How does Itaú Unibanco (ITUB) manage environmental, social and climate (ESC) risks?

Itaú Unibanco defines ESC risks as potential financial and reputational losses from social, environmental and climate events. The policy integrates ESC risks into traditional risk disciplines, uses relevance and proportionality principles, applies sector and regional limits and conducts climate stress testing and scenario analyses.

Itaú Unibanco (ITUB) outlines comprehensive risk and capital management frameworks

Filing Impact

(Neutral)

Filing Sentiment

(Neutral)

Form Type

6-K

Rhea-AI Filing Summary

Itaú Unibanco Holding S.A. furnishes a Form 6-K presenting a broad set of updated public access policies covering how the bank manages key risks and capital. The documents detail frameworks for environmental, social and climate risks, market and IRRBB risk, operational risk, compliance, liquidity, credit risk and capital management.

Across these areas, Itaú Unibanco describes governance based on three lines of defense, the role of the Board of Directors and risk committees, and alignment with Brazilian and international regulations such as CMN Resolution No. 4,557/17 and Basel-related standards. The policies explain how risks are identified, measured, monitored and reported and how capital and liquidity buffers are planned and overseen to support the bank’s long-term resilience.

Key Figures

Common Equity Tier I minimum ratio: 4.5% Total Capital minimum ratio: 8.0% Capital conservation buffer: 2.5% +3 more

6 metrics

Common Equity Tier I minimum ratio 4.5% Regulatory minimum Common Equity Tier I capital requirement under CMN Resolution No. 4,958

Total Capital minimum ratio 8.0% Regulatory minimum Total Capital requirement under CMN Resolution No. 4,958

Capital conservation buffer 2.5% Additional Principal Capital (ACPConservação) buffer percentage for Itaú Unibanco

Systemic risk capital buffer 1.0% Additional Principal Capital (ACPSistemico) requirement for systemically important institutions

Common Equity Tier I plus buffers 8.06% Combined minimum Common Equity Tier I ratio including additional capital buffers

Total Capital plus buffers 11.56% Combined minimum Total Capital ratio including additional capital buffers

Key Terms

Environmental, Social and Climate Risks, IRRBB, Liquidity Coverage Ratio (LCR), Internal Capital Adequacy Assessment Process (ICAAP), +2 more

6 terms

IRRBB financial

"IRRBB: the risk, current or in the analysis horizon, of the impact of adverse movements in interest rates on the capital and results"

Liquidity Coverage Ratio (LCR) financial

"Short-Term Liquidity Ratio (LCR – Liquidity Coverage Ratio): measures whether the volume of high-quality liquid assets"

A liquidity coverage ratio measures whether a bank holds enough cash and easily sold, high-quality assets to cover its expected net cash outflows for 30 days under stress. Think of it as a household emergency fund that proves the bank could pay its bills for a month without selling illiquid items at fire-sale prices. Investors use it to gauge short-term resilience, regulatory compliance, and the likelihood of funding strain.

Internal Capital Adequacy Assessment Process (ICAAP) financial

"Internal Capital Adequacy Assessment Process (ICAAP) Annual exercise required by the Central Bank of Brazil"

Global Systemic Importance Index (ISG) financial

"Determination of the Global Systemic Importance Index (ISG)"

three lines of defense financial

"Itaú Unibanco's risk management organizational structure adopts the three lines of defense strategy"

See more from StockTitan in Google Search and AI answers. Adds StockTitan as a preferred source · opens Google

Add on Google

Form 6-K: How Foreign Companies Report to the SEC →

06/18/2026 - 05:29 PM


	UNITED STATES
	SECURITIES AND EXCHANGE COMMISSION
	Washington, D.C. 20549

	FORM 6-K

	Report of Foreign Issuer Pursuant to Rule 13a-16 or 15d-16 of the Securities Exchange Act of 1934



	For the month of June, 2026

	Comission File Number: 001-15276

	Itaú Unibanco Holding S.A.
(Exact name of registrant as specified in its charter)

	Itaú Unibanco Holding S.A.
(Translation of Registrant’s Name into English)

Praça Alfredo Egydio de Souza Aranha, 100 - Torre Conceição
	CEP 04344-902 São Paulo, SP, Brazil (Address of principal executive office)


Indicate by check mark whether the registrant files or will file annual reports under cover Form 20-F or Form 40-F.
	Form 20-F ☒	Form 40-F ☐

Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by Regulation S-T Rule 101(b)(1):
	Yes ☐	No ☒

Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by Regulation S-T Rule 101(b)(7):
	Yes ☐	No ☒

Indicate by check mark whether by furnishing the information contained in this Form, the registrant is also thereby furnishing information to the Commission pursuant to Rule 12g3-2(b) under the Securities Exchange Act of 1934.
	Yes ☐	No ☒

If “Yes” is marked, indicate below the file number assigned to the registrant in connection with Rule 12g3-2(b):
	82– __________________

EXHIBIT INDEX


						99.1			ITAÚ UNIBANCO - Risk Management Policy

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.

Date: June 18, 2026.

Itaú Unibanco Holding S.A.

By: /s/ Gustavo Lopes Rodrigues

Name: Gustavo Lopes Rodrigues

Title: Investor Relations Officer.

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT - ENVIRONMENTAL, SOCIAL AND CLIMATE RISK POLICY 1. PURPOSE It establishes the rules and responsibilities in connection with the management of the Environmental, Social and Climate Risks of Itaú Unibanco Holding S.A. (“Itaú Unibanco”), in compliance with applicable regulations, notably CMN Resolution No. 4,557/17, as amended by CMN Resolution No. 4,943/21 (“Resolution No. 4,557/17”). 2. TARGET AUDIENCE This policy is applicable to the activities of Itaú Unibanco and its subsidiaries. 3. INTRODUCTION As Itaú Unibanco recognizes the growing importance of the Environmental, Social and Climate Risks (“ESC” or “ESC Risks”) in the global scenario and their direct impact on financial operations and business sustainability, the proper management of these risks is essential for the sustainable development and for meeting regulatory requirements and stakeholder expectations. The approach adopted in this policy factors in the integration of ESC Risks with the organization's traditional risks, based on the principles of relevance and proportionality. Accordingly, it ensures that strategic and operational decision making is driven towards the mitigation of negative impacts and the maximization of sustainable economy opportunities. 4. DEFINITIONS AND CONCEPTS According to Resolution No. 4,557/17, ESC Risks are construed as the possibility of losses arising from these activities to be incurred by the institution, which includes reputational losses. Therefore, ESC Risks must be identified and managed based on relevance and proportionality criteria, ensuring that actions taken are appropriate to and consistent with each risk. The dimensions addressed are as follows: - Social: This refers to events associated with the violation of fundamental rights and guarantees or with acts that jeopardize the Common Interest, including issues such as poor working conditions and negative impacts on local communities. Management should prioritize the protection of human rights and the promotion of social well-being. - Environmental: It involves events associated with environmental degradation, biodiversity loss, and overexploitation of natural resources. Examples include deforestation, pollution, and depletion of water resources. The approach should focus on environmental conservation, sustainable resource use, and the promotion of ecological practices. - Climate: It encompasses two main aspects: (i) the transition to a low-carbon economy, aimed to reduce or offset greenhouse gas (GHG) emissions and preserve the natural mechanisms for capturing these gases, such as forests and oceans; and (ii) the adaptation to extreme weather events and long-term environmental changes, such as severe storms, prolonged droughts, and rising sea levels, attributed to changes in climate patterns. Management should include mitigation and adaptation strategies to minimize adverse climate change impacts. 5. PRINCIPLES

