UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 6-K
Report of
Foreign Issuer
Pursuant to Rule 13a-16 or 15d-16
of the Securities Exchange Act of 1934
For the month of December, 2024
Commission File Number: 001-15276
Itaú Unibanco Holding S.A.
(Exact name of registrant as specified in its charter)
Itaú Unibanco Holding S.A.
(Translation of Registrant’s Name into English)
Praça
Alfredo Egydio de Souza Aranha, 100-Torre Conceicao
CEP
04344-902 São Paulo, SP, Brazil
(Address of principal executive office)
Indicate by check mark whether the registrant files or will file annual reports under cover Form 20-F
or Form 40-F.
Form
20-F ☒ Form 40-F ☐
Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by Regulation
S-T Rule 101(b)(1):
Yes ☐ No ☒
Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by
Regulation S-T Rule 101(b)(7):
Yes ☐ No ☒
Indicate by check mark whether by furnishing the information contained in this Form, the registrant is also thereby furnishing information
to the Commission pursuant to Rule 12g3-2(b) under the Securities Exchange Act of 1934.
Yes ☐ No ☒
If “Yes” is marked, indicate below the file number assigned to the registrant in connection with Rule 12g3-2(b):
82–
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned,
thereunto duly authorized.
Date: December 9, 2024.
|
|
|
| Itaú Unibanco Holding S.A. |
|
|
| By: |
|
/s/ Gustavo Lopes Rodrigues |
| Name: |
|
Gustavo Lopes Rodrigues |
| Title: |
|
Investor Relations Officer. |
|
|
OPERATIONAL RISK AND INTERNAL CONTROLS INTEGRATED MANAGEMENT POLICY
ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT - POLICY ON SOCIAL, ENVIRONMENTAL
AND CLIMATE RISKS OBJECTIVE Establishes the rules and responsibilities related to the management of Social, Environmental and Climate
Risks of Itaú Unibanco Holding SA (“Itaú Unibanco”), observing the applicable regulations, in particular CMN
Resolution 4,557/17, amended by CMN Resolution 4,943/21 (“Res. 4.557/17”). TARGET AUDIENCE This policy is applicable to the
activities of Itaú Unibanco and its subsidiaries. INTRODUCTION According to Res. 4,557/17, Social, Environmental and Climate Risks
(“SAC” or “SAC Risks”) are understood as the possibility of causing losses to the institution, including those
of a reputational nature. SAC Risks must be identified and treated based on relevance and proportionality criteria, taking into account
the following dimensions: - Social: events associated with the violation of fundamental rights and guarantees or acts harmful to the Common
Interest; - Environmental: events associated with environmental degradation; and - Climate: events associated with both the process of
transition to a low carbon economy and events associated with frequent and severe weather or long-term environmental changes, which may
be related to changes in weather patterns. SOCIAL, ENVIRONMENTAL AND CLIMATE RISK MANAGEMENT SAC Risks materialize in Traditional Risks,
with each of these risk disciplines providing for specific actions to identify, measure, evaluate, monitor, report, control and mitigate
any adverse effects resulting from their interactions with SAC Risks. Such management must be guided by the guidelines in this policy,
as well as: i. In the precepts and guidelines set out in the Social, Environmental and Climate Responsibility Policy (“PRSAC”),
in line with CMN Resolution 4,945/21; ii. In the provisions of the Risk Management Policy (Global); iii. In the principles of relevance
and proportionality; iv. In the determinations provided for in related Rules (“RG”) and Procedures (“PR”); and
v. In public commitments assumed by Itaú Unibanco. Employees who work in SAC Risk management in each of the Traditional Risk disciplines
must participate in training and awareness actions on the topic provided by the organization. Guidelines SAC Risks will be managed as
provided in the Risk Management Policy. SAC Risks must be identified from three interdependent perspectives: • financial, when an
event has the potential to materialize in monetary loss; • image, when an event has the potential to translate into a negative perception
of Itaú Unibanco's reputation by stakeholders, as defined in the internal procedure; • legal, when associated with inadequacy
or deficiency in contracts signed by the institution, sanctions due to non-compliance with legal provisions and indemnities for damages
to third parties arising from activities carried out by the institution. SAC Risks must be classified based on elements of probability
and severity. Risk Management and Governance Itaú Unibanco's risk management organizational structure adopts the three lines of
defense strategy and follows the guidelines established in Res. 4,557/17, aiming to support the proper development of activities. The
governance of risk management is structured to ensure that issues involving risk are widely discussed. In this way, the management structure
of SAC Risks includes governance composed of different committee bodies, set out in item 4.4 “Main Roles and Attributions”,
which are responsible for deliberations and recommendations, according to the specificity of each forum, valuing the risk mitigation,
in order to maintain exposure to SAC Risks at acceptable levels for the institution, in accordance with the risk appetite defined by the
Board of Directors (CA). Furthermore, Itaú Unibanco's SAC risk management provides for methodologies and processes that consider
SAC and governance criteria, such as, in the social dimension, the assessment of working conditions and impact on communities, in the
environmental dimension, the risk of disasters and contamination, in the climate dimension, the change in the hydrological cycle and in
the governance dimension, the transparency and quality of the board, in addition to the engagement with customers in improving their SAC
practices, for example, in the transition to a clean and sustainable economy or improvement control of their supply chain and labor practices.
4.4. Main Roles And Duties: The SAC risk management structure at Itaú Unibanco has the departments and committee members whose
responsibilities are indicated below. Risk Management Department (AR) - Identify, evaluate, measure, control, monitor and report, as well
as internalize SAC Risks for Traditional Risks into policies and procedures. - Periodically report the consumption of social, environmental
and climate risk appetite metrics, in accordance with the defined limits, to the Executive Committee and the Board of Directors (CA) via
the Risk and Capital Management Committee (CGRC). Business Units (Brazil and International Units) - Identify, measure, evaluate, understand
and manage SAC Risks to keep exposures within the established limits, as well as document and store information regarding losses incurred
in its activities. - Communicate promptly to AR whenever they identify potential risks not foreseen in the development of control activities.
- Maintain procedure manuals with detailed descriptions of the responsibilities and attributions of the processes and controls under their
responsibility. - Seek to engage the counterparty in improving their practices, aiming for the transition to a clean and sustainable economy.
Committee Members: Board of Directors (CA) Audit Committee - CAud Risk and Capital Management Committee - CGRC Social, Environmental and
Climate Responsibility Committee Higher ESG Committee Superior Social, Environmental and Climate Risk Committee (CRSAC Superior) Social,
Environmental and Climate Risk Committee (CRSAC) 5. RELATED EXTERNAL RULES - CMN Resolution 4,557/17 – Risk and capital management
structure and information disclosure policy. - CMN Resolution 4,945/21 – Social, Environmental and Climate Responsibility Policy
(PRSAC) and actions aimed at its effectiveness. - BCB Resolution No. 139, of 09/15/21 - publication of the Social, Environmental and Climate
Risks and Opportunities Report (GRSAC Report) - SARB Regulation 014/2014 - Banking Self-Regulation (FEBRABAN) - Creation and implementation
of the Social and Environmental Responsibility Policy. - SARB Normative 026/2023 - Banking Self-Regulation (FEBRABAN) – management
of the risk of illegal deforestation in the beef chain. - SUSEP Circular No. 666, of June 27, 2022 - Sustainability requirements, to be
observed by insurance companies and capitalization companies. - CVM Resolution No. 193, of October 20, 2023 - preparation and disclosure
of the financial information report related to sustainability, based on the international standard issued by the International Sustainability
Standards Board - ISSB. Approved by the Board of Directors on 04.25.2024 ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held
NIRE 35300010230 PUBLIC ACCESS REPORT - MARKET AND IRRBB RISK MANAGEMENT AND CONTROL POLICY OBJECTIVE Establish the market and IRRBB risk
management and control structure of Itaú Unibanco Holding SA (Itaú Unibanco), observing the applicable regulations and best
market practices. TARGET AUDIENCE This policy is applicable to all employees and activities of the Conglomerate that result in exposure
to market risk and IRRBB, with an impact on Itaú Unibanco Holding and its subsidiaries. Market and IRRBB risk control covers all
positions in the portfolios of financial and non-financial companies belonging to Itaú Unibanco, in Brazil and in the International
Units. This policy does not apply to the market risk of customer portfolios managed by the bank and/or trusteeship (for example: funds
from Wealth Management & Services - WMS). INTRODUCTION For the purposes of this policy, market risk and interest rate risk in the
banking book (IRRBB) are defined in the prudential context by: I. Market risk is the possibility of losses resulting from fluctuations
in the market values of instruments held by the institution, including: a. the risk of variation in interest rates and stock prices, for
instruments classified in the trading book; and b. the risk of exchange rate variation and commodity prices, for instruments classified
in the trading book or in the banking book. II. IRRBB: the risk, current or in the analysis horizon, of the impact of adverse movements
in interest rates on the capital and results of the financial institution, for instruments classified in the banking portfolio. The aforementioned
risks depend on the price behavior of risk factors in light of market conditions. In addition to Treasury, which operates buying and selling
bonds and securities, other departments can impact the market risk assumed by the bank. Examples include the purchasing department, when
it makes a purchase in foreign currency or even the marketing department when it sponsors an entity or event in foreign currency. Market
risk and IRRBB controls are carried out according to metrics defined internal procedure. GUIDELINES Market and IRRBB risk control processes
must strictly observe the principles defined in the Policy. These principles are reflected in the following guidelines, through which
Itaú Unibanco's market risk management and control structure must: • Ensure the use of complete databases, which reflect business
carried out using duly approved products, guaranteeing correct information and calculations, from registration to accounting; • Apply
models that reflect best market practices; • Ensure that the pricing of the portfolios is preferably based on quotations observed
in the financial markets, captured through trustworthy external sources. When no price is available, the calculation must be performed
using a pricing model that represents the fair valuation of the positions. In these cases, such assessments must be consistent and verifiable,
with market benchmarks and data used in the assessment regularly reviewed; • Calculate the results of the positions of the marked-to-market
portfolios following the governance of the Bank's models; • Have risk control departments responsible for defining and applying pricing
parameters, independent of the business departments; • Establish and ensure that the processes and systems adopted to measure, monitor
and control exposure to market risk and IRRBB: • Are compatible with the nature of the operations, the complexity of the products
and the size of the Institution's exposure to market risk and IRRBB; • Contain all sources of market risk and IRRBB; and • Generate
timely risk exposure reports for the business units, for the Institution's management and for the Board of Directors. MAIN ROLES AND RESPONSIBILITIES
The Market Risk and IRRBB control structure at Itaú Unibanco involves the parties indicated below, for which we highlight their
roles in relation to this matter. Board of Directors: - define the institution's risk appetite and review it annually. Superior Market
and Liquidity Risk Commission: - define the approval authorities related to the control of market risk and IRRBB and review them annually.
