaluation. In 2017, the Extraordinary General Stockholders’ Meeting approved the formalization and ratification of the Stock Grant Plan (“Stock Grant Plan”) to consolidate general rules in connection with long-term incentive programs involving stock grant to management members and employees of the Issuer and of its direct and indirect controlled companies, as set forth by CVM Instruction No. 567/15. Among the programs mentioned in the Stock Grant Plan, managed by the Compensation Committee and with the Issuer’s management members as target audiences, we highlight the Variable Stock-Based Compensation, the Fixed StockBased Compensation (for members of the Board of Directors only), and the Partners, those also included in the information provided along the REMA table. The Stock Grant Plan is available on: www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Grant Plan. In order to bring more transparency about our compensation model, since 2020 we started to disclosure a document that consolidates the main practices and principles that guide the compensation payment to our management members. This document, named Remuneration Policy, makes public the bases of our remuneration model and is available at www.itau.com.br/investor-relations > Itaú Unibanco > Corporate Governance > Rules and Policies > Grant Plan. Additionally, since 2019 the Compensation Committee determined that Executive Committee members should retain the ownership of a minimum number of the Issuer’s shares equivalent to ten times the annual fixed compensation of the CEO and to five times the annual fixed compensation of the other members. Until December 31, 2021, the CEO and most of the Executive Committee members comply with the minimum ownership requirement. The requirement must be accomplished up to five years after taking up their functions. For 2022, the requirement remains the same. The new members of the Executive Committee and the CEO must comply with the requirement in up to five years. The Issuer also provides a Plan for Granting Stock Option (“Stock Option Plan”) to its management members and employees, as well as to the management members and employees of its controlled companies, allowing the alignment of the interests of management members to those of stockholders, as they share the same risks and gains due to their share appreciation. No option has been granted under our Stock Option Plan since 2012. For further information on Changes in the Plan, please see Note 20 to the financial statements under IFRS. The Personnel Committee is responsible for making institutional decisions and supervising the Stock Option Plan implementation and operation. For further information on the responsibilities and functions of the Personnel Committee and the Compensation Committee, please see item 12.1 of the Reference Form available on www.itau.com.br/investor.relations > Menu > Reports > CVM > Reference Form. Compensation Policy – Compensation composition _____________________________________________________________________________________________ Itaú Unibanco 51 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ We adopt compensation and benefits strategies that vary according to the area of operation and market parameters. We periodically check these parameters through: hiring of salary surveys, carried out by specialized consultants; participation in research carried out by other banks; and participation in forums specialized in remuneration and benefits. The fixed compensation of the Board of Directors and the Executive Board, as well as the benefits plan granted to the executive officers, are not impacted by performance indicators. Fiscal Council: member of the Fiscal Council are paid monthly fixed compensation amount only and are not eligible for the benefit plan. Additionally, in accordance with applicable legislation, compensation members of the Fiscal Council _____________________________________________________________________________________________ Itaú Unibanco 52 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ may not be lower, for each acting member, than 10% of the fixed compensation assigned to each officer (i.e., not including benefits, representation allowances and profit sharing). Audit Committee: The members of the Audit Committee are paid monthly fixed compensation amount only are not eligible for the benefit plan. For those members of the Audit Committee who are also part of the Board of Directors, the compensation policy of the Board of Directors is applied. Board of Directors: The monthly fixed compensation is consistent with market practices and periodically revised to attract qualified professionals. Additionally, history and résumé, among other factors, are taken into account. a) Monthly fixed compensation: it is consistent with market practices and revised frequently enough to attract qualified professionals. b) Annual fixed compensation in shares: the annual fixed compensation to the members of the Board of Directors is paid in the Issuer’s preferred shares c) Annual variable compensation in shares: for variable compensation in shares paid to members of the Board of Directors, the compensation follows the same deferral terms, conditions and calculation of the value of shares presented in item “b) ii” below, which describes the delivery of preferred shares of the annual variable compensation. To ensure its compatibility with value creation, this compensation takes into account Itaú Unibanco Holding’s results and may be adjusted by the Compensation Committee. Board of Officers: a) Monthly fixed compensation: it is established in accordance with the position held and based on the internal equality principle, since all officers holding equivalent position earn the same monthly fixed compensation amount, also providing mobility across our different businesses. Fixed compensation amounts are defined considering market competition. b) Annual variable compensation in shares(1) : (1) Within the limits established by legislation, those Officers in charge of internal control and risk departments have their compensation determined irrespectively of the performance of the business areas they control and assess so as to avoid any conflicts of interest. However, even though compensation is not impacted by the results of the business areas, it is still subject to