3Q 21 Risk and capital management Pillar 3 Third quarter of 2021

Contents Objective 1 Key indicators 1 Prudential Metrics and Risk Management 2 KM1: Key metrics at consolidated level 2 OVA: Bank risk management approach 3 Scope and main characteristics of risk management 3 Risk and Capital Governance 4 Risk Appetite 5 Risk Culture 6 Stress Testing 6 Recovery Plan 7 Capital Adequacy Assessment 8 Capital Adequacy 8 OV1: Overview of risk-weighted assets (RWA) 9 Links between financial statements and regulatory exposures 10 LIA: Explanations of differences between accounting and regulatory exposure amounts 10 LI1: Differences between accounting and regulatory scopes of consolidation and mapping of financial 11 statement categories with regulatory risk categories LI2: Main sources of differences between regulatory exposure amounts and carrying values in financial 12 statements PV1: Prudent valuation adjustments (PVA) 12 Institutions that comprise the Financial Statement of Itaú Unibanco Holding 13 Non Consolidated Institutions 17 Material Entities 17 Composition of Capital 18 CCA: Main features of regulatory capital instuments 18 CC1: Composition of regulatory capital 19 CC2: Reconciliation of regulatory capital to balance sheet 21 Macroprudential Indicators 22 CCyB1: Geographical distribution of credit risk exposures considered in the calculation of the 22 Countercyclical Capital Buffer GSIB1: Disclosure of G-SIB indicators 22 Leverage Ratio 22 LR1: Summary comparison of accounting assets vs leverage ratio exposure measure (RA) 23 LR2: Leverage ratio common disclosure 23 Liquidity Ratios 24 LIQA: Liquidity Risk Management Information 24 Framework and Treatment 24 LIQ1: Liquidity Coverage Ratio (LCR) 25 LIQ2: Net Stable Funding Ratio (NSFR) 26 Credit Risk 27 CRA: Qualitative information on credit risk management 27 CR1: Credit Quality of Assets 29 CR2: Changes in Stock of defaulted loans and debts securities 29 CRB: Additional disclosure related to the credit quality of assets Credit risk mitigation 29 Exposure by industry 30 Exposure by remaining maturity 30 Overdue exposures 31 Exposure by geographical area in Brazil and by country 31 Largest debtors exposures 32 Restructured exposures 32

CRC: Qualitative disclosure related to Credit Risk Mitigation techniques 32 CR3: Credit Risk mitigation techniques - overview 33 CR4: Standardized Approach - Credit Risk exposure and credit risk mitigation effects 34 CR5: Standardized Approach - exposures by asset classes and risk weights 34 Counterparty Credit Risk (CCR) 35 CCRA: Qualitative disclosure related to CCR 35 CCR1: Analysis of CCR exposures by approach 35 CCR3: Standardized approach - CCR exposures by regulatory portfolio and risk weights 35 CCR5: Composition of collateral for CCR exposures 36 CCR6: CCR associated with credit derivatives exposures 36 CCR8: CCR associated with Exposures to central counterparties 37 Securitization Exposures 37 SECA: Qualitative disclosure requirements related to securitisation exposures 37 SEC1: Securitisation exposures in the banking book 38 SEC2: Securitisation exposures in the trading book 38 SEC3: Securitisation exposures in the banking book and associated regulatory capital requirements - 38 bank acting as originator or as sponsor SEC4: Securitisation exposures in the banking book and associated capital requirements - bank acting 38 as investor Market Risk 39 MRA: Qualitative disclosure requirements related to market risk 39 MR1: Market risk under standardized approach 41 MRB: Qualitative disclosures on market risk in the Internal Models Approach (IMA) 41 MR2: RWA flow statements of market risk exposures under an IMA 44 Exposures subject to market risk 44 MR3: IMA values for trading portfolios 45 MR4: Comparison of VaR estimates with gains/losses 45 Backtesting 45 Total Exposure associated with Derivatives 46 IRRBB 47 IRRBBA: IRRBB risk management objectives and policies 47 Framework and Treatment 47 Other Risks 49 Insurance products, pension plans and premium bonds risks 49 Social and Environmental Risk 49 Model Risk 50 Regulatory or Compliance Risk 50 Reputational Risk 51 Country Risk 53 Business and Strategy Risk 53 Contagion Risk 53 Operational Risk 54 Crisis Management and Business Continuity 55 Independent Validation of Risk Models 55 Glossary of Acronyms 57 Glossary of Regulations 62

Risk and Capital Management-Pillar 3 _ Objective This document presents Itaú Unibanco Holding S.A. (Itaú Unibanco) information required by the Central Bank of Brazil (BACEN) through Resolution BCB nº 54 and subsequent amendments, which addresses the d is closure of information on risks and capital management, the comparison between accounting and prudential information, the liquidity and market risk indicators, the calculation of risk-weighted assets (RWA), the calculation of the Total Capital ("Patrimônio de Referência"-PR), and the compensation of management members. 1 The referred Resolution brought several amendments in the disclosure format of the Pillar 3 information, besides changes in the scope and frequency of the information disclosed. All these amendments, implemented by the Central Bank, aim the convergence of the Brazilian financial regulation to the recommendations of the Bas el Committee, seeking to harmonize the information disclosed by financial institutions at an international level, and taking into account the structural conditions of the Brazilian economy. The disclosure policy of the Risk and Capital Management Report presents the guidelines and responsibilities of the areas involved in its preparation, as well as the description of the information that must be disclosed and the integrity endorsement and approval governance, as established by the article 56 of the Resolution nº. 4,557. Key indicators Itaú Unibanco's risk and capital management focuses on maintaining the institution in line with the risk strategy approved by the Board of Directors. The key indicators based on the Prudential Consolidation, on September 30, 2021, are summarized below. 1 Compensation of management members data is reported annually. Itaú Unibanco 1

Risk and Capital Management-Pillar 3 Prudential Metrics and Risk Management Itaú Unibanco invests in robust and company-wide risk management processes to serve as a basis for its strategic decisions intended to ensure business sustainability. The key prudential metrics related to regulatory capital and information on the bank's integrated risk management are presented below. KM1: Key metrics at consolidated level In order to ensure the soundness of Itaú Unibanco and the availability of capital to support business growth, Itaú Unibanco maintains capital levels above the minimum requirements, as demonstrated by the Common Equity Tier I, Additional Tier I Capital and Total Capital ratios. On September 30, 2021, the Total Capital (PR) reached R$ 161,099 million, R$ 141,409 million of Tier I and R$ 19,690 million of Tier II. Itaú Unibanco 2

Risk and Capital Management-Pillar 3 The Basel Ratio reached 14.7% on September 30, 2021, a decrease of 0.2 pp compared to June 30, 2021, mainly due to the foreign exchange variations and prudential adjustments in the period. Besides, Itaú Unibanco has a R$ 73,483 million capital excess in relation to its minimum required Total Capital. It corresponds to 6,7 pp above the minimum requirement (8%) and higher than the Capital Buffer requirement of 2.625% (R$ 28,749 million). Considering the Capital Buffers, the capital excess would be 4,075 pp. In September 2021, Itaú Unibanco Holding issued R$ 5.5 billion in Subordinated Financial Notes, which have a repurchase option as from 2026. These subordinated notes are authorized to compose Itaú Unibanco's Tier 2 Capital, with an estimated increase of 52 basis points in its Total Capital Ratio. The fixed assets ratio shows the commitment percentage of adjusted Referential Equity with the adjusted permanent assets. Itaú Unibanco falls within the maximum limit of 50% of adjusted PR, established by BACEN. At September 30, 2021, fixed assets ratio reached 17.6%, showing a surplus of R$ 52,232 million. OVA - Bank risk management approach Scope and main characteristics of risk management To undertake and manage risks is one of the activities of Itaú Unibanco. For this reason, the institution must have clearly established risk management objectives. In this context, the risk appetite defines the nature and the level of risks acceptable for the institution, while the risk culture guides the attitudes required to manage them. Itaú Unibanco invests in robust risk management processes, that are the basis for its strategic decisions to ensure business sustainability and maximize shareholder value creation. These processes are in line with the guidelines of the Board of Directors and Executives who , through corporate bodies, define the institution's global objectives, which are then translated into targets and thresholds for the business units that manage risks. Control and capital management units, in turn, support Itaú Unibanco's management through the processes of analysis and monitoring of capital and risk. The principles that provide the risk management and the risk appetite foundations, as well as guidelines regarding the actions taken by Itaú Unibanco's employees in their daily routines are as follows: • Sustainability and customer satisfaction: the vision of Itaú Unibanco is to be a leading bank in sustainable performance and customer satisfaction. For this reason, the institution is concerned about creating shared values for employees, customers, shareholders and society to ensure the longevity of the business. Itaú Unibanco is concerned about doing business that is good for customers and for the institution; • Risk culture: the institution's risk culture goes beyond policies, procedures and processes. It strengths the individual and collective responsibility of all employees to manage and mitigate risks consciously, respecting the ethic way of doing business. The risk culture is described in the item "Risk Culture"; • Risk Pricing: Itaú Unibanco operates and assumes risks in business that it knows and understands, avoids the ones that are unknown or that do not provide competitive advantages, and carefully assesses risk-return ratios; • Diversification: the institution has low appetite for volatility in its results . Accordingly, it operates with a diversified base of customers, products and business, seeking risk diversification and giving priority to lo w-risk transactions; Itaú Unibanco 3

Risk and Capital Management-Pillar 3 • Operational excellence: Itaú Unibanco intends to provide agility, as well as a robust and stable infrastructure, in order to offer high quality services; • Ethics and respect for regulations: at Itaú Unibanco, ethics is non-negotiable. For this reason, the institution promotes an institutional environment of integrity, educating its employees to cultivate ethical relationships and businesses, as well as respecting the norms, and therefore looking after the institution's reputation. Since August, 2017, the Resolution CMN 4,557 came into force, which established the structure of risk and capital management. The resolution highlights are the implementation of a continuous and integrated risk management framework; the requirements for the definition of the Risk Appetite Statement (RAS) and the stress test program; the establishment of a Risk Committee; the indication, before BACEN, of the Chief Risk Officer (CRO); and the CRO's roles, responsibilities and independence requirements. Risk and Capital Governance The Board of Directors is the main body responsible for establishing the guidelines, policies and authority levels regarding risk and capital management. In turn, the Risk and Capital Management Committee (CGRC) provides support to the Board of Directors in the performance of their duties relating to risk and capital management. At the executive level, corporate bodies headed by Itaú Unibanco's Chief Executive Officer (CEO) are established to manage risks and capital. Their decisions are overseen by the CGRC. Additionally, the Itaú Unibanco Holding has corporate bodies that perform delegated duties in the risk and capital management, under the responsibility of CRO (Chief Risk Officer). To support this structure, the Risk Area is structured with specialized departments. The objective is to provide independent and centralized management of the institution's risks and capital, and to ensure the accordance with the established rules and procedures. Itaú Unibanco's risk management organizational structure complies with Brazilian and international regulations in place and is aligned with the market's best practices, including governance for identifying emerging risk s, which are those with medium and long-term impact potentially material about the business. Responsibilities for risk management at Itaú Unibanco are structured according to the concept of three lines of defense, namely: • in the first line of defense, the business and corporate support areas manage risks they give rise to, by identifying, assessing, controlling and reporting such risks; • in the second line of defense, an independent unit provides central control, so as to ensure that Itaú Unibanco's risk is managed according to the risk appetite and established policies and procedures. This centralized control provides the Board and executives with a global overview of Itaú Unibanco's exposure, to ensure correct and timely corporate decisions; • in the third line of defense, internal audit provides an independent assessment of the institution's activities, so that senior management can see that controls are adequate, risk management is effective and institutional standard s and regulatory requirements are being complied with. Itaú Unibanco 4

Risk and Capital Management-Pillar 3 Itaú Unibanco uses robust automated systems for full compliance with capital regulations, as well as for measuring risks in accordance with the regulatory determinations and models in place. It also monitors adherence to the qualitative and quantitative regulators' minimum capital and risk management requirements. Risk Appetite Itaú Unibanco has a risk appetite policy, which was established and approved by the Board of Directors and guides the institution's business strategy. The bank's risk appetite is grounded on the following declaration of the Board of Directors: "We are a universal bank, operating predominantly in Latin America. Supported by our risk culture, we operate based on rigorous ethical and regulatory compliance standards, seeking high and growing results, with low volatility, by means of the long-lasting relationship with clients, correctly pricing risks, well-distributed fund-raising and proper us e of capital." Based on this declaration, the bank established five dimensions, each of which comprising a set of metrics associated with the key risks involved, combining complementary measurements and seeking a comprehensive view of its exposure: • Capitalization: establishes that Itaú Unibanco should have sufficient capital to protect itself against a serious recession or stress events without the need to adjust its capital structure under adverse circumstances. It is monitored by following up the bank's capital ratios, in usual or stress situations, and the institution's debt issue ratings. • Liquidity: establishes that the institution's liquidity should be able to support long stress periods. It is monitored by following up on liquidity ratios. • Composition of results: establishes that business will mainly focus on Latin America, where Itaú Unibanco will have a diversified range of customers and products, with low appetite for results volatility and high risk. This dimension includes business and profitability, as well as market and credit risks aspects. The metrics monitored by the bank seek to ensure, by means of exposure concentration limits such as, for example, industry sectors, quality of counterparties, countries and geographic regions and risk factors, a suitable composition of the bank's portfolios, aiming at low volatility of results and business sustainability. • Operational risk: focuses on controlling operational risk events that may adversely impact the bank's business strategy and operations. This control is carried out by monitoring key operational risk events and incurred losses. • Reputation: deals with risks that may impact brand value and the institution's reputation before its customers, employees, regulators, investors and the general public. In this dimension, risks are monitored by following up on customers' satisfaction or dissatisfaction, media exposure and observation of the institution's conduct. The Board of Directors is responsible for approving risk appetite guidelines and limits, performing its activities with the support of the Risk and Capital Management Committee (CGRC) and the Chief Risk Officer (CRO). Metrics are regularly monitored and must comply with the limits defined. The monitoring is reported to the risk commissions and to the Board of Directors, guiding the use of preventive measures to ensure that exposures are within the limits provided and in line with the bank's strategy. Itaú Unibanco 5

Risk and Capital Management-Pillar 3 Risk Culture Aiming at strengthening its values and aligning the behavior of its employees with risk management guidelines , the institution adopts several initiatives to disseminate and strengthen its Risk Culture, which is based on four principles : conscious risk taking, discussions and actions on the institution's risks, and each and everyone's responsibility for risk management. Chart 1-Risk Culture Besides the risk management policies, procedures and processes, the institution promotes its Risk Culture by emphasizing a behavior that helps people of all company levels to undertake and manage risks in a conscious way . By disseminating these principles, the institution fosters the understanding and the open discussion ab out risks, so that they are kept within the risk appetite levels established and each employee individually, regard less of their position, area or duties, may also assume responsibility for managing the risks of the business. Itaú Unibanco also makes some channels available for communication of operating failures, internal or external fraud, conflicts at the workplace, or cases that may result in inconveniences and/or losses for the institution or its customers. All employees or third parties are responsible for informing any problems immediately, as soon as they become aware of the situation. Stress Testing The stress test is a process of simulating extreme economic and market conditions on Itaú Unibanco's results, liquidity and capital. The institution has been carrying out this test in order to assess its solvency in plausible scenarios of crisis, as well as to identify areas that are more susceptible to the impact of stress that may be the subject of risk mitigation. For the purposes of the test, the economic research area estimates macroeconomic variables for each stress scenario. The elaboration of stress scenarios considers the qualitative analysis of the Brazilian and the global conjuncture, historical and hypothetical elements, short and long term risks, among other aspects, as defined in CMN Resolution 4,557. _ Itaú Unibanco 6

Risk and Capital Management-Pillar 3 In this process, the main potential risks to the economy are assessed based on the judgment of the bank's team of economists, endorsed by the Chief Economist of Itaú Unibanco and approved by the Board of Directors. Projections for the macroeconomic variables (such as GDP, the basic interest rate and inflation) and for variables in the credit market (such as raisings, lending, rates of default, margins and charges) used are based on exogenous s hocks or through use of models validated by an independent area. Then, the stress scenarios adopted are used to influence the budgeted result and balance sheet. In addition to the scenario analysis methodology, sensitivity analysis and the Reverse Stress Test are also used. Itaú Unibanco uses the simulations to manage its portfolio risks, considering Brazil (segregated into wholesale and retail) and External Units, from which the risk-weighted assets and the capital and liquidity ratios are derived. The stress test is also an integral part of the ICAAP (Internal Capital Adequacy Process), the main purpose of which is to assess whether, even in severely adverse situations, the institution would have adequate levels of capital and liquidity, without any impact on the development of its activities. This information enables potential offenders to the business to be identified and provides support for the strategic decisions of the Board of Directors, the budgeting and risk management process, as well as serving as an input for the institution's risk appetite metrics. Recovery Plan In response to the latest international crises, the Central Bank issued the Resolution No. 4,502, which requires the development of a Recovery Plan for the financial institutions that are classified in the Segment 1, with a total exposure of more than 10% of Gross Domestic Product (GDP). This plan aims to reestablish adequate levels of capital and liquidity, above the regulatory requirements, through appropriate strategies in the event of severe stress shock s of a systemic or idiosyncratic nature. Accordingly, each institution would be able to preserve its financial feasibility and, at the same time, mitigate the impact on the National Financial System. Itaú Unibanco has a Recovery Plan that contemplates the entire conglomerate, including foreign subsidiaries, and contains the description of the following items: I. Critical functions rendered by Itaú Unibanco to the market, activities that, if abruptly interrupted, could impact the National Financial System (SFN) and the functioning of the real economy; II. Institution's essential services: activities, operations or services which discontinuity could compromise the bank's viability; III. Monthly monitoring program, establishing critical levels for a set of indicators, with a view to risk monitoring and eventual trigger for the execution of the Recovery Plan; IV. Stress scenarios, contemplating events that may threaten the business continuity and the viability of the institution, including reverse tests, which seek to identify remote risk scenarios, contributing to an increase of the management sensitivity; V. Recovery strategies in response to different stress scenarios, including the main risks and barriers, as well as the mitigators of the latter and the procedures for the operationalization of each strategy; VI. Communication plan with stakeholders, seeking its timely execution with the market, regulators and other stakeholders; VII. Governance mechanisms necessary for the coordination and execution of the Recovery Plan, such as the definition of the director responsible for the exercise at Itaú Unibanco. Itaú Unibanco 7