- monitor market risk and IRRBB indicators, taking the necessary decisions and respecting risk appetite. Chief Risk Officer: - responsible
for market risk and IRRBB management at Itaú Unibanco. Market Risk Control and IRRBB: - identify, measure, control, monitor and
report exposure to market risk and IRRBB to business departments and report to superior committees; - monitor compliance with exposures
in relation to approved limits, trigger alerts and other measures to control market risk and IRRBB, reporting any non-compliance to the
competent authorities and requesting an action plan for reclassification; - maintain specialized and appropriately sized teams to support
market risk and IRRBB processes and systems, which are under its governance and development management. Daily Managerial Result Control:
- carry out the calculation of the managerial result of the positions and disclose it to the competent departments, enabling monitoring
and assistance in decision-making. Treasury: At the most fundamental level, the employee is expected to fully understand the nature of
the risk in the portfolios under management and the effective management of this risk, ensuring its transparency for desk managers and
compliance with established limits. MARKET AND IRRBB RISK CONTROL Market and IRRBB Risk control at Itaú Unibanco is carried out
through governance and processes that guarantee compliance with the following determinations or parameters: • The Institution must
operate in accordance with the risk appetite defined by the Board of Directors (CA), reviewed and approved annually based on a structure
of limits and alerts. The limits are dimensioned by evaluating the projected results of the balance sheet, the size of equity, liquidity,
complexity and volatilities of the markets, as well as the Institution's risk appetite; • Limit consumption must be reported by the
Market Risk department to the Business Departments and bank executives. The alerts work as indicators of the pre-established limit; •
The institution's limits and alerts structure is made up of aggregated metrics, which monitor and limit risk globally, and granular ones,
which aim to avoid an excessive concentration of risk in specific risk factors; • The limits are figures that the operation desks
of the trading book and trading desks of the banking book must respect. Alerts are metrics that send a signal to the institution, based
on which, through defined governance, procedures are established to be adopted if the alert is triggered; • The mark-to-market (pricing)
process of positions must be carried out based on quotations captured from external sources or, if this is not possible, calculated from
models developed and validated according to guidelines established in specific policies; • Information relating to prices and traded
positions is stored in a single, corporate historical database, with controls that ensure its integrity and completeness, with functionalities
that allow consultation of historical information; • The models used must capture the correct sensitivity, market fluctuations, based
on the application of periodic adherence tests for the total portfolio and subportfolios, including all risk categories. Its results must
be analyzed and used to improve the models and manage the Institution's risk. Additionally, the managerial result must be used to verify
the adherence of market risk measurement models; • The measurement of potential risk in extreme market situations, which complement
the statistical risk measures, with the application of stress tests for all positions contained in the portfolios of financial and non-financial
companies; • For portfolio positions that do not have prices directly observed in the market, that are not very liquid or that are
evaluated using an internal pricing model, particularly TVMs (securities) and derivatives, apply prudential adjustments that correct possible
marking errors, respecting criterion of relevance and materiality. RELATED EXTERNAL RULES Central Bank of Brazil Circular 3.354/07, which
establishes the minimum criteria for classifying transactions in the trading book; Resolution 4.557/17 of the Brazilian National Monetary
Council, which provides for the implementation of a risk management structure. Approved by the Board of Directors on 04.25.2024. ITAÚ
UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held Company NIRE 35300010230 PUBLIC ACCESS REPORT – OPERATIONAL RISK AND
INTERNAL CONTROLS INTEGRATED MANAGEMENT POLICY (GLOBAL) OBJECTIVE This policy establishes guidelines and responsibilities associated with
operational risk management. It is applicable to all managers and employees of Itaú Unibanco Holding S.A. and its subsidiaries
in Brazil and abroad (“Itaú”). GUIDELINES Operational Risk must be managed in accordance with Itaú's general
risk management guidelines, defined in internal, policy. It must also comply with current regulations, best practices and the following
management steps: Identifying Operational Risk Continuous identification of internal and external events that could have an adverse impact
on activities, projects, products or services. Operational Risk Assessment Risk impact classification, considering Itaú's risk
appetite. The assessment should include possible changes in the external environment and its result should direct actions to respond to
operational risk. For an effective analysis, it is important to consider the following risk dimensions: ▪ Reputational and Regulatory
Risk: related to the risk of internal practices and/or external factors that may generate negative perception or risk by acting contrary
to regulatory requirements. ▪ Financial, Customer Relations and Legal: related to the risk of financial losses, impact on customers
or legal risk resulting from failures or inadequacy of internal processes, people, technology or external events, directly associated
with the complexity of the environment in which it operates. ▪ Strategic and Business Risk: arising from a negative impact on revenue
or capital because of flawed strategic planning, adverse strategic decision-making, Itaú's inability to implement appropriate strategic
plans and/or changes in its business environment. Operational Risk Response Prevention or reduction of losses if risk events materialize,
the definition of which is based on Itaú's risk appetite. At this stage, the following actions can be taken to treat the risk:
• Avoid: discontinuation of the activity/operation generating the risk. • Mitigate: mechanisms or controls are established to
reduce the probability of the operational risk materializing or the impact of any materialization. • Share: total or partial transfer
of the risk, for example by taking out insurance. • Assume: live with the risk beyond the governance period. Monitoring Monitoring
of the control environment, seeking whenever possible to do so on a recurring basis, using data analysis and exploitation techniques,
with a granular view of clients or transactions and with a view to addressing failures in good time to correct the root cause and bring
them back into line with Itaú's risk appetite. Operational Risk Reporting Issuance of independent opinions on the control environment,
reported to the competent authorities. The forums and collegiate bodies for risk management are provided for in the internal procedure.
RESPONSIBILITIES In order to properly manage its risks, Itaú uses the model of three “lines” (First, Second and Third)
published by the Institute of Internal Auditors (IIA) and formalized internally in internal policy. In Operational Risk, the responsibilities
are summarized below: First Line Represented by the Business, Support or Communities areas, they are directly responsible for identifying,
evaluating, responding to, monitoring and reporting the risks of their areas, with a view to meeting Itaú's risk appetite. Second
Line Represented by the Risk Area (RA), its objective is to ensure, in an independent and centralized manner, that Itaú's risks
are managed in accordance with policies and procedures, with a view to defining parameters for the risk management process and its supervision.
