ITAÚ UNIBANCO HOLDING S.A.

CNPJ 60.872.504/0001-23

Publicly-Held

NIRE 35300010230

PUBLIC ACCESS REPORT - COMPLIANCE POLICY

SUMMARY

Establishes the fundamental aspects associated with the Compliance function.

1. OBJECTIVE AND TARGET AUDIENCE

Establish the guidelines and main duties associated with the Compliance function, observing good market practices and applicable regulations.

This policy applies to Itaú Unibanco Holding and its controlled companies in Brazil and the companies abroad listed in internal procedure.

2. INTRODUCTION

The Compliance role aims to prevent and mitigate Itaú Unibanco's exposure to situations of non-compliance with standards and commitments (Compliance Risk), being responsible for governance, certification of adherence, conduct and transparency.

Regulatory or Compliance Risk is the risk of sanctions, financial losses or reputational damage arising from the lack of compliance with legal and regulatory provisions, local and international market standards, commitments with regulators, public commitments, self-regulation codes and codes of conduct adhered to by Itaú Unibanco.

Compliance risk is managed through a structured process that aims to identify changes in the regulatory environment, analyze the impacts on the institution's departments and monitor actions aimed at adherence to regulatory requirements and other commitments mentioned in the previous paragraph.

3. COMPLIANCE FUNCTION

The Compliance function is carried out directly by the Corporate Compliance Board and other Boards in the Risk Department, under the coordination of the Corporate Compliance Board, and in an integrated manner with the other risks incurred by the institution.

4. GUIDELINES

  1. The management of compliance risks should address existing or new processes, products and services, including relevant outsourced services. Such processes, products and services must be periodically tested and evaluated for compliance with applicable standards, commitments made with regulators and requirements related to the Code of Ethics and Conduct.
  2. Those responsible for the Compliance function have direct communication both with administrators, including members of the Board of Directors and the Audit Committee, and with any employee, and have access to any information necessary within the scope of their responsibilities.
  3. Compliance reports and risk indicators must be clear, objective and timely, being reported to senior committees, business unit executives, the Risk executive, the Risk and Capital Management Committee, the Audit Committee and the Board of Directors, so that the level of exposure and compliance with the established limits are monitored.
  4. Notes of non-compliance identified by any departments of the Conglomerate, regulators and other supervisory and inspection bodies must be monitored to ensure their effective treatment by the competent departments. The Corporate Compliance Department must encourage the individual and collective responsibility of employees for the management and governance of risks and of the organization's Compliance activities.

Corporate | Internal

  5. In International Units, local and independent structures responsible for Compliance, under the responsibility of local Compliance Risk Officers (CROs), perform their function under the supervision of Regional CROs who, in turn, report to the Global CRO.

5. MAIN ROLES AND DUTIES

5.1. Board of Directors

The Board of Directors is responsible for:

  • Approving:
  1. the guidelines, strategies and policies relating to Compliance, in order to ensure a clear understanding of the roles and responsibilities for all levels of the Conglomerate; and
  2. the position of the DCC in the institution's organizational structure in order to avoid possible conflicts of interest, mainly with the business departments.
  • Providing the necessary means so that the activities related to the Compliance function are properly carried out, including the availability of resources to allocate sufficient personnel with the necessary training and experience.
  • Ensuring:
  1. proper management of this policy;
  2. effectiveness and continuity of the application of this policy;
  3. communication of this policy to all employees and relevant outsourced service providers;
  4. dissemination of standards of integrity and ethical conduct as part of the institution's culture; and
  5. adoption of corrective measures for identified Compliance failures.

The assessment of these items by the Board of Directors will be carried out based on reports and periodic meetings between the Risk Department and the Board of Directors and its advisory committees, on the annual report coordinated by DCC, and on the assessment carried out by the Audit Committee.

5.2. Audit Committee

The Audit Committee is responsible for:

  • Validating the Compliance Policy prior to submission for approval by the Board of Directors.
  • Evaluating, at least annually, the Compliance structure, in relation to the following aspects:
  1. Clearly defining the duties, roles and responsibilities of the Compliance function, avoiding possible conflicts of interest, especially with the institution's business departments;
  2. Positioning at an appropriate hierarchical level, independent and segregated from operational and business departments, with a duly exercised mandate regarding the definition of scope, execution of the work and communication of its results;
  3. Organizational structure consistent with the needs of the Conglomerate and allocation of sufficient personnel, adequately trained and with the necessary experience to carry out the activities related to the respective functions;
  4. Effectiveness of Compliance management; and
  5. Adherence of the structure to the applicable regulation.

  • Checking the performance of:

  1. communication of this Policy to all employees and relevant outsourced service providers;
  2. dissemination of standards of integrity and ethical conduct as part of the institution's culture; and
  3. adoption of corrective measures for identified failures.