impacts arising from the Company’s results. _____________________________________________________________________________________________ Itaú Unibanco 53 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ b) i. Distribution of annual variable compensation(2): (2) In accordance with Resolution No. 3,921 of the National Monetary Council, a portion of the variable compensation must be deferred b) ii. Delivery of preferred shares related to the annual variable compensation of the Board of Officers: The Issuer establishes, in addition to the annual variable remuneration, which seeks to link the members who receive it to the Issuer’s projects and results, the Partner Program, which aims to align risk management in the short, medium and long term, as well as align the interests of the program participants to those of our shareholders, benefiting them in proportion to the gains obtained by the Issuer and its shareholders. _____________________________________________________________________________________________ Itaú Unibanco 54 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Compensation Policy – stock-based compensation a) General terms and conditions Stock-based payment models are in conformity with the principles pursued by the Issuer, since they tie up management members to the Issuer’s projects and results in the long-term, work as tools that motivate individual development and commitment, and retain management members, as stock-based payments are made in the long term. For illustrative purposes, in this item we provide information about all stock-based compensation models, as follows: (1) shares or stock-based instruments delivered under the Compensation Policy; (2) shares or stockbased instruments delivered under the Partners Program; and (3) options granted under the Plan for Granting Stock Option (“Stock Option Plan”), as described below: (1) Compensation Policy – stock-based compensation Annual fixed compensation in shares: This compensation is paid to the members of the Board of Directors, provided they have fully completed their terms of office. The purpose is to reward the contribution made by each member to the Itaú Unibanco conglomerate. The annual fixed compensation takes into account the history and résumé of members, in addition to market conditions and other factors that may be agreed between the member of the Board of Directors and Itaú Unibanco conglomerate. To calculate the value of the shares used to make up the compensation payable in shares or stock-based instruments, we use the average price of Itaú Unibanco Holding’s preferred shares on B3 – Bolsa, Brasil, Balcão (“B3”) in the thirty (30) days prior to calculation, which will be carried out in the seventh (7th ) business day prior to granting the shares or paying the compensation. The number of shares is calculated and granted every three years, and these shares are delivered proportionally to the number of terms of office completed in the period. Annual variable compensation in shares: _____________________________________________________________________________________________ Itaú Unibanco 55 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ (2) Partners Program Aimed at aligning the interests of our officers and employees to those of our stockholders, this program provides participants with the opportunity to invest in our preferred shares (ITUB4), sharing short-, medium- and long-term risks. This program is aimed at officers and employees in view of their history of contribution, relevant work and also outstanding performance. It has two types of appointments: Holding Partners and Partners. Main differences are as follows: _____________________________________________________________________________________________ Itaú Unibanco 56 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ (3) Stock Option Plan We have a Stock Option Plan through which our officers and employees with outstanding performance are entitled to receive stock options. These options enable them to share the risk of price fluctuations of our preferred shares (ITUB4) with other stockholders and intend to integrate participants of this program into the conglomerate’s development process in the medium- and long-terms. Our Personnel Committee manages the Stock Option Plan, including matters such as strike prices, grace periods and terms of options, in accordance with the rules set forth therein. Options may only be granted to participants if earnings are in sufficient amounts to be distributed as mandatory dividends. No option has been granted under our Stock Option Plan since 2012. For further information on Changes in the Plan, please see Note 20 to the financial statements under IFRS. _____________________________________________________________________________________________ Itaú Unibanco 57 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ For further information on the Stock Option Plan, please see the Investor Relations website: www.itau.com.br/investor-relations > Menu > Itaú Unibanco > Corporate Governance > Rules and Policies > Grant Plan.    b) Main objectives of the plan Stock-based compensation models have the primary purpose of aligning management members’ interests with those of the Issuer’s stockholders, as they share the same risks and earnings provided by their share appreciation. c) How the plan contributes to these objectives Stock-based payment models are intended to motivate management members to contribute to the Issuer’s good performance and share appreciation, as they may actively take part in the results of this appreciation. Accordingly, the institution achieves the objective of the stock-based payment models by engaging management members in the organization’s long-term strategies. Management members, in turn, take part in the appreciation of shares in the Issuer’s capital stock. d) How the plan is inserted in the Issuer’s compensation policy Stock-based payment models are in conformity with the principles pursued by the Issuer, since they (i) tie up management members to the Issuer’s projects and results in the long-term, (ii) work as tools that motivate individual development and commitment, and (iii) retain management members, as stock-based payments are made in the long term. e) How the plan is aligned with the short-, medium- and long-term interests of management