Operational Risk Department (DRO) It is responsible for enabling operational risk management through a risk-based approach that includes:
• the monitoring of the effectiveness of operational risk management carried out by the first line; • issuing an independent
opinion on the control environment, including the preparation of periodic reports to comply with current regulations; • the development
and availability of methodologies and tools to enable operational risk management. The DRO is independent in the exercise of its functions,
with direct communication with any manager or employee, and access to any information necessary for the performance of its activities.
Chief Risk Officer (CRO) In addition to the provisions of internal policy the CRO is responsible for approving the guidelines, strategies
and policies relating to operational risk management. The CRO also approves the DRO's mandate, mission, objectives, result indicators
and scope of action, which are reflected in the annual strategic plan. The responsibilities of the Local and Regional CROs in the international
Units are described in the specific procedure. Third Line Represented by the Internal Audit Area, which is segregated and independent
from Itaú's other areas. Its responsibilities are detailed in a specific policy. RELATED EXTERNAL STANDARDS AND DOCUMENTS - CMN
Resolution 4557/17: regulates the risk management structure, the capital management structure. - CMN Resolution 4968/21: regulates the
internal control systems of financial institutions and other authorized institutions. - BCB Resolution 260/22: provides, among other things,
for the internal control systems of consortium administrators, payment institutions, foreign exchange and securities brokers, and DTVMs.
- CNSP Resolution 416/21: regulates Internal Controls, the Risk Management Structure and the Internal Audit activity. - Sarbanes Oxley
Act: rules for Corporate Governance relating to disclosure and the issuing of financial reports. - COSO (Committee of Sponsoring Organizations
of the Treadway Commission) (https://www.coso.org/). Approved by the Board of Directors on 11.28.2024 ITAÚ UNIBANCO HOLDING S.A.
CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT- COMPLIANCE POLICY SUMMARY Establishes the fundamental aspects
associated with the Compliance function (compliance). 1. OBJECTIVE AND TARGET AUDIENCE Establish the guidelines and main duties associated
with the Compliance function, observing good market practices and applicable regulations. This policy applies to Itaú Unibanco
Holding and its controlled companies in Brazil and the companies abroad listed in internal procedure. 2. INTRODUCTION The Compliance role
aims to prevent and mitigate Itaú Unibanco's exposure to situations of non-compliance with standards and commitments (Compliance
Risk), being responsible for governance, certification of adherence, conduct and transparency. Regulatory or Compliance Risk is the risk
of sanctions, financial losses or reputational damage arising from the lack of compliance with legal and regulatory provisions, local
and international market standards, commitments with regulators, public commitments, self-regulation codes and codes of conduct adhered
to by Itaú Unibanco. Compliance risk is managed through a structured process that aims to identify changes in the regulatory environment,
analyze the impacts on the institution's departments and monitor actions aimed at adherence to regulatory requirements and other commitments
mentioned in the previous paragraph. . 3. COMPLIANCE FUNCTION The Compliance function is carried out directly by the Corporate Compliance
Board and other Boards in the Risk Department, under the coordination of the Corporate Compliance Board, and in an integrated manner with
the other risks incurred by the institution. 4. GUIDELINES a) the management of compliance risks should address existing or new processes,
products and services, including relevant outsourced services. Such processes, products and services must be periodically tested and evaluated
for compliance with applicable standards, commitments made with regulators and requirements related to the Code of Ethics and Conduct.
b) Those responsible for the Compliance function have direct communication both with administrators, including members of the Board of
Directors and the Audit Committee, and with any employee, and have access to any information necessary within the scope of their responsibilities.
c) Compliance reports and risk indicators must be clear, objective and timely, being reported to senior committees, business unit executives,
the Risk executive, the Risk and Capital Management Committee, the Audit Committee and the Board of Directors, so that the level of exposure
and compliance with the established limits are monitored. d) Notes of non-compliance identified by any departments of the Conglomerate,
regulators and other supervisory and inspection bodies must be monitored to ensure their effective treatment by the competent departments.
The Corporate Compliance Department must encourage the individual and collective responsibility of employees for the management and governance
of risks and of the organization's Compliance activities. e) In International Units, local and independent structures responsible for
Compliance, under the responsibility of local Compliance Risk Officers (CROs), perform their function under the supervision of Regional
CROs who, in turn, report to the Global CRO. 5. MAIN ROLES AND DUTIES 5.1. Board of Directors The Board of Directors is responsible for:
- Approving: a) the guidelines, strategies and policies relating to Compliance, in order to ensure a clear understanding of the roles
and responsibilities for all levels of the Conglomerate; and b) the position of the DCC in the institution's organizational structure
in order to avoid possible conflicts of interest, mainly with the business departments. - Provide the necessary means so that the activities
related to the Compliance function are properly carried out, including the availability of resources to allocate sufficient personnel
and with the necessary training and experience. - Ensuring: a) proper management of this policy; b) effectiveness and continuity of the
application of this policy; c) communication of this policy to all employees and relevant outsourced service providers; d) dissemination
of standards of integrity and ethical conduct as part of the institution's culture; and e) adoption of corrective measures for identified
Compliance failures. The assessment of these items by the Board of Directors will be carried out based on reports and periodic meetings
between the Risk Department and the Board of Directors and its advisory committees and on the annual report coordinated by DCC, as well
as by assessment carried out by the Audit Committee. 5.2. Audit Committee The Audit Committee is responsible for: - Validating the Compliance
Policy prior to submission for approval by the Board of Directors. - Evaluating, at least annually, the Compliance structure, in relation
to the following aspects: a) Clearly defining the duties, roles and responsibilities of the Compliance function, avoiding possible conflicts
of interest, especially with the institution's business departments; b) Positioning at an appropriate hierarchical level, independent
and segregated from operational and business departments, with a duly exercised mandate regarding the definition of scope, execution of
the work and communication of its results; c) Organizational structure consistent with the needs of the Conglomerate and allocation of
sufficient personnel, adequately trained and with the necessary experience to carry out the activities related to the respective functions;
d) Effectiveness of Compliance management; and e) Adherence of the structure to the applicable regulation. - Checking the performance
of: a) communication of this Policy to all employees and relevant outsourced service providers; b) dissemination of standards of integrity
and ethical conduct as part of the institution's culture; and c) adoption of corrective measures for identified failures. 5.3. First Line
The business and support departments must: - Maintain compliance with standards and regulatory requirements. - Define and implement action
plans to address non-conformity notes. - Promptly communicate to the Compliance department whenever changes or non-compliance with current
rules and regulations or Compliance risks are identified. - Inform and train employees and relevant outsourced service providers on matters
relating to Compliance, with the support of the Corporate Compliance Department. - Maintain a relationship with the Regulatory, Self-regulatory,
Supervisory and Inspecting Bodies, as established in the Policy on Relationship with Regulatory, Self-regulatory, Supervisory and Inspecting
Bodies; - Identify, measure and manage Compliance risk events that may influence the fulfillment of the Conglomerate's strategic and operational
objectives; and - Maintain an effective control environment consistent with the nature, size, complexity, structure, risk profile and
business model of the operations carried out, in order to ensure the effective management of Compliance risks, maintaining exposure to
risks at acceptable levels according to the risk appetite established for the Conglomerate. 5.4. Second Line Represented by the Risk Department’s
boards, responsible for risk control activities, which are fully segregated from internal audit and legal activities, being independent
in the exercise of their functions. These boards cannot manage businesses or processes that could compromise their independence or generate
conflicts of interest. Their goals and remuneration cannot be related to the performance of the business departments. The Risk Department,
under the coordination of DCC, is responsible for: - Supporting the first line in observing their direct responsibilities. - Disseminating
standards of integrity and ethics as part of the Conglomerate's culture and disseminate good practices and policies related to the Compliance
function. - Guiding and advising the Conglomerate's administrators and employees on compliance with internal standards related to the
Integrity and Ethics Program , and on compliance with external standards, reporting possible irregularities or identified failures. -
Ensuring that the teams responsible for carrying out Compliance functions have appropriate authority and are adequate, both in resources
and knowledge, through a structured training program. - Managing compliance risks through performance indicators, regulatory monitoring,
tests and controls, including automated tests using data, internal and external complaints, prioritizing risks according to their severity
reporting the results to Senior Management and, when requested, to the Regulatory Bodies. - Reviewing and monitoring the action plans
adopted to address the notes made by regulatory bodies and by the independent auditor in the report on non-compliance with legal and regulatory
provisions. - Coordinating activities related to the internal audit compliance function and the risk management structure, through periodic
meetings and, in the second case, joint execution of operational activities and reports. - Disseminating to the IUs the best practices
and Compliance methodology adopted by the Head Office, including those related to the Corporate Integrity and Ethics Program. - Coordinating
the governance of Compliance Programs of international regulations relevant to the conglomerate. It is exclusively up to DCC: i. Define
principles and guidelines for disseminating risk management of Compliance, including training. ii. Manage the process of monitoring of
adherence to new regulations, with the support of the Risk Spec Backoffice Department (BOE). iii. Report systematically and in a timely
manner to the Board of Directors, directly or through its advisory committees, relevant information both from the results of the Compliance
assessments carried out that have identified material flaws and significant changes in the regulatory environment. iv. Manage the Integrity
and Ethics Program, interacting with the Inspectorate and Ombudsman as necessary. v. Coordinate the relationship with regulators and other
inspection and supervision bodies with centralized management, following up on formalized action plans, facilitating the sharing of information
and ensuring the consistency of institutional positioning. vi. Develop and make available the methodologies, tools, systems, infrastructure
and governance necessary to support the Compliance function in the Conglomerate's activities. vii. Coordinate the governance of Itaú
Unibanco's policies and procedures, in accordance with applicable regulations, maintaining evidence of approval of all documents by the
established approval authorities, including the approval of this Policy. viii. Send to the Audit Committee, the Risk and Capital Management
Committee and to the Board of Directors the Annual Compliance Report containing a summary of the results of activities related to Compliance
topics, main conclusions, recommendations and action plans adopted for treatment of the identified deficiencies. In International Units,
the Local CROs are responsible for the responsibilities of the above items in accordance with the governance established in internal procedures.