Risk and Capital Management-Pillar 3 This plan is reviewed annually and is subjected to the approval of the Board of Directors. With this practice, Itaú Unibanco has been able to continuously demonstrate, that even in severe scenarios , with remote probability of occurrence, it has strategies capable of generating sufficient resources to ensure the sustainable maintenance of critical activities and essential services, without losses to customers, to the financial system and to other participants in the markets in which it operates. Itaú Unibanco ensures the exercise maintenance to guarantee that strategies remain up-to-date and viable in the face of organizational, competitive or systemic changes. Capital Adequacy Assessment For its capital adequacy assessment process, the annual Itaú Unibanco's procedure is as follows: • Identification of material risks and assessment of the need for additional capital; • Preparation of the capital plan, both in normality and stress situations; • Internal assessment of capital adequacy; • Structuring of capital contingency and recovery plans; • Preparation of management and regulatory reports. By adopting a prospective stance regarding capital management, Itaú Unibanco implemented its capital management structure and its ICAAP in order to comply with National Monetary Council (CMN) Resolution 4,557, BACEN Circular 3,846 and BACEN Circular Letter 3,907. The result of the last ICAAP, which includes stress tests - dated as of December 2020 - showed that, in addition to having enough capital to face all material risks, Itaú Unibanco has a significant buffer, thus ensuring the soundness of its equity position. Capital Adequacy Itaú Unibanco, through the ICAAP process, assesses the adequacy of its capital to face the incurred risks, composed by regulatory capital for credit, market and operational risks and by the necessary capital to face other risks. In order to ensure the soundness and the availability of Itaú Unibanco's capital to support business growth, the Total Capital levels were maintained above the minimum requirements. Itaú Unibanco 8

Risk and Capital Management-Pillar 3 OV1 - Overview of risk-weighted assets (RWA) According to CMN Resolution 4,193 and subsequent amendments, for assessing the minimum capital requirements, the RWA must be calculated by adding the following risk exposures: RWA = RWACPAD + RWAMINT + RWAOPAD • RWACPAD = portion related to exposures to credit risk, calculated using standardized approach; • RWAMINT = portion related to the market risk capital requirement, made up of the maximum between the internal model and 80% of the standardized model, and regulated by BACEN Circulars 3,646 and 3,674; • RWAOPAD = portion related to the operational risk capital requirement, calculated using standardized approach. Minimum capital RWA requirements RS million 09/30/2021 06130/2021 0913012021 Credit Risk: standardised approach 986,309 941,021 78 ,904 Credit risk (excluding counterpart}' credit risk) 864,316 817,765 69 ,145 Counterparty credit risk (CCR) 42,157 43 ,576 3.372 Of which: standardised approach for counterparty credit risk (SA-CCR) 26.068 27,400 2.085 Of which: Current Exposure Method approach (CEM) Of which: other CCR 16,089 16,176 1,287 Credit valuation adjustment (eVA) 7 .604 7,222 608 Equity investments in funds-look-through approach 5,700 6,223 456 Equity investments in funds-mandate-based approach 92 63 7 Equity investments in funds-fall-bad< approach 1,346 794 108 Securitisation exposures-standardised approach 1,600 1,352 128 Amounts below the thresholds for deduction 63,494 64,026 5.080 Market risk 22 ,373 25 ,581 1,790 Of which : standardised approaCh 27,966 31 ,976 2,237 Of which: internal models approach (IMA) 15,281 22 ,864 1,222 Operational risk 86,512 82,026 6,921 Total 1,095,194 1,048,628 87,615 The higher amount of credit risk-weighted assets (RWACPAD) was mainly due to the increase in lo an portfolio and foreign exchange rate variation in the period. Itaú Unibanco 9

Risk and Capital Management-Pillar 3 Links between financial statements and regulatory exposures LIA: Explanations of differences between accounting and regulatory exposure amounts The main difference between the accounting carrying value and the amounts considered for regulatory purposes is the non-consolidation of non-financial companies (especially Insurance, Pension Plan and Capitalization companies) in the regulatory consolidated, a difference that also impacts the elimination of related parties transactions. Within the regulatory scope, the procedures for assessing the need for prudent valuation adjustments (PVAs) arising from the pricing of financial instruments, as well as the description of the systems and controls used to ensure its reliability are described below. The pricing methodology for the financial instruments subject to Resolution No. 4,277, of October 31st, 2013, conducted by an independent area from the business areas, considers, in addition to benchmarks, the risks listed in the closeout uncertainty, market concentration, early termination, model risk, investing and funding costs , unearned credit spread and others. The fair value measurement at Itaú Unibanco follows the principles enclosed in the main regulatory bodies, such as CVM and BACEN. The institution follows the best practices in terms of pricing policies, procedures and methodologies and is committed to secure the pricing of financial instruments in its balance sheet with prices quoted and disclosed by the market, and in the impossibility of doing so, expends its best efforts to estimate which would be the fair price at which financial assets would be effectively traded, maximizing the use of relevant observable data and, under specific conditions, these instruments can be valued on a model bas is . In all of these situations, the organization has control over its pricing methods and model risk management. The process of independent price verification (IPV) follows the guidelines included in Resolution No. 4,277, with daily verification of prices and market inputs, which is performed by a team independent from the pricing team. This process is also subject to an independent evaluation by the internal control, internal audit and external audit teams. The institution has a hybrid model for assessing the need for prudent valuation adjustments with two components . The first component is a timely assessment model that assesses new products, operations and risk factors traded and verifies the compliance and liability with any components of the existing prudent valuation adjustments. The second is a periodic assessment that aims to analyze the existing prudent valuation adjustments in relation to adequate pricing. The process and methodology are evaluated periodically and independently by internal controls and internal audit. In the line Other Differences of the table LI2, are reported the transactions subject to credit risk and counterparty credit risk, which are not accounted for in the balance sheet or in the off-balance sheet amounts. Itaú Unibanco 10

Risk and Capital Management-Pillar 3 LI1: Differences between accounting and regulatory scopes of consolidation and mapping of financial statement categories with regulatory risk categories R$ million, at the end of the period 0913012021 Carrying values of items; Carrying values Carrying values Not subject to as reported in Subject to capital published under scope of Subject to Subject to the Subject to the counterparty requirements or financial regulatory credit risk securitis lI:tion market risk credit risk subject to statements consolidation framewor1l: framework deduction from capital Assets Current assets and long·term receivables 2,125,454 1,696,419 1,495,218 356 ,021 9 ,757 246,479 33,483 Cash 42,222 42 ,125 42 ,125 10,854 Interbank investments 241 ,985 239,502 52 ,902 186,600 16,505 Securities and derivative financial instruments 739,455 519 ,407 429,028 77,429 9 ,757 55,433 1,253 Interbank accounts 152,531 152,532 137,822 14 ,710 Interbranch accounts 260 260 260 Loan, lease and other credit operations 725,667 726,555 718,992 57,417 7,563 Other receivables 220,0S4 212,897 111 ,208 91,992 106,270 9 ,697 Deferred tax assets 58,846 49,300 9 ,546 Sundry 154,051 61 ,908 91,992 106,270 151 Other assets 3,240 3,141 3,141 Permanent assets 29,425 46,731 28,415 18,316 Investments 6,758 25,243 22 ,545 2,698 Real estate 6,267 5,773 5,773 Goodwill and Intangible assets 16,400 15,715 97 15,618 Goodwill 2 ,892 2 ,892 Intangible assets 12 ,726 12,726 Other 97 97 Total assets 2,154,819 1,943,150 1,523,833 356,021 9,757 246,479 51 ,799 Liabilities Current and Long-term Liabilities 2,001 ,458 1,789,709 302,790 208,052 1,486,9 19 Deposits 8 18 ,734 823 ,289 55,387 823,289 Deposits received under securities repurchase 281 ,805 281 ,865 261,939 19,926 agreements Fund S from acceptances and Issuance of securities 132,616 132,616 16,780 132,616 Interbank accounts 62,275 62,275 62,275 Interbranch accounts 11 ,545 11 ,549 135 11 ,549 Borrowings and on lending 93,309 93,309 9 ,329 93,309 Derivative financial instruments 70,767 70,770 40,851 696 29,919 Technical provision for insurance, pension plan and 218,544 capitalization Provisions 16,745 16,330 16,330 Allowance for financial guarantees provided and loan commitments 4 ,621 4 ,621 4 ,621 Other liabilities 290,497 293,085 125,712 293,085 Offered tax liabilities 2,345 2 ,345 Sundry 290,740 125,712 290,740 Deferred Income 3,268 3 ,329 3 ,329 Total liabilities 2,004,126 1,793,038 302,790 208,052 1,490,248 Itaú Unibanco 11

Risk and Capital Management-Pillar 3 LI2: Main sources of differences between regulatory exposure amounts and carrying values in financial statements PV1: Prudent valuation adjustments (PVA) R$ million 09/30/2021 Carrying values of items: Subject to Subject to Subject to the Subject to the Total counterparty credit risk securitisation market risk credit risk framework framework Asset carrying value amount under scope of regulatory consolidation 1,891,351 1,523,633 356,021 9,757 246 ,479 Liabilities carrying value amount under regulatory scope of consolidation 302,790 302,790 208 ,052 Total net amount under regulatory scope of consolidation 1,588,561 1,523,633 53,231 9,757 38 ,427 Off-balance sheet amounts 157,862 135,486 22 ,376 Differences in valuations Other differences 86 ,444 (12,268) 98,712 Exposure amounts considered for regulatory purposes 1,832,867 1,646,851 174,319 9,757 38 ,427 PV1: Prudent valuation adjustments (PVA) In R$ million 09/3 0/2021 Of which: In Of which: In Equity Interest banking FX Credit Commodities Total the trading the rates book book Closeout uncertainty, of which: 34 34 33 Closeout cost 32 32 31 Concentration 2 2 2 Early termination 56 56 112 111 Model risk 11 78 89 88 Operational risk Investing and funding costs Unearned credit spreads Future administrative costs Other Total adjustment 67 168 235 3 232 Itaú Unibanco 12

Risk and Capital Management-Pillar 3 Institutions that comprise the Financial Statements of Itaú Unibanco Holding The lists below provide the institutions that comprise the financial statements and the Prudential Consolidation of Itaú Unibanco Holding S.A.. Institutions that comprise the financial statements and the Prudential Consolidation !') Country (2) % Equity share on capital A 1 Hedge Orange Master Fundo de Investimento Multimercado Brazil 100.00% Aj Tftulos Publicos Fundo de Investimento Renda Fixa Referenciado 01 Brazil 98.78% Banco Investcred Unibanco SA Brazil 50.00% Banco Itau (Suisse) S.A. Switzerland 100.00% Banco Itau Argentina S.A Argentina 100.00% Banco Itau BBA SA Brazil 100.00% Banco Itau Consignado S.A Brazil 100.00% Banco Itau International United Slates 100.00% Banco Itau Paraguay SA Paraguay 100.00% Banco Itau Uruguay S/A Uruguay 100.00% Banco Itau Vefculos SA Brazil 100.00% Banco ItauBank SA Brazil 100.00% Banco Itaucard S.A. Brazil 100.00% Banco Itauleasing SA Brazil 100.00% CLOUOWALK KICK ASS I FUNOO DE INVESTIMENTO EM OIREITOS CREOITORIOS Brazil 95.54% Oibens leasing SA-Arrendarnento Mercantil Brazil 100.00% Financeira lIau CBD SA Credito, Financiamentoe Inveslimento Brazil 50.00% Fundo A 1 Hedge Orange Fundo de lnvestimento em Colas de Fundos de Investimento Multimercado Brazil 100.00% Fundo De Invest Dir Credit6rios Nao Padron NPL II Brazil 10000% Fundo de Investimento em Direitos Credit6rios Nao-Padronizados Barzel Brazil 100.00% Fundo de Investimento em Direitos Credit6rios Rede Brazil 100.00% Fundo em Direitos Credit6rios Cielo Emissores I Brazil 89.60% Fundo Fortaleza de Investirnento Irnobiriario Brazil 100.00% Fundo Kinea Ar;;Oes Brazil 99.40% Goal Performance Argentina 100.00% Hipercard Banco MuJliplo S.A Brazil 100.00% Inlrag Distribuidora de T ftulos e Valores Mobiliilrios Uda Brazil 100.00% Iresolve Companhia Securilizadora de Creditos Financeiros SA Brazil 100.00% Itau (Panama) SA Panama 34.16% Itau Adminislradora de Cons6rcios Uda. Brazil 100.00% Itau Asset Management Colombia SA Sociedad Fiduciaria Colombia 34.15% Itau Bank & Trust Bahamas ltd. Bahamas 100.00% Itau Bank & Trust Cayman ltd. Cayman Islands 100.00% Itau Bank, ltd. Cayman Islands 100.00% Itau BBA Europe SA Portugal 100.00% Itau BBA International Pic. United Kingdom 100.00% Itau BBA USA Securities Inc. United States 100.00% Itau Cia . Securitizadora de Creditos Financeiros Brazil 100.00% Itau Comisionisia de Bolsa Colombia S.A Colombia 34.27% Itau CorpBanca Chile 39.22% Itau CorpBanca Colombia SA Colombia 34.16% Itau CorpBanca New York Branch United States 39.22% Itau Corredores de Bolsa Umitada Chile 39.22% Itau Corretora de Valores SA Brazil 100.00% 1) As of December 2019, the funds Credito Universililrio FlOC I and Credito Universitilrio FlOC II were consolidated in the lIau Unibanco Holding S.A Prudential Conglomerate. 2) The institutions operate in their respective countries of origin. 13

Risk and Capital Management-Pillar 3 Institutions that comprise the financial statements and the Prudential Consolidation P) country 121 % Equity share on capital Itau Dislribuidora de Tftulas e Valores Mobiliarios SA Brazil 100.00% Itau EU Lux-ltau latin America Equity Fund Luxembourg 95.22% Itau International Securities Inc. United Siaies 100.00% Itau Invest Casa de Balsa SA Paraguay 100.00% ItaO Kinea Private Equity Multimercado Fundo de Inveslimento em Colas de Fundos de Investimento Credito Privado Brazil 100.00% Itau OT Tltulos POblicos Renda Fixa Referenciado DI Fundo de Inveslimenlo em Colas de Fundos de Investimento Brazil 10.70% IlaO Securities Services Colombia S.A Sociedad Fiduciaria Colombia 34.44% Itau Unibanco Holding SA Brazil 100.00% ItaO Unibanco Holding SA, Grand Cayman Branch Cayman Islands 100.00% IlaO Unibanco SA Brazil 100.00% Itau Unibanco SA, Grand Cayman Branch Cayman Islands 100.00% Itau Unibanco SA, Miami Branch United States 100.00% Itau Unibanco SA, Nassau Branch Bahamas 100.00% IlaO Unibanco Vefculos Adminislradora de Cons6rcios Uda. Brazil 100.00% Ilau Valores SA Argentina 100.00% Ilauvesl Dislribuidora de Trlulos e Val. Mobiliarios SA Brazil 100.00% ITB Holding LId. Cayman Islands 100.00% Kinea AyOes Fundo de Inveslimenlo em AtyOes Brazil 100.00% Kinea CO-inveslimenlo Fulldo de Inveslimenlo Imobiliario Brazil 99 .90% Kinea I Private Equity FIP Multieslralegia Brazil 99.64% Kinea KP Fundo de Investimento Mullimercado Crectilo Privado Brazil 100.00% Kinea Ventures FIP Brazil 100.00% licania Fund limited Cayman Islands 100.00% Luizacred SA Sociedade de Crectilo, Financiamento e Irweslimenlo Brazil 50.00% MCC SA COfTedores de Bolsa Chile 100.00% Microinvesl SA Soc. de Crectilo a Microempreelldedor Brazil 100.00% OCA Dinero Electr6nico SA Uruguay 100.00% OCA SA Uruguay 100.00% Oili Fundo de Inveslimenlo Mullimercado erectilo Privado Inveslimenlo no Exterior Brazil 100.00% Redecard Inslilu~o de Pagamenlo SA Brazil 100.00% RT lIau OJ Trlulos Publicos Fundo de Jnveslimenlo Renda Fixa Referenciado 01 Brazil 100.00% RT Scala Renda Fixa-Fundo de Investimento em Colas de Fundos de Inveslimenlo Brazil 100.00% RT Voyager Renda Fixa Credilo Privado-Fundo de Inveslimenlo Brazil 100.00% Taruma Fundo Incentivado de Investimenlo em Deb~ntures de Infraestrutura Renda Fixa Crectilo Privado Brazil 100.00% 1) As of December 2019, Ihe funds Crectilo Universilario FlOC I and Credilo Universilario FlOC II were consolidated in the lIau Unibanco Holding S.A Prudential Conglomerale. 2) The institutions operate in their respective countries of origin. Itaú Unibanco 14