members and the Issuer Stock-based payment models are aligned with the interests of the Issuer and management members, since that, by enabling management members to become stockholders of the Issuer, these are encouraged to act from the perspective of being the “owners“ of the business, therefore aligning their interests with those of the stockholders. Additionally, they motivate management members to remain at the Issuer, since general rule dictates that a member leaving the company will lose their rights to stock-based payments (please see sub item “i—Effects of the management member’s leave from the Issuer’s bodies on their rights, as provided for in the stock-based compensation plan”). f) Maximum number of shares covered by the plan In order to limit the maximum dilution to which Stockholders may be subject: the sum of (i) the shares to be used as compensation, in accordance with Resolution No. 3,921 of the National Monetary Council, including those related to the Partners Program and other stock-based compensation programs of the Issuer and its controlled companies; and (ii) the options to be granted each year may not exceed the limit of 0.5% of all Issuer’s shares that stockholders hold at the balance sheet date of the same year. In the event that the number of shares delivered and options granted, in any given year, is below the limit of 0.5% of the total shares as mentioned in the paragraph above, the resulting difference may be added for compensation or option granting purposes in any of the following seven (7) fiscal years. g) Restrictions on the transfer of shares Stock-based compensation: after receiving the shares within one, two or three years, there will be no restrictions to the share transfer. If the executive chooses to invest these shares in the Partners Program as Own Shares, these shares will become unavailable for three and five years from the investment date. Partners Program: after receiving the Partners Shares within three and five years from the initial investment, such shares will become unavailable for five and eight years as from the initial investment date. _____________________________________________________________________________________________ Itaú Unibanco 58 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Stock Option Plan: the availability of shares subscribed by Beneficiaries by exercising the option may be subject to additional restrictions, according to resolutions to be adopted by the Personnel Committee upon grant. Therefore, the percentage of shares that must remain unavailable, as well as the period of this unavailability, will be defined by said Committee. As a rule, the period of this unavailability defined by the committee is two (2) years after the option is exercised. h) Criteria and events that may cause the suspension, amendment or termination of the plan Stock-based compensation: deferred shares may not be delivered in the event of a significant decrease in realized recurring net income of the Issuer or to a negative result of the applicable business area, expect when the reduction or negative result arises from extraordinary, unforeseeable events, external to Itaú Unibanco Holding, which also affect other financial institutions and are not related to the actions or omissions of the management members. The Compensation Committee may decide to apply the malus even in these cases. Additionally, the compensation model may be amended upon approval from the Compensation Committee and the Board of Directors. Partners Program: any Partners Shares still to be received may not be delivered in the event of a significant decrease in realized recurring net income of the Issuer or to a negative result of the applicable business area, expect when the reduction or negative result arises from extraordinary, unforeseeable events, external to Itaú Unibanco Holding, which also affect other financial institutions and are not related to the actions or omissions of the management members. The Compensation Committee may decide to apply the malus even in these cases. Additionally, the Partners Program may be amended upon approval from the Compensation Committee or the Personnel Committee. Stock Option Plan: the Personnel Committee may suspend the exercise of options under justifiable circumstances, such as significant market fluctuations or legal or regulatory restrictions. Additionally, the StockOption Plan may only be amended or terminated if proposed by the Personnel Committee to the Board of Directors and subsequently approved at an Extraordinary Stockholders’ Meeting. i) Effects of the management member’s leave from the Issuer’s bodies on their rights, as provided for in the stock-based compensation plan Stock-based compensation: the general rule when a member leaves is the termination of shares granted but not yet delivered. However, subject to the criteria established in the Compensation Policy, the Personnel Committee may determine the non-termination of these shares. Partners Program: the general rule when a member leaves is the termination of Partners Shares not yet delivered. However, subject to the criteria established in the internal charter, the Personnel Committee may determine the nontermination of these shares. Stock Option Plan: the general rule is that any Beneficiaries managing the Itaú Unibanco conglomerate who resign or are dismissed from position will have their options expired automatically. Management members’ stock options will expire on the date such members cease to exercise their functions on a permanent basis, that is, in the event of a garden leave agreement (the period of leave prior to the formal end of the employment or statutory relationship), these options will expire when said agreement becomes effective. However, the aforementioned automatic expiry may not occur if, for example, this member is dismissed simultaneously to their election as a management member of the Itaú Unibanco conglomerate or if they take up another statutory position in the Itaú Unibanco conglomerate. Additionally, subject to criteria established in the internal charter, the Personnel Committee may choose not to have these options expired. _____________________________________________________________________________________________ Itaú Unibanco 59 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ REM1: Remuneration awarded during the financial year It was considered only the members of the Board of Officers and Board of Directors who are remunerated. REM2: Special payments The sample related to special payments is insufficient to guarantee the confidentiality and, therefore, values have been omitted, under BACEN Resolution 54, art 3. REM3: Deferred remuneration _____________________________________________________________________________________________ Itaú Unibanco 60 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Other Risks Insurance products, pension plans and premium bonds risks Products that compose portfolios of insurance companies of Itaú Unibanco are related to life and elementary insurance, as well as pension plans and premium bonds. The main risks inherent in these products are described below and their definitions are given in their respective chapters. Underwriting Risk: possibility of losses arising from insurance products, pension plans and premium bonds that go against institution’s expectations, directly or indirectly associated with technical and actuarial bases used for calculating premiums, contributions and technical provisions; Market Risk; Credit Risk; Operational risk; Liquidity risk. In line with domestic and international best practices, Itaú Unibanco has a risk management structure which ensures that risks resulting from insurance, pension and special savings products are properly assessed and reported to the relevant forums. The process of risk management for insurance, pensions and premium bond plans is independent and focus on the special nature of each risk. The aim of Itaú Unibanco is to ensure that assets serving as collateral for long-term products, with guaranteed minimum returns, are managed according to the characteristics of the liabilities, so that they are actuarially balanced and solvent over the long term. Social and Environmental Risk Itaú Unibanco understands social and environmental risk as the risk of potential losses due to exposure to social and environmental events arising from the performance of its activities, according to CMN Resolution 4,327/14. The Social and Environmental Responsibility and Sustainability Policy (PRSA) establishes the guidelines, strategies and main principles for social and environmental management, starting from institutional issues, and addressing, through specific procedures, the most relevant risks to the institution’s operation. Mitigation actions on social and environmental risk are carried out through the mapping of processes, risks and controls, the monitoring of new regulations on the subject, and the listing of occurrences in internal databases. In addition to identification, the stages of prioritization, risk response, monitoring and reporting of the assessed risks complement the management of this risk at Itaú Unibanco. The management of this risk is carried out by the first line of defense, business areas that manage it in their daily activities, following the PRSA guidelines, manuals and specific procedures supplemented by the specialized assessment of the dedicated teams of Corporate Compliance, Modeling and Credit Risk and Legal and Institutional department, which work integrated in the management of all the dimensions of Social and Environmental Risk linked to the Conglomerate activities. Business units also have the governance for the approval of new products and services, _____________________________________________________________________________________________ Itaú Unibanco 61 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ which includes the social and environmental risk assessment, that ensures the compliance in the new products and processes employed by the institution, as well as with specific social and environmental processes applicable to the institution’s own operation (equity, branch infrastructure and technology), suppliers, credit, investments and key subsidiaries. The second line of defense, in turn, is represented by Modeling and Credit Risk, Internal Controls, as well as Compliance, through the Social and Environmental Risk Management, which supports and ensures the governance of the activities of the first line. The third line of defense, composed of Internal Audit, acts independently, carrying out the mapping and assessment of the risk’s management, controls and governance. The Social and Environmental Risk Governance also includes the Social and Environmental Risk Committee, which is primarily responsible for debating and deciding on institutional and strategic issues, as well as deciding on products, operations, services, among others, that involve Social and Environmental Risk, including Climate Risk. Itaú Unibanco constantly seeks to evolve in the management of social and environmental risk, always attentive to the challenges demands of society. Therefore, among other actions, Itaú Unibanco has assumed and incorporated into Itaú Unibanco’s internal processes a number of national and international voluntary commitments and pacts aimed at integrating social, environmental and governance aspects into Itaú Unibanco business. The main ones are the Principles for Responsible Investment (PRI), the Charter for Human Rights – Ethos, the Equator Principles (EP), the Global Pact, the Carbon Disclosure Project (CDP), the Brazilian GHG Protocol Program, the Pacto Nacional para Erradicação do Trabalho Escravo (National Pact for Eradicating Slave Labor), the Task Force on Climate-Related Financial Disclosures (TCFD), among others. Itaú Unibanco efforts to increase the knowledge of the assessment of the social and environmental criteria have been recognized as models in Brazil and abroad, as shown by the recurring presence of the institution in the major sustainability indexes abroad, such as the Dow Jones Sustainability Index, and recently, in Sustainability Index Euronext Vigeo – Emerging 70, and in Brazil, for example in the Corporate Sustainability Index, as well as the numerous prizes which Itaú Unibanco has been awarded. Model Risk The model risk arises from the incorrect development or maintenance of models, such as mistaken assumptions, and inappropriate use or application of the model. The use of models can lead to decisions that are more accurate and therefore it is a major practice in the institution. The models have supported