5.5. Third Line Represented by Internal Audit, which independently and periodically verifies the adequacy of risk identification and management
processes and procedures, including integrated operational risk management, internal controls and Compliance, in accordance with the guidelines
established in the internal policy and submits the results of their notes to the Audit Committee. 5.6. Common to All Departments of Itaú
Unibanco - Conduct training on integrity and ethics and risk management provided by Itaú Unibanco. - Annually sign the Term “Corporate
Integrity Policies” attesting to its knowledge and agreement with what is established in this Policy. - Define, implement and comply
with policies and procedures for adherence to regulations. - Comply with the provisions established by the Conglomerate's external rules
and internal policies. - Report facts or suspected violations of the Code of Ethics and Conduct, of the Integrity, Ethics and Conduct
Policy or of this policy. 6. RELATED EXTERNAL RULES Basel Committee on Banking Supervision - Compliance and the Compliance function in
Banks (April 2005) Resolution No. 4,968/21 of the Brazilian National Monetary Council: provides for the implementation and implementation
of an internal control system Resolution No. 4,557/17 of the Brazilian National Monetary Council: addresses the risk management structure
and the capital management structure Resolution No. 4,595/17 of the Brazilian National Monetary Council: addresses the compliance policy
of financial institutions and other institutions authorized to operate by the Central Bank of Brazil. Resolution No. 65/21 of the Central
Bank of Brazil: addresses the compliance policy of consortium administrators and payment institutions. Resolution No. 416/21 of the Brazilian
National Private Insurance Council: provides for the Internal Controls System, the Risk Management Structure and the Internal Audit activity.
Approved by the Board of Directors on 2024, May. ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230
PUBLIC ACCESS REPORT - LIQUIDITY RISK MANAGEMENT AND CONTROL POLICY 1. OBJECTIVE Establish the liquidity risk management and control structure
of Itaú Unibanco Holding SA (Itaú Unibanco), observing the applicable regulations and best market practices. 2. TARGET AUDIENCE
This policy is applicable to all financial companies controlled by Itaú Unibanco in Brazil and abroad. This policy is also applicable
to all activities of the conglomerate that result in exposure to liquidity risk, with an impact on Itaú Unibanco Holding and its
subsidiaries. This policy does not apply to the liquidity risk of customer portfolios managed by the bank and/or trusteeship (e.g. funds
from Wealth Management & Services - WMS). 3. INTRODUCTION Liquidity risk is defined as the possibility of the Institution not being
able to efficiently and timely honor its financial obligations. Liquidity risk may occur when there is a mismatch between cash flows (assets
and liabilities) that affects its operations or produces significant losses. Liquidity risk control is carried out by a department independent
of the business departments. The objective is to compare assets (generally the most liquid) with financial obligations (generally with
shorter maturities) and ensure that sufficient cash is available to meet the obligations. Liquidity risk is controlled in accordance with
the Limits Framework established by the Board of Directors and the Higher Committees. 4. GUIDELINES The liquidity risk management and
control processes must strictly observe the principles defined in this policy. The measurement of liquidity risk must cover all financial
operations of Itaú Unibanco companies, as well as possible contingent exposures (exposure situations with no expected date to occur)
or unexpected exposures (changes in cash inflows or outflows). These situations are commonly caused by: - settlement services (for example:
significant decrease in tax collection, settlement of bank slips or bank transfers); - provision of guarantees and endorsements (for example:
customers who execute guarantees and/or warranties for non-payment of loans); - contracted and unused credit lines. (for example: increased
use of overdraft or credit card limits); - Realization of adverse events that impact technical provisions (Occurrence of incidents, redemption
or portability of pension plan, redemption or inclusion in capitalization draws) The main measure in controlling liquidity risk should
be measurement of liquid assets, which is composed of: - cash in the country (federal government bonds, cash, BACEN deposits, any asset
that can be immediately traded and converted into cash without significant loss of value); - cash abroad (assets that can be immediately
traded and converted into cash abroad without significant loss of value, such as, for example, cash, cash in other banks) - all assets
immediately convertible (D0) into means of payment. Liquidity Risk Control includes contingency and liquidity recovery plans to clearly
define actions to restore liquidity in different stress situations. 5. MAIN ROLES AND DUTIES The Liquidity Risk control structure at Itaú
Unibanco involves the parties indicated below, for which we highlight their roles in this matter. Board of Directors - define the institution's
risk appetite and review it annually. - review the contingency plan annually Superior Market and Liquidity Risk Commission: - define the
powers related to liquidity risk control and review them annually. - monitor liquidity risk indicators, taking the necessary decisions,
respecting the defined risk appetite. - submit for approval by the Board of Directors, at least annually, the liquidity contingency plan
(Brazil); Liquidity Risk Control - Explain the composition of the reserve, in accordance with the guidelines established by higher management;
- identify, assess, monitor, control and report daily exposure to liquidity risk. - propose liquidity risk limits; - monitor the contingency
and recovery plans, as well as the limits established for each of these plans and report any non-compliance to the competent approval
authorities. - carry out liquidity risk simulations under stress conditions. - through the Teams’ group 'Gestão de Crises_Crises
reputacionais' (Crisis Management_Reputational Crises), follow up on events in social media, monitored by the marketing team. If it is
suspected that there may be any impact on the bank's liquidity, monitor the liquidity maps and indicators daily and execute any action
plans approved by the Crises Committee. - periodically report the main liquidity risk controls in Brazil and the External Units, as well
as situations of sudden reductions in liquidity and relevant aspects of the measures in progress to the collegiate bodies, Treasury, Superintendence
of Integrated Capital Management, CRO and the Board of Directors; - Inform any non-compliance, both in the managerial risk appetite and
in the Contingency and Recovery triggers. Also inform the Integrated Capital Management Superintendence of the daily LCR (Liquidity Cover
Ratio) indicator levels, ensuring support for monitoring the Recovery Plan; - in relation to risk appetite metrics, monitor, analyze and
report the information that makes up the Risk Appetite Report, in addition to communicating relevant aspects to those involved, such as
committee decisions, requests for action plans and notices on points of attention. - maintain specialized and adequately sized teams to
support the liquidity risk processes and systems under its governance and development management. Institutional Treasury (Brazil and International)
- centralizing the management of Itaú Unibanco's liquidity risk, ensuring adequate and sufficient levels of liquidity; Reserve
Pilot (see Glossary): - identify, evaluate, monitor and alert on cash needs for operations carried out during the day; GIS (Global Institutional
Solutions): -Responsible for managing the liquidity of proprietary portfolios and technical reserve portfolios of companies supervised
by SUSEP. Information Technology: - maintain specialized and adequately sized teams to support the liquidity risk processes and systems
that are under the governance and management of technology development, and for the Hosting processes defined in specific service provision
agreements; 6. LIQUIDITY RISK CONTROL The control of Liquidity Risk at Itaú Unibanco includes measuring, monitoring, controlling
and reporting exposure levels, in addition to contingency plans and liquidity recovery. The measurement of exposure to liquidity risk
is based on the daily analysis of the evolution of cash flows and compliance with regulatory indices, as described below: - Projected
cash flow (Business Continuity Scenario): demonstrates cash flow expectations, considering business continuity in normal conditions; -
Portfolio Settlement Scenario (run-off): demonstrates the expected cash flows, considering the settlement of current portfolios and the
discontinuation of business. - Portfolio Settlement Scenario (Stressed) demonstrates cash flows in adverse idiosyncratic scenarios for
companies regulated by Susep. - Short-Term Liquidity Cover Ratio (LCR): demonstrates that the prudential conglomerate 's high-quality
liquid assets are sufficient to withstand a severe liquidity crisis, for a period of 30 days, according to premises defined by the Central
Bank of Brazil; and - Net Stable Funding Ratio (NSFR): demonstrates that the prudential conglomerate has available stable resources higher
than required by cash outflows in a one-year stress scenario. - Concentration of Funding Providers: demonstrates that the prudential conglomerate
has diversified exposure to liquidity provider counterparties. The use of liquidity risk limits must be verified against the approved
limits. Noncompliance with the established limits and indicators must be reported by the liquidity risk control to senior management,
the relevant departments for immediate reclassification of exposure and the relevant committees. The contingency and recovery plans are
designed to restore adequate levels of liquidity and preserve Itaú Unibanco's viability in response to stress situations. The plans
must contain a list of actions to be implemented, covering volumes, deadlines and those responsible for them. The actions of the contingency
plan must contemplate a gradation by level of criticality. The order of actions should be determined by the ease of implementation, taking
into account the characteristics of the market. Details of specific procedures and rules linked to this policy can be accessed at ItaúConecta/Policy
and Norms/Policies (Simplified Model) / Ethics, Risks and Governance/Risks/Liquidity. 7. GLOSSARY Reserve Pilot: structure responsible
for continuously calculating the bank reserve balance and monitoring all debit and/or credit entries of the financial institution. Funding
Providers: counterparties that invest funds in the Institution through various products, such as Demand Deposits, Term Deposits, Financial
Bills, among others. Reserve: total assets that can be converted into cash immediately, according to the considerations of the markets
and regulatory bodies where the unit is located. Run-Off: scenario in which assets and liabilities expire and are not renewed. Approved
by the Board of Directors on 2024, May. ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held Company NIRE 35300010230
CREDIT RISK MANAGEMENT AND CONTROL POLICY 1. OBJECTIVE Establish the Governance and Credit Risk Control of Itaú Unibanco Holding
SA, observing applicable regulations and best market practices. 2. TARGET AUDIENCE Financial institutions controlled by Itaú Unibanco
Holding S.A. (Itaú Unibanco), in Brazil and abroad, that incur credit risk, covering all segments (individuals and legal entities).