Risk and Capital Management-Pillar 3 Institutions that comprise the Financial Statements of Itaú Unibanco Holding Institutions that comprise the Financial Statements of ltau Unibanco Holding Institutions that comprise only the Financial Statements Country I' ) % Equity share on capital Aj II Titulos Publicos Fundo de Investimento Renda Fixa Referenciado 0 1 Brazil 57.96% Albarus SA Paraguay 10000% Ank Platform SA Argentina 10000% BICSA Holdings, Ltd. Cayman Islands 10000% Borsen Renda Fixa Credito Privado-Fundo de Investimento Brazil 10000% CGB II SPA Chile 10000% CGB III SPA Chile 10000% Cia . Itau de Capitalizayao Brazil 10000% Estrel Servic;;os Administrativos SA Brazil 10000% FC Recovery SAU. Argentina 100.00% FIC Promotora de Vendas Ltda. Brazil 50.00% iCarros Ltda. Brazil 10000% IGA Participac;6es SA Brazil 10000% Investimentos Bemge S.A. Brazil 86 .81% Itau Administradora General de Fondos SA Chile 39.22% Itau Asesorias Financieras Limitada Chile 39.22% Itau Asia Limited Hong Kong 100.00% Itau Asset Management Administradora de Fondos Patrimoniales de Inversi6n SA Paraguay 10000% Itau Asset Management SA Sociedad Gerente de Fondos Comunes de Inversi6n Argentina 10000% Itau Bahamas Directors Ltd. Bahamas 10000% Itau Bahamas Nominees Ltd. Bahamas 10000% Itau BBA International (Cayman) Ltd. Cayman Islands 10000% Itau BBA Mexico, SA de CV (2) Uruguay 100.00% Itau BBA Trading SA Brazil 100.00% Itau Chile Inversiones, Servicios y Admin istracion SA Chile 10000% Itau Consultoria de Valores Mobiliarios e Participac;6es SA Brazil 10000% Itau Corredor de Seguros Colombia SA Colombia 31 .37% Itau Corredores de Seguros SA Chile 39.22% Itau Corretora de Seguros SA Brazil 100.00% Itau Europa Luxembourg SA Luxembourg 100.00% Beta Correspondente e Tecnologia Ltda. (3) Brazil 10000% Itau Institucional Renda Fixa Fundo de Investimento Brazil 10000% Itau International Holding Limited United Kingdom 10000% Itau Participayao Ltda. Brazil 100.00% Itau Rent Administrayao e Participac;6es Ltda. Brazil 10000% Itau Seguros Paraguay SA (4) Paraguay 10000% Itau Seguros SA Brazil 10000% Itau Unibanco Asset Management Ltda. Brazil 10000% 1) The institutions operate in their respective countries of origin. 2) The company is transferring its location from Mexico to Uruguay. Awaiting local approvals. 3) Current denomination of Itau Gestao de Vendas Ltda. 4) Current denomination of Providencia SA de Seguros. Itaú Unibanco 15

Risk and Capital Management-Pillar 3 The institutions presented in the tables above represent the total scope of companies of Itaú Unibanco Holding. Institutions that comprise only the Financial Statements Country (') % Equity share on capital Itau USA Asset Management Inc. United States 10000% Itau Vida e Previdencia SA Brazil 10000% Itauseg Participac;oes SA Brazil 10000% Itauseg Saude SA Brazil 10000% Itauseg Seguradora SA Brazil 10000% ITB Holding Brasil Participac;oes Ltda. Brazil 10000% IU Corretora de Seguros Ltda. Brazil 10000% IUPP SA Brazil 10000% Karen International Limited Bahamas 10000% Kinea Investimentos Ltda. Brazil 8000% Itau Unibanco Comercializadora de Energia Ltda. (2) (2) Brazil 10000% Maxipago Serviyos de Internet Ltda. Brazil 10000% MCC Asesorias SpA Chile 10000% Mundostar SA Uruguay 10000% Proserv-Promociones y Servicios, SA de CV. Mexico 100.00% Provar Negocios de Varejo Ltda. Brazil 100.00% Recaudaciones y Cobranzas Limitada Chile 39.22% Recovery do Brasil Consultoria SA Brazil 10000% RT Aim 5 Fundo de Investimento Renda Fixa Brazil 10000% RT Aim Soberano 2 Fundo de Investimento Renda Fixa Brazil 10000% RT Defiant Multimercado-Fundo de Investimento Brazil 10000% RT Endeavour Renda Fixa Credito Privado-Fundo de Investimento Brazil 10000% RT Multigestor 4 Fundo de Investimento em Cotas de Fundos de Investimento Multimercado Brazil 10000% RT Nation Renda Fixa-Fundo de Investimento Brazil 10000% RT Valiant Renda Fixa-Fundo de Investimento Brazil 10000% SAGA II SPA Chile 10000% SAGA III SPA Chile 10000% SP Aclimac;ao Ltda. Brazil 10000% SP Augusta Ltda. Brazil 10000% SP Av Juscelino Kubitschek Ltda. Brazil 10000% SP Av Luis Carlos Berrini Ltda. Brazil 10000% SP Av Morumbi Ltda. Brazil 10000% SP Bairro Sumarezinho Ltda. Brazil 10000% SP Chacara Santo Antonio Ltda Brazil 100.00% SP Rua da Consolac;ao Ltda. Brazil 10000% SP Sao Judas Tadeu Ltda. Brazil 10000% Topaz Holding Ltd. Cayman Islands 10000% Tulipa SA Brazil 10000% Union Capital AFAP SA Uruguay 10000% Zup LT. Soluyoes em Informatica Ltda. Brazil 52.96% 1) The institutions operate in their respective countries of origin. 2) Current denomination of Linear Comercializadora de Energia Ltda. The institutions presented in the tables above represent the total scope of companies of Itau Unibanco Holding. Itaú Unibanco 16

Risk and Capital Management-Pillar 3 Non Consolidated Institutions Material entities Total assets, stockholders' equity, country and the activities of the material entities, including those subject to the risk weight for the purpose of capital requirements are as follows: Non Consolidated Institutions Non consolidated Institutions (1) Country (2) % Equity share on capital BSF Holding SA Brazil 4900% Compania Uruguaya de Medios de Procesamiento SA Uruguay 29.24% Conectcar Soluc;;oes de Mobilidade Eletr6nica SA Brazil 5000% Gestora de Inteligencia de Credito S.A Brazil 19.64% Kinea Private Equity Investimentos SA Brazil 8000% Olimpia Promoc;ao e Servi90s SA Brazil 5000% Porto Seguro Itau Unibanco Participac;;oes SA Brazil 42.93% PravalerSA Brazil 52.64% Rias Redbanc SA Uruguay 2500% Tecnologia Bancaria SA Brazil 2805% 1) XP Cayman Company was spun off to XP Part on 05/31 /2021 . 2) The institutions operate in their respective countries of origin. Material entities Total assets, stockholders' eq uity, country and the activities of the material entities, including those subject to the risk weig ht for the purpose of capital requirements are as follows: R$ million 09/3 012021 0613012021 Institutions Country Activity Total Assets Equity Total Assets Equity Cia. Ilau de CapitaHzayao Brazil Premium bonds 3,785 375 3,907 356 Itau Consultoria de Valores MobHiarios e Partjcipa~s SA Brazil Financial institution holding company 1.477 984 1,389 1.337 Ilau Correlora de Seguros SA Brazil Insuranoe, pension plans and health brokers 1,453 758 1,272 646 Itau Seguros SA Brazil Insurance 5,948 1,631 6,045 1,568 Itau Vida e Previdl!ncia SA Brazil Pension plan 215,275 3,229 219,265 3,464 Itauseg Participayoes SA Brazil Non financial institution holding company 10,162 10,131 10,342 10,332 ITB Holding Brasil Partlcipa¢es ltda. Brazil Financial institution holding company 25,206 24,177 23,379 22,522 Provar Neg6cios de Varejo ltda. Brazil Other auxilial)' activities for financial services 2,341 2,287 2,303 2,254 Itaú Unibanco 17

Risk and Capital Management-Pillar 3 Composition of Capital CCA: Main features of regulatory capital instruments The authorized regulatory capital instruments may be extinguished according to the criteria established in Resolution nº 4,192 in articles 17, item XV, or 20, item X, such as non-compliance with the minimum regulatory ratios, decree of temporary special administration regime or intervention, application of public resources or upon the Central Bank of Brazil determination. Should any criteria for the extinction of subordinated instruments be triggered, the area responsible for Itaú Unibanco's Capital management will activate the areas involved to execute the following action plan: • The treasury, through the payment agent of the subordinated instruments or straight through the central depository, will notify its holders and take actions to ensure that Itaú Unibanco's trading desks c ease to trade such instruments; • The operational and accounting areas will carry out the necessary procedures for the proper treatment of the extinction; and • The Investor Relations area will communicate the market of the extinction of the subordinated instruments. The table CCA-Main features of regulatory capital instruments, is available at www.itau.com.br/inves tor -relations , section "Results and Reports", "Regulatory Reports", "Pillar 3". Itaú Unibanco 18

Risk and Capital Management-Pillar 3 CC1-Composition of regulatory capital CC1-Composition of regulatory capital 09/3012021 Value (R' Balance Sheet Thousand) Reference Common Equity Tier I: instruments and reserves 1 Instruments Eligible for the Common Equity Tier I 90 ,729,000 ('I 2 Revenue reserves 50 ,255,321 (II 3 Other revenue and other reserve (1 ,003,882) (ml 5 Common share capital issued by subsidiaries and held by third parties (amount allowed in group CET1 capital) 10,059,304 UI • Common Equity Tier I before regulatory adjustments 150,039,743 Common Equity Tier I: prudential adjustments 7 Prudential adjustments related to the pricing of finanCial instruments 234,913 8 Goodwill (net of related tax liability) 3,766,398 ('I 9 Intangible assets 12,726,296 (h ) / (I) Tax credits arising from income lax losses and social contribution lax loss carryfowards and those Originating from this contribution 10 3,557,031 (bl related to determination periods ended until December 31 , 1998 11 Adjustments related to the mari(et value of derivative financial instruments used to hedge the cash flows of protected items whose mari(- (7 ,662) to-mari(et adjustments are not recorded in the books. 15 Actuarial assets related to defined benefit pension funds ('I 16 Shares or other instruments issued by the bank authorized to compose the Core Capital, acquired directly, indirectly or synthetically 527 ,809 (01 17 Reciprocal cross-holdings in common equity Total value of adjustments related to net non-significant investments in the Common Equity TIer I of companies that are similar to non-18 consolidated financial institutions, insurance companies, reinsurance companies, capitalization companies and sponsored pension fund entities Total value of adjustments related to net significant investments in the Common Equity Tier I of companies that are similar to non-19 consolidated financial institutions, insurance companies, reinsurance companies, capitalization companies and sponsored pension fund entities, that exceeds 10% of the amount of the Common Equity Tier I, disregarding specific adjustments Total value of adjustments related to tax credits arising from temporary differences that depend on the generation of income or future 21 taxable income for their realization, above the limit of 10% of the Common Equity TIer I, disregarding specific deductions 1,467,093 22 Amount that exceeds 15% of the Common Equity Tier I 4,220,991 Of which: arising from net investments in the Common Equity Tier I of companies that are similar to non-consolidated financial 23 1,823,509 institutions, insurance companies, reinsurance companies, capitalization companies and open ended pension entities 25 Of which: arising from tax credits resulting from temporary differences that depend on the generation of income or future taxable income 2,397,482 for their realization 26 National specific regulatory adjustments 26. a Deferred permanent assets (,I 26.b Investment in dependence, financial Institution abroad or non-financial entity that is part of the conglomerate, with respect to which the Central Bank: of Brazil does not have access to information, data and documents 26.d Increase of unauthorized capital 26.e Excess of the amount adjusted of Common Equity Tier I 26.f Deposit to cover capital deficiency 26.g Amount of intangible assets established before Resolution No. 4,192 of 2013 comes into effect (i) 26.h Excess of resources invested on permanent assets 26.i Total capitaldetadled 26.j Other residual differences concerning the Common Equity Tier I calculation methodology for regulatory purposes 27 Other residual differences related to the calculation of the Common Equity Tier I for regulatory purposes 28 Total regulatory deductions from the Common Equity Tier I 26,492,869 29 Common Equity Tier I 123,546,874 Additional Tier I Capital: instruments 30 Instruments eligible for the Additional Tier I Capital 17,713,001 31 Of which: classified as equity under applicable accounting standards 32 Of which: classified as liabilities under applicable accounting standards 17,713,001 33 Instruments authOrized to compose the Additional Tier I capital before Resolution No . 4, 192 of 2013 comes into effect 34 Additional Tier 1 instruments issued by subsidiaries and hekl by third parties (amount allowed in group additional Tier 1 capital) 149,280 35 Of which: instruments issued by subsidiaries before Resolution No. 4, 192 of 2013 comes into effect 36 Additional Tier I Capital before regulatory adjustments 17,862,281 Itaú Unibanco 19

Risk and Capital Management-Pillar 3 Additional Tier I Capital: regulatory adjustments Shares or other instruments issued by the bank: authorized to compose the Additional TIer I Capital, acquired directly, indirectly or 37 synthetically 38 Reciprocal cross-holdings in additional Tier 1 instruments Total value of adjustments related to net non-signifICant investments in the Additional Tier I Capital of institutions authorized to operate by 39 the Central Bank of Brazil Of by a financial institution abroad outside the scope of regulatory consolidation Total value of adjustments related to net significant investments in the Additional Tier I Capital of Institutions authorized to operate by the 40 Central Bank of Brazil or by a financial institution abroad outside the scope of regulatory consolidation 41 National specific regulatory adjustments 41.b Non-controlling interest in Additional Tier I Capital 41 .c Other residual differences concerning the Additional Tier I Capital calculation methodology for regulatory purposes 42 Regulatory adjustments applied to the Additional Tier I Capital due to the insufficient Tier II Capital to cover deductions 43 Total regulatory deductions from the Additional Tier I Capital 44 Additional Tier I Capital (AT1) 17,862,281 45 Tier I 141 ,409,155 Tier II: Instruments 46 Instruments eligible for Tier II 17,050,159 47 Instruments that are authorized to compose Tier II before Resolution No. 4,192 of 2013 comes into effect 2,559,815 48 Tier 2 instruments issued by subsidiaries and hekl by third parties (amount allowed in group Tier 2) 79,572 49 Of which: instruments issued by subsidiaries before Resolution No. 4,192 of 2013 comes into effect 51 Tier II before regulatory adjustments 19,689,546 Tier II: regulatory adjustments 52 Shares or other instruments issued by the bank authorized to compose Tier II , acquired directly, indirectly or synthetically 53 Reciprocal cross-holdings in Tier 2 instruments Total value of adjustments related to net non-signifICant investments in the Tier II and other TLAC liabilities of institutions authorized to 54 operate by the Central Bank of Brazil or by a financial institution abroad outside the scope of regulatory consolidation Total value of adjustments related to net significant investments In the Tier II and other TLAC liabilities of institutions authorized to operate 55 by the Central Bank of Brazil or by a financial institution abroad outside the scope of regulatory consolidation 56 National specific regulatory adjustments 56.b Non-controlling interest in Tier II 56.c Other residual differences concerning Tier II calculation methodology for regulatory purposes 57 Total regulatory deductions from Tier II Capital 58 Tier II 19,689,546 59 Referential Equity (Tier I + Tier II) 161 ,098,701 60 Total risk-weighted assets 1,095,193,630 S IS Ratios and Additional Capital Buffers 61 Common Equity Tier I Ratio 11 ,3% 62 Tier I Ratio 12.9% 63 SIS Ratio 14.7% 64 Additional Capital Buffers (% of RWA) 2.625% 65 Of which: capital conservation buffer requirement 1.625% 66 Of which: bank-specific countercyclical buffer requirement 67 Of which: capital buffer for institutions that are systemically important at global level (G-SIB) 1.0% 68 Common Equity Tier 1 capital available after meeting the bank's minimum capital requirements (% of RWA) 4.0% Amounts below the limit for deduction (non-weighted by risk) Total value, subject to risk weighting, of non-significant investments in the Common Equity Tier I of institutions authorized to operate by the Central Bank of Brazil, non-consolklated overseas financial institutions, companies that are similar to non-consolklated financial institutions, 72 insurance companies, reinsurance companies, capitalization companies and open ended pension entities, as well as non-signifICant 1,235,594 investments In the Additional Tier I, Tier II and other TLAC liabilities of institutions authorized to operate by the Central Bank of Brazil or by a financial institution abroad outside the scope of regulatory consolidation Total value, subject to risk weighting, of sign indicant investments in the Common Equity Tier I of institutions authorized to operate by the 73 Central Bank of Brazil, non-consolklated overseas financial institutions, companies that are similar to non-consolklated financial institutions, 8,006,017 (f) / (a) insurance companies, reinsurance companies, capitalization companies and sponsored pension fund entities 75 Tax credits arising from temporary differences, not deducted from the Common Equity TIer I 17,951 ,733 (oj Instruments authorized to compose the Referential Equity before Resolution No. 4,192 of 2013 comes into effect (applicable between October 1, 2013 and J January 1, 2022) 82 Instruments that are authorized to compose the Additional TIer I Capital before Resolution No. 4,192 of 2013 comes into effect 83 Amount excluded from the Additional Tier I Capita! due to the line 82 limit 84 Instruments that are authorized to compose Tier II before Resolution No. 4,192 of 2013 comes into effect 2,559,815 85 Amount excluded from Tier II due to the line 84 limit 36,885,31 t Itaú Unibanco 20

