ITAÚ UNIBANCO HOLDING S.A. PUBLIC DISCLOSURE VERSION INTEGRATED MANAGEMENT OF COMPLIANCE AND OPERATIONAL RISK POLICY 1. OBJECTIVE Establish the principles that guide the integrated management of compliance and operational risk, in accordance with the applicable regulation and market best practices, ensuring the efficiency and effectiveness of operations, the reliability of information, and compliance with laws, regulations, and internal rules. 2. TARGET AUDIENCE This policy applies to Itaú Unibanco Holding S.A. and its subsidiaries in Brazil and abroad (Itaú), as well as to all of its officers, employees, and relevant third-party service providers. In investee companies, oversight is ensured through governance mechanisms provided for in the respective shareholders’ agreements, in accordance with a specific policy. The Foundations and Institutes have their own structures for risk management, and the activities performed by relevant third parties are subject to the Supplier Purchasing and Payments Policy. 3. DEFINITIONS • Compliance risk: the risk of sanctions, financial losses, or reputational damage arising from non-compliance with legal and regulatory provisions, local and international market standards, commitments made with regulators, public commitments, self-regulation codes, and codes of conduct adhered by Itaú. • Operational risk: the possibility of losses resulting from failures, deficiencies, or inadequacies of internal processes, people, and systems, or from external events, including the legal risk associated with inadequacy or deficiency of contracts, with sanctions for non-compliance with legal provisions, and with indemnities to third parties. The taxonomy adopted for the classification of operational risk events observes the seven categories of the Basel Committee: (i) internal fraud; (ii) external fraud; (iii) labor claims and deficient safety in the workplace; (iv) inadequate practices relating to clients, products, and services; (v) damage to physical assets owned or used by the institution; (vi) business disruption; and (vii) failures in information technology systems, processes, or infrastructure. • Risk appetite: defines the nature and level of risks acceptable to the organization, considering its capacity to manage them effectively and prudently, its strategic objectives, competitive conditions, and the regulatory environment. • Control environment: the set of rules, processes, and structures that constitute the basis for the execution of internal controls at the institution. • Inherent risk: the risk in the absence of any actions that management may take to alter its likelihood or its impact. • Residual risk: the risk remaining after the application of controls and mitigating actions, reflecting the institution’s effective exposure.
4. PRINCIPLES The integrated management of compliance and operational risk observes the following principles: • Integration: compliance and operational risks are managed in an integrated and continuous manner, under the coordination of the Compliance & OpRisk Directorate (DCOR), in alignment with the institution’s other risks. • Independence: the function is exercised with hierarchical and functional independence, reporting directly to the Chief Risk Officer (CRO), with direct communication with administrators, the Risk and Capital Management Committee (CGRC), the Audit Committee, and the Board of Directors, and with access to any information necessary for the performance of its activities; the setting of targets or incentives that could compromise its independence or generate potential conflicts of interest is expressly prohibited. • Risk-based approach: the prioritization of actions considers impact, probability, and the risk appetite defined by the organization. The approach must be continuously reviewed considering internal and external changes. • Regulatory adherence: activities, products, and services, whether own or relevantly outsourced, observe external and internal rules, the commitments made with regulators, and Itaú’s Code of Ethics and Conduct, being periodically tested and assessed for their compliance, considering a risk-based approach. In addition, specific guidelines are observed: the Social, Environmental and Climate Responsibility Policy (PRSAC); the General Personal Data Protection Law (LGPD) and the Corporate Information Security and Cyber Security Policy, in the processing of biometric data and other sensitive data; and the Corporate Policy for the Prevention of Illicit Acts, in the prevention of fraud and in the prevention of money laundering and terrorism financing (AML/CFT), in alignment with the applicable regulatory requirements. • Client centricity, integrity, and ethics: standards of client centricity, integrity, and ethics are disseminated as elements of the institutional culture, with individual and collective responsibility for risk management. • Transparency and timeliness: reports to governance and regulators forums are clear, objective, and timely, supported, whenever possible, by granular data analysis and exploration. • Resilience, root cause perspective, and continuous improvement: the integrated management of compliance and operational risk is maintained in the face of disruptive events, to preserve the continuity of processes and governance. It is periodically reviewed to incorporate lessons learned, regulatory developments, and changes in the internal and external environment. When a relevant risk is identified in each process, a sweep of similar processes is carried out, to ensure the consistent mitigation of the respective root cause and continuous improvement. • Three lines model: risk management is distributed under the three lines model published by the Institute of Internal Auditors (IIA), with clear, segregated roles and responsibilities free of conflicts and of interest. The first line is represented by the Business, Support, and Community Areas, the second by the Risk Area, and the third by Internal Audit.