strategic decisions in several contexts, such as credit approval, pricing, volatility curve estimation, calculation of capital, among others. Due to the increasing use of models, driven by the application of new technologies and the expansion of data use, Itaú Unibanco has improved its governance in relation to its development, implantation, use and monitoring, through the definition of guidelines, policies and procedures aimed at assuring the quality and mitigation of the associated risks. The performance of the areas responsible for models is evaluated by the Operational Risk and Internal Audit teams to ensure adherence to such policies. The opportunities for improvement found during these assessments are duly addressed with action plans, which are followed up by the 3 lines of defense and by senior management until their conclusion. Regulatory or Compliance Risk Regulatory or Compliance risk is the risk associated with any nature, financial losses or damage to reputation, arising from non-compliance with external or internal standards, commitments to regulators, or other commitments undertaken voluntarily by adhering codes of self-regulation, methods or codes of conduct related to the activities of the Conglomerate. _____________________________________________________________________________________________ Itaú Unibanco 62 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ This risk is managed through a structured process aimed at identifying changes in the regulatory environment, analyzing their impacts on the departments of the institution and monitoring the actions directed at adherence to the regulatory requirements and other commitments mentioned above. This structured process includes the following actions: (i) to understand the changes in the regulatory environment; (ii) to monitor regulatory trends; (iii) to care for the relationship between the institution and the regulator, self-regulatory bodies and the representation entity; (iv) to monitor action plans on regulatory or self-regulatory compliance; (v) to coordinate a program to comply with significant norms, such as Integrity and Ethics; and (vi) to report regulatory issues in Operational and Compliance Risk forums, according to the structure of committees established in internal policies. Reputational Risk Itaú Unibanco understands reputational risk as the risk arising from internal practices and/or external factors that may generate a negative perception of Itaú Unibanco by customers, employees, shareholders, investors, regulatory bodies, government, suppliers, the press and the society in general. It can impact the bank’s reputation, the value of its brand and/or result in financial losses. Besides, this can affect the maintenance of existing business relationships, access to sources of fundraising, the attraction of new business and talent to compose the company’s staff or even the license to operate. The institution believes that its reputation is extremely important for achieving its long-term goals, which is why it seeks the alignment of the speech, the action and the ethical and transparent practice, essential to raise the confidence of Itaú Unibanco’s stakeholders. Itaú Unibanco’s reputation depends on its strategy (vision, culture and skills) and derives from direct or indirect experience of the relationship between Itaú Unibanco and its stakeholders. Since the reputational risk directly or indirectly permeates all operations and processes of the institution, Itaú Unibanco’s governance is structured in a way to ensure that potential risks are identified, analyzed and managed still in the initial phases of its operations and analysis of new products, including the use of new technologies. The treatment given to reputational risk is structured by means of many processes and internal initiatives, which, in turn, are supported by internal policies, and their main purpose is to provide mechanisms for the monitoring, management, control and mitigation of the main reputational risks. Among them are (i) risk appetite statement; (ii) process for the prevention and fight against unlawful acts; (iii) crisis management process and business continuity; (iv) processes and guidelines of the governmental and institutional relations; (v) corporate communication process; (vi) brand management process; (vii) ombudsman offices initiatives and commitment to customer satisfaction; and (vii) ethics guidelines and prevention of corruption. Financial institutions play a key role in preventing and fighting illegal acts, in particular money laundering, terrorist financing and fraud, in which the challenge is to identify and suppress increasingly sophisticated operations that seek to conceal the origin, location, disposition, ownership and movement of goods and money derived, directly or indirectly, from illegal activities. Itaú Unibanco has introduced a corporate policy in order to prevent its involvement in illegal acts and to protect its reputation and image towards employees, clients, strategic partners, suppliers, service providers, regulators and society, through a governance structure based on transparency, strict compliance with rules and regulations, including BACEN Circular 3,978/20 among others, and cooperation with police and judicial authorities. It also seeks a continuously alignment with local and international best practices for preventing and fighting against illegal acts, through investing and training eligible employees. In compliance with the guidelines of this corporate policy, Itaú Unibanco established a program to prevent and fight against illegal acts based on the following pillars: Policies and Procedures; _____________________________________________________________________________________________ Itaú Unibanco 63 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Client Identification Process; Know Your Customer (KYC) Process; Know Your Partner (KYP) Process; Know Your Supplier (KYS) Process; Know Your Employee (KYE) Process; Assessment of New Products and Services; Compliance with Sanctions; Monitoring, Selection and Analysis of Suspicious Operations or Situations; Reporting Suspicious Transactions to the Regulatory Bodies; and Training. This program applies to the entire institution, including subsidiaries and affiliates in Brazil and abroad. The preventing and combating