Risk and Capital Management-Pillar 3 CC2: Reconciliation of regulatory capital to balance sheet R$ million, at the end of the period 0913012021 Balance Sheet as in Under regulatory published financial scope of Reference 121 statements consolidation Consolidated Balance Sheet PJ Assets Current assets and Long-term receivables 2,125,454 1,896,419 Cash 42,222 42 ,125 Interbank investments 241 ,985 239,502 Securities and derivative financial instruments 739 ,455 519,407 Interbank accounts 152,531 152,532 Interbank accounts 260 260 Loan, lease and other credit operations 725 ,667 726 ,555 Other receivables 220 ,094 212 ,897 Deferred tax assets 58,846 (b)l(e ) Sundry 154,051 (b) l(d ) Other assets 3,240 3,141 Permanent assets 29,425 46,731 Investments 6,758 25,243 (a) I (e)I(' ) Real estate 6,267 5,773 Goodwill and Intangible assets 16,400 15,715 Goodwill 2,892 (e) Intangible assets 12,726 (h) I O) Other 97 Total assets 2,154,879 1,943,150 Liabilities Current and Long -term Liabilities 2,001,458 1,789,709 Deposits 818,734 823,289 Deposits received under securities repurchase agreements 281 ,805 281 ,865 Funds from acceptances and issuance of securities 132,616 132, 616 Interbank accounts 62,275 62,275 tnterbranch accounts 11 ,545 11 ,549 Borrowings and onlending 93,309 93 ,309 Derivative financial instruments 70,767 70,770 Technical provision for insurance, pension plan and capitalization 218,544 Provisions 16,745 16,330 Allowance for financial guarantees provided and loan commitments 4,621 4,621 Other liabilities 290,497 293,085 Deferred lax liabilities 2,345 (b)1 (e) Sundry 290,740 (d ) Deferred income 3,268 3,329 Non-controlling interest in subsidiaries 10,805 10,660 OJ Stockholders' equity 139,348 139,452 Capital 90,729 90,729 (k) Other Revenues and Other Reserves (2,259) (1,004) (m) Revenue reserves 51,406 50 ,255 (I) (Treasury shares) (528) (528 ) (n) Total liabilities and stockholders' equity 2,154,879 1,943,150 1) Differences are mainly due to non-consolldation of non financial companies (highlighting the following companies: Insurance, Pension Plan and Premium Bonds) within the Prudencial Conglomerate and also by the eliminations of transactions with related parties. 2) Prudential information that is presented in the Template CC1 of this document. Itaú Unibanco 21

Risk and Capital Management-Pillar 3 Macroprudential Indicators CCyB1: Geographical distribution of credit risk exposures considered in the calculation of the Countercyclical Capital Buffer The following table details the geographic distribution of credit risk exposures considered in the calculation of the Countercyclical Capital Buffer, according to Circular 3,769 of 29 October 2015: RS million 09130/2021 Exposure values and/or risk- weighted assets (RWA) used in the computation of the countercyclical capital buffer Bank-specific Geographical breakdown Countercyclical Countercyclical capital Amount of credit risk exposure countercyclical capital buffer amount l3'1 capital buffer rate buffer rate to the non-banking private RWACPrNB sector Brazil 1,511,889 635 ,189 Luxembourg 0.50% 1,017 636 Norway 1.00% 362 247 Hong Kong '.00% 114 114 Sum (1) 1,513,382 636 ,186 Total 121 1,845,444 855,765 1) Sum of RWACPrNBi portions related to credit risk exposures to the non-banking private sector in Brazil and jurisdictions with a percentage of the countercyclical buffer with values greater than zero. 2) Total ofRWA for non-bank private credit risk exposures to aU jurisdictions in which the bank has exposure, including jurisdictions with no countercyclical buffer percentage applied or with a countercyclical percentage equal to zero. 3) Calculated according to Circular 3.769, employing the discretionary exclusion of jurisdiction. GSIB1: Disclosure of G-SIB indicators The GSIB1 table, disclosure of global systemically important bank (G-SIB) indicators, will be available on the website www.itau.com.br/investor-relations, section "Reports", "Pillar 3 and Global Systemically Important Banks ", within the period stipulated by BACEN Circular 3.751/15. Leverage Ratio The Leverage Ratio is defined as the ratio between Tier I Capital and Total Exposure, calculated according to BACEN Circular 3,748. The ratio is intended to be a simple measure of non-risk-sensitive leverage, and so it does not take into account risk weights or risk mitigation. As required by BACEN Circular Letter 3,706, Itaú Unibanco monthly reports to BACEN the Leverage Ratio, which minimum requirement is of 3%. The following information is based on the methodology and standard format introduced by BACEN Circular 3,748. Itaú Unibanco 22

Risk and Capital Management-Pillar 3 LR1: Summary comparison of accounting assets vs leverage ratio exposure measure (RA) LR2: Leverage ratio common disclosure LR1: Summary comparison of accounting assets vs leverage ratio exposure measure (RA) 0913012021 06130(2021 R$ million Total consolidated assets as published financial statements 2,154,879 2,065,744 Adjustment from differences of consolidation (211 ,729) (215,060) Total assets of the individual balance sheet or of the regulatory consolidation, in the case of Leverage Ratio on a consolidated basis 1,943,150 1,850,684 Adjustments for derivative financial instruments 22,796 29,603 Adjustment for securities financing transactions (ie repos and similar secured lending) 15,744 14,151 Adjustment for off-balance sheet items (ie conversion to credit equivalent amounts of off-balance sheet exposures) 141 ,979 140,071 Other adjustments (154,152) (151 ,121 ) Total Exposure 1,969,517 1,883,388 LR2: Leverage ratio common disclosure RS million 09/3012021 06f30/2021 Items shown in the Balance Sheet Balance sheet items except derivative financial instruments, securities received on loan and resales for settlement under repurchase transactions 1,553,170 1,493,401 Adjustments for equity items deducted in the calculation of Tier I (28,162) (23 ,770) Total exposure s hown In the Balance Sheet 1,525,008 1 ,469,631 Transactions using Derivative Financial Instruments Replacement value for derivatives transactions 55,136 46,564 Potential future gains from derivatives transactions 15,298 15,591 Adjustment for collateral in derivatives transactions Adjustment related to the deduction of the exposure because of the qualified central counterparty (QCCP) in derivative transactions on behalf of clients in which there is no contractual obligation to reimburse due to bankruptcy or default of the (6 ,452) (9,384) entities responsible for the settlement and compensation of transactions Reference value for credit derivatives 16,581 23,718 Adjustment of reference value calculated for credit derivatives (4 ,244) (3,960) Total exposure for derivative financial instruments 76,319 74,529 Repurchase Transactions and Securities Lending (TVM) Investments in repurchase transactions and securities lending 166,600 159,040 Adjustment for repurchases for settlement and creditors of securities lending Amount of counterparty credit risk 15,744 14,151 Amount of counterparty credit risk in transactions as intermediary 23,867 25,966 Total exposure for repurchase transactions and securities lending 226,211 199,157 Off-balance sheet Items Reference value of off-balance sheet transactions 453,297 435,217 Adjustment for application of FCC specific to off-balance sheet transactions (311 ,318) (295 ,146) Total off-balance sheet exposure 141 ,979 140,071 Capital and Total Exposure Tier I 141 ,409 141 ,674 Total Exposure 1,969,517 1,883,388 Leverage Ratio Basel 111 Leverage Ratio 7,2% 7.5% Itaú Unibanco 23

Risk and Capital Management-Pillar 3 Liquidity Ratios LIQA: Liquidity Risk Management Information Framework and Treatment Liquidity risk is defined as the likelihood of the institution not being able to effectively honor its expected and unexpected obligations, current and future, including those from guarantees commitment, without affecting its daily operations or incurring in significant losses. In line with the fundraising strategy, Itaú Unibanco has diversified and stable sources of funding available, monitored through concentration and maturity indicators, in order to mitigate liquidity risks, in accordance with the ins titution's risk appetite. The governance of the liquidity risk management is based on advisory boards, subordinated to the Board of Directors or the executive structure of Itaú Unibanco. Such boards establish the institution's risk appetites , define the limits related to the liquidity control and monitor the liquidity indicators. The control of the liquidity risk is carried out by an area that is independent of the business areas, responsible for defining the composition of the reserve, estimating the cash flow and the exposure to liquidity risk in different time horizons and monitoring short and long term liquidity indicators (LCR and NSFR respectively). In addition, it proposes minimum limits to absorb losses in stress scenarios for each country where Itaú Unibanco operates and reports any non-compliance to the competent authorities. All activities are subject to verification by the independent validation, internal controls and audit departments. Additionally, and pursuant to the requirements of Resolution 4,557, BACEN Circular 3,749 and Circular 3,869, the Liquidity Risk Statement (DRL-LCR) and the Long Term Liquidity Statement (D LP-NSFR) are monthly sent to BACEN. Finally, the following items are periodically prepared and submitted to senior management for monitoring and decision support: • Stress of liquidity indicators based on macroeconomic scenarios, simulation of reverse stress based on risk appetite, and projection of the main liquidity indicators to support decisions; • Contingency and recovery plans for crisis situations, with actions that provide for a gradation according to the level of criticality determined by the easiness of implementation, taking into account the characteristic s of the local market in which it operates, seeking a rapid restoration of liquidity indicators; • Reports and graphs that describe risk positions; • Concentration indicators of funding providers and time. The document that details the liquidity risk control institutional policy is on the Investor Relations website https://www.itau.com.br/investor-relations,section "Itaú Unibanco", under "Corporate Governance", "Rules and Policies, Reports". Itaú Unibanco 24

Risk and Capital Management-Pillar 3 LIQ1: Liquidity Coverage Ratio (LCR) Itaú Unibanco has High Quality Liquidity Assets (HQLA) that amounted to R$ 315.8 billion on average for the quarter, mainly composed of Sovereign Securities, Central Bank Reserves and Cash. Net Cash Outflows amounted to R$ 184.6 billion on average for the quarter, which are mostly comprised of Retail Funding, Wholesale, Additional Requirements, Contractual and Contingent Obligations, offset by Cash inflows from loans and other Cash inflows. The table shows that the average LCR in the quarter is 171.1%, above the limit of 100% and therefore the institution has high quality liquidity resources comfortably available to support the losses in the standardized stress scenario for the LCR. 09/30/2021 (1) 06/30/2021 (1) Total unweighted Total weighted Total unweighted Total weighted value (In value (In value (In value (In thousand R$) 12) thousand RS) P) thousand RS) (2) thousand RS) P! High Quality Liquidity Assets (HQLA) Total High Quality Liquid Assets (HQLAI 315,791,488 324,439,861 Cash Outflows (4) Retail deposits and deposits from small business customers, of which: 456,955,585 42 ,091 ,736 449,155,165 39,851 ,660 Stable deposits 237 ,783.681 11 ,889,184 231 ,699,402 11 ,584 ,970 Less stable deposits 219,171 ,904 30 ,202,552 217,455,763 28 ,266,690 Unsecured wholesale funding , of which: 306,251,532 131 ,120,979 294 ,191,317 128,861,456 Operational deposits (all counterparties) and deposits in networks of cooperative banks 14,859,977 3,876,056 4 ,225,785 883 ,301 Non-operatr:mal deposits (aU counterparties) 290,680,822 126,534 ,190 288,992,011 127,004,634 Unsecured debt 710,733 710,733 973,521 973,521 Secured wholesole funding 24 ,364 ,829 19,272,569 Additional requirements, of which: 278,520,861 30 ,478,049 279,804,945 34 ,116.228 Outflows related to derivative exposures and other collateral requirements 26,329,596 12,494,428 36,908,048 16 ,828,182 Outflows related to loss of funding on debt products 550,584 550,584 874,988 874 ,988 Credit and liquidity facilities 251 ,640,681 17,433,037 242 ,021 ,909 16,413,058 Other contractual funding obligations 73,119,922 73 ,119,922 69 ,263,858 69 ,263,858 Other contingent funding obligations 140 ,094,481 20 ,841 ,761 131 ,236,223 22 ,057,334 Total Cash Outflows 322,017,276 313.423,105 Cash Inflows (4) Secured lending leg reverse repos) 147,065,585 1,184,488 177,069,032 924 ,418 Inflows from fully performing exposures 33,981,209 21,402,711 36,675,413 23 ,573,123 Other cash inflows 126,874,398 114,862,352 122,623,573 109,603 ,625 Total Cash Inflows 307,921 ,192 137,449,551 336,368,018 134,101 ,166 Total Adjusted Total Adjusted Value (5) Value (5) Total HQLA 315 ,791,488 324,4 39,861 Total net cash outflows 184,567,725 179,321 ,939 Liquidity Coverage Ratio (%) 171.1% 180.9% Itaú Unibanco 25

Risk and Capital Management-Pillar 3 LIQ2: Net Stable Funding Ratio (NSFR) LlQ2: Net Stable Funding Ratio (NSFR) Value per residual effeetive maturity term (R5 thousand) Greater than or equal r Weighted Value Lower than six Greater than or equal 0913012021 No Maturity ") l1l to six months, and (In thousand months to 1 year(1) lower than 1 year " RS )121 ' Available Stable Funding (ASF) Capital 197,682,759 197,682,759 Reference Enquiry. gross of regularity deductions 150,120,522 150,120,522 Other capital instruments not included in line 2 47,562,231 41,562,231 Retail Funding: 211 ,740,533 262,900,049 3,057,444 25,207,243 487,153,609 Stable Funding 128,240,650 112,003,910 118,298 87,369 228,432,063 less Stable Funding 83,499,883 150,896,139 2,939,146 25,119,814 236,121 ,526 Wholesale Funding: 75,662,375 610,098,300 53,773,225 115,099,937 311 ,184,277 Operational deposits and deposit of member cooperatives 15,580,433 1,190,211 OIlier Wholesale Fundng 60,081 ,942 610,098,300 53,773,225 115,099,937 303,364,060 Operations In which the Institution acts exclusively as intermediary}'. not undertaking any rights or obligations, even if eORtingen! 83,783,695 12,951 ,705 1 ,035,318 Other liability, In which: 101 ,797,914 125,357,582 87,252 2,787,462 2,811 ,068 Derivatives whose replace values are lower than zero 15,879,079 OIlier liabillity or equily elements no/ ",eluded ! e 101,797,914 109,678,503 87,252 2.167,462 2,611,088 Total Available Stable Funding (ASF) 978,801,733 131 Required Stable Funding (RSF1 Total NSFR high quality liquid assets (HQLA) 23,681 ,129 Operational deposits held at other financial Institutio ns Performing loans and securities (financial institutions, corporates and central banks) 5,269,016 402,108,S6ll 110,826,347 488,188,855 578,858,878 Performing loans 10 financial instituations secumd by Levell HQl.A 2,023,335 41 ,099,468 1,072,481 5,364,761 Performing loans 10 financial institutions secumd by non-Levell HQl.A and unsecumd performing loans 10 3,033,644 34,388,299 7,925,589 41 ,446,069 51 ,119,189 financial institutions Performing loans to non-financial corporate clients, loans 10 retail and small business customers, and loans 10 211 ,831 300,153,114 61 ,968,536 225,241 ,063 319,515,211 sovereigns, central banks, of which; With a risk weight of/less Illan or equal 35%. approach for credit risk, according to Circular 3,644. 4,756,290 3,091,589 Performing residential mongages. of which; 6,457,805 6,261,503 106,761 ,843 88,736,664 Which are In accordance to Circular 3,644, 2013, art 22 67,644,310 52,852,157 Securities that are not in default and do not qualify as NOLA, including exchange-traded equities 19,409,602 14,610,119 113,661,399 114,043,053 Operations In which the Institution acts exclusively as intermediary, not undertaking any righis or 93,592,919 9,436,601 1 ,273,040 obligations, even if contingent Other assets, In which: 71 ,374,197 167,270,135 8,026,081 85,957,057 187,988,626 Transactions will gold and commodilies, including 111058 willi expected physical sell/emenr Assets pos/ed as mitial margFl for derivaliV'es con/racts and participation in mutual guarantee funds of 14,676,151 12,646,428 clearinghouses or providers of clearing and settlement services which acts as central counterparty. Denvalives whose replacement values are higher than or equal 10 zero 21 ,598,333 1,080,441 1,080,44 1 Den'valives whose replacement values are less Ihan zero. gross of the deduction of { any collateral provided as 1,106,996 1,108,996 a result of deposit of variation margin AN other assets not included m the about categories 11 ,314,191 145,611 ,802 8,026,081 68,689,469 113,152,161 Off balance sheet transactions 530,048,459 7, 195,696 20,901,544 Total Required Stable Funding (RSF) 811 ,430,178 NSFR('1,) 120,6% 1) Corresponds to the total amount 01 available Stable funding (ASFjor Required Stable funding (RSF) 2) corresponds. to the amount after 01 . 3) to the Available funding (ASF) or Required state Funding (RSF) Total Adjusted Value (1 ) R$ thousand 09/30/2021 06/30/2021 Total Available Stable Funding (ASF) 978,801,733 949.810.938 Total Required Stable Funding (RSF) 811 ,430,178 774.164.845 NSFR (%) 120.6% 122.7% 1) Corresponds to the amount calculated after application of the weighting factors and limits set forth in BACEN Circular 3,869 Itaú Unibanco 26