ESC Risks materialize in Traditional Risks, requiring each risk discipline to develop specific actions to identify, measure, assess, monitor, report, control, and mitigate any potential adverse effects arising from their interactions with ESC Risks. These risks must be managed based on the guidelines set out in this policy, as well as: i. The principles and guidelines provided in the Environmental, Social and Climate Responsibility Policy (“PRSAC”), in line with CMN Resolution No. 4,945/21, which establishes standards for incorporating sustainability criteria into financial operations; ii. The provisions of the Risk Management Policy (Global) and the Risk Appetite Policy, which provide a comprehensive and consistent structure across the organization; iii. The principles of relevance and proportionality, ensuring that actions are appropriate to the scope and importance of each identified risk; iv. The provisions set out in related Procedures (“PR”), which outline the processes and practices to be followed; v. The public commitments assumed by Itaú Unibanco, which reflect the institution's commitment to sustainability and corporate responsibility; vi. Sustainability-related standards, as well as the best practices and market trends, ensuring that the bank is aligned with the most advanced and effective risk management standards. 6. ESC RISK MANAGEMENT GUIDELINES To identify the ESC risks to be prioritized under Itaú Unibanco's risk management, we have adopted three interdependent perspectives: • Financial: This addresses events with the potential to bring in monetary losses for Itaú Unibanco, which includes direct impacts, such as loan provisions/losses, fines and penalties, and indirect impacts, such as business opportunities lost due to environmental, social and climate risk issues. • Reputational: whenever an event has the potential to give rise to a negative perception of Itaú Unibanco's reputation among its stakeholders, according to the definition of reputational risk outlined in the specific document. • Legal: It involves risks associated with inadequacies or deficiencies in agreements entered into by the institution, as well as with sanctions due to the noncompliance with legal provisions and awards for damages to third parties arising from bank’s activities. Probability and severity elements are used for the classification of ESC Risks, which means assessing the likelihood of a risk event occurring and the severity of its potential impacts. This classification allows the institution to prioritize mitigation actions and the efficient allocation of resources. Additionally, as Itaú Unibanco monitors the concentrations of exposure to economic sectors and geographic regions most susceptible to being subject to or causing Environmental, Social and Climate damage, it may establish specific limits for such exposures based on its Risk Appetite Policy and Risk Management Policy (Global). Both classification and monitoring are ongoing processes, and Itaú Unibanco keeps records of data relevant to its management, including, when available, losses per Environmental, Social and Climate event. The data and information resulting from these processes are used to prepare management reports, as provided for in CMN Resolution No. 4,557/17, as well as to perform climate stress testing program, including scenario analyses that address cases of changes in climate patterns and transitions, enabling Itaú Unibanco to revise its response strategies to external and internal environment changes. ESG Risk Criteria for Clients, Operations subject to Credit Risk and Suppliers

Itaú Unibanco's ESC Risk management provides for methodologies and processes based on ESC and governance criteria for assessing clients, and operations subject to credit and supplier risks. These methodologies may include: (i) In the social dimension, due diligence on working conditions, respect for human rights and impact on traditional communities; (ii) in the environmental dimension, assessing the risk of disasters, contamination and degradation of biomes and natural resources; (iii) in the climate dimension, assessing physical risks (such as extreme climate events) and risks of transition associated with regulatory, technology or market changes; (iv) in the governance dimension, assessing transparency, board quality and the counterparty’s capacity to manage ESC risks. Itaú Unibanco addresses specific criteria to qualify and evaluate counterparties from time to time according to their ESC risk profiles, considering factors such as their sectors and geographic regions of operation, compliance with legislation, and a proper governance structure to mitigate potential credit losses arising from ESC events. These criteria are used from a client, operational, and guarantee adequacy vision, according to their relevance. ESC Risk Criteria for Own Operations Management of Environmental, Social and Climate Risks directly arising from Itaú Unibanco's operations includes identifying, assessing, monitoring and mitigating any events that may arise from the bank's operational activities. These risks include potential environmental, social or climate impacts from internal activities, operational processes, engaged service providers or structures under the institution's direct responsibility. Accordingly, each department must ensure that its operational processes are conducted in such a way to prevent harm, reduce exposure, and guarantee the conformity with applicable internal and external regulations. In addition to identifying risks, operational departments must implement controls, record incidents, and act on to mitigate such risks on a timely basis. ESC risk management should also factor in the efficient use of resources, compliance with applicable environmental and social requirements, the adoption of low-carbon practices, and the alignment with corporate sustainability guidelines, thus ensuring that the institution minimize negative impacts and strengthens its responsible performance. Training To ensure the effectiveness of the ESC Risk management, employees involved in the management of these risks in each of the Traditional Risk disciplines must regularly take part in targeted training and capacity-building programs provided by the organization. These programs ensure ongoing updates on best practices, new regulations, and topic-related trends. Stakeholder Engagement Itaú Unibanco adopts an integrated and collaborative approach to addressing ESC Risks, involving all stakeholders, including clients, investors, suppliers, regulators, and society in general, to ensure that solutions are effective and sustainable in the long term. Transparency and clear communication about risks and mitigation measures taken are essential to build and strengthen trust and engagement with all parties involved. As part of managing our clients’ ESC Risks, in addition to assessing credit relationships and granting financing for credit approval or renewal, we also engage our clients in the adoption of more sustainable practices, such as transitioning to a clean and sustainable economy and improving control over their supply chains and labor