unlawful acts governance is carried out by the Board of Directors, Audit Committee, Operational Risk Committee, Risk and Capital Management Commitee and Anti-Money Laundering Committees. The document that presents the guidelines established in the corporate program to prevent and combat unlawful acts may be seen on the www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Policies, Corporate Policy for Prevention and Fight Against Illegal Acts. In addition, Itaú Unibanco has been developing various data analysis models to improve customer risk classification, transaction monitoring and KYC methodology to provide greater accuracy in its analysis and to decrease false-positives. Itaú Unibanco has also been innovating its modeling solutions using new methods based on machine learning techniques to identify potentially suspicious activities. Moreover, Itaú Unibanco is committed to protecting corporate information and ensuring client and general public privacy in any transactions. To this end, it has a Corporate Information Security Policy and Cyber Secutity and has a monitoring process and a control structure that covers technology, business areas and international units, adhering to principal regulatory bodies and external audits, and best market practices and certifications. Additionally, a Security Operation Center (SOC) that works 24/7 contributes to the cyber security of Itaú Unibanco’s electronic channels and IT infrastructure, to the monitoring of operations and thus the minimization of the risk of a security incident. The Corporate Information Security and Cyber Security Policy can be viewed on the website www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Policies, Corporate Policy on Information Security and Cyber Security. _____________________________________________________________________________________________ Itaú Unibanco 64 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Country Risk The country risk is the risk of losses related to non-compliance with obligations in connection with borrowers, issuers, counterparties or guarantors, as a result of political-economic and social events or actions taken by the government of the country. Itaú Unibanco has a specific structure for the management and control of country risk, consisting of corporate bodies and dedicated teams, with responsibilities defined in policies. The institution has a structured and consistent procedure, including: (i) establishment of country ratings; (ii) determination of limits for countries; (iii) monitoring the use of limits. Business and Strategy Risk Business and strategy risk is the risk of a negative impact on the results or capital as a consequence of a faulty strategic planning, the making of adverse strategic decisions, the inability of Itaú Unibanco to implement the proper strategic plans and/or changes in its business environment. Itaú Unibanco has implemented many mechanisms that ensure that both the business and the strategic decision-making processes follow proper governance standards, have the active participation of executives and the Board of Directors, are based on market, macroeconomic and risk information and are aimed at optimizing the risk-return ratio. Decision-making and the definition of business and strategy guidelines, count on the full engagement of the Board of Directors, primarily through the Strategy Committee, and of the executives, through the Executive Committee. In order to handle risk adequately, Itaú Unibanco has governance and processes to involve the Risk Area in business and strategy decisions, so as to ensure that risk is managed and decisions are sustainable in the long term. They are: (i) qualifications and incentives of board members and executives; (ii) budget process; (iii) product assessment; (iv) evaluation and prospecting of proprietary mergers and acquisitions; and (v) a risk appetite framework which, for example, restricts the concentration of credit and exposure to specific and material risks. Contagion Risk Contagion Risk is the possibility of losses occurring for entities that are part of the Prudential Conglomerate as a result of financial support to unconsolidated entities, in a stressful situation, in the absence or in addition to the obligations provided for in the contract. Itaú Unibanco has a structure for risk management and control, a dedicated team and a policy that defines roles and responsibilities. This structure covers (i) the identification of entities in relation to the potential generation of contagion risk, (ii) the assessment of risks in relationships, (iii) the monitoring, control and mitigation of contagion risk, (iv) the assessment of impact on capital and liquidity and (v) reports. It is part of the scope of contagion risk governance: Related Party audiences, mainly composed of controllers, controlled and related entities (as defined in Res. 4,693 / 18), foundations, investments in non-consolidated entities, suppliers of critical products and services, assigness, buyers and sellers of relevant assets, third parties with products distributed by Itaú Unibanco and third parties to whom Itaú Unibanco distributes products, besides all the analysis of the international Units. _____________________________________________________________________________________________ Itaú Unibanco 65 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Operational Risk Operational risk is defined as the possibility of losses arising from failure, deficiency or inadequacy of internal process, people or systems or from external events that affect the achievement of strategic, tactical or operational objectives. It includes legal risk associated with inadequacy or deficiency in contracts signed by the institution, as well as penalties due to noncompliance with laws and punitive damages to third parties arising from the activities undertaken by the institution. Itaú Unibanco internally classifies its risk events in: Internal fraud; External fraud; Labor claims and deficient security in the workplace; Inadequate practices related to clients, products and services; Damages to own physical assets or assets in use by Itaú Unibanco; Interruption of Itaú Unibanco’s activities; Failures in information technology (IT) systems, processes or infrastructure; Failures in the performance, compliance with deadlines and