Risk and Capital Management-Pillar 3 Itaú Unibanco has High Quality Liquidity Assets (HQLA) that amounted to R$ 978.8 billion on average for the quarter, mainly composed of Sovereign Securities, Central Bank Reserves and Cash. Net Cash Outflows amounted to R$ 811.4 billion on average for the quarter, which are mostly comprised of Retail Funding, Wholesale, Additional Requirements, Contractual and Contingent Obligations, offset by Cash inflows from loans and other Cash inflows. The table shows that the average LCR in the quarter is 120.6%, above the limit of 100%, and therefore the institution has high quality liquidity resources comfortably available to support the losses in the standardized stress scenario for the LCR. Credit Risk CRA: Qualitative information on credit risk management Itaú Unibanco defines credit risk as the risk of loss associated with: failure by a borrower, issuer or counterparty to fulfill their respective financial obligations as defined in the contracts; value loss of credit agreements resulting from deterioration of the borrower's, issuer's or counterparty's credit rating; reduction of profits or income; benefits granted upon subsequent renegotiations; or debt recovery costs. The management of credit risk is intended to preserve the quality of the loan portfolio at levels compatible with the institution's risk appetite for each market segment in which Itaú Unibanco operates. The governance of credit risk is managed through corporate bodies, which report to the Board of Directors or to the Itaú Unibanco executive structure. Such corporate bodies act primarily by assessing the competitive market conditions, setting the credit limits for the institution, reviewing control practices and policies, and approving these actions at the respective authority levels. The risk communication and reporting process, including disclosure of institutional and supplementary policies o n credit risk management, are also function of this structure. Itaú Unibanco manages the credit risk to which it is expos ed during the entire credit cycle, from before approval, during the monitoring process and up to the collection or recovery phase, with the periodic monitoring of troubled assets, which are defined as: • Overdue Transactions for more than 90 days; • Restructured Operations for Troubled Assets; • Counterparties that present inability to pay, whether by legal measures, bankruptcy, loss, among others; • Significant deterioration in credit quality, which can be identified by deterioration in internal rating metrics , guarantees honored, overdue exposure, among others. Additionally, if it is identified that a CNPJ may contaminate the counterparties, they may be marked as Troubled Assets. The monitoring contains information on significant exposures, including recovery history and prospects, as well a s restructuring information. These analyzes are generated monthly for executives and quarterly for the Board of Directors through the Risk and Capital Management Committee (CGRC). There is a credit risk management and control structure, centralized and independent of the business units which defines operational limits, risk mitigation mechanisms and processes, and instruments to measure, monitor and control the credit risk inherent to all products, portfolio concentrations and impacts to potential changes in the economic environment. Such structure is subjected to internal and external auditing processes. The credit's portfolio, policies and strategies are continuously monitored so as to ensure compliance with the rules and laws in effect in each country. The key assignments of the business units are (i) monitoring of the portfolios under their responsibility, Itaú Unibanco 27

Risk and Capital Management-Pillar 3 (ii) granting of credit, taking into account current approval levels, market conditions, the macroeconomic pros pec ts and changes in markets and products, and (iii) credit risk management aimed at making the business sustainable. Itaú Unibanco's credit policy is based on internal factors, such as: client rating criteria, performance and evolution of the portfolio, default levels, return rates and allocated economic capital, among others; and also take into acc account external factors such as: interest rates, market default indicators, inflation and changes in consumption, among others. With respect to individuals, small and medium companies, retail public, the credit ratings are as signed bas ed on statistical application (in the early stages of relationship with a customer) and behavior score (used for customers with whom Itaú Unibanco already has a relationship) models. For wholesale public, the classification is based on information such as the counterparty's economic and financial situation, its cash-generating capacity, and the business group to which it belongs , the current and prospective situation of the economic sector in which it operates. Credit proposals are analyzed on a case-by-case basis through the approval governance. The concentrations are monitored continuously for economic sectors and largest debtors , allowing preventive measures to be taken to avoid the violation of the established limits. Itaú Unibanco also strictly controls credit exposure to clients and counterparties, acting to reverse occasional limit breaches. In this sense, contractual covenants may be used, such as the right to demand early payment or require additional collateral. To measure credit risk, Itaú Unibanco takes into account the probability of default by the borrower, issuer or counterparty, the estimated amount of exposure in the event of default, past losses from default and concentration of borrowers. Quantifying these risk components is part of the lending process, portfolio management and definition of limits. The models used by Itaú Unibanco are independently validated, to ensure that the databases used in constructing the models are complete and accurate, and that the method of estimating parameters is adequate. Itaú Unibanco also has a specific structure and processes aimed at ensuring that other aspects of credit risk, such as country risk, are managed and controlled, described in the item "Other Risks". In compliance with CMN Resolution 4,557, the document "Public Access Report-Credit Risk," which d describes the guidelines established in the institutional ruling on credit risk control, can be viewed on the website www.itau.com.br/investor-relations, section "Itaú Unibanco", under "Corporate Governance", "Rules and Policies", "Reports". Itaú Unibanco 28

Risk and Capital Management-Pillar 3 CR1: Credit Quality of Asset 09/3012021 RS million Gross carrying values of Allowa nces, Unearned Revenues and Eel Non· defaulted Net values (a+b-c) Defaulted exposures (a) exposures (b) accounting provision Ie) Loans 27,528 848,361 129,887 746,003 Debt Securities 258 434 ,944 7,131 428,071 in which: Sovereigns 252,086 3,095 248,991 in which: Other Debts 258 182,858 4,036 179,080 Off· balance sheet exposures 452 ,463 745 451,717 Total 27,786 1,735,768 137,763 1,625,791 CR2: Changes in Stock of defaulted loans and debts securities Total R$ million Defauned loans and debt securilies at end of the previous reporting period (06130/2021) 24 ,879 Loans and debt securities that have defauned since the last reporting period 8,729 Amount returned to non-defauned status (4 17) Amount written off (5,937) Other changes 532 Defaulted loans and debt securities at end of the reporting period (09/30/2021) 27,786 CR2: Changes in Stock of defaulted loans and debts securities CRB: Additional disclosure related to the credit quality of assets The tables below contain additional disclosure related to the credit quality exposures reported in the table CR1. Where is informed breakdown of exposures by geographical area, industry and defaulted exposures. In addition, the total exposures by residual maturity by delay range, the total of restructured exposures and the percentage of the ten and one hundred largest exposures are reported. Itaú Unibanco 29

Risk and Capital Management-Pillar 3 Exposure by industry Exposure by remaining maturity Total Exposure Total defaulted loans and debt securities CR Portfolio Portfolio Total E)lposure (Net Total Exposure Defaulted Expected Credit values) (Gross values) Exposures Loss Companies 985,337 1,024,739 Companies 9,758 5,397 Public sector 309,987 314,078 Public: sector Energy 705 705 Ener9Y Petrochemical and Chemical 3,849 3,855 Petrochemical and Chemical Sundry 305,433 309,518 Sundry Private sector 615,350 710,661 Private sector 9,758 5,397 Sugar and Alcohol 9,415 9,941 Sugar and Alcohol 46 14 Agribusiness and Fertilizers 29,631 30,477 Agribusiness and Fertilizers 208 127 Food and Beverage 31 ,491 32.911 Food and Beverage 424 220 Banks and Other Financial institutions 65,824 66,744 Banks and Other Financial institutions 25 " capital Assets 10,818 11 ,289 Capital Assets 69 41 Pulp and Paper 4,648 4,7 16 Pulp and Paper 12 6 Electronic and IT 16,056 16,839 E~clronic and IT 24lJ " Packaging 5,532 5,729 Packaging " 5 Energy and Sewage 44,138 45,013 Energy and Sewage 12 (' ) Educible 6,543 6,944 Educible 95 47 Pharmaceuticals and Cosmetics 18,681 19,201 Pharmaceuticals and Cosmetics '" 78 Real Estale Agents 44,717 48,015 Real Estate Agents 890 622 Entertainment and Tourism 12,082 14,776 Entertainment and Tourism 799 411 Wood and Future 7,950 8,565 Wood and Furniture 107 59 Construction Matenal 10,847 11 ,618 Construction Matenal! '" 60 Steel and Metallurgy 14,286 15,034 Steel and Metallurgy 209 Media 1,247 1,291 Media 8 4 Mining 8,565 9,206 Mining 494 252 Infrastructure Work 15,207 16,245 Infrastructure Work 95 48 Oil and Gas 13,665 14,369 Oil and Gas '38 78 Petrochemical and Chemical 17,770 18,201 Petrochemical and Chemical 76 40 Healthcare 12,187 12,572 Health Care 47 24 Insurance and Reinsurance and Pension Plans 207 210 Insurance and Reinsurance and Pension Plans Telecommunications 11 ,878 12,206 Telecommunications 22 12 Clothing and Footwear 7,533 8,335 Clothing and Footwear 192 105 Trading 4,054 4,195 Trading 39 21 Transportation 37,865 40,927 Transportation 289 158 Domestic::: Appliances 4,634 4,728 Domestic Appliances 25 13 Vehicles and Auto parts 24 ,013 25,252 Vehicles and Auto parts 267 139 Third Sector 3,819 3,871 Third Sect Of 2 2 Publishing and Printing 3,412 3,789 Publishing and Printing 122 59 Commerce-Sundry 49,135 52,812 Commerce-Sundry 1,701 976 Industry- Sundry 13,622 13,734 Industry-Sundry 30 17 Sundry Services 65,223 69,418 Sundry Services 2,454 1,560 Sundry 48,655 51 ,488 Sundry 328 135 Exposure by remaining Remaining maturities of transactions (Net values) 1' 1 Remaining maturities of transactions (Gross values) 1' 1 up to 6 months 6 to 12 months 1 to 5 years above 5 years Total up to 6 months 6 to 12 months 1 to 5 years above 5 years Total 331 ,640 107,548 490,735 320,675 1,250,598 355 ,764 110,340 550,436 371,637 1,388,177 1) Do not consider the amount of credits to be released, Itaú Unibanco 30

Risk and Capital Management-Pillar 3 Overdue exposures Exposure by geographical area in Brazil and by country Overdue exposures R$ million 09/30/2021 Gross portfolio Overdue amounts (1) Less than 30 days 6,303 31 to 90 days 10,494 91 to 180 days 12,120 181 to 365 days 12,910 above 365 days 2,755 Total 44,582 1) According to Circular Letter 4,068, the table follows the same scope as table CRl. Exposure by geographical area in Brazil and by country Total Exposure Total defaulted loans and debt securities R$ million 09/3012021 R$ million 09/30/2021 Portfolio Portfolio Total Exposure (Net Total Exposure Defaulted Expected Credit values) (Gross values) Exposures Loss Southeast 740,275 811,919 Southeast 16.598 8,385 South 117,202 132 ,296 South 2,713 1,338 North 20 ,562 25,913 North 766 374 Northeast 94,433 11 1,809 Northeast 3,666 1,953 Midwest 53,412 61 ,583 Midwest 1,533 755 National territory (1) 248,992 252,051 National territory (1) Brazil 1 ,274,876 1,395,571 Brazil 25,276 12,805 Argentina 6,895 7.278 Argentina 51 46 Chile 183,371 189 ,280 Chile 1,71 1 1,044 Colombia 44 ,157 53,350 Colombia 566 379 United States 21,456 21,605 United States 13 9 Paraguay 16,271 16,566 Paraguay 93 74 United Kingdom 15,704 15 ,857 United Kingdom Swiss 3.576 3,577 Swiss Uruguay 26,090 26,442 Uruguay 76 64 Other 33 ,395 34 ,028 Other Foreign 350,915 367 ,993 Foreign 2,510 1,616 Total 1 ,625,791 1,763,554 Total 27,786 14,421 1) Considers only Brazilian treasury bonds_ Itaú Unibanco 31

Risk and Capital Management-Pillar 3 Largest debtors exposures Restructured exposures R$ million 09/30/2021 Loans, Deb! Securities and Off-balance sheet exposures (CR1 I (1) Exposure % of portfolio 10 largest debtors 318.731 20.0% 100 largest debtors 457.261 28.0% 1) According to Circular Letter 4,068, the table follows the same scope as table CR1, in which the exposure value considers sovereign debt securities. Restructured exposures 09/30/2021 R$ million Overdue Others Restructured Exposures 4,976 18,922 CRC: Qualitative disclosure related to Credit Risk Mitigation techniques Itaú Unibanco uses guarantees to increase its recovery capacity in operations subject to credit risk. The guarantees used can be financial, credit derivatives, fiduciary, real, legal structures with mitigation power and offsetting agreements. For these guarantees to be considered as credit risk mitigating instruments, it is necessary that they comply with the requirements and determinations of the that regulate them, whether internal or external, and that they are legally enforceable (effective), enforceable and regularly evaluated. The information regarding the possible concentration associated with the mitigation of credit risk considers these different mitigating instruments, segregating by type and by provider. For reasons of confidentiality , the institution determines the non-disclosure of information beyond the classification of the type of guarantor, but ensuring adherence to the general requirements. • Financial Guarantees: the borrower or third party highlights a financial as set (deposits, bonds , shares, shares of low-risk equity, among others), in such a way as to guarantee the creditor's reimbursement in case of default. • Fiduciary Guarantees and credit derivatives: a third party assumes the responsibility for fulfilling the obligation contracted by the debtor, which falls on the general equity of that third party. Avals, sureties and CD S are examples of these guarantees. Fiduciary guarantees are segregated into the following providers: Legal Entities; Multilateral Development Entities (EMD); Financial Institutions, Sovereigns, National Treasury or Central Bank. Itaú Unibanco also uses credit derivatives to mitigate the credit risk of its securities portfolios. These instruments are priced based on models that use the fair price of market variables, such as credit spreads, recovery rates, Itaú Unibanco 32

Risk and Capital Management-Pillar 3 and interest rates. They are also segregated into: Legal Entities; Multilateral Development Entities (EMD); Financial Institutions and Sovereigns. • Real Guarantees: the borrower himself or a third party highlights an asset or a set of as sets , movable or immovable, in such a way as to guarantee the reimbursement of the creditor in case of default. Examples of instruments and assets: mortgages on real estate, pledge of goods, fiduciary sale of real estate, vehicles, machinery and equipment. These guarantees are segregated by type: financial collateral, bilateral contracts and assets. • Clearing and Settlement of Obligations Agreement and legal structures with mitigating power: the clearing agreement aims to reduce the risk of credit exposure of one party to the other, resulting from transactions entered into between them, so that, in case of maturity, after offsetting, the net amount owed by the debtor to the creditor is identified. It is commonly used in derivative transactions, but it can also cover other types of financial transactions. In legal structures with mitigation power and compensation agreements, mitigation is based on methodologies established and approved by the business units responsible for credit risk management and by the centralized credit risk control area. Such methodologies consider factors related to the legal enforceability of the guarantees, the costs necessary for such and the expected value in the execution, taking into account the volatility and liquidity of the market. To control the mitigating instruments, there is periodic monitoring that monitors the level of compliance with the use of each instrument when compared to internal measurement policies, even including corrective action plans when there is noncompliance, analyzing concentration, types, providers, formalization. The parameters used are: HE (Haircut of execution) which evaluates the probability of success in executing the guarantee, HV (Volatility Haircut) rep resents the liquidity of the collateral being offered, and LMM (Maximum Mitigation Limit) which is the mitigation ceiling for real guarantees. CR3: Credit Risk mitigation techniques-overview(1) 09f30/2021 R$ million Exposures Exposures Exposures Unsecured Secured secured by Exposures Exposures secured by financial secured by collateral guarantees credit derivatives Loans 660,894 81 ,735 11 ,033 70 ,702 Debt securities 421,024 434 434 in which: Sovereigns 133,059 3,351 925 2,426 in which: Other Debts 345.440 4 .325 4,325 Total 1,560,417 89.845 16,717 73,128 Of which defaulted 6 ,586 246 34 212 1) The mitillatir'lg instruments contemplated in this table ilre those foreseen in SACEN Circular 3,809. Increase in credit concession mainly observed in the lines of companies and in retail, in credit card. In debt securities and other operations, the main variation comes from exposures to private securities Itaú Unibanco 33

Risk and Capital Management-Pillar 3 CR4: Standardized Approach - Credit Risk exposure and credit risk mitigation effects R$ million 0913012021 Exposures before CCF and CRM Exposures post-CCF and CRM RWA and RWA density Off- balance On. balance sheet Off. balance On- ballance Off· balance Asset classes amount(a) sheet amount (b) sheet amount (e) sheet amount (d) RWA(e) sheet amount [el(c+d)J Sovereigns and their central barlks 492,768 492,768 16,535 3% Non-cenlral government public sector entities 4,614 161 4,614 81 3.806 81% Multilateral development banis 357 357 Banks and other Financial Institutions authorized by Brazil Central Bank 120,041 4,945 120,041 2,038 44,032 36% Corporales 404,872 123,845 404,872 67 ,400 418,771 89% Regulatrny retail portfolios 286,930 313,157 286,930 62,551 241,648 69% Secured by residential property 103,602 2,834 103,602 2.834 38,280 36% Secured by commerdal real estate 235 226 235 226 230 50% Equity stake 19,611 19,611 18,912 96% Other assets 80,822 2,561 80,822 1.280 82,102 100% 52. Total 1,51 3,852 447,729 1,5 13,852 136,410 864,316 CR5: Standardized Approach-exposures by asset classes and risk weights R$m IlJlon Risk weight{FPR) 0913012<121 Total Asset classes 0% 10% 50% 85% 100% Others credit exposures ". '" '" amount/post CCF and posl..c RM) Sovereigns and the central banks 466,900 1,212 16,519 4,346 1,791 492,768 Non-cenlral government publIC sector entrt~ 90 33 '" 4,003 228 4,695 Mu~ilaleral development banks '" '" Sanks and other Financial authorized by Brazil Central Bank 1,676 56,717 2,527 S8,710 2,449 122.079 Corporates 11,671 14,373 229,211 216.399 '" 472,272 Regulatory retail portfolios e."" 48,946 286,721 3,229 349,481 Secured by resident... , property 99,699 6.656 "' 106.436 Seemed by commercial real eSlale ." ." EQUity slake ' .665 14 ,946 19,611 Other assets 82,102 82,102 Tobl 489,219 57,962 102,226 148,006 288,121 237,939 320,410 5,659 1,650,262 CR5: Standardized Approach - exposures by asset classes and risk weights The increase in the total exposure in tables CR4 and CR5 occurred mainly in the in the corporates and retail exposures and was partially offset by the reduction in exposures linked to governments and central banks Itaú Unibanco 34