5.3. First Line

The business and support departments must:

  • Maintain compliance with standards and regulatory requirements.
  • Define and implement action plans to address non-conformity notes.
  • Promptly communicate to the Compliance department whenever changes or non-compliance with current rules and regulations or Compliance risks are identified.
  • Inform and train employees and relevant outsourced service providers on matters relating to Compliance, with the support of the Corporate Compliance Department.
  • Maintain a relationship with the Regulatory, Self-regulatory, Supervisory and Inspecting Bodies, as established in the Policy on Relationship with Regulatory, Self-regulatory, Supervisory and Inspecting Bodies;
  • Identify, measure and manage Compliance risk events that may influence the fulfillment of the Conglomerate's strategic and operational objectives; and
  • Maintain an effective control environment consistent with the nature, size, complexity, structure, risk profile and business model of the operations carried out, in order to ensure the effective management of Compliance risks, maintaining exposure to risks at acceptable levels according to the risk appetite established for the Conglomerate.

5.4. Second Line

Represented by the Risk Department's boards, responsible for risk control activities, which are fully segregated from internal audit and legal activities, being independent in the exercise of their functions.

These boards cannot manage businesses or processes that could compromise their independence or generate conflicts of interest. Their goals and remuneration cannot be related to the performance of the business departments.

The Risk Department, under the coordination of DCC, is responsible for:

  • Supporting the first line in observing their direct responsibilities.
  • Disseminating standards of integrity and ethics as part of the Conglomerate's culture, and disseminating good practices and policies related to the Compliance function.
  • Guiding and advising the Conglomerate's administrators and employees on compliance with internal standards related to the Integrity and Ethics Program, and on compliance with external standards, reporting possible irregularities or identified failures.
  • Ensuring that the teams responsible for carrying out Compliance functions have appropriate authority and are adequate, both in resources and knowledge, through a structured training program.
  • Managing compliance risks through performance indicators, regulatory monitoring, tests and controls, including automated tests using data, and internal and external complaints, prioritizing risks according to their severity and reporting the results to Senior Management and, when requested, to the Regulatory Bodies.
  • Reviewing and monitoring the action plans adopted to address the notes made by regulatory bodies and by the independent auditor in the report on non-compliance with legal and regulatory provisions.
  • Coordinating activities related to the internal audit compliance function and the risk management structure, through periodic meetings and, in the second case, joint execution of operational activities and reports.
  • Disseminating to the IUs the best practices and Compliance methodology adopted by the Head Office, including those related to the Corporate Integrity and Ethics Program.
  • Coordinating the governance of Compliance Programs of international regulations relevant to the conglomerate.


It is exclusively up to DCC:

  1. Define principles and guidelines for disseminating risk management of Compliance, including training.
  2. Manage the process of monitoring adherence to new regulations, with the support of the Risk Spec Backoffice Department (BOE).
  3. Report systematically and in a timely manner to the Board of Directors, directly or through its advisory committees, relevant information both on the results of the Compliance assessments carried out that have identified material flaws and on significant changes in the regulatory environment.
  4. Manage the Integrity and Ethics Program, interacting with the Inspectorate and Ombudsman as necessary.
  5. Coordinate the relationship with regulators and other inspection and supervision bodies with centralized management, following up on formalized action plans, facilitating the sharing of information and ensuring the consistency of institutional positioning.
  6. Develop and make available the methodologies, tools, systems, infrastructure and governance necessary to support the Compliance function in the Conglomerate's activities.
  7. Coordinate the governance of Itaú Unibanco's policies and procedures, in accordance with applicable regulations, maintaining evidence of approval of all documents by the established approval authorities, including the approval of this Policy.
  8. Send to the Audit Committee, the Risk and Capital Management Committee and to the Board of Directors the Annual Compliance Report containing a summary of the results of activities related to Compliance topics, main conclusions, recommendations and action plans adopted for treatment of the identified deficiencies.

In International Units, the Local CROs assume the responsibilities listed in the items above, in accordance with the governance established in internal procedures.

5.5. Third Line

Represented by Internal Audit, which independently and periodically verifies the adequacy of risk identification and management processes and procedures, including integrated operational risk management, internal controls and Compliance, in accordance with the guidelines established in the internal policy, and submits the results of its notes to the Audit Committee.

5.6. Common to All Departments of Itaú Unibanco

  • Conduct training on integrity and ethics and risk management provided by Itaú Unibanco.
  • Annually sign the "Corporate Integrity Policies" term, attesting to their knowledge of and agreement with what is established in this Policy.
  • Define, implement and comply with policies and procedures for adherence to regulations.
  • Comply with the provisions established by the Conglomerate's external rules and internal policies.
  • Report facts or suspected violations of the Code of Ethics and Conduct, of the Integrity, Ethics and Conduct Policy or of this policy.

6. RELATED EXTERNAL RULES

Basel Committee on Banking Supervision - Compliance and the Compliance function in Banks (April 2005)

Resolution No. 4,968/21 of the Brazilian National Monetary Council: provides for the implementation of an internal control system.

Resolution No. 4,557/17 of the Brazilian National Monetary Council: addresses the risk management structure and the capital management structure.

Resolution No. 4,595/17 of the Brazilian National Monetary Council: addresses the compliance policy of financial institutions and other institutions authorized to operate by the Central Bank of Brazil.

Resolution No. 65/21 of the Central Bank of Brazil: addresses the compliance policy of consortium administrators and payment institutions.

Resolution No. 416/21 of the Brazilian National Private Insurance Council: provides for the Internal Controls System, the Risk Management Structure and the Internal Audit activity.

Approved by the Board of Directors in May 2024.

Disclaimer

Itaú Unibanco Holding SA published this content on 23 May 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 27 May 2024 21:16:04 UTC.