practices. This not only reduces associated risks but also contributes to a broader positive impact on society and the environment. Itaú Unibanco has formal mechanisms for monitoring the perception among clients, the financial market, and society in general regarding its performance, including client service aspects such as complaint analysis, satisfaction surveys, public statements, media, and social networks. The information arising from this monitoring is used to promptly identify any negative perceptions that could significantly impact the institution, feeding into management risk reports, reviewing stakeholder engagement strategies, and, where applicable, reviewing risk appetite levels and risk management policies. 7. GOVERNANCE Itaú Unibanco's risk management organizational structure adopts the three lines of defense strategy and follows the guidelines established in Resolution No. 4,557/17, aimed to ensure the proper and sustainable development of the bank’s activities, thus promoting an integrated, independent and robust risk management. Risk management governance is structured to ensure that all risk-related issues are thoroughly discussed and analyzed, which is key for informed decision-making and the implementation of effective mitigation strategies. Accordingly, the ESC Risk Management structure includes governance composed of different joint bodies, from the Board of Directors and Executive levels to the Board of Officers level, as set out in the "Main Roles and Responsibilities" section. These bodies have defined mandates and are responsible for specifically making decisions and recommendations, ensuring control and risk mitigation. The goal is to keep the exposure to ESC risks at acceptable, safe levels for the institution, in line with the risk appetite defined by the Board of Directors. 8. MAIN ROLES AND RESPONSIBILITIES The ESC Risk Management structure at Itaú is composed of departments and joint bodies that work in an integrated manner to ensure risk identification, assessment and mitigation, in conformity with regulatory and corporate guidelines. The responsibilities outlined below reflect these strategic guidelines: Risk Department (AR) - Provide guidelines and define governance for the identification, assessment, measurement, control, and monitoring of ESC Risks through corporate policies and procedures. - Monitor the integration of ESC Risks with Traditional Risks and their possible materialization. - Calculate, monitor, and periodically report the consumption of environmental, social and climate Risk Appetite metrics, according to defined limits, to the Executive Committee, the Risk and Capital Management Committee (CGRC) and the Board of Directors. - Support Business Units in the implementation of controls and advancement of ESC risk management practices. Chief Risk Officer (CRO) – Officer in charge of the Risk Department - Work in the integration of ESC Risks and the institution’s global risk management structure, being responsible for the Environmental, Social and Climate Risk Policy, and for liaising with regulators. Business Units (Brazil and International Units) - Incorporate ESC Risk management into the business processes, to ensure that these conform with defined guidelines.

- Identify, measure, assess and manage ESC Risks, by documenting and storing information regarding losses incurred. - Promptly report the AR whenever they identify any potential risks not foreseen in existing controls. - Keep procedure manuals with detailed descriptions of the roles and responsibilities of the processes and controls under their management. - Seek to engage counterparties in improving their practices, aimed at the transition to a clean and sustainable economy. - International Units must have their own governance structure, in accordance with local legislation, ensuring alignment with the corporate guidelines established by the parent company. Joint Bodies: Board of Directors Responsibilities set out in the Risk Management Policy (Global) and the Corporate Governance Policy (Global). Audit Committee (CAud) Responsibilities set out in the Corporate Governance Policy (Global). Risk and Capital Management Committee (CGRC) Responsibilities set out in the Corporate Governance Policy (Global) and the Committee's Internal Charter, available on the Investor Relations website. Regarding ESC risk management, the activities of the Risk and Capital Management Committee (CGRC) resulting from the application of this Policy will be coordinated with those of the Environmental, Social and Climate Responsibility Committee. Environmental, Social and Climate Responsibility Committee Responsibilities set out in specific document. Superior ESG Council Responsibilities set out in specific document. Superior Environmental, Social and Climate Risk Committee (CRSAC Superior) Responsibilities set out in specific document. Environmental, Social and Climate Risk Committee (CRSAC) Responsibilities set out in specific document. 9. RELATED EXTERNAL STANDARDS - National Monetary Council (CMN) Resolution No. 4,557/17– Risk and capital management structure and information disclosure policy. - National Monetary Council (CMN) Resolution No. 4,945/21 - Environmental, Social and Climate Responsibility Policy (PRSAC) and actions aimed at its enforcement. - Central Bank of Brazil (BCB) Resolution No. 139 of September 15, 2021 – disclosure of the Environmental, Social and Climate Risks and Opportunities Report (GRSAC Report) - Central Bank of Brazil (BCB) Resolution No. 151 of October 6, 2021 – remittance of information on Environmental, Social and Climate Risks (DRSAC) - Bank Self-regulation System (SARB) Regulation No. 014/2014, as amended – Banking Self-Regulation (FEBRABAN) – Regulation on Environmental, Social and Climate Risk Management and Accountability.

- Bank Self-regulation System (SARB) Regulation No. 026/2023 – Banking Self-Regulation (FEBRABAN) – Management of the risk of illegal deforestation in the beef chain. - Superintendency of Private Insurance (SUSEP) Circular No. 666 of June 27, 2022 – Sustainability requirements to be fulfilled by insurance and capitalization companies. - Brazilian Securities and Exchange Commission (CVM) Resolution No. 193 of October 20, 2023 – preparation and disclosure of financial information reporting on sustainability, based on the international standard issued by the International Sustainability Standards Board (ISSB). 10. GLOSSARY CGRC: Risk and Capital Management Committee Common Interest: Interest associated with the group of people legally or de facto linked by the same cause or circumstance, when not related to the definition of environmental, transitional climate or physical climate risk. PRSAC: Environmental, Social and Climate Responsibility Policy PR: Itaú Unibanco’s Internal Procedures PS/PC: Itaú Unibanco’s Internal Policies ESC Risks: Environmental, Social and Climate Risks Traditional Risks: These are the risk disciplines listed in items I to V of Article 6 of CMN Resolution No. 4,557/17. Approved by the Board of Directors on 2026, May.