Risk and Capital Management-Pillar 3 Counterparty Credit Risk (CCR) CCRA: Qualitative disclosure related to CCR Counterparty credit risk is the possibility of noncompliance with obligations related to the settlement of transactions that involve the trading of financial assets with a bilateral risk. It encompasses derivative financial instruments, settlement pending transactions, securities lending and repurchase transactions. Itaú Unibanco has well-defined rules for calculating its managerial and regulatory exposure to this risk, and the models developed are used both for the governance of consumption of limits and management of counterparties sub-limits, as well as for the allocation of capital, respectively. The managerial volatility of the potential credit risk (PCR) of derivatives (interpreted as the amount of potential financial exposure that an operation can reach until its maturity) and the volatility of repurchase agreements and foreign exchange transactions are monitored periodically to maintain the exposure at levels considered acceptable by the institution's management. The risk may be mitigated by the use of margin call, initial margin or other mitigating instrument. Currently, Itaú Unibanco does not have impact in the amount of collateral that the bank would be required to provide given a credit rating downgrade. The regulatory exposures of counterparty credit risk are presented as follows. CCR1: Analysis of CCR exposures by approach CCR3: Standardised approach - CCR exposures by regulatory portfolio and risk weights CCR1: Analysis of CCR exposures by approach 09/3012021 R$ million Replacement Multiplier applied to Potential future EAD the calculation of RWA cost exposure post mitigation EAD SA-CCR Approach 16,176 7,756 1.4 33,505 25,627 GEM Approach Simple Approach for CCR mitigation (for SFTs and asset loans) Comprehensive Approach for CCR mitigation (for SFTs and asset loans) 486,821 13,674 Total 39,301 CCR3: Standardised approach-CCR exposures by regulatory portfolio and risk weights Risk weight (FPR) 0913012021 R$ million Counterparties 0% 10% 20% 50% 75% 85% 100% 150"" Others Total Sovereigns 147,981 147,983 Non-oentral government public: sector entities 40 " Muilateral development banks and other Financial authorized by Brazil central Bank 79.185 880 13,513 " 94,193 Corporales 242,818 18,201 16,134 277,153 RegulalO!)' retail portfolios Other Counlerparties "9 '87 '" 953 Total 470,733 882 13,700 18,241 16,n O 520,326 In the tables CCR1 and CCR3 there was an increase in the exposure of repo operations mainly in central governments and central banks and in financial institutions and others authorized by the Central Bank of Brazil. Itaú Unibanco 35

Risk and Capital Management-Pillar 3 CCR5: Composition of collateral for CCR exposures CCR6: CCR associated with credit derivatives exposures CCR5: Composition of collateral for CCR exposures million 09/30/2021 R$ Collateral used in derivative transactions Collateral used in SFTs and asset loans Fair value of co llateral received Fair value of posted collateral Fair value of Fair value of 1 collateral received posted collateral Segregated Unsegregated Segregated Unsegregated Cash-domestic currency 5,186 181 ,395 218,712 Cash-other currencies 374 4 ,039 5,206 47,709 Domestic sovereign debt 3,466 238,935 182,254 Government agency debt 6,947 2 3,545 4,285 Corporate bonds 1,694 25,350 63 Equity securities 177 5 Other collateral Total 5,186 12,481 4,041 454,608 453,028 CCR6: CCR associated with credit derivatives exposures In R$ million 09/30/2021 Protection bought Protection sold Nationals Single-name credit default swaps 5,378 9, 816 Index credit default swaps 54 Total return swaps 6 ,711 Total notionals 5,378 16,581 Fair values 143 (68) Positive fair value (asset) 155 75 Negative fair value (liability) (12) (143) Itaú Unibanco 36

Risk and Capital Management-Pillar 3 CCR8: CCR associated with Exposures to central counterparties 09/30/2021 R$ million EAD (post-CRM) RWA Exposures to qualifying CCPs (QCCPs total) 2 ,856 Exposures for trades at accps (excluding initial margin and default fund contributions); of which 16,764 445 (i) over-the-counter (OtC) derivatives (ii) Exchange-traded derivatives 16,577 441 (iii) Securities financing transactions 177 4 (iv) Netting sets where cross-product netting has been approved 10 Segregated initial margin Non-segregated initial margin 6,436 2,357 Pre-funded default fund contributions 72 54 Exposures to non-QCCPs (total) Exposures for trades at non-OCCPs (excluding initial margin and default fund contributions); of which (i) over-the-counter (OTC) derivatives (ii) Exchange-traded derivatives (iii) Securities financing transactions (iv) Netting sets where cross-product netting has been approved Segregated initial margin Non-segregated initial margin Pre-funded default fund contributions There was a decrease in exposures associated with operations to be settled with central counterparties (QCCP), especially in the line of non-segregated initial margin. Securitisation Exposures SECA: Qualitative disclosure requirements related to securitisation exposures Currently, Itaú Unibanco coordinates and distributes issues of securitized securities in the capital mark et with or without a firm placement guarantee. In case of exercising the firm guarantee, the bank will assume the risk as an investor in the operation. Itaú Unibanco does not act as a sponsoring counterpart of any specific purpose company with the objective of operating in the securitisation market, nor does it manage entities that acquire securities issued or originated by their own. In relation to accounting, it should be noted that (i) assets representing third -party securitisations are accounted for as well as other assets owned by the Bank, according to the brazilian accounting standards; and (ii) securitisation credits originating from Itaú Unibanco's own portfolio remain accounted for in cases of credit assignment with co-obligation. In 2021, Itaú Unibanco did not carry out the sale of credit assets without substantial risk retention and did not as sign exposures with substantial risk retention, which have been honored, repurchased or written off as loss. Itaú Unibanco 37

Risk and Capital Management-Pillar 3 SEC1: Securitisation exposures in the banking book SEC2: Securitisation exposures in the trading book R$ million 09130/2021 Bank acts as originator Bank acts as sponsor Banks acts as investor Traditional Synthetic Subtotal Traditional Synthetic Subtotal Traditional Synthetic Subtotal Retail (total) · of which 2,922 2,922 residential mortgage credit card 777 777 other retail exposures 2,145 2,145 re- securitisation Wholesale (total) • of which 1,405 1,405 loans to corporales 1,405 1,405 commercial mortgage lease and receivables other wholesale re- securitisation In Itaú Unibanco's current securitization portfolio, there are no exposures to be reported in table SEC2. SEC3: Securitisation exposures in the banking book and associated regulatory capital requirements - bank acting as originator or as sponsor In Itaú Unibanco's current securitization portfolio, there are no exposures to be reported in table SEC3. SEC4: Securitisation exposures in the banking book and associated capital requirements-bank acting as investor R$ million 0913012021 Exposure values (by risk weight bands) Exposure values (by RWA (by regulatory Capital Requirements regulatory approach) approach) 20"1. " FPR 60% S FPR 100% S FPR Standardized Standardized Standardized 5200/. 1250% 1250% 1250°" 1250% < 50% < 100% < 1,250% approach approach approach Total exposures 4 ,045 '" '" 2 4,325 1,578 22 '" Traditional securltlsation 4,045 157 123 2 4,325 1,578 22 126 Of which securitisation 4 ,045 '" '" 2 4,325 1,578 22 126 Of which retail underlying 2 ,640 '" '" 2 2,920 1.226 22 98 Of which wholesale 1,405 1,405 352 28 01 which re· securitisation Synthetic securitisation 01 which securitisation Of which retail underlying Of which wholesale Of which re- securitisation Itaú Unibanco 38

Risk and Capital Management-Pillar 3 Market Risk MRA: Qualitative disclosure requirements related to market risk Market risk is the possibility of losses resulting from fluctuations in the market values of positions held by a financial institution, including the risk of operations subject to variations in foreign exchange rates, interest rates , equity and commodity prices, as set forth by CMN. Price Indexes are also treated as a risk factor group. The institutional policy for market risk is in compliance with Resolution 4,557 and establishes the management structure and market risk control, which has the function of: • Provide visibility and comfort for all senior management levels that market risks assumed must be in line with Itaú Unibanco risk-return objectives; • Provide a disciplined and well informed dialogue on the overall market risk profile and its evolution over time; • Increase transparency as to how the business works to optimize results; • Provide early warning mechanisms to facilitate effective risk management, without obstructing the business objectives; and • Monitoring and avoiding the concentration of risks. Market risk is controlled by an area independent of the business units, which is responsible for the daily activities: (i) measuring and assessing risk, (ii) monitoring stress scenarios, limits and alerts, (iii) applying, analyzing and stress testing scenarios, (iv) reporting risk to the individuals responsible in the business units , in c compliance with Itaú Unibanco´s governance, (v) monitoring the measures needed to adjust positions and /or risk levels to make them viable, and (vi) supporting the secure launch of new financial products. The market risk management framework categorizes transactions as part of either the Trading Book or the Baking Book, in accordance with general criteria established by CMN Resolution 4,557 and BACEN Circular 3,354. Trading Book is composed of all trades with financial and commodity instruments (including derivatives) undertaken with the intention of trading. Banking Book is predominantly characterized by portfolios originated from the banking business and operations related to balance sheet management, are intended to be either held to maturity, or sold in the medium and in the long term. The market risk management is based on the following key metrics: • Value at Risk (VaR): a statistical metric that quantifies the maximum potential economic loss expected in normal market conditions, considering a defined holding period and confidence interval; • Losses in Stress Scenarios (Stress Testing): a simulation technique to evaluate the impact, in the as sets , liabilities and derivatives of the portfolio, of various risk factors in extreme market situations (based on prospective and historic scenarios); • Stop Loss: metrics that trigger a management review of positions, if the accumulated losses in a given period reach specified levels; • Concentration: cumulative exposure of certain financial instrument or risk factor calculated at mark et value ("MtM-Mark to Market"); and Itaú Unibanco 39

Risk and Capital Management-Pillar 3 • Stressed VaR: statistical metric derived from VaR calculation, aimed at capturing the biggest risk in simulations of the current trading portfolio, taking into consideration the observable returns in historical scenarios of extreme volatility. In addition to the risk metrics described above, sensitivity and loss control measures are also analyzed. They include: • Gap Analysis: accumulated exposure of the cash flows by risk factor, which are marked -to-market and positioned by settlement dates; • Sensitivity (DV01 - Delta Variation Risk): impact on the market value of c ash flows when a 1 basis point change is applied to current interest rates or on the index rates; and • Sensitivities to Various Risk Factors (Greeks): partial derivatives of a portfolio of options on the prices of the underlying assets, implied volatilities, interest rates and time. In an attempt to fit the transactions into the defined limits, Itaú Unibanco hedges its client transactions and proprietary positions, including investments overseas. Derivatives are the most commonly used instruments for carrying out these hedging activities, and can be characterized as either accounting or economic hedge, both of which are governed by institutional regulations at Itaú Unibanco. The structure of limits and alerts is in alignment with the board of directors' guidelines, being reviewed and approved on an annual basis. This structure extends to specific limits and is aimed at improving the process of risk monitoring and understanding as well as preventing risk concentration. Limits and alerts are calibrated based on projections of future balance sheets, stockholders' equity, liquidity, complexity and market volatility, as well as the Itaú Unibanco's risk appetite. The consumption of market risk limits is monitored and disclosed daily through exposure and sensitivity maps . The market risk area analyzes and controls the adherence of these exposures to limits and alerts and reports them timely to the Treasury desks and other structures foreseen in the governance. Itaú Unibanco uses proprietary systems to measure the consolidated market risk. The processing of these systems takes place in an access-controlled environment, being highly available, which has data safekeeping and recovery processes, and counts on an infrastructure to ensure the continuity of business in contingency (disaster recovery ) situations. Itaú Unibanco 40

Risk and Capital Management-Pillar 3 MR1: Market risk under standardized approach There is a reduction in the Market Risk-Weighted Assets (compared to the previous quarter) both under the standardized approach and in the calculation considering the internal model. In both metrics, the reduction is due to lower exposures to interest risk factors in the Brazilian market and also to real interest rates in foreign units. MRB: Qualitative disclosures on market risk in the Internal Models Approach (IMA) In the internal models approach, the stressed VaR and VaR models are used. These models are applied to operations in the Trading Book and Banking Book. For the Trading Book, the risk factors considered are: interest rates, inflation rates, exchange rates, stocks and commodities. For the Banking Book, exchange rates and commodities are considered. The VaR and stressed VaR models are used in the companies of the prudential conglomerate that are presented in the following table Itaú Unibanco 41

Risk and Capital Management-Pillar 3 Institution Model considered for Market Risk A 1 Hedge Orange Master Fundo de Investimento Multimercado VaR and Stressed VaR Aj Titulos Publicos Fundo de Investimento Renda Fixa Referenciado 01 VaR and Stressed VaR Banco Investcerd Unibanco SA. VaR and Stressed VaR Banco Itau (Suisse)S.A . VaR and Stressed VaR Banco Itau Argentina S.A VaR and Stressed VaR Banco Itau BBA SA VaR and Stressed VaR Banco ltau Consignado S.A. VaR and Stressed VaR Banco Itau International VaR and Stressed VaR Banco Itau Paraguay SA VaR and Stressed VaR Banco Itau Uruguay S/A VaR and Stressed VaR Banco Ilau Veiculos S.A VaR and Stressed VaR Banco ItauBank: SA. VaR and Stressed VaR Banco Itaucard S.A. VaR and Stressed VaR Banco Itauleasing SA. VaR and Stressed VaR CLOUDWALK KICK ASS I FUNDO DE INVESTIMENTO EM DIRETIOUS CREDITORIOS VaR and Stressed VaR Credito Universitario FIDS I VaR and Stressed VaR Credito Universitario FIDC II VaR and Stressed VaR Dibens Leasing SA-Arrendamento Mercantil VaR and Stressed VaR Financeira Itati CSD SA Credito, Financiamento e Investimento VaR and Stressed VaR Fundo A1 Hedge Orange Fundo de Investimento em Cotas de Fundos de Investimento Mullimercado VaR and Stressed VaR Fundo De Invest DirCredit6rios Nao Padron NPL II VaR and Stressed VaR Fundo de Investimento em Direitos Credit6rios Nao-Padronizados Barzel VaR and Stressed VaR Fundo de Investimento em Direitos Credit6rios Rede VaR and Stressed VaR Fundo em Direitos Credit6rios Cielo Emissores I VaR and Stressed VaR Fundo Fortaleza de Investimento Imobiliario VaR and Stressed VaR Fundo Kinea Acoes VaR and Stressed VaR Goal Performance VaR and Stressed VaR Hipercard Banco Multiplo SA VaR and Stressed VaR Intrag Distribuidora de Titulos e Valores Mobiliarios Ltda. VaR and Stressed VaR Iresolve Companhia Securitizadora de Creditos Financeiros SA VaR and Stressed VaR lIau (Panama) SA VaR and Stressed VaR Itau Administradora de Cons6rcios Ltda. VaR and Stressed VaR ltau Asset Management Colombia SA Sociedad Fiduciaria VaR and Stressed VaR Itau Bank & Trust Bahamas Ltd. VaR and Stressed VaR lIau Bank & Trust Cayman Ud. VaR and Stressed VaR Itau Bank, Ud. VaR and Stressed VaR ltau BBA Europe SA VaR and Stressed VaR ltau BBA International Pic. VaR and Stressed VaR ltau BBA USA Securities Inc. VaR and Stressed VaR !tau Cia. Securitizadora de Creditos Financeiros VaR and Stressed VaR ltau Comisionisla de Bolsa Colombia SA VaR and Stressed VaR ltau CorpBanca VaR and Stressed VaR ltau CorpBanca Colombia SA VaR and Stressed VaR ltau CorpBanca New York Branch VaR and Stressed VaR ltau Corredores de Bolsa Limitada VaR and Stressed VaR ltau Corretora de Valores SA VaR and Stressed VaR ltau Oistribuidora de Titulos e Valores Mobiliarios SA VaR and Stressed VaR ltau EU Lux-Itau Latin America Equity Fund VaR and Stressed VaR Itau International Securities Inc_ VaR and Stressed VaR !tau Invest Casa de Bolsa S.A . VaR and Stressed VaR Itau Kinea Private Equity Mu!timercado Fundo de Investirnento em Cotas de Fundos de Investimento Credilo Privado VaR and Stressed VaR !tau OT Tilulos Publicos Renda Fixa Referenciado 01 Fundo de Investimento em Colas de Fundos de Inveslimento VaR and Stressed VaR Itau Securities Services Colombia SA Sociedad Fiduciaria VaR and Stressed VaR !tau Unibanco Holding SA VaR and Stressed VaR _ Itaú Unibanco 42