5. MANAGEMENT CYCLE The integrated management of compliance and operational risk observes a continuous cycle, as described below: • Identification: recognition of internal and external events, including changes in the regulatory environment, that may adversely impact the strategic objectives of Itaú. • Assessment and Measurement: definition of the residual risk, considering the inherent impact, the quality and effectiveness of the control environment, and relevant changes in the internal and external environments. This stage is carried out through self-assessment by the first line, and the result is challenged based on data by the second line. The measurement contemplates tail scenarios and the quantification of operational risk for regulatory and managerial capital purposes, in accordance with the Capital Management and Model Risk policies. • Response: conscious and structured decisions to accept (assumption), avoid, transfer, or mitigate the risk, aiming to bring the residual risk within the limits established in the Risk Appetite Statement (RAS). The risk response contemplates physical, logical, and organizational controls, including segregation of duties, authority levels, and procedures, as well as business continuity and recovery plans, conducted under Itaú’s Organizational Resilience Program. • Monitoring: monitoring of the effectiveness of controls and of regulatory adherence, with timely addressing of failures and correction of the root cause, contemplating the assessment of operational losses and of the other indicators of the control and regulatory environment, ensured by an audit trail of the systems and by technology security testing. • Reporting: escalation of events, deficiencies, and instances of non-compliance, observing formal criteria of materiality, criticality, and maximum communication deadlines, ensuring timely reporting to the competent authority levels, to the Audit Committee, the Risk and Capital Management Committee (CGRC), the Board of Directors, and, where applicable, to regulators. 6. ROLES AND RESPONSIBILITIES 6.1. Board of Directors Approves this Policy and the positioning of DCOR within the organizational structure, so as to preserve its independence and avoid potential conflicts of interest; provides the means necessary for the adequate exercise of the integrated compliance and operational risk management functions, including the availability of resources to allocate personnel in sufficient numbers and with the necessary training and experience; ensures the adequate management, effectiveness, and communication of the Policy to the target audience, as well as the dissemination of standards of integrity and ethical conduct as part of the institution’s culture and the adoption of corrective measures when failures are identified. 6.2. Audit Committee Validates this Policy prior to its submission to the Board of Directors; assesses, at least annually, the structure, effectiveness, and regulatory adherence of the integrated management function for compliance and operational risk, including the clear definition of roles and responsibilities, independence, and the adequacy of resources to the activities performed; verifies that this Policy
has been communicated to the target audience, the dissemination of standards of integrity and ethical conduct as part of the institution’s culture, and the adoption of corrective measures when failures are identified. 6.3. First Line: Business, Support, and Community Areas Represented by the Business, Support, and Community Areas, it is primarily responsible for the integrated management of compliance and operational risk, in accordance with the management cycle: identification, through the mapping of processes, risks, and controls associated with its activities; assessment and measurement, based on the Compliance & OpRisk methodology; risk response, which includes mitigation, through the definition and implementation of action plans for non-compliance issues, or the assumption approved at the competent authority level, always in alignment with Itaú’s risk appetite, as well as the training of its employees as a structuring mitigating action that is transversal to the entire risk management cycle; monitoring and reporting carried out in a timely manner to the competent authority levels regarding identified changes or instances of non-compliance, as well as the relationship with regulatory authorities, in accordance with a specific policy, with the objective of maintaining an effective control environment, consistent with the nature, size, complexity, and risk profile of the operations. 6.4. Second Line: Risk Area Represented by the departments of the Risk Area, with no business management or incentives that compromise its independence and with activities entirely segregated from the Internal Audit Area. DCOR has the mission of enabling the management of operational and regulatory risks, independently supporting the first line and supporting decisions that maximize sustainable value for the bank, ensuring compliance and centricity on the client. Its responsibilities include: • defining guidelines for the integrated management of compliance and operational risk, including the governance of exceptions. • issuing an independent opinion on the quality of the control environment, using the Compliance & OpRisk methodology and challenging the actions of the first line. • systematically and timely reporting to the Audit Committee, the Risk and Capital Management Committee (CGRC), the Board of Directors, and, where applicable, to regulators, any identified instances of non-compliance or significant changes in the integrated management of compliance and operational risk. • coordinating the relationship with the main regulatory and supervisory authorities, such as Bacen, CVM, and SUSEP. • managing the Integrity and Ethics Program, ensuring the dissemination of standards through training and communications, as well as the assessment of its effectiveness and continuous improvement, in accordance with the Code of Ethics and Conduct. • designing the guidelines for DCOR’s products and services, as well as ensuring the regulatory adherence of such products.
• coordinating the governance of Itaú’s policies and procedures with respect to the review frequency and the approval authority levels. • submitting an annual report on the management of compliance and operational risk to the Audit Committee, the Risk and Capital Management Committee, and the Board of Directors, containing, at a minimum: (i) a summary of the activities carried out during the period by the compliance function and by operational risk management, including tests, monitoring, controls, and other actions; (ii) compliance and operational risk deficiencies identified, with their respective materiality and risk classification; (iii) recommendations issued by DCOR for addressing the deficiencies; and (iv) measures adopted by administrators and by the other areas to correct the deficiencies noted, including the status of the related action plans. The documents and other information evidencing the integrated management will be kept available to the Central Bank of Brazil for a minimum period of five years. • distributing the Compliance & OpRisk methodology to the International Units. 6.5. Chief Risk Officer (CRO) Approves the mission, strategic objectives, and scope of action of DCOR, informing the CEO. In the International Units, the Local and Regional CROs are responsible for the local application of this policy, under the coordination of the CRO, in accordance with specific roles and responsibilities procedure. 6.6. Third Line: Internal Audit The responsibilities are detailed in the Internal Audit Policy (Global), with emphasis on the independent and recurring assessment of the adequacy and effectiveness of the organization’s governance, risk management, and internal controls, and of the quality of the execution of the responsibilities assigned to achieve the goals established by the organization. The coordination between DCOR and Internal Audit is exercised in a structured manner, through the Combined Assurance initiative, observing the independence of each function and the prohibition of conflicts of interest. Approved by the Board of Directors on 2026, June.