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT - MARKET AND IRRBB RISK MANAGEMENT AND CONTROL POLICY OBJECTIVE Establish the market and IRRBB risk management and control structure of Itaú Unibanco Holding SA (Itaú Unibanco), observing the applicable regulations and best market practices. TARGET AUDIENCE This policy is applicable to all employees and activities of the Conglomerate that result in exposure to market risk and IRRBB, with an impact on Itaú Unibanco Holding and its subsidiaries. Market and IRRBB risk control covers all positions in the portfolios of financial and non-financial companies belonging to Itaú Unibanco, in Brazil and in the International Units. This policy does not apply to the market risk of customer portfolios managed by the bank and/or trusteeship (for example: funds from Wealth Management & Services - WMS). INTRODUCTION For the purposes of this policy, market risk and interest rate risk in the banking book (IRRBB) are defined in the prudential context by: I. Market risk is the possibility of losses resulting from fluctuations in the market values of instruments held by the institution, including: a. the risk of variation in interest rates and stock prices, for instruments classified in the trading book; and b. the risk of exchange rate variation and commodity prices, for instruments classified in the trading book or in the banking book. II. IRRBB: the risk, current or in the analysis horizon, of the impact of adverse movements in interest rates on the capital and results of the financial institution, for instruments classified in the banking portfolio. The aforementioned risks depend on the price behavior of risk factors in light of market conditions. In addition to Treasury, which operates buying and selling bonds and securities, other departments can impact the market risk assumed by the bank. Examples include the purchasing department, when it makes a purchase in foreign currency or even the marketing department when it sponsors an entity or event in foreign currency. Market risk and IRRBB controls are carried out according to metrics defined in internal procedure. GUIDELINES Market and IRRBB risk control processes must strictly observe the principles defined in the Policy. These principles are reflected in the following guidelines, through which Itaú Unibanco's market risk management and control structure must: • Ensure the use of complete databases, which reflect business carried out using duly approved products, guaranteeing correct information and calculations, from registration to accounting; • Apply models that reflect best market practices; • Ensure that the pricing of the portfolios is preferably based on quotations observed in the financial markets, captured through trustworthy external sources. When no price is available, the calculation must be performed using a pricing model that represents the fair valuation of the positions. In these cases, such assessments must be consistent and verifiable, with market benchmarks and data used in the assessment regularly reviewed; • Calculate the results of the positions of the marked-to-market portfolios following the governance of the Bank's models; • Have risk control departments responsible for defining and applying pricing parameters, independent of the business departments; • Establish and ensure that the processes and systems adopted to measure, monitor and control exposure to market risk and IRRBB: • Are compatible with the nature of the operations, the complexity of the products and the size of the Institution's exposure to market risk and IRRBB; • Contain all sources of market risk and IRRBB; and • Generate timely risk exposure reports for the business units, for the Institution's management and for the Board of Directors.

MAIN ROLES AND RESPONSIBILITIES The Market Risk and IRRBB control structure at Itaú Unibanco involves the parties indicated below, for which we highlight their roles in relation to this matter. Board of Directors: - define the institution's risk appetite and review it annually. Superior Market and Liquidity Risk Commission: - define the approval authorities related to the control of market risk and IRRBB and review them annually. - monitor market risk and IRRBB indicators, taking the necessary decisions and respecting risk appetite. Chief Risk Officer: - responsible for market risk and IRRBB management at Itaú Unibanco. Market Risk Control and IRRBB: - identify, measure, control, monitor and report exposure to market risk and IRRBB to business departments and report to superior committees; - monitor compliance with exposures in relation to approved limits, trigger alerts and other measures to control market risk and IRRBB, reporting any non-compliance to the competent authorities and requesting an action plan for reclassification; - maintain specialized and appropriately sized teams to support market risk and IRRBB processes and systems, which are under its governance and development management. Daily Managerial Result Control: - carry out the calculation of the managerial result of the positions and disclose it to the competent departments, enabling monitoring and assistance in decision-making. Treasury: At the most fundamental level, the employee is expected to fully understand the nature of the risk in the portfolios under management and the effective management of this risk, ensuring its transparency for desk managers and compliance with established limits. MARKET AND IRRBB RISK CONTROL Market and IRRBB Risk control at Itaú Unibanco is carried out through governance and processes that guarantee compliance with the following determinations or parameters: • The Institution must operate in accordance with the risk appetite defined by the Board of Directors (CA), reviewed and approved annually based on a structure of limits and alerts. The limits are dimensioned by evaluating the projected results of the balance sheet, the size of equity, liquidity, complexity and volatilities of the markets, as well as the Institution's risk appetite; • Limit consumption must be reported by the Market Risk department to the Business Departments and bank executives. The alerts work as indicators of the pre-established limit; • The institution's limits and alerts structure is made up of aggregated metrics, which monitor and limit risk globally, and granular ones, which aim to avoid an excessive concentration of risk in specific risk factors; • The limits are figures that the operation desks of the trading book and trading desks of the banking book must respect. Alerts are metrics that send a signal to the institution, based on which, through defined governance, procedures are established to be adopted if the alert is triggered; • The mark-to-market (pricing) process of positions must be carried out based on quotations captured from external sources or, if this is not possible, calculated from models developed and validated according to guidelines established in specific policies; • Information relating to prices and traded positions is stored in a single, corporate historical database, with controls that ensure its integrity and completeness, with functionalities that allow consultation of historical information; • The models used must capture the correct sensitivity, market fluctuations, based on the application of periodic adherence tests for the total portfolio and subportfolios, including all risk categories. Its results must be analyzed and used to improve the models and manage the Institution's risk. Additionally, the managerial result must be used to verify the adherence of market risk measurement models; • The measurement of potential risk in extreme market situations, which complement the statistical risk measures, with the application of stress tests for all positions contained in the portfolios of financial and non-financial companies; • For portfolio positions that do not have prices directly observed in the market, that are not very liquid or that are evaluated using an internal pricing model, particularly TVMs (securities) and derivatives, apply prudential adjustments that correct possible marking errors, respecting criterion of relevance

and materiality. RELATED EXTERNAL RULES Central Bank of Brazil Circular 3.354/07, which establishes the minimum criteria for classifying transactions in the trading book; Resolution 4,557/17 of the Brazilian National Monetary Council, which provides for the implementation of a risk management structure. Approved by the Board of Directors on 04.30.2025