Risk and Capital Management-Pillar 3 Institution Model considered for Market Risk Itau Unibanco Holding SA, Grand Cayman Branch VaR and Stressed VaR ltau Unibanco SA VaR and Stressed VaR ltau UnibancoS.A., Grand Cayman Branch VaR and Stressed VaR ltau UnibancoS.A. , Miami Branch VaR and Stressed VaR Itau UnibancoS.A., Nassau Branch VaR and Stressed VaR Itau Unibanco Veiculos Administrator de Cons6rcios Ltda. VaR and Stressed VaR Itau Valores SA VaR and Stressed VaR Itauvest Distribuidora de litulose Val. Mobiliarios SA VaR and Stressed VaR ITB Holding Ltd . VaR and Stressed VaR Kinea Ac;:6es Funda de Investimento em Acoes VaR and Stressed VaR Kinea CO-investimenlo Funda de Investimenlo Imobitiario VaR and Stressed VaR Kinea I Private Equity FIP Mullieslralegia VaR and Stressed VaR Kinea KP Funda de Inveslimento Multimercado eredilo Privado VaR and Stressed VaR Kinea Ventures FIP VaR and Stressed VaR Licania Fund Limited VaR and Stressed VaR Luizacred SA Sociedade de Gredilo, Financiamento e Investimento VaR and Stressed VaR MeC SA Corredores de Bolsa VaR and Stressed VaR Microinvest SA Soc. de eredilo a Microempreendedor VaR and Stressed VaR OCA Dinero Electronico SA VaR and Stressed VaR OCA SA VaR and Stressed VaR Oiti Fundo de Investimento Mullimercado Credito Privado Investimento no Exterior VaR and Stressed VaR Redecard instituicao de Pagamento S.A VaR and Stressed VaR RT ltau DJ Titulor Publicos Fundo de Inveslimento Renda Fixa Referenciado DI VaR and Stressed VaR RT Scala Renda Fixa-Fundo de Investimento em Cotas de Fundos de Investimento VaR and Stressed VaR RT Voyager Renda Fixa Credito Privado-Fundo de Investimento VaR and Stressed VaR Taruma Fundo Incentivado de Investimento em Debentures de Infrestructure Renda Fixa Credito Privado VaR and Stressed VaR Itaú Unibanco, for regulatory purposes, uses the historical simulation methodology to calculate the VaR and Stressed VaR. This methodology uses the returns observed in the past to calculate the gains and losses of a portfolio over time, with a 99% confidence interval and a holding period of at least 10 days. On September 30, 2021, VaR represented 47% of the capital requirement, while the stressed VaR represented 53%. The same methodology is used for management purposes, that is, there are no differences between the managerial and regulatory models. In relation to the VaR model, the historical returns are daily updated. Itaú Unibanco uses in its VaR model both the unweighted approach, in which historical data have the same weight, and the weighted by the volatility of returns. For the calculation of volatilities, the Exponentially Weighted Moving Average method is used. The Historical VaR methodology with 10-day maintenance periods assumes that the expected distribution for possible losses and gains for the portfolio can be estimated from the historical behavior of the returns of the market risk factors to which this portfolio is exposed. The returns observed in the past are applied to current operations, generating a distribution of probability of losses and simulated gains that are used to estimate the Historical VaR, according to the 99% confidence level and using a historical period of 1,000 days. Losses and gains from linear operations are calculated by multiplying mark-to-market by returns, while non-linear operations are recalculated using historical returns. The returns used in simulating the movements of risk factors are relative. Regarding the Stressed VaR model, the calculation is performed for a time horizon of 10 working days, considering the 99% confidence level and simple returns in the historical period of one year. The historical stress period is periodically calculated for the period since 2004 and can be revised whenever deemed necessary. This can occur when the composition of Itaú Unibanco's portfolios changes significantly, when changes are observed in the results of the simulation of historical returns or when a new market crisis occurs. Losses and gains from linear operations are calculated by multiplying mark to market by returns, while non-linear operations are recalculated using historic al returns. Itaú Unibanco 43

Risk and Capital Management-Pillar 3 _ In addition to the use of VaR, Itaú Unibanco carries out daily risk analysis in extreme scenarios through a diversified framework of stress tests, in order to capture potential significant losses in extreme market situations. The scenarios are based on historical, prospective crises and predetermined shocks in risk factors . One factor that has a great influence on the results of the tests, for example, is the correlation between the assets and the respective risk factors, and this effect is simulated in several ways in the various scenarios tested. In order to identify its greatest risks and assist in the decision-making of treasury and senior management, the results of stress tests are assessed by risk factors, as well as on a consolidated basis. The effectiveness of the VaR model is proven by backtesting techniques, by comparing hypothetical and actual daily losses and gains, with the estimated daily VaR, according to BACEN Circular 3,646. The number of exceptions to the established VaR limits must be compatible, within an acceptable statistical margin, with three different confidence intervals (99%, 97.5% and 95%), in three different historical windows (250, 500 and 750 working days). This includes nine different samples, therefore ensuring the statistical quality of the historical VaR hypothesis. Itaú Unibanco has a set of processes, which are periodically executed by the internal control teams, whose objective is to independently replicate the metrics that influence market risk capital by internal models. In addition to the results of the periodic processes, Itaú Unibanco assesses the process of measuring time horizons by risk factors and the estimate of the stress period for calculating the stressed VaR. The validation of the internal model includes several topics considered essential for the critical analysis of the model, such as, the evaluation of the model's limitations, the adequacy of the parameters used in the volatility estimate and the comprehensiveness and reliability of the input data. MR2: RWA flow statements of market risk exposures under an IMA Exposures subject to market risk The following table presents the exposures subject to market risk in the internal models approach, for calculating the capital requirement. R$ million VaR Stressed VaR Other Total RWA,.'NL- RWAMINT-06/30/2021 6,684 6,949 9,231 22,864 Movement in risk levels (1,490) 133 (1,357) Updates/changes to the internal model Methodology and regulation Acquisitions and disposals Foreign exchange movements (695) (1,995) (2,690) Other (3,536) (3,536) RWAMINT-09/30/2021 4,499 5,087 5,695 15,281 The decrease in RWAMINT compared to the previous quarter was mainly due to the increase in the effect of diversification of the positions held by Itaú Unibanco. _ Itaú Unibanco 44

Risk and Capital Management-Pillar 3 _ MR3: IMA values for trading portfolios The following table presents the VaR and stressed VaR values determined by the internal market risk models. VaR and stressed VaR at the end of the quarter increased from the previous quarter due to increased exposure to interest rates. MR4: Comparison of VaR estimates with gains/losses Backtesting The effectiveness of the VaR model is validated by backtesting techniques, comparing daily hypothetical and actual results with the estimated daily VaR. The daily VaR is calculated over a one-day maintenance horizon, according to the 99% confidence level and using a historical period of 1,000 days. The percentage of capital requirement associated with this model is 100%. The backtesting analysis presented below considers the ranges suggested by the Basel Committee on Banking Supervision (BCBS). The ranges are divided into: • Green (0 to 4 exceptions): backtesting results that do not suggest any problem with the quality or accuracy of the adopted models; • Yellow (5 to 9 exceptions): intermediate range group, which indicates an early warning monitoring and may indicate the need to review the model; and • Red (10 or more exceptions): need for improvement actions. Itaú Unibanco 45

Risk and Capital Management-Pillar 3 The following chart shows the comparison between VaR and actual and hypothetical results: The Backtesting presented zero exceptions in relation to the hypothetical results and zero exceptions in relation to the actual results in the period. This number of exceptions falls within the green range. The actual results do not include fees, brokerage fees and commissions. There are no profit reserves. Total Exposure associated with Derivatives The main purpose of the derivative positions is to manage risks in the Trading Book and in the Banking Book in the corresponding risk factors. Derivatives: Trading and Banking Itaú Unibanco 46

Risk and Capital Management-Pillar 3 IRRBBA: IRRBB risk management objectives and policies BACEN's (Central Bank of Brazil) Circular 3,876, published in January 2018, states on methodologies and procedures for evaluation of the capital adequacy, held to cover interest rates risk from instruments held in the banking book. For the purposes of this Circular, are defined: • â^†EVE (Delta Economic Value of Equity) is defined as the difference between the present value of the s um of repricing flows of instruments subject to IRRBB in a base scenario, and the present value of the sum of repricing flows of the same instruments in an interest-rate shocked scenario; • â^†NII (Delta Net Interest Income) is defined as the difference between the result of financial intermediation of instruments subject to IRRBB in a base scenario, and the result of financial intermediation of the same instruments in an interest-rate shocked scenario. The sensibility analysis introduced here are just a static evaluation of the portfolio interest rate exposure, and, therefore, don´t consider the dynamic management of the treasury desk and risk control areas, which hold the responsibility for measures to mitigate risk under an adverse situation, minimizing significant losses. Moreover, it is highlighted, though, the results presented do not translate into accountable or economic results for certain, because this analysis has, only, an interest rate risk disclosure purpose and to demonstrate the principle protection actions , considering the instruments fair value, apart from any accounting practices adopted by Itaú Unibanco. The institution uses an internal model to measure â^†EVE and â^†NII. â^†EVE results do not represent immediate impact in the stockholders' equity. Meanwhile, â^†NII results indicate potential volatility in the projected interest rates results. In compliance with the circular 3,876, the following demonstrates qualitative details of risk management for IRRBB in Itaú Unibanco. Framework and Treatment Interest rate risk in the banking book refers to the potential risk of impact on capital sufficiency and/or on the results of financial intermediation due to adverse movements in interest rates, taking into account the principal flows of instruments held in the banking book. The main point of assets and liabilities management is to maximize the risk -return ratio of positions held in the banking book, taking into account the economic value of these assets/liabilities and the impact on actual and future bank's results. The interest rate risk managing on transactions held in the banking book occurs within the governance and hierarchy of decision-making bodies and under a limits structure and alerts approved specifically for these purpose, which is sensitive due to different levels and classes of market risk. The management structure of IRRBB has it owns risk policies and controls intended to ensure adherence to the bank's risk appetite. The IRRBB framework has granular management limits for several other risk metrics and consolidated limits for â^†EVE and â^†NII results, besides the limits associated with stress tests. The asset and liability management unit is responsible for managing timing mismatches between asset and liability flows, and minimizes interest rate risk by through strategies as economic hedge and accounting hedge. All the models associated with IRRBB have a robust independent validation process and are approved by a CTAM (Technical Model Assessment Commission). In addition, all the models and processes are assessed by internal audit. _ Itaú Unibanco 47

Risk and Capital Management-Pillar 3 The interest rate risk framework in the banking book uses management measurements that are calculated daily for limit control. The EVE and NII metrics are calculated according to the risk appetite limits and the other risk metrics in terms of management risk limits. In the process of managing interest rate risk of the banking book, transactions subject to automatic options are calculated according to internal market models which split the products, as far as possible, into linear and non -linear payoffs. The linear payoffs are treated similarly to any other instruments without options, and for non-linear payoffs an additional value is computed and added on the EVE and NII metrics. In general terms, transactions subject to behavioral options are classified as deposits with no contractual maturity date defined or products subject to early repayment. Non-maturity deposits are classified according to their nature and stability to guarantee compliance with regulatory limits. A survival analysis model treats the products subject to pre-payment, using the historical dataset to calibrate its parameters. The instruments flows with homogeneous characteristics are adjusted by specific models to reflect, in the most appropriate way , the repricing flows of the instruments. The banking book consists of asset and liability transactions originating in different commercial channels (retail and wholesale) of Itaú Unibanco. The market risk exposures inherent in the banking book consists of various risk factors, which are primary components of the market in price formation. IRRBB also includes hedging transactions intended to minimize risks deriving from strong fluctuations of mark et risk factors and their accounting asymmetries. Market risk generated from structural mismatches is managed by a variety of financial instruments, such as exchange-traded and over-the-counter derivatives. In some cases, operations using derivative financial instruments can be classified as accounting hedges, depending on their risk and cash flow characteristics. In these cases , the supporting documentation is analyzed to enable the effectiveness of the hedge and other changes in the accounting process to be continuously monitored. The accounting and administrative procedures for hedging are defined in BACEN Circular 3,082. The IRRBB model includes a series of premises: EVE and NII are measured on the basis of the cash flows of the banking book instruments, broken down into their risk factors to isolate the effect of the interest rate and the spread components; For non-maturity deposits, the models are classified according to their nature and stability and distributed over time considering the regulatory limits; The institution uses survival analysis models to handle credit transactions subject to prepayment, and empirical models for transactions subject to early redemption. _ Itaú Unibanco 48

Risk and Capital Management-Pillar 3 Other Risks Insurance products, pension plans and premium bonds risks Products that compose portfolios of insurance companies of Itaú Unibanco are related to life and elementary insurance, as well as pension plans and premium bonds. The main risks inherent in these products are described below and their definitions are given in their respective chapters. Underwriting Risk: possibility of losses arising from insurance products, pension plans and premium bonds that go against institution's expectations, directly or indirectly associated with technical and actuarial bases used for calculating premiums, contributions and technical provisions; Market Risk; Credit Risk; Operational risk; Liquidity risk. In line with domestic and international best practices, Itaú Unibanco has a risk management structure which ensures that risks resulting from insurance, pension and special savings products are properly assessed and reported to the relevant forums. The process of risk management for insurance, pensions and premium bond plans is independent and focus on the special nature of each risk. The aim of Itaú Unibanco is to ensure that assets serving as collateral for long -term products, with guaranteed minimum returns, are managed according to the characteristics of the liabilities, so that they are actuarially balanced and solvent over the long term. Social and Environmental Risk Itaú Unibanco understands social and environmental risk as the risk of potential losses due to exposure to social and environmental events arising from the performance of its activities, according to CMN Resolution 4,327/14. The Social and Environmental Responsibility and Sustainability Policy (PRSA) establishes the guidelines, strategies and main principles for social and environmental management, starting from institutional issues, and addressing, through specific procedures, the most relevant risks to the institution's operation. Mitigation actions on social and environmental risk are carried out through the mapping of processes, risks and controls, the monitoring of new regulations on the subject, and the listing of occurrences in internal databases . In addition to identification, the stages of prioritization, risk response, monitoring and reporting of the assessed risks complement the management of this risk at Itaú Unibanco. The management of this risk is carried out by the first line of defense, business areas that manage it in their daily activities, following the PRSA guidelines, manuals and specific procedures supplemented by the specialized assessment of the dedicated teams of Corporate Compliance, Modeling and Credit Risk and Legal and Institutional department, which work integrated in the management of all the dimensions of Social and Environmental Risk linked to the conglomerate activities. Business units also have the governance for the approval of new products and Itaú Unibanco 49

Risk and Capital Management-Pillar 3 services, which includes the social and environmental risk assessment, that ensures the compliance in the new products and processes employed by the institution, as well as with specific social and environmental processes applicable to the institution's own operation (equity, branch infrastructure and technology), suppliers, credit, investments and key subsidiaries. The second line of defense, in turn, is represented by Modeling and Credit Risk, Internal Controls, as well as Compliance, through the Social and Environmental Risk Management, which supports and ensures the governance of the activities of the first line. The third line of defense, composed of Internal Audit, acts independently, carrying out the mapping and assessment of the risk's management, controls and governance. The Social and Environmental Risk Governance also includes the Social and Environmental Risk Committee, which is primarily responsible for debating and deciding on institutional and strategic issues, as well as deciding on pro ducts, operations, services, among others, that involve Social and Environmental Risk, including Climate Risk. Itaú Unibanco constantly seeks to evolve in the management of social and environmental risk, always attentive to the challenges demands of society. Therefore, among other actions, Itaú Unibanco has assumed and incorporated into Itaú Unibanco's internal processes a number of national and international voluntary commitments and pacts aimed at integrating social, environmental and governance aspects into Itaú Unibanco business. The main ones are the Principles for Responsible Investment (PRI), the Charter for Human Rights - Ethos, the Equator Principles (EP), the Global Pact, the Carbon Disclosure Project (CDP), the Brazilian GHG Protocol Program, the Pac to Nacional para Erradicação do Trabalho Escravo (National Pact for Eradicating Slave Labor), the Task Force on Climate -Related Financial Disclosures (TCFD), among others. Itaú Unibanco efforts to increase the knowledge of the assessment of the social and environmental criteria have been recognized as models in Brazil and abroad, as shown by the recurring presence of the institution in the major sustainability indexes abroad, such as the Dow Jones Sustainability Index, and recently, in Sustainability Index Euronext Vigeo - Emerging 70, and in Brazil, for example in the Corporate Sustainability Index, as well as the numerous prizes which Itaú Unibanco has been awarded. Model Risk The model risk arises from the incorrect development or maintenance of models, such as mistaken assumptions, and inappropriate use or application of the model. The use of models can lead to decisions that are more accurate and therefore it is a major practice in the institution. The models have supported strategic decisions in several contexts, such as credit approval, pricing, volatility curve estimation, calculation of capital, among others. Due to the increasing use of models, driven by the application of new technologies and the expansion of data use, Itaú Unibanco has improved its governance in relation to its development, implantation, use and monitoring, through the definition of guidelines, policies and procedures aimed at assuring the quality and mitigation of the associated risks. Regulatory or Compliance Risk Regulatory or Compliance risk is the risk associated with any nature, financial losses or damage to reputation, arising from non-compliance with external or internal standards, commitments to regulators, or other commitments undertaken voluntarily by adhering codes of self-regulation, methods or codes of conduct related to the activities of the Conglomerate. This risk is managed through a structured process aimed at identifying changes in the regulatory environment, analyzing their impacts on the departments of the institution and monitoring the actions directed at adherence to the regulatory requirements and other commitments mentioned above. Itaú Unibanco 50

Risk and Capital Management-Pillar 3 includes the following actions: (i) to understand the changes in the regulatory environment; (ii) to monitor regulatory trends; (iii) to care for the relationship between the institution and the regulator, self -regulatory bodies and the representation entity; (iv) to monitor action plans on regulatory or self-regulatory compliance; (v) to coordinate a program to comply with significant norms, such as Integrity and Ethics ; and (vi) to report regulatory issues in Operational and Compliance Risk forums, according to the structure of committees established in internal policies. Reputational Risk Itaú Unibanco understands reputational risk as the risk arising from internal practices and/or external factors that may generate a negative perception of Itaú Unibanco by customers, employees, shareholders, investors, regulatory bodies, government, suppliers, the press and the society in general. It can impact the bank's reputation, the value of its brand and/or result in financial losses. Besides, this can affect the maintenance of existing business relationships, access to sources of fundraising, the attraction of new business and talent to compose the company's staff or even the license to operate. The institution believes that its reputation is extremely important for achieving its long -term goals, which is why it seeks the alignment of the speech, the action and the ethical and transparent practice, essential to raise the confidence of Itaú Unibanco's stakeholders. Itaú Unibanco's reputation depends on its strategy (vision, culture and skills) and derives from direct or indirect experience of the relationship between Itaú Unibanco and its stakeholders. Since the reputational risk directly or indirectly permeates all operations and processes of the institution, Itaú Unibanco's governance is structured in a way to ensure that potential risks are identified, analyzed and managed still in the initial phases of its operations and analysis of new products, including the use of new technologies. The treatment given to reputational risk is structured by means of many processes and internal initiatives, which, in turn, are supported by internal policies, and their main purpose is to provide mechanisms for the monitoring, management, control and mitigation of the main reputational risks. Among them are (i) risk appetite statement; (ii) process for the prevention and fight against unlawful acts; (iii) crisis management process and business continuity; (iv) processes and guidelines of the governmental and institutional relations; (v) corporate communication process; (vi) brand management process; (vii) ombudsman offices initiatives and commitment to customer satisfaction; and (vii) ethics guidelines and prevention of corruption. Financial institutions play a key role in preventing and fighting illegal acts, in particular money laundering, terrorist financing and fraud, in which the challenge is to identify and suppress increasingly sophisticated operations that seek to conceal the origin, location, disposition, ownership and movement of goods and money derived, directly or indirectly, from illegal activities. Itaú Unibanco has introduced a corporate policy in order to prevent its involvement in illegal acts and to protect its reputation and image towards employees, clients, strategic partners, suppliers, service providers, regulators and society, through a governance structure based on transparency, strict compliance with rules and regulations, including BACEN Circular 3,978/20 among others, and cooperation with police and judicial authorities. It also seeks a continuously alignment with local and international best practices for preventing and fighting against illegal acts, through investing and training eligible employees. In compliance with the guidelines of this corporate policy, Itaú Unibanco established a program to prevent and fight against illegal acts based on the following pillars: Policies and Procedures; Client Identification Process; Itaú Unibanco 51