3. INTRODUCTION According to the institution's corporate risks dictionary, Credit Risk is understood as the risk of losses arising from:
• Non-compliance by the borrower, issuer or counterparty with their respective financial obligations under the agreed terms, •
Credit agreement devaluation resulting from deterioration in the risk rating of the borrower, the issuer or the counterparty, • Reduction
of earnings or remuneration, • Advantages granted in subsequent renegotiations: Credit recovery costs; • Image and reputation
with credit operation in disagreement with the social, environmental and climate aspects. The credit risk control processes must support
the institution, strictly observing the principles defined in internal Policy. The centralized control of credit risk is carried out independently
by the Risk Management Department (AR), segregated from the Business Units and the area executing the internal audit activity. At the
International Units,1 the independent structure responsible for controlling local risks is under the responsibility of the local Chief
Risk Officers (CROs), who report to the respective Local CEOs and Regional CROs, acting in a coordinated and aligned manner with the Credit
Risk and Modeling Wholesale (DRCMA) and Retail (DRCMV) Board. The Regional CROs are responsible for the integrated and preventive management
of risks in the region, ensuring their effectiveness and reporting their status to the CRO of Itaú Unibanco Holding. The roles
and responsibilities of the Holding’s, Regional and Local CROs are defined in internal procedure. This structure enables the continuous
and integrated management of credit risk and must consider the operations classified in the trading portfolio and those classified in
the non-trading portfolio as well. 1 In this document the term International Units includes Representation Offices. 4. GUIDELINES Risk
management must be integrated, thus enabling identification, measurement, evaluation, monitoring, reporting, control and mitigation of
Credit Risk. Credit Risk management structures must be proportional to the risk exposure dimension and relevance, compatible with the
business model, the nature of transaction operations and the complexity of Itaú Unibanco products, services, activities and processes.
Therefore, specialized and properly dimensioned teams must be maintained to support the credit risk processes and systems that are under
their governance. The Credit Risk management structure must provide: • Clearly documented risk management policies and strategies
that establish limits and procedures for maintaining risks exposure in accordance with the Risk Appetite Statement. It should also take
into account the prior identification of credit risks inherent to: o New products and services; o Relevant modifications to existing products
or services; o Significant changes in processes, systems, operations and business model of the institution; • Protection strategies
(hedge) and risk assumption initiatives; • Significant corporate reorganizations; • Aspects related to social risk, environmental
risk and climate risk; • Changes in macroeconomic scenarios. • Monitoring processes, in order to identify points in non-compliance
with credit risk management policies, including the respective justifications and expected actions to resolve any divergences; •
Systems, routines and procedures for credit risk management, including their updates; • Periodic management reports for the board,
committees, as well as for other forums where the topic of Credit Risk is on the agenda. • Alternative models or methods for better
measurement of credit risk. The above-mentioned guidelines must be applied to risks of credit, counterparty, country, disbursement events
to honor endorsements, sureties, co-obligations, credit commitments or other operations of a similar nature and losses associated with
non-compliance with obligations related to settlement transactions involving bilateral flows, including the trading of financial assets
or derivatives. 5. MAIN ROLES AND DUTIES Credit Risk Control Must: • Define centralized credit risk monitoring and control environment;
• Periodically review the policies, strategies and procedures for establishing operational limits, risk mitigation mechanisms and
procedures designed to maintain the credit risk exposure at acceptable levels by management, and approve them at the competent approval
authority levels; and • Disclose credit decisions, corporate policies and strategies for managing credit risk to the Business Units
and CROs of the International Units. Credit Risk Modeling Must contribute to the execution of Credit Risk Control activities, following
the assignments provided for in the Model Risk Policy. Finance Define rules for performing simulations and calculations in line with applicable
standards and regulations, in addition to publishing financial statements and other reports that assist and complement Credit Risk Management
and Control. Risk Management Department Committee Members Responsible for decision making according to the specificity of each forum,
striving for risk mitigation in order to maintain credit risk exposure at acceptable levels for management. Business Units (Brazil and
International Units) Ensure visibility of the credit risk incurred in their operations and that it falls within established rules and
limits. Additionally, the business departments shall maintain procedure manuals with detailed descriptions of the responsibilities and
assignments for the processes and controls under their accountability. 6. CREDIT RISK CONTROL 6.1 - ECONOMIC GROUPS Itaú Unibanco
Holding's credit risk management process has governance for the formation and alteration of economic groups, which has as its target audience
all commercial segments that grant or manage credit, which includes international units. 6.2 - COUNTERPARTY CREDIT RISK This is the risk
of non-compliance, by a certain counterparty, with obligations related to settlement of operations that involve trading of financial assets
with bilateral risk. It covers financial derivatives instruments, transactions to be settled, asset loans and repurchase agreements and
bilateral energy contracts. Measuring counterparty credit risk involves converting it into the equivalent credit risk exposure through
specific models. The Potential Credit Risk (PCR) measurement models are used to measure the equivalent credit exposure in transactions
subject to counterparty credit risk. The development and approval of these models follow the governance described in a specific procedure.
The procedure for Development of Market Risk Models defines the counterparty credit risk measurement for certain products and businesses,
as priority in relation to PCR models and has as purpose: • Considering, when measuring credit risk, the presence of mitigating instruments,
as long as they are not explicitly considered in the PCR models; • Defining the measurement of counterparty credit risk for certain
products and businesses where there are material risks not captured by the PCR models; and • Defining the risk measurement for certain
products and businesses in which there is no specific model developed. 6.3 - COUNTRY RISK Itaú Unibanco maintains relationships
with borrowers, issuers, counterparties and guarantors in various locations worldwide, regardless of having an external unit in these
locations. Therefore, Country Risk is a risk present in the institution. Such risk is defined, at Itaú Unibanco, as the risk of
losses arising from the failure to comply with financial obligations, within the agreed terms, by borrowers, issuers, counterparties or
guarantors, as a result of actions carried out by the government of the country where the borrower is located, issuer, counterparty or
guarantor, or political, economic and social events related to that country; being subdivided into: • Sovereign risk, defined as
the risk of central governments (Treasury and Central Bank) inability to generate resources to honor their commitments; • Transfer
risk, defined as the risk resulting from the total or partial impossibility of transferring assets held in a jurisdiction abroad to the
jurisdiction of the country using a legal vehicle of Itaú Unibanco, due to the barriers arising in the conversion exchange rate
as a consequence of macroeconomic events or actions taken by the central government of the jurisdiction where the resource is located;
leaving the borrower, issuer, counterparty or guarantor incapable of honoring the payment of its commitments in foreign currency. The
current Country Risk management flow consists of an assessment flow as it provides for the management of the following risks: a) Credit
Risk of External Units. Defined as the credit risk of operations at Itaú Unibanco's External Units, financed with local funds.