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT - OPERATIONAL RISK MANAGEMENT POLICY 1. PURPOSE This policy establishes guidelines and responsibilities associated with operational risk management. It applies to all directors and employees of Itaú Unibanco Holding S.A. and its subsidiaries in Brazil and abroad (“Itaú”). 2. GUIDELINES Operational Risk Management is aligned with the Policy Risk Management, observing current regulations and best practices. The steps involved in this process are: Identification of Operational Risks Continuous identification of internal and external events that may adversely impact the achievement of strategic objectives in activities, projects, or products/services. When a relevant risk is identified, a sweep of similar processes should be conducted to ensure consistent mitigation throughout the bank. Assessment of Operational Risks Classification of residual risk, considering inherent impact and the quality of the control environment. The assessment should include possible changes in internal and external environments, and its result should guide actions in response to operational risk. Awnswer to Operational Risk A structured set of decisions and actions adopted by the institution to accept, avoid, transfer, or mitigate operational risks. These responses must ensure that residual risk is within the risk appetite and must be subject to continuous review and reporting to governance bodies. Monitoring Monitoring the quality of the control environment, seeking, whenever possible, to do so on a recurring basis, using data analysis and exploration techniques, with a granular view of clients or transactions, and aiming for timely addressing of failures to correct the root cause and realign with Itaú’s risk appetite. In the continuous monitoring process, whenever there are relevant organizational changes that impact the level of management or community, continuity of processes and risk management must be ensured, as described in the specific procedure. Reporting of Operational Risks Issuance of an independent opinion on the quality of the control environment reported to the appropriate authorities and preparation of regulatory reports. The forums and committees for risk management are provided for in a specific procedure. 3. RESPONSABILITIES To adequately manage its risks, Itaú uses the three “lines” model (First, Second, and Third) published by the IIA (Institute of Internal Auditors). First Line Represented by Business, Support, or Community areas, they are directly responsible for the identification, assessment, response, monitoring, and reporting of operational risks. Second Line Represented by the Risk Area (AR), its objective is to ensure, independently and centrally, that Itaú’s risks are managed according to policies and procedures, aiming to define parameters for the risk management process and its supervision. Board of Compliance & OPRisk (DCOR) Its mission is to enable the management of regulatory and operational risks, independently supporting the first line, ensuring compliance and client centrality through a risk-based approach that includes:

▪ Monitoring the effectiveness of operational and regulatory risk management performed by the first line; ▪ Issuing an independent opinion on the quality of the control environment; ▪ Developing and providing products to enable operational and regulatory risk management by the first and second lines. DCOR is independent in the exercise of its functions, with direct communication with any director or employee, and access to any information necessary for the performance of its activities. Chief Risk Officer (CRO) The CRO is responsible for approving, and informing the CEO about, the mission and strategic objectives of DCOR, as well as the scope of its activities, which are reflected in the annual strategic planning. In International Units, the structure responsible for monitoring local controls and risk environments, independently from the first line of governance, is under the responsibility of the local CROs, who report to the Regional CROs on the status of risks of the entities under their scope, as well as on the measures taken to keep risks within established levels. Regional CROs are responsible for the integrated and preventive management of risks in the region, ensuring their effectiveness and reporting their status to the Itaú Unibanco Holding CRO (Global CRO). The roles and responsibilities of the Global, Regional, and Local CROs are described in the specific procedure. Third Line Represented by the Internal Audit Area, which is segregated and independent from the other areas of Itaú. Its responsibilities are detailed in the Internal Audit Policy. Approved by the Board of Directors on 11.27.2025

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT- COMPLIANCE POLICY SUMMARY Establishes the fundamental aspects associated with the Compliance function (compliance). 1. OBJECTIVE AND TARGET AUDIENCE Establish the guidelines and main duties associated with the Compliance function, observing good market practices and applicable regulations. This policy applies to Itaú Unibanco Holding and its controlled companies in Brazil and the companies abroad listed in internal procedure. 2. INTRODUCTION The Compliance role aims to prevent and mitigate Itaú Unibanco's exposure to situations of non-compliance with standards and commitments (Compliance Risk), being responsible for governance, certification of adherence, conduct and transparency. Regulatory or Compliance Risk is the risk of sanctions, financial losses or reputational damage arising from the lack of compliance with legal and regulatory provisions, local and international market standards, commitments with regulators, public commitments, self-regulation codes and codes of conduct adhered to by Itaú Unibanco. Compliance risk is managed through a structured process that aims to identify changes in the regulatory environment, analyze the impacts on the institution's departments and monitor actions aimed at adherence to regulatory requirements and other commitments mentioned in the previous paragraph. . 3. COMPLIANCE FUNCTION The Compliance function is carried out directly by the Corporate Compliance Board and other Boards in the Risk Department, under the coordination of the Corporate Compliance Board, and in an integrated manner with the other risks incurred by the institution. 4. GUIDELINES a) the management of compliance risks should address existing or new processes, products and services, including relevant outsourced services. Such processes, products and services must be periodically tested and evaluated for compliance with applicable standards, commitments made with regulators and requirements related to the Code of Ethics and Conduct. b) Those responsible for the Compliance function have direct communication both with administrators, including members of the Board of Directors and the Audit Committee, and with any employee, and have access to any information necessary within the scope of their responsibilities. c) Compliance reports and risk indicators must be clear, objective and timely, being reported to senior committees, business unit executives, the Risk executive, the Risk and Capital Management Committee,

the Audit Committee and the Board of Directors, so that the level of exposure and compliance with the established limits are monitored. d) Notes of non-compliance identified by any departments of the Conglomerate, regulators and other supervisory and inspection bodies must be monitored to ensure their effective treatment by the competent departments. The Corporate Compliance Department must encourage the individual and collective responsibility of employees for the management and governance of risks and of the organization's Compliance activities. e) In International Units, local and independent structures responsible for Compliance, under the responsibility of local Compliance Risk Officers (CROs), perform their function under the supervision of Regional CROs who, in turn, report to the Global CRO. 5. MAIN ROLES AND DUTIES 5.1. Board of Directors The Board of Directors is responsible for: - Approving: a) the guidelines, strategies and policies relating to Compliance, in order to ensure a clear understanding of the roles and responsibilities for all levels of the Conglomerate; and b) the position of the DCC in the institution's organizational structure in order to avoid possible conflicts of interest, mainly with the business departments. - Provide the necessary means so that the activities related to the Compliance function are properly carried out, including the availability of resources to allocate sufficient personnel and with the necessary training and experience. - Ensuring: a) proper management of this policy; b) effectiveness and continuity of the application of this policy; c) communication of this policy to all employees and relevant outsourced service providers; d) dissemination of standards of integrity and ethical conduct as part of the institution's culture; and e) adoption of corrective measures for identified Compliance failures. The assessment of these items by the Board of Directors will be carried out based on reports and periodic meetings between the Risk Department and the Board of Directors and its advisory committees and on the annual report coordinated by DCC, as well as by assessment carried out by the Audit Committee. 5.2. Audit Committee The Audit Committee is responsible for: - Validating the Compliance Policy prior to submission for approval by the Board of Directors.