management of activities at Itaú Unibanco. Operational risk management includes conduct risk, which is subject to mitigating procedures to assess product design and incentive models. The inspection area is responsible for fraud prevention. Irrespective of their origin, specific cases may be handled by risk committees and integrity and ethics committees. Itaú Unibanco has a governance process that is structured through forums and corporate bodies composed of senior management, which report to the Board of Directors, with well-defined roles and responsibilities in order to segregate the business and management and control activities, ensuring independence between the areas and, consequently, well-balanced decisions with respect to risks. This is reflected in the risk management process carried out on a decentralized basis under the responsibility of the business areas and by a centralized control carried out by the internal control, compliance and operational risk department, by means of methodologies, training courses, certification and monitoring of the control environment in an independent way. The managers of the executive areas use corporate methods constructed and made available by the Operational Risk and Corporate Compliance and Money Laundering Prevention Areas. Among the methodologies and tools used are the self-evaluation and the map of the institution’s prioritized risks, the approval of processes, products, the monitoring of key risk indicators and the database of operational losses, guaranteeing a single conceptual basis for managing processes, risks, projects and new products and services. Within the governance of the risk management process, regularly, the consolidated reports on risk monitoring, controls, action plans and operational losses are presented to the business area executives. In line with CMN Resolution 4,557, the document “Public Report – Integrated Management of Operational Risk /Internal Controls/Compliance”, summarized version of the institutional operational risk management policy can be found on the website www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Reports. _____________________________________________________________________________________________ Itaú Unibanco 66 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Crisis Management and Business Continuity Itaú Unibanco’s Business Continuity Program’s purpose is to protect its employees, ensure the continuity of the critical functions of its business lines and sustain both the stability of the markets in which it operates and the confidence of its customers and strategic partners in its provision of services and products. It establishes the Business Continuity Plan (BCP), which consists of modular procedures that are available for use in the event of incidents. The descriptions/characteristics of the existing plans are: Disaster Recovery: it aims to ensure the availability and integrity of Information Technology resources and communication in the event of a failure in the primary Data Center to maintain the processing of critical systems; Workplace Contingency: alternative facilities to perform the activities in the event the administrative buildings become unavailable; Operational Contingency: alternatives to carry out critical processes whether they are systemic, procedural or emergency responses. In order to keep the continuity solutions aligned with the business requirements (processes, minimum resources, legal requirements, etc) the Program applies the following tools to assess the institution: Business Impact Analysis (BIA): evaluates the criticality and resumption requirement of the processes that support the delivery of products and services. Threats and Vulnerabilities Analysis (AVA): identification of threats near to Itaú Unibanco’s buildings. Considering the dependence that some processes have on third-party services, the Business Continuity Program conducts an assessment of the risk of unavailability of services provided with a view to resilience to threats of interruption. The institution has a Crisis Management Program, which is aimed at managing business interruption events, natural disasters, impacts of an environmental, social, and infrastructure/operational (including information technology) or of any other nature that jeopardize the image and reputation and/or viability of Itaú Unibanco’s processes with its employees, clients, strategic partners and regulators, with timely and integrated responses. The Program establishes a frequent flow of acculturation with the company’s senior management, as well as a constant analysis of high-impact scenarios and events to establish response plans in line with current threats. To assess efficiency and identify points for improvement in crisis response plans, tests are carried out at least once a year. Independent Validation of Risk Models Itaú Unibanco validates the processes and risk models independently. This is done by a department which is separate from the business and risk control areas, to ensure that its assessments are independent. The validation method, defined in an internal policy, meets regulatory requirements such as those of BACEN Circulars 3,646 and 3,674 and Resolutions 2,682 and 4,557. The validation stages include: _____________________________________________________________________________________________ Itaú Unibanco 67 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Verification of mathematical and theoretical development of the models; Qualitative and quantitative analysis of the models, including the variables, construction of an independent calculator and the use of appropriate technical; When applicable, comparison with alternative models and international benchmarks; Historical Backtesting of the model; The correct implementation of the models in the systems used. Additionally, the validation area assesses the stress testing program. The performance of the independent validation area and the validation of the processes and models are assessed by Internal Audit and reported to the specific senior management committees. Action plans are prepared to address opportunities identified during the independent validation process, and are monitored by the 3 lines of defense and by senior management until the conclusion. _____________________________________________________________________________________________ Itaú Unibanco 68 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Glossary of Acronyms A ASF – Available Stable Funding AT1 – Additional Tier 1 Capital AVA – Avaliação de Vulnerabilidade e Ameaças(Threats and Vulnerabilities Analysis) B BACEN—Banco Central do Brasil (Central Bank of Brazil) BCB—Banco Central do Brasil (Central Bank of Brazil) BCP – Business Continuity Plan BCBS—Basel Committee on Banking Supervision BIA – Business Impact Analysis BIS – Bank for International Settlements C CCF – Credit Conversion Factor CCP – Non-Qualified Central Counterparty CCR – Counterparty Credit Risk CDP – Carbon Disclosure Project CEM—Current Exposure Method CEO—Chief Executive Officer CET 1—Common Equity Tier I CGRC—Comitê de Gestão de Risco e Capital (Risk and Capital Management Committee) CMN—Conselho Monetário Nacional (National Monetary Council) Comef—Comitê de Estabilidade Financeira (Financial Stability Committee) CRI – Real State Receivables Certificate _____________________________________________________________________________________________ Itaú Unibanco 69 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CRM – Credit Risk Mitigation CRO—Chief Risk Officer CTAM – Comissão Técnica de Avaliação de Modelos (Technical Model Assessment Commission) CVA—Credit Valuation Adjustment CVM—Comissão de Valores Mobiliários (Brazilian Securities and Exchange Commission) D DLP—Long- Term Liquidity Statement DRL—Liquidity Risk Statement D-SIB—Domestic Systemically Important Banks DV—Delta Variation E EAD – Exposure at Default ECL – Expected Credit Losses EMD – Entidades Multilaterais de Desenvolvimento (Multilateral Development Entities) EP – Equator Principles EVE – Economic Value of Equity F FIDC – Credit Rights Investment Funds FCC—Credit Conversion Credit FPR—Fator de Ponderação de Risco(Weighting Factor) G GAP—Gap Analysis GDP—Gross Domestic Product GHG – Greenhouse Gas Protocol _____________________________________________________________________________________________ Itaú Unibanco 70 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Greeks – Sensitivities to Various Risk Factors G-SIB – Global Systemically Important Banks H HE – Haircut of Execution HQLA – High Quality Liquid Assets HV – Volatility Haircut I ICAAP – Internal Capital Adequacy Assessment Process IMA – Internal Models Approach IPV – Independent Price Verification IRRBB – Interest Rate Risk in the Banking Book IT – Information Technology K KYC – Know your Customer KYP – Know your Partner KYS – Know your Supplier KYE – Know your Employee L LCR – Liquidity Coverage Ratio LMM—Limite de Mitigação Máxima (Maximum Mitigation Limit) M MtM— Mark to Market N NII – Net Interest Income _____________________________________________________________________________________________ Itaú Unibanco 71 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ NSFR – Net Stable Funding Ratio O OTC – Over-the-Counter P PR – Patrimônio de Referência (Total Capital) PRI – Principles for Responsible Investments PRSA – Política de Sustentabilidade e Responsabilidade Socioambiental (The Social and Environmental Responsability and Sustainability Policy) PCR – Potential Credit Risk PVA – Prudent Valuation Adjustments Q QCCP – Qualified Central Counterparties R RA – Leverage Ratio RAS—Risk Appetite Statement RSF – Required Stable Funding RWA—Risk Weighted Assets RWACPAD—Portion relating to exposures to credit risk RWACPrNB—amount of risk-weighted assets corresponding to credit risk exposures to the non-banking private sector, calculated for jurisdictions whose ACCPi is different from zero RWAMINT—Portion relating to exposures to market risk, using internal approach RWAMPAD— Portion relating to exposures to market risk, calculated using standard approach RWAOPAD—Portion relating to the calculation of operational risk capital requirements S SA – Joint-Stock Company _____________________________________________________________________________________________ Itaú Unibanco 72 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ SA-CCR – Standardised Approach to Counterparty Credit Risk SFN – Sistema Financeiro Nacional(National Financial System) SFT – Securities Financing Transactions SOC – Security Operation Center T TCFD – Task Force on Climate-Related Financial Disclosures TLAC – Total Loss-Absorbing Capacity TVM—Títulos de valores mobiliários(Securities) V VaR—Value at Risk _____________________________________________________________________________________________ Itaú Unibanco 73 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ Glossary of Regulations BACEN Circular No. 3,354, of June 27th, 2007 BACEN Circular No. 3,644, of March 4th, 2013 BACEN Circular No. 3,646, of March 04th, 2013 BACEN Circular No. 3,674, of October 31st, 2013 BACEN Circular No. 3,748, of February 26th, 2015 BACEN Circular No. 3,749, of March 05th, 2015 BACEN Circular No. 3,751 of March 19th, 2015 BACEN Circular No. 3,769, of October 29th, 2015 BACEN Circular No. 3,809, of August 25th, 2016 BACEN Circular No. 3,846, of September 13rd, 2017 BACEN Circular No. 3,869, of December 19th, 2017 BACEN Circular Letter No. 3,706 of May 05th, 2015 BACEN Circular Letter No. 3,907 of September 10th, 2018 BACEN Circular Letter No. 4,068 of July 7th, 2020 BACEN Circular Letter No. 3,876 of January 31st, 2018 BACEN Circular Letter No. 3,082 of January 30th, 2012 BACEN Circular Letter No. 3,978 of January 23rd, 2020 BACEN Communication No. 37.942, of November 18th, 2021 BCB Resolution No. 54, of December 16th, 2020 CMN Resolution No. 2,682, of December 22nd, 1999 CMN Resolution No. 4,192, of March 1st, 2013 CMN Resolution No. 4,193, of March 1st, 2013 _____________________________________________________________________________________________ Itaú Unibanco 74 Corporativo | Interno

Risk and Capital Management—Pillar 3 _____________________________________________________________________________________________ CMN Resolution No. 4,327, of April 25th, 2014 CMN Resolution No. 4,502, of June 30th, 2016 CMN Resolution No. 4,557, of February 23rd, 2017 CMN Resolution No. 4,589, of June 29th, 2017 CMN Resolution No. 4,693, of October 29th, 2018 CMN Resolution No. 4,783, of March 6th, 2020 _____________________________________________________________________________________________ Itaú Unibanco 75 Corporativo | Interno