Controlling this risk is the responsibility of the local CROs. b) Convertibility Risk. Defined as the risk arising from the impossibility
of converting a local currency into a foreign currency, without the need to transfer this foreign currency abroad. c) Investment by Itaú-Unibanco
abroad (PL). The investment (net equity) of Itaú-Unibanco in subsidiaries abroad or the expected value of remittances of dividends
from these subsidiaries to Brazil are not evaluated in the country risk management structure. The PL is an investment without a defined
term or contractual flow, so that a temporary interruption in the possibility of remittance of these funds to Brazil does not necessarily
imply a breach of contractual obligation (default). d) Indirect country risk The assessment of the cash generation capacity of the company
or economic group is made in the context of each customer's credit analysis and considers, whenever relevant, elements of indirect country
risk when determining limits and ratings. Within this context, the credit team assesses the dependence on external markets in the import
of inputs or exports and/or concentration of companies' cash flow to certain countries with the aim of identifying possible impacts on
credit risk. These impacts can be of different types: greater difficulty or cost in obtaining inputs, restrictions on access to consumer
markets, difficulty in receiving amounts owed or dividends from investees. Itaú Unibanco has a specific structure for managing
and controlling country risk, comprised by collegiate bodies and dedicated teams, all with formally defined responsibilities. In order
to consistently assess the risks inherent to each country, Itaú Unibanco defines the rating of the countries by taking into account
both the sovereign risk and the transfer risk. The local sovereign rating reflects the payment capacity of the sovereign issuer (Treasury
and Central Bank) against its obligations settled in local currency. The external sovereign rating reflects the ability of a country to
generate foreign exchange (foreign currency) and, therefore, it is the rating used to assess the capacity of the sovereign issuer (Treasury
and Central Bank) to honor its obligations to be settled in foreign currency, as well as to assess the transfer risk. The inability to
generate foreign exchange can lead to two consequences: (i) default of the sovereign issuer on its debts in foreign currency and/or (ii)
imposition of capital controls that prevent transferring private resources between jurisdictions (restrictions for converting national
currency into foreign currency). Itaú Unibanco establishes limits based on ratings and transaction terms, aiming to control the
country risk exposure. Such limits are periodically reviewed, and extraordinary revisions may occur in light of a new material fact. 6.4
– SOCIAL, ENVIRONMENTAL AND CLIMATE RISK Social, environmental and climate risk events in the counterparty may result in credit
losses. Due to this, Itaú Unibanco defined a set of guidelines to guide the establishment and maintenance of credit relationships
and operations with credit risk with Customers, which are detailed in internal procedure. 6.5 - CREDIT PORTFOLIO MONITORING Portfolio
monitoring is understood as the follow-up of indicators related to credit operations. In general, monitoring indicators are observed for
the balance of active portfolio, credit concession in the month (also known as the harvest), and default indicators (balance in arrears
in relation to the portfolio or harvest balance) and quality. The portfolio monitoring has as purpose verifying the financial health of
credit operations, adapting credit strategies to the conglomerate risk appetite. Any deviations identified in relation to the maximum
and minimum levels of the Global Policy are reported as follows: centralized monitoring in Brazil is periodically reported to the Credit
Risk Policy Committee (CPRC). Consolidated harvest and portfolio indicators for the retail segment are reported monthly to the Higher
Retail Credit and Collection Commission (CSCCV) and for the wholesale segment bimonthly (may be changed according to demand) to the Wholesale
Higher Credit and Collection Commission (CSCCA). Regarding the indicators of the International Units, monitoring is reported at the International
Units Risks Committee (CRUI-R)(HN and Conesul) and CIR – Integrated Risk Committee (Itaú Chile), with the participation of
the Holding, Regional and Local CROs. Credit portfolio monitoring is described in internal procedure. Additionally, part of the monitoring
process is the control of the risk of activities performed by the conglomerate's institutions as creditors within open credit card arrangements.
This process also includes controlling the risk of credit card issuers, in accordance with internal policy, and the risks inherent to
Merchants and Facilitators, in accordance with in internal procedure. 6.6 - REVIEW OF PORTFOLIOS AND CREDIT PROCESSES The review must
consist of analyzing the quality and integrity of the credit process of each business unit, ranging from correct compliance with credit
policies, assessing the quality of the concession, assessing the payment capacity of customers , the adequacy of the assigned ratings
and the client's vulnerability/indebtedness condition (in applicable segments). This analysis must be carried out by an independent team
of reviewers and the result must be reported to the senior credit management (Credit Director), risk management of the assessed business
units (Credit Risk Director or CRO and the Holding Credit Risk Department ). 6.7 ASSESSMENT OF CREDIT STRATEGIES AND POLICIES Establish
the responsibilities and general rules relative to the process of determining and approving changes in credit policies and business rules
that impact on credit risk exposure. For proprietary portfolios, the policies address the credit granting and maintenance, as well as
the acquisition, in the market, of instruments with credit risk. For third-party portfolios, the policies address the rules for discretionary
decision making in assets with credit risk. Change in credit policy is any action that affects the risk assumed or that may have an impact
on the consumption of credit limit and on Allocated Economic Capital. Credit policies can be divided into three types: 1. Credit granting
and maintenance policies: amendments and changes in credit models, segmentation, income/revenue, etc.; changes in credit approval authorities
(composition and values); impact at risk due to annual re-segmentations; change of cutoff point; new segmentations (breaks) that change
the credit decisions. 2. Risk measurement policies: mitigation by guarantees; definition or change of the application criteria for potential
credit risk (PCR) models; definition or change of parameters for calculating capital and limit consumption. 3. Global Credit Policy: maximum
or minimum levels for a set of indicators and variables reflecting credit risk in the bank, which must be considered in all retail and
wholesale policies. The specific definitions of credit policies for each segment, the approval process and authorities, the monitoring
and responsibilities of each department, are described in internal procedure. 6.8 CONCENTRATION RISK Concentration risk is the risk of
financial loss resulting from the excessive concentration of operations with credit risk in clients, sectors, geographic regions or mitigating
instruments, on a directly or correlated way. Aiming to ensure low outcome volatility, the concentration risk management is conducted
from different perspectives within the bank, so as to observe that the institution is not significantly exposed to a single source of
risk. This way, Concentration Risk is monitored from the following perspectives: individual, top 10, by country, by sector of the economy
and of the institution’s activity. The Board of Directors and Executive Board monitor these indicators on a monthly basis, and are
also responsible for adjusting and approving metrics and their limits. The limits are defined according to each dimension variables. In
order to define the individual concentration limits and the top 10 conglomerates, we evaluated the inherent credit risk of the conglomerates,
respecting the maximum limits of CMN Resolution 4677. For concentration by country, the risk diversification is based on the credit risk
presented by each country and the bank strategy. For concentration by segment, diversification is based on bank strategy and its operation’s
business result volatility, while for concentration by sector, the limits are defined according to the sector's credit portfolio’s
risk profile, its profitability, and the sector’s relevance in the economy. The limits defined for each metric, as well as more
details on calculation methodologies, are found in the Risk Appetite Manual. 6.9 - INCOME Determines the types of income and how to define
the income for Individuals. When capturing any customer income information (such as proven, certified income, ability to pay or other
income information approved under exception) and using it for granting credit, maintenance, or any other purpose of income for individuals,
it is mandatory to follow the guidance in internal procedure respecting the document type, its validity and exceptions, in case of seasonality.