- Evaluating, at least annually, the Compliance structure, in relation to the following aspects: a) Clearly defining the duties, roles and responsibilities of the Compliance function, avoiding possible conflicts of interest, especially with the institution's business departments; b) Positioning at an appropriate hierarchical level, independent and segregated from operational and business departments, with a duly exercised mandate regarding the definition of scope, execution of the work and communication of its results; c) Organizational structure consistent with the needs of the Conglomerate and allocation of sufficient personnel, adequately trained and with the necessary experience to carry out the activities related to the respective functions; d) Effectiveness of Compliance management; and e) Adherence of the structure to the applicable regulation. - Checking the performance of: a) communication of this Policy to all employees and relevant outsourced service providers; b) dissemination of standards of integrity and ethical conduct as part of the institution's culture; and c) adoption of corrective measures for identified failures. 5.3. First Line The business and support departments must: - Maintain compliance with standards and regulatory requirements. - Define and implement action plans to address non-conformity notes. - Promptly communicate to the Compliance department whenever changes or non-compliance with current rules and regulations or Compliance risks are identified. - Inform and train employees and relevant outsourced service providers on matters relating to Compliance, with the support of the Corporate Compliance Department. - Maintain a relationship with the Regulatory, Self-regulatory, Supervisory and Inspecting Bodies, as established in the Policy on Relationship with Regulatory, Self-regulatory, Supervisory and Inspecting Bodies; - Identify, measure and manage Compliance risk events that may influence the fulfillment of the Conglomerate's strategic and operational objectives; and - Maintain an effective control environment consistent with the nature, size, complexity, structure, risk profile and business model of the operations carried out, in order to ensure the effective management of Compliance risks, maintaining exposure to risks at acceptable levels according to the risk appetite established for the Conglomerate. 5.4. Second Line Represented by the Risk Department’s boards, responsible for risk control activities, which are fully segregated from internal audit and legal activities, being independent in the exercise of their functions. These boards cannot manage businesses or processes that could compromise their independence or generate conflicts of interest. Their goals and remuneration cannot be related to the performance of the business departments.

The Risk Department, under the coordination of DCC, is responsible for: - Supporting the first line in observing their direct responsibilities. - Disseminating standards of integrity and ethics as part of the Conglomerate's culture and disseminate good practices and policies related to the Compliance function. - Guiding and advising the Conglomerate's administrators and employees on compliance with internal standards related to the Integrity and Ethics Program , and on compliance with external standards, reporting possible irregularities or identified failures. - Ensuring that the teams responsible for carrying out Compliance functions have appropriate authority and are adequate, both in resources and knowledge, through a structured training program. - Managing compliance risks through performance indicators, regulatory monitoring, tests and controls, including automated tests using data, internal and external complaints, prioritizing risks according to their severity reporting the results to Senior Management and, when requested, to the Regulatory Bodies. - Reviewing and monitoring the action plans adopted to address the notes made by regulatory bodies and by the independent auditor in the report on non-compliance with legal and regulatory provisions. - Coordinating activities related to the internal audit compliance function and the risk management structure, through periodic meetings and, in the second case, joint execution of operational activities and reports. - Disseminating to the IUs the best practices and Compliance methodology adopted by the Head Office, including those related to the Corporate Integrity and Ethics Program. - Coordinating the governance of Compliance Programs of international regulations relevant to the conglomerate. It is exclusively up to DCC: i. Define principles and guidelines for disseminating risk management of Compliance, including training. ii. Manage the process of monitoring of adherence to new regulations, with the support of the Risk Spec Backoffice Department (BOE). iii. Report systematically and in a timely manner to the Board of Directors, directly or through its advisory committees, relevant information both from the results of the Compliance assessments carried out that have identified material flaws and significant changes in the regulatory environment. iv. Manage the Integrity and Ethics Program, interacting with the Inspectorate and Ombudsman as necessary. v. Coordinate the relationship with regulators and other inspection and supervision bodies with centralized management, following up on formalized action plans, facilitating the sharing of information and ensuring the consistency of institutional positioning. vi. Develop and make available the methodologies, tools, systems, infrastructure and governance necessary to support the Compliance function in the Conglomerate's activities. vii. Coordinate the governance of Itaú Unibanco's policies and procedures, in accordance with applicable regulations, maintaining evidence of approval of all documents by the established approval authorities, including the approval of this Policy.

viii. Send to the Audit Committee, the Risk and Capital Management Committee and to the Board of Directors the Annual Compliance Report containing a summary of the results of activities related to Compliance topics, main conclusions, recommendations and action plans adopted for treatment of the identified deficiencies. In International Units, the Local CROs are responsible for the responsibilities of the above items in accordance with the governance established in internal procedures. 5.5. Third Line Represented by Internal Audit, which independently and periodically verifies the adequacy of risk identification and management processes and procedures, including integrated operational risk management, internal controls and Compliance, in accordance with the guidelines established in the internal policy and submits the results of their notes to the Audit Committee. 5.6. Common to All Departments of Itaú Unibanco - Conduct training on integrity and ethics and risk management provided by Itaú Unibanco. - Annually sign the Term “Corporate Integrity Policies” attesting to its knowledge and agreement with what is established in this Policy. - Define, implement and comply with policies and procedures for adherence to regulations. - Comply with the provisions established by the Conglomerate's external rules and internal policies. - Report facts or suspected violations of the Code of Ethics and Conduct, of the Integrity, Ethics and Conduct Policy or of this policy. 6. RELATED EXTERNAL RULES Basel Committee on Banking Supervision - Compliance and the Compliance function in Banks (April 2005) Resolution No. 4,968/21 of the Brazilian National Monetary Council: provides for the implementation and implementation of an internal control system Resolution No. 4,557/17 of the Brazilian National Monetary Council: addresses the risk management structure and the capital management structure Resolution No. 4,595/17 of the Brazilian National Monetary Council: addresses the compliance policy of financial institutions and other institutions authorized to operate by the Central Bank of Brazil. Resolution No. 65/21 of the Central Bank of Brazil: addresses the compliance policy of consortium administrators and payment institutions. Resolution No. 416/21 of the Brazilian National Private Insurance Council: provides for the Internal Controls System, the Risk Management Structure and the Internal Audit activity. Approved by the Board of Directors on 2024, May.

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT – CORPORATE POLICY FOR LIQUIDITY RISK MANAGEMENT AND CONTROL This policy sets forth the framework for liquidity risk management and control of Itaú Unibanco Holding S.A., in accordance with applicable regulations and best market practices. It applies to all activities of the conglomerate that result in exposure to liquidity risk, including all financial companies controlled by Itaú Unibanco in Brazil and abroad, except for the liquidity risk of client portfolios managed or administered by the bank (Wealth Management & Services – WMS funds). 1. Concept Liquidity risk is defined as the possibility that the Institution may not be able to efficiently and timely meet its financial obligations. This risk may arise when there is a mismatch between cash flows (assets and liabilities) that affects operations or produces significant losses. The liquidity risk appetite and the entire limit framework are established by the Board of Directors and the Senior Committees. Based on these parameters, control is performed by an independent area and aims to compare assets (generally the most liquid) with financial obligations (generally shorter-term), ensuring that Itaú Unibanco’s cash availability is sufficient to meet its obligations. 2. Specific Guidelines: Measurement: the measurement of liquidity risk exposure is based on the daily analysis of the evolution of cash flows and compliance with regulatory ratios. It must cover all financial operations of Itaú Unibanco companies, as well as possible contingent exposures (exposures without a defined occurrence date) or unexpected exposures (changes in cash inflows or outflows). These situations commonly arise from settlement services, provision of sureties and guarantees, contracted and unused credit lines, occurrence of adverse events that impact technical provisions, etc. Another fundamental aspect is Itaú Unibanco’s ability to hold liquid assets and cash. The measurement of liquid assets is composed of cash balances in Brazil, abroad, and all assets immediately convertible (D0) into means of payment. Key Controls and Metrics: Short-Term Liquidity Ratio (LCR – Liquidity Coverage Ratio): measures whether the volume of high-quality liquid assets of the prudential conglomerate is sufficient to withstand a severe liquidity stress scenario over a 30-day period, according to assumptions defined by the Central Bank of Brazil; Long-Term Liquidity Ratio (NSFR – Net Stable Funding Ratio): measures whether the prudential conglomerate has available stable funding exceeding that required by cash outflows in a one-year stress scenario; Funding Provider Concentration: demonstrates that the prudential conglomerate has diversified exposure to liquidity-providing counterparties; Contingency, Recovery and Orderly Exit Plans (PRSO): aim to restore adequate liquidity levels and preserve the bank’s viability in response to stress situations. The plans must contain the list of actions, with the respective volumes, timeframes and owners; Note: actions in the plans must include a gradation by level of criticality, and the order of actions must be determined by ease of implementation and market conditions; Projected cash flow (Business Continuity scenario): demonstrates expected cash flows, considering business continuity under normal operating conditions; Social Media Monitoring: monitoring of events in social media, monitored by the marketing team (specific document). If there is any indication of impact on the bank’s liquidity, daily monitoring of liquidity maps and indicators will be carried out, and any action plans approved by the Crisis Committee (specific document) may be executed. Foreign Currency Portfolio Liquidation scenario (run-off): demonstrates expected cash flows, considering liquidation of current portfolios and business discontinuation;

SUSEP Portfolio Liquidation scenario and the Own Risk and Solvency Assessment (ORSA), in compliance with Resolution (CNPS) No. 471/24 : demonstrates cash flows under normal and adverse scenarios for companies regulated by SUSEP. Breaches of the defined limits: must be reported by the liquidity risk control area to senior management, to the relevant areas for immediate re-alignment of the exposure, and to the relevant committees. 3. Responsibilities The Liquidity Risk process at Itaú Unibanco starts in the governance for limit approval and goes through to the execution of cash inflows and outflows. Limit Approval Governance: the Board of Directors annually defines the liquidity risk appetite and the contingency and recovery plans. The other approval forums, according to the level of granularity of the metric, range from the CSRML (Senior Market Risk and Liquidity Committee) to approvals made by the directors of the Risk and Treasury areas. Liquidity Risk Management, Control and Execution: involves the operating dynamics of certain Itaú Unibanco areas: ALM / GCP Treasury, which carries out the cash strategy and planning; Liquidity Risk, which carries out the control, monitoring and forecasting of liquidity; Reserve Pilots, which calculate the reserve balance and monitor the bank’s debit and/or credit postings; and Information Technology, which supports liquidity risk processes and systems. In the case of SUSEP-supervised entities, there is also the involvement of GIS (Global Institutional Solutions), which is responsible for liquidity management of proprietary portfolios and technical reserve portfolios. 4. Review and Update: This policy is the responsibility of DCRML (Capital, Market Risk and Liquidity Directorate) and is approved annually by the Board of Directors. Approved by the Board of Directors on 2026, May.

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT - CREDIT RISK MANAGEMENT AND CONTROL POLICY 1. OBJECTIVE To establish the governance and control of Credit Risk at Itaú Unibanco Holding S.A., in accordance with applicable regulations and market best practices. 2. TARGET AUDIENCE Financial institutions controlled by Itaú Unibanco Holding S.A. (Itaú Unibanco), both in Brazil and abroad, that are exposed to credit risk, covering all segments (individuals and legal entities). 3. INTRODUCTION The Política de Gestão e Controle de Risco de Crédito of Itaú Unibanco is the document that sets forth the guidelines, governance, and procedures necessary to identify, measure, assess, monitor, report, control, and mitigate credit risks. These risks include potential financial losses resulting from default, deterioration in the credit rating of counterparties, devaluation of contracts, recovery costs, reputational impacts, and other credit- related factors. Credit risk management is essential to ensure Itaú Unibanco’s financial soundness, business sustainability, and regulatory compliance. This policy reflects the institution’s commitment to best practices in credit risk management and to complying with applicable regulations. It also ensures that credit risk exposures are aligned with the risk appetite defined by management, contributing to operational, systemic, and managerial stability. According to the institution’s corporate risk dictionary (PR-485), Credit Risk is understood as the risk of losses arising from: • The failure of the borrower, issuer, or counterparty to fulfill their respective financial obligations under the agreed terms; • The devaluation of a credit contract due to deterioration in the credit rating of the borrower, issuer, or counterparty; • Reduction in earnings or returns; • Concessions granted in subsequent renegotiations; • Credit recovery costs; • Reputational damage from credit operations that conflict with social, environmental, and climaterelated aspects. Credit risk control processes must support the institution, strictly observing the principles defined in internal policies. Centralized credit risk control is carried out independently by the Risk Area (AR), which is segregated from the Business Units and the internal audit activity execution area. In International Units, the independent structure that controls local risks is under the responsibility of the local Chief Risk Officers (CROs), who report to their respective Local CEOs and Regional CROs, operating in a coordinated manner and aligned with the Credit Risk and Wholesale Modeling Department (DRCMA) and Retail (DRCMV). Regional CROs are responsible for the integrated and preventive management of regional risks, ensuring their effectiveness and reporting their status to the CRO of Itaú Unibanco Holding. The roles and responsibilities of Holding, Regional, and Local CROs are defined in interna procedure. This structure enables credit risk management and must consider both operations classified in the trading book and those classified in the non-trading book. 4. DIRETRIZES Credit Risk management structures must be proportional to the size and relevance of risk exposures, compatible with the business model, the nature of operations, and the complexity of Itaú Unibanco’s products, services, activities, and processes. To this end, they must maintain specialized and adequately sized teams to support the credit risk processes and systems under their governance. The Credit Risk management structure must include: • Clearly documented policies and strategies for risk management, establishing limits and procedures aimed at keeping risk exposure in line with the Risk Appetite. These must also consider the prior identification of credit risks inherent to: o New products and services; o Significant changes to existing products or services; o Major changes in the institution’s processes, systems, operations, and business model. • Hedging strategies and risk-taking initiatives;

• Significant corporate reorganizations; • Aspects related to social, environmental, and climate risk; • Changes in macroeconomic outlooks; • Monitoring processes to identify non-compliance with credit risk management policies, including the respective justifications and expected actions to resolve discrepancies; • Systems, routines, and procedures for credit risk management, including their updates; • Periodic management reports for the board, committees, and other forums where Credit Risk is discussed; • Models or alternative methods for better credit risk measurement; • Criteria and procedures for identifying, monitoring, and controlling exposures classified as problematic assets; • Classification, estimation, documentation, monitoring, and control of PD (Probability of Default), LGD (Loss Given Default), EAD (Exposure at Default), and CCF (Credit Conversion Factor) parameters. The aforementioned guidelines must be applied to credit, counterparty, and country risks, as well as to situations such as disbursements to honor guarantees, sureties, co-obligations, credit commitments, or other similar operations, in addition to losses associated with failure to meet obligations related to the settlement of transactions involving bilateral flows, including the trading of financial assets or derivatives. All changes to criteria, parameters, or procedures used for risk classification must be documented and made available for regulatory review. 5. KEY ROLES AND RESPONSIBILITIES Controle de Risco de Crédito • Credit Risk Control • Define the environment for centralized credit risk control and monitoring; • Conduct periodic reviews of related policies, strategies, and procedures, with the aim of establishing operational limits, mitigation mechanisms, and practices that keep credit risk exposure within levels acceptable to management; • Submit the reviews to the appropriate approval authorities, ensuring alignment with institutional guidelines; • Disseminate credit decisions, corporate policies, and credit risk management strategies broadly to Business Units and to the Chief Risk Officers (CROs) of International Units, in compliance with the requirements of CMN Resolution No. 4,557/17. Credit Risk Modeling • Contribute to the execution of Credit Risk Control activities, in accordance with the responsibilities set forth in the Política de Risco de Modelos. Finance • Define rules for conducting simulations and calculations in line with applicable standards and regulations, as well as publish financial statements and other reports that support and complement Credit Risk Control and Management. Risk Area Committees • Responsible for decision-making according to the specificity of each forum, aiming at risk mitigation to maintain credit risk exposure at levels acceptable to management. While the Board of Directors defines the Credit Risk Appetite, the Senior Committees are responsible for governance, monitoring, and management of the metrics under their purview. Business Units (Brazil and International Units) • Ensure visibility of the credit risk incurred in their operations and that it is in compliance with the established rules and limits; • Additionally, business areas must maintain procedure manuals with detailed descriptions of the responsibilities and duties of the processes and controls under their responsibility. Internal Audit • Perform the role of independent assessment of the effectiveness of internal controls, risk management, and compliance with applicable policies and regulations. The work must be guided by impartiality and objectivity, ensuring a comprehensive and reliable view of the processes and practices adopted by the Institution. Furthermore, the Board of Directors is responsible for

overseeing the effectiveness of internal controls, using Internal Audit reports and recommendations as a basis for strategic decisions and for strengthening corporate Governance. . 6. CREDIT RISK MANAGEMENT Management Process The credit risk management process at Itaú Unibanco Holding includes governance for the formation and modification of conglomerates and economic subgroups, targeting all commercial segments that grant or manage credit, including international units. Credit risk management is structured to ensure efficiency throughout all stages of the credit cycle, beginning with a detailed analysis of the counterparty using classification systems that assess its payment capacity and risk profile. These systems are based on quantitative and qualitative models that consider factors such as financial history, economic conditions, industry sector, and other relevant indicators. Credit granting is carried out with strict criteria, respecting the limits established for each counterparty and the risk appetite parameters defined by the Institution. The process includes, but is not limited to the validation of guarantees, scenario analysis, and the application of internal policies that ensure consistency and transparency in decision-making. Once approved, credit is continuously monitored, with periodic reviews of the counterparty’s risk classification and performance, allowing for adjustments in case of changes in market conditions or client profile. Mitigants As an integral part of the credit classification and granting system, the bank adopts the treatment of risk-mitigating guarantees to strengthen credit risk management and comply with applicable regulations. Guarantees are classified as eligible and non-eligible, according to the criteria established by Circular No. 3,809 of the Central Bank of Brazil. Eligible guarantees are those with transparent market value, proven enforceability, and that meet regulatory requirements for risk mitigation. Non-eligible guarantees, although considered in the credit analysis process, are not recognized for the purpose of reducing regulatory capital. Additionally, the bank establishes specific conditions for accepting derivatives as risk mitigants, as provided in Article 15 of Circular No. 3,809, when applicable. The use of regulatory haircuts and recognized netting agreements is incorporated into the process, ensuring that guarantee values are prudently adjusted and aligned with regulatory requirements. To ensure the effectiveness and legal security of guarantees and mitigation agreements, the bank conducts legal and operational validation procedures, which include document analysis, verification of compliance with applicable regulations, and assessment of enforceability in case of default. Measurement Models Itaú Unibanco adopts validation and backtesting of the models used to measure credit risk, including PD (Probability of Default), LGD (Loss Given Default), and EAD (Exposure at Default) models. These models undergo periodic reviews by the validation area, as established in internal procedure. Responsibilities for validation and backtesting are clearly defined, ensuring independence of analysis and adherence to best governance practices. Additionally, stress tests are