Risk and Capital Management-Pillar 3 Know Your Customer (KYC) Process; • Know Your Partner (KYP) Process; • Know Your Supplier (KYS) Process; • Know Your Employee (KYE) Process; • Assessment of New Products and Services; • Compliance with Sanctions; • Monitoring, Selection and Analysis of Suspicious Operations or Situations; • Reporting Suspicious Transactions to the Regulatory Bodies; and • Training. This program applies to the entire institution, including subsidiaries and affiliates in Brazil and abroad. The preventing and combating unlawful acts governance is carried out by the Board of Directors, Audit Committee, Operational Risk Committee, Risk and Capital Management Commitee and Anti-Money Laundering Committees. The document that presents the guidelines established in the corporate program to prevent and combat unlawful acts may be seen on the www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Policies, Corporate Policy for Prevention and Fight Against Illegal Acts. In addition, Itaú Unibanco has been developing various data analysis models to improve customer risk classification, transaction monitoring and KYC methodology to provide greater accuracy in its analysis and to decrease false -positives. Itaú Unibanco has also been innovating its modeling solutions using new methods based on machine learning techniques to identify potentially suspicious activities. Moreover, Itaú Unibanco is committed to protecting corporate information and ensuring client and general public privacy in any transactions. To this end, it has a Corporate Information Security Policy and Cyber Secutity and has a monitoring process and a control structure that covers technology, business areas and international units, adhering to principal regulatory bodies and external audits, and best market practices and certifications. Additionally, a Security Operation Center (SOC) that works 24/7 contributes to the cyber security of Itaú Unibanco's electronic channels and IT infrastructure, to the monitoring of operations and thus the minimization of the risk of a security incident. The Corporate Information Security and Cyber Security Policy can be viewed on the website www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Policies, Corporate Policy on Information Security and Cyber Security. Itaú Unibanco 52

Risk and Capital Management-Pillar 3 Country Risk The country risk is the risk of losses related to non-compliance with obligations in connection with borrowers, issuers , counterparties or guarantors, as a result of political-economic and social events or actions taken by the government of the country. Itaú Unibanco has a specific structure for the management and control of country risk, consisting of corporate bodies and dedicated teams, with responsibilities defined in policies. The institution has a structured and consistent procedure, including: (i) establishment of country ratings; (ii) determination of limits for countries; (iii) monitoring the use of limits. Business and Strategy Risk Business and strategy risk is the risk of a negative impact on the results or capital as a consequence of a faulty strategic planning, the making of adverse strategic decisions, the inability of Itaú Unibanco to implement the proper strategic plans and/or changes in its business environment. Itaú Unibanco has implemented many mechanisms that ensure that both the business and the strategic decision-making processes follow proper governance standards, have the active participation of executives and the Board of Directors, are based on market, macroeconomic and risk information and are aimed at optimizing the risk-return ratio. Decision-making and the definition of business and strategy guidelines, count on the full engagement of the Board of Directors, primarily through the Strategy Committee, and of the executives, through the Executive Committee. In order to handle risk adequately, Itaú Unibanco has governance and processes to involve the Risk Area in business and strategy decisions, so as to ensure that risk is managed and decisions are sustainable in the long term. They are: (i) qualifications and incentives of board members and executives; (ii) budget process; (iii) product assessment; (iv) evaluation and prospecting of proprietary mergers and acquisitions; and (v) a risk appetite framework which, for example, restricts the concentration of credit and exposure to specific and material risks. Contagion Risk Contagion Risk is the possibility of losses occurring for entities that are part of the Prudential Conglomerate as a result of financial support to unconsolidated entities, in a stressful situation, in the absence or in addition to the obligations provided for in the contract. Itaú Unibanco has a structure for risk management and control, a dedicated team and a policy that defines roles and responsibilities. This structure covers (i) the identification of entities in relation to the potential generation of contagion risk, (ii) the assessment of risks in relationships, (iii) the monitoring, control and mitigation of contagion risk , (iv ) the assessment of impact on capital and liquidity and (v) reports. It is part of the scope of contagion risk governance: Related Party audiences, mainly composed of controllers , controlled and related entities (as defined in Res. 4,693 / 18), foundations, investments in non-consolidated entities, suppliers of critical products and services, assigness, buyers and sellers of relevant assets, third parties with products distributed by Itaú Unibanco and third parties to whom Itaú Unibanco distributes products, besides all the analys is of the international Units. Itaú Unibanco 53

Risk and Capital Management-Pillar 3 Operational Risk Operational risk is defined as the possibility of losses arising from failure, deficiency or inadequacy of internal process, people or systems or from external events that affect the achievement of strategic, tactical or operational objectives. It includes legal risk associated with inadequacy or deficiency in contracts signed by the institution, as well as penalties due to noncompliance with laws and punitive damages to third parties arising from the activities undertaken by the institution. Itaú Unibanco internally classifies its risk events in: • Internal fraud; • External fraud; • Labor claims and deficient security in the workplace; • Inadequate practices related to clients, products and services; • Damages to own physical assets or assets in use by Itaú Unibanco; • Interruption of Itaú Unibanco's activities; • Failures in information technology (IT) systems, processes or infrastructure; • Failures in the performance, compliance with deadlines and management of activities at Itaú Unibanco. Operational risk management includes conduct risk, which is subject to mitigating procedures to assess product design (suitability) and incentive models. The inspection area is responsible for fraud prevention. Irrespective of their origin, specific cases may be handled by risk committees and integrity and ethics committees. Itaú Unibanco has a governance process that is structured through forums and corporate bodies composed of senior management, which report to the Board of Directors, with well-defined roles and responsibilities in order to segregate the business and management and control activities, ensuring independence between the areas and, consequently, well -balanced decisions with respect to risks. This is reflected in the risk management process carried out on a decentralized basis under the responsibility of the business areas and by a centralized control carried out by the internal control, compliance and operational risk department, by means of methodologies, training courses, certification and monitoring of the control environment in an independent way. The managers of the executive areas use corporate methods constructed and made available by the internal control, compliance and operational risk area. Among the methodologies and tools used are the self-evaluation and the map of the institution's prioritized risks, the approval of processes, products, and system development products and projects, the monitoring of key risk indicators that and the database of operational losses, guaranteeing a s ingle conceptual basis for managing processes, systems, projects and new products and services. Within the governance of the risk management process, regularly, the consolidated reports on risk monitoring, controls, action plans and operational losses are presented to the business area executives. In line with CMN Resolution 4,557, the document "Public Report - Integrated Management of Operational Risk /Internal Controls/Compliance", summarized version of the institutional operational risk management policy can be found on the website www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Reports. Itaú Unibanco 54

Risk and Capital Management-Pillar 3 Crisis Management and Business Continuity Itaú Unibanco's Business Continuity Program's purpose is to protect its employees, ensure the continuity of the critical functions of its business lines and sustain both the stability of the markets in which it operates and the confidence of its customers and strategic partners in its provision of services and products. It establishes the Business Continuity Plan (BCP), which consists of modular procedures that are available for use in the event of incidents. The descriptions/characteristics of the existing plans are: • Disaster Recovery: it aims to ensure the availability and integrity of Information Technology resources and communication in the event of a failure in the primary Data Center to maintain the processing of critical systems; • Workplace Contingency: alternative facilities to perform the activities in the event the administrative buildings become unavailable; • Operational Contingency: alternatives to carry out critical processes whether they are systemic, procedural or emergency responses. In order to keep the continuity solutions aligned with the business requirements (processes, minimum resources, legal requirements, etc) the Program applies the following tools to assess the institution: • Business Impact Analysis (BIA): evaluates the criticality and resumption requirement of the processes that support the delivery of products and services. • Threats and Vulnerabilities Analysis (AVA): identification of threats near to Itaú Unibanco's buildings. Considering the dependence that some processes have on third-party services, the Business Continuity Program conducts an assessment of the risk of unavailability of services provided with a view to resilience to threats of interruption. The institution has a Crisis Management Program, which is aimed at managing business interruption events, natural disasters, impacts of an environmental, social, and infrastructure/operational (including information technology) or of any other nature that jeopardize the image and reputation and/or viability of Itaú Unibanco's processes with its employees, clients, strategic partners and regulators, with timely and integrated responses. The Program establishes a frequent flow of acculturation with the company's senior management, as well as a constant analysis of high-impact scenarios and events to establish response plans in line with current threats. To assess efficiency and identify points for improvement in crisis response plans, tests are carried out at least once a year. Independent Validation of Risk Models Itaú Unibanco validates the processes and risk models independently. This is done by a department which is separate from the business and risk control areas, to ensure that its assessments are independent. The validation method, defined in an internal policy, meets regulatory requirements such as those of BACEN Circulars 3,646 and 3,674 and Resolutions 2,682 and 4,557. The validation stages include: Itaú Unibanco 55

Risk and Capital Management-Pillar 3 Verification of mathematical and theoretical development of the models; • Qualitative and quantitative analysis of the models, including the variables, construction of an independent calculator and the use of appropriate technical; • When applicable, comparison with alternative models and international benchmarks; • Historical Backtesting of the model; • The correct implementation of the models in the systems used. Additionally, the validation area assesses the stress testing program. The performance of the independent validation area and the validation of the processes and models are assessed by Internal Audit and reported to the specific senior management committees. Action plans are prepared to ad dress opportunities identified during the independent validation process, and are monitored by the 3 lines of defense and by senior management until the conclusion. Itaú Unibanco 56

Risk and Capital Management-Pillar 3 Glossary of Acronyms A • ASF - Available Stable Funding • AT1 - Additional Tier 1 Capital • AVA - Avaliação de Vulnerabilidade e Ameaças(Threats and Vulnerabilities Analysis) B • BACEN-Banco Central do Brasil (Central Bank of Brazil) • BCB-Banco Central do Brasil (Central Bank of Brazil) • BCP - Business Continuity Plan • BCBS-Basel Committee on Banking Supervision • BIA - Business Impact Analysis • BIS - Bank for International Settlements C • CCF - Credit Conversion Factor • CCP - Non-Qualified Central Counterparty • CCR - Counterparty Credit Risk • CDP - Carbon Disclosure Project • CEM-Current Exposure Method • CEO-Chief Executive Officer • CET 1-Common Equity Tier I • CGRC-Comitê de Gestão de Risco e Capital (Risk and Capital Management Committee) • CMN-Conselho Monetário Nacional (National Monetary Council) • Comef-Comitê de Estabilidade Financeira (Financial Stability Committee) • CRI - Real State Receivables Certificate Itaú Unibanco 57

Risk and Capital Management-Pillar 3 CRM - Credit Risk Mitigation • CRO-Chief Risk Officer • CTAM - Comissão Técnica de Avaliação de Modelos (Technical Model Assessment Commission) • CVA-Credit Valuation Adjustment • CVM-Comissão de Valores Mobiliários (Brazilian Securities and Exchange Commission) D • DLP-Long- Term Liquidity Statement • DRL-Liquidity Risk Statement • D-SIB-Domestic Systemically Important Banks • DV-Delta Variation E • EAD - Exposure at Default • ECL - Expected Credit Losses • EMD - Entidades Multilaterais de Desenvolvimento (Multilateral Development Entities) • EP - Equator Principles • EVE - Economic Value of Equity F • FIDC - Credit Rights Investment Funds • FCC-Credit Conversion Credit • FPR-Fator de Ponderação de Risco(Weighting Factor) G • GAP-Gap Analysis • GDP-Gross Domestic Product • GHG - Greenhouse Gas Protocol Itaú Unibanco 58

Risk and Capital Management-Pillar 3 • Greeks - Sensitivities to Various Risk Factors • G-SIB - Global Systemically Important Banks H • HE - Haircut of Execution • HQLA - High Quality Liquid Assets • HV - Volatility Haircut I • ICAAP - Internal Capital Adequacy Assessment Process • IMA - Internal Models Approach • IPV - Independent Price Verification • IRRBB - Interest Rate Risk in the Banking Book • IT - Information Technology K • KYC - Know your Customer • KYP - Know your Partner • KYS - Know your Supplier • KYE - Know your Employee L • LCR - Liquidity Coverage Ratio • LMM-Limite de Mitigação Máxima (Maximum Mitigation Limit) M • MtM- Mark to Market Itaú Unibanco 59

Risk and Capital Management-Pillar 3 N • NII - Net Interest Income • NSFR - Net Stable Funding Ratio O • OTC - Over-the-Counter P • PR - Patrimônio de Referência (Total Capital) • PRI - Principles for Responsible Investments • PRSA - Política de Sustentabilidade e Responsabilidade Socioambiental (The Social and Environmental Responsability and Sustainability Policy) • PCR - Potential Credit Risk • PVA - Prudent Valuation Adjustments Q • QCCP - Qualified Central Counterparties R • RA - Leverage Ratio • RAS-Risk Appetite Statement • RSF - Required Stable Funding • RWA-Risk Weighted Assets • RWACPAD-Portion relating to exposures to credit risk • RWACPrNB-amount of risk-weighted assets corresponding to credit risk exposures to the non-banking private sector, calculated for jurisdictions whose ACCPi is different from zero • RWAMINT-Portion relating to exposures to market risk, using internal approach • RWAMPAD- Portion relating to exposures to market risk, calculated using standard approach • RWAOPAD-Portion relating to the calculation of operational risk capital requirements Itaú Unibanco 60 Risk and Capital Management-Pillar 3 _ N • NII - Net Interest Income • NSFR - Net Stable Funding Ratio O • OTC - Over-the-Counter P • PR - Patrimônio de Referência (Total Capital) • PRI - Principles for Responsible Investments • PRSA - Política de Sustentabilidade e Responsabilidade Socioambiental (The Social and Environmental Responsability and Sustainability Policy) • PCR - Potential Credit Risk • PVA - Prudent Valuation Adjustments Q • QCCP - Qualified Central Counterparties R • RA - Leverage Ratio • RAS-Risk Appetite Statement • RSF - Required Stable Funding • RWA-Risk Weighted Assets • RWACPAD-Portion relating to exposures to credit risk • RWACPrNB-amount of risk-weighted assets corresponding to credit risk exposures to the non-banking private sector, calculated for jurisdictions whose ACCPi is different from zero • RWAMINT-Portion relating to exposures to market risk, using internal approach • RWAMPAD- Portion relating to exposures to market risk, calculated using standard approach • RWAOPAD-Portion relating to the calculation of operational risk capital requirements Itaú Unibanco 60

Risk and Capital Management-Pillar 3 S • SA - Joint-Stock Company • SA-CCR - Standardised Approach to Counterparty Credit Risk • SFN - Sistema Financeiro Nacional(National Financial System) • SFT - Securities Financing Transactions • SOC - Security Operation Center T • TCFD - Task Force on Climate-Related Financial Disclosures • TLAC - Total Loss-Absorbing Capacity • TVM-Títulos de valores mobiliários(Securities) V • VaR-Value at Risk Itaú Unibanco 61

Risk and Capital Management-Pillar 3 Glossary of Regulations • BACEN Circular No. 3,354, of June 27th, 2007 • BACEN Circular No. 3,644, of March 4th, 2013 • BACEN Circular No. 3,646, of March 04th, 2013 • BACEN Circular No. 3,674, of October 31st, 2013 • BACEN Circular No. 3,748, of February 26th, 2015 • BACEN Circular No. 3,749, of March 05th, 2015 • BACEN Circular No. 3,751 of March 19th, 2015 • BACEN Circular No. 3,769, of October 29th, 2015 • BACEN Circular No. 3,809, of August 25th, 2016 • BACEN Circular No. 3,846, of September 13rd, 2017 • BACEN Circular No. 3,869, of December 19th, 2017 • BACEN Circular Letter No. 3,706 of May 05th, 2015 • BACEN Circular Letter No. 3,907 of September 10th, 2018 • BACEN Circular Letter No. 4,068 of July 7th, 2020 • BACEN Circular Letter No. 3,876 of January 31st, 2018 • BACEN Circular Letter No. 3,082 of January 30th, 2012 • BACEN Circular Letter No. 3,978 of January 23rd, 2020 • BACEN Communication No. 37.609, of August 31st, 2021 • BCB Resolution No. 54, of December 16th, 2020 • CMN Resolution No. 2,682, of December 22nd, 1999 • CMN Resolution No. 4,192, of March 1st, 2013 • CMN Resolution No. 4,193, of March 1st, 2013 Itaú Unibanco 62

Risk and Capital Management-Pillar 3 CMN Resolution No. 4,327, of April 25th, 2014 • CMN Resolution No. 4,502, of June 30th, 2016 • CMN Resolution No. 4,557, of February 23rd, 2017 • CMN Resolution No. 4,589, of June 29th, 2017 • CMN Resolution No. 4,693, of October 29th, 2018 • CMN Resolution No. 4,783, of March 6th, 2020 Itaú Unibanco 63

Attachments

  • Original document
  • Permalink

Disclaimer

Itaú Unibanco Holding SA published this content on 04 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 04 November 2021 15:44:05 UTC.