6.10 - REVENUE Determine the types of revenue and the way to obtain income for the legal entity. When capturing any customer revenue information
(such as evidence, certificate, ability to pay or other approved information in an exception) and use it for credit granting, maintenance
or any other purpose, it is mandatory to follow the guidance in internal procedure observing the respective procedures, types of documents,
their validity and any exceptions. 6.11 - INCOME COMMITMENT The income commitment (CR) is the debt divided by gross income of the Individual
Customer. It is used in the granting and maintenance, through credit policies and business rules of Individual Retail, as a measure to
assess the customer risk, considering their current indebtedness and the impact of the requested credit on that debt. The specific use
of CR is described in each product policies. The rules for calculating CR and the guidelines for recalculating this information are described
in internal procedure. 6.12 - GUARANTEES Guarantees are instruments that have as purpose reducing the occurrence of losses in operations
with credit risk, including, without distinction, financial guarantees, real guarantees, agreements for compensation and settlement of
obligations, personal and fiduciary guarantees, and credit derivatives. For these guarantees to be considered as a risk reduction instrument,
they must comply with the requirements and determinations of the standards that regulate them. 6.13 - ASSESSMENT OF COLLECTION POLICIES
AND STRATEGIES Collection strategies refer to the recovery and renegotiation of credit operations that are in arrears. To assess collection
strategies, portfolios are monitored (default, batch and portfolio), with focus on renegotiation products. The monitoring of these actions
carried out by the Wholesale and Retail Modeling Credit Risk Board aims to mitigate risks in the collection strategies and operations
carried out by the Business Units. 6.14 - UPDATE AND DEVELOPMENT OF RISK PARAMETERS FOR PROVISION AND CAPITAL Risk parameters are the
necessary inputs that qualify the calculations of provisions or capital allocation performed by the finance area for accounting and/or
management purposes. Parameters are assigned by parameter developer units (UDPs) through premises and calculations to ensure the Bank's
solvency in the face of expected and/or unexpected changes in past, current and future scenarios. The definitions and concepts of each
parameter must be aligned between the parameter developer unit (UDP) and the parameter user unit (UUP). 7. RELATED EXTERNAL RULES •
CMN Resolution No. 4,557/2017, which provides for the implementation of a credit risk management structure, amended by CMN Resolution
4,943/2021, which provides for the risk management structure, the capital management structure and the dissemination of information. •
CMN Resolution 2,682, which establishes criteria for classifying credit operations and rules for establishing a provision for settlement
credits. • CMN Resolution No. 4,966/2021, which provides for the accounting concepts and criteria applicable to financial instruments,
as well as for the designation and recognition of hedging relationships (hedge accounting) by financial institutions and other institutions
authorized to operate by the Central Bank of Brazil. • CMN Resolution No. 4,945/2021, which provides for the Social, Environmental
and Climate Responsibility Policy (PRSAC) and actions aimed at its effectiveness. • CMN RESOLUTION No. 5,089, OF JUNE 29, 2023, which
Amends Resolution No. 4,557, of February 23, 2017, which provides for the risk management structure, the capital management structure
and the information disclosure policy, and Resolution No. 4,606, of October 19, 2017, which provides for the simplified optional methodology
for determining the minimum requirement for Simplified Reference Equity (PRS5), the requirements for opting for this methodology and the
additional requirements for the simplified structure for continuous risk management. • Law 11,418/2021 which provides for the prevention
and treatment of over-indebted individual clients • Decree 11,567/2023 on the value of the regulated existential minimum • CMN
Resolution 4949/21 definition of the vulnerable public • SARB Regulation no.23 (Relationship with Potentially Vulnerable Consumers)
Approved by the Board of Directors on 2024, July. ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held Company NIRE
35300010230 PUBLIC ACCESS REPORT - CAPITAL MANAGEMENT POLICY (GLOBAL) OBJECTIVE To define rules and responsibilities pertaining to Itaú
Unibanco Holding S.A. (Itaú Unibanco) capital management activities. (Itaú Unibanco), in accordance with the applicable
regulations and best market practices. TARGET AUDIENCE The capital management process must cover all companies in the conglomerate controlled
by Itaú Unibanco in Brazil and abroad. INTRODUCTION For any company to be able to operate, it is necessary that it has capital,
which is the investment made by shareholders. In addition, the resources that the company generates and that are not distributed, being
kept in its equity, are also called capital. For financial institutions, the Central Bank of Brazil requires a minimum capital (required
capital), which is the capital necessary to face the risks to which the institution is exposed, guaranteeing its solvency. Capital management
is a fundamental instrument for the sustainability of the financial system. Methods for identifying, evaluating, controlling, mitigating
and monitoring risks support financial institutions in adverse moments. Itaú Unibanco considers capital management essential for
the decision-making process, which contributes to the optimization and efficiency of the use of capital in its operations. In this management,
Itaú Unibanco companies in Brazil and abroad are considered. Changes in the global financial environment, such as the integration
between markets, the emergence of new transactions and products, increasing technological sophistication and new regulations have made
financial activities and their risks increasingly complex. Additionally, lessons from financial crises reinforce the importance of risk
management (Public Access Report - Risk) and capital management to strengthen the financial health of the banking industry. The Brazilian
participation in the Basel Committee on Banking Supervision (BCBS) encourages the timely implementation of international prudential standards
in the Brazilian regulatory framework. In line with this perspective, Itaú Unibanco invests in the continuous improvement of capital
management processes and practices, in accordance with international market, regulatory and supervisory benchmarks. Itaú Unibanco's
capital management consists of a continuous process of planning, evaluation, control and monitoring of the capital necessary to face the
relevant risks of the Conglomerate and support the capital requirements required by the regulator, or those defined internally by the
Institution, with the objective of optimize capital allocation. The departments defined in the capital management structure, together
with the support of some specific departments of each theme, answer together or individually for: a. Identification of the risks to which
the institution is exposed and analysis of their materiality; b. Assessment of the capital needed to support the risks; c. Development
of methodologies for quantification of additional capital; d. Capital quantification and internal capital adequacy assessment; e. Internal
Capital Adequacy Assessment Process (ICAAP) f. Projection of capital ratios; g. Determination of reference equity (PR) and Calculation
of capital ratios; h. Preparation of the capital plan and contingency plan; i. Preparation of the recovery plan; j. Monitoring the solvency
and liquidity regularization plan of SUSEP companies; k. Capital stress tests; l. Determination of the Global Systemic Importance Index
(ISG); m. Preparation of the quarterly risk and capital management report – Pillar 3; n. Monitoring the Cost of Capital of the Holding
and External Units; o. Monitoring the capital of the External Units. Itaú Unibanco's capital management structure allows the monitoring
and control of the capital held by the Institution, the assessment of the need for capital to face the risks to which the Institution
is exposed and the planning of goals and capital needs, considering the Institution's strategic objectives and/or considering adverse
situations. As a result, Itaú Unibanco adopts a prospective approach, anticipating the need for capital arising from possible changes
in market conditions. Due to sensitivity and specificity, an internal policy to protect the capital index was created, which is also periodically
reviewed. Concepts Required capital: it is the capital necessary to face the risks to which the institution is exposed, guaranteeing its
solvency and including international units. The requirements are regulated by BACEN for Brazil and by local regulatory bodies at international
units. Such requirements are expressed in the form of indices that relate available capital to total risk-weighted assets (RWA –
Risk Weighted Assets). The Reference Equity (PR) used to verify compliance with the operating limits imposed by BACEN consists of the
sum of three items, called: . Principal Capital: sum of capital stock, reserves and retained earnings, minus deductions and prudential
adjustments; . Complementary Capital: composed of perpetual instruments that meet eligibility requirements. Added to the Principal Capital,
it makes up Level I; . Tier II: composed of defined-maturity subordinated debt instruments that meet eligibility requirements. Added to
the Principal Capital and the Complementary Capital, it makes up the PR (Total Capital). For the purposes of calculating these minimum
capital requirements, the total amount of RWA is determined by adding together the portions of assets weighted by credit, market and operational
risks. (according to Res. CMN No. 4,958): ������ = ��������������+��������������+��������������+
�������������� + ��������������
�������������� = portion related to
exposures to credit risk, calculated according to a standardized approach; ��������������
= portion relating to credit risk exposures calculated according to internal credit risk rating systems (IRB – Internal Ratings-Based
approaches), authorized by the Central Bank of Brazil; ��������������
= portion relative to the capital required for market risk, calculated using a standardized approach; ��������������
= portion relative to the capital required for market risk, calculated according to internal model approaches, authorized by the Central
Bank of Brazil; �������������� = portion
related to the capital required for operational risk, calculated according to a standardized approach. In addition to regulatory minimums,
BACEN rules establish Additional Principal Capital (ACP or CET1), corresponding to the sum of the ACPConservação, ACPContracíclico
and ACPSistemico installments which, together with the aforementioned requirements, increase the need for capital: . ACPConservação:
represents an extra “cushion” of capital to absorb possible losses . ACPContracíclico: is an additional cushion of
capital to be accumulated during the expansion phase of the credit cycle and to be consumed during its contraction phase . ACPSistemico:
for institutions with systemic importance, an additional capital is required to face systemic risk. The values of each installment and
the regulatory minimums, as defined in CMN Resolution No. 4,958, are described in the following table: When triggering the ACPContracyclical
in jurisdictions where the institution has exposures on its balance sheet, the calculation of the additional amount must follow BCB Circular
No. 3,769, increasing the regulatory minimum required of the conglomerate. Internal Capital Adequacy Assessment Process (ICAAP) Annual
exercise required by the Central Bank of Brazil whose objective is to assess the capital adequacy of Itaú Unibanco, thus providing
a general and comprehensive view of the institution's risk and capital management and demonstrating the results related to the self-assessment
of the adequacy of its capital level according to the risk profile. The ICAAP comprises the Capital Plan and the Contingency Plan, described
below: Capital Plan The capital plan is a section of the ICAAP that discusses how the bank's capital planning takes place in order to
maintain an adequate and sustainable level of capital, incorporating the limits established by the risk appetite and the analyses of economic
and regulatory environments. Additionally, it is structured consistently with Itaú Unibanco's strategic planning. This plan presents
the financial and capital forecasts in the short and medium term (at least three years following the base date year), both in normality
and stress scenarios, together with its main sources of capital, distribution policy results and contingency plan. Capital Contingency
Plan Itaú Unibanco has a capital contingency plan for cases in which at least one capital ratio is found to be lower than those
defined by the Board of Directors (Conselho de Administração (CA)), or for unforeseen events that may affect the capital
adequacy of the institution. The plan includes a set of contingency actions and those responsible for them, which allows Itaú Unibanco
to increase its capitalization levels and must contain, at least, the definition of the capital limits that trigger its activation and
the corresponding governance, aiming to maintain the adequate capitalization level of Itaú Unibanco in an adverse situation. Recovery
Plan Itaú Unibanco has a Recovery Plan that aims to reestablish adequate levels of capital and liquidity above regulatory operating
limits, in the face of severe stress shocks of a systemic or idiosyncratic nature, in order to preserve its financial viability, and at
the same time mitigate impact on the National Financial System. The Recovery Plan covers the entire conglomerate, including subsidiaries
abroad, and is reviewed annually and submitted for approval by the Board of Directors. Its normative basis is CMN Resolution No. 4,502,
and contains the critical functions and essential services provided by Itaú Unibanco that can impact the National Financial System
and the institution's own viability. Additionally, it discusses stress scenarios, communication plans with interested parties and governance
mechanisms necessary for the coordination and execution of Common Equity Tier I 4.5% Tier I 6.0% Total Capital 8.0% Additional Capital
Buffers (ACP) 3.56% conservation 2.5% countercyclical (1) 0.06% systemic 1.0% Common Equity Tier I + ACP 8.06% Total Capital + ACP 11.56%
Prudential adjustments deductions 100% (1) the countercyclical capital buffer is fixed by the Financial Stability Committee (Comef)based
on discussions about the pace of credit expansion, and currently is set to zero (Bacen communication Nº 39,425/22). Should the requirement
increase, the new percentage takes effect twelve months after the announcement. the plan. Stress Test The stress test, an integral part
of the Institution's Capital Plan, is a process of simulating the effects of extreme economic and market conditions on the institution's
results and capital. Stress scenarios must be approved by the Board of Directors and their results must be considered when defining Itaú
Unibanco's business and capital strategy. The stress test, for Itaú Unibanco, can be divided into internal and regulatory. The
first seeks to measure the vulnerability and strength of the conglomerate in hypothetical, but plausible, economic crisis scenarios based
on macroeconomic simulations and projections developed by the institution itself. The regulatory stress test has the same objective, but
uses a scenario developed by the Central Bank. In both processes, the main analyzes are on the Bank's results (DRE - P&L), its distribution
among the conglomerate's portfolios and activities and on the institution's level of capital and liquidity. Additionally, to complement
the results according to the processes described above, sensitivity analyzes and reverse stress tests are carried out annually. The capital
management framework should provide assessments of impacts on capital from the definition of severe scenarios chosen by the institution
and include them in the results of the stress test program. Solvency and Liquidity Regularization Plan – SUSEP This plan provides
for the minimum capital required for the operation of insurance and reinsurance companies, where the capital sufficiency indicator is
monitored monthly. Based on the verification of its insufficiency, jointly with the asset management departments of the insurance group,
measures to regularize the solvency and liquidity ratios of companies subject to SUSEP guidelines are defined. Global Systemic Importance
Index (GSI) Methodology defined by the Bank for International Settlements (BIS), and ratified by the Financial Stability Board, this index
measures the importance of each financial institution in the global market, whose bankruptcy could cause an international threat to the
financial system, and is made up of five main indicators: - Size: which reflects the relative participation of the institution in the
global activity; - Activity abroad: relative participation of the institution in international activities; - Interconnection: relative
participation of the institution in the interbank market and with the global capital market; - Substitution: relative participation of
the institution in the global offer of financial services; - Complexity: relative participation of the institution in complex or low liquidity
instruments. Information regarding the ISG calculation is published annually on the Investor Relations website, in accordance with BACEN
Resolution No. 171. Capital and Risk Management Report – Pillar 3 It is a report that contains information relating to prudential
indicators and risk management, comparison between accounting and prudential information, capital composition, macro prudential indicators,
leverage ratio, liquidity indicators, credit risk, counterparty credit risk, exposures of securitization, market risk, risk of variation
in interest rates on instruments classified in the banking portfolio and remuneration of administrators, published quarterly on the Institution's
Investor Relations website (Pillar3), in accordance with BCB Resolution No. 54. GUIDELINES Capital management must support the institution
according to the principles defined in the Risk Management policy and those defined in this policy. These principles are reflected in
the following guidelines, according to which Itaú Unibanco's capital management structure must: - Ensure that policies and strategies
for capital management are clearly documented and establish mechanisms and procedures to maintain the Reference Equity (RE), Level I,
and Principal Capital compatible with the risks incurred by the institution. - Maintain procedures for managing capital. - Be compatible
with the nature of its operations, the complexity of the products and services offered and the dimension of risk exposure. - Ensure the
submission of capital management policies and strategies, as well as the capital plan, for approval and review, at least annually, by
the Board of Directors, in order to determine their compatibility with the institution's strategic planning and with market conditions.
- Generate reports for the institution's departments, the Risk and Capital Management Committee (CGRC)) and the Board of Directors, pointing
out the adequacy of the levels of PR, Level I and Brazilian Capital Principal to the risks incurred or any deficiencies of the capital
management framework, as well as actions to correct them. - Ensure that the Solvency and Liquidity Regularization Plan required by SUSEP
is met in the event of insolvency or non-liquidity by one or more companies in the insurance industry, ensuring that the areas involved
in the asset management of these companies are activated for the definition of a corrective action proposal, as well as submitting it
to impact assessment. - Define the governance and responsibilities of the capital management process, and disclose decisions and policies
related to this process to the affected areas, as well as monitor the regulatory capital of Itaú Unibanco and international units.
- Business units and international units must ensure that approved decisions and policies are properly implemented. - Ensure that the
information disclosed in the Risk and Capital Management report - Pillar 3 has adequate detailing to the scope, complexity of operations,
sophistication of systems, institution’s risk management processes and ensure that any relevant differences relating to other information
disclosed by the institution is clarified; - Ensure that published information adheres to the current rules established by regulatory
bodies. MAIN ROLES AND DUTIES Itaú Unibanco's management is directly involved in the internal process of assessing capital adequacy
and its risk assessment. Among the committees and internal commissions that discuss the capital management process include: . Board of
Directors (CA) . Risk and Capital Management Committee (CGRC) . Asset Liability Capital Committee (ALCCO) Risk Management Department:
The Risk Management Department aims to ensure that Itaú Unibanco's risks are managed in accordance with established policies and
procedures, in addition to being responsible for centralizing the institution's capital management. The purpose of centralized control
is to provide the Board of Directors and senior management with a global view of Itaú Unibanco's exposures to risks, as well as
a prospective view of capital adequacy in order to optimize and streamline corporate decisions. Information Providing Departments: At
the most fundamental level, the areas are expected to provide the necessary information for the identification of risks, for the analysis
of their materiality and for the measurement of the required capital, as well as for the preparation of the capital budget, capital plan,
contingency plan, recovery plan, risk and capital management report - Pillar 3 and other regulatory and management reports, ensuring their
completeness, integrity and consistency and considering both the growth and evolution of the business's expected risk profile of the unit.
The areas involved in the capital management process must be able to carry out the required actions whenever they are called upon. Details
of the responsibilities of each of the departments involved in the capital management process are described in the internal procedures.
Approved by the Board of Directors on 2024, September.
Itau Unibanco (NYSE:ITUB)
過去 株価チャート
から 11 2024 まで 12 2024
Itau Unibanco (NYSE:ITUB)
過去 株価チャート
から 12 2023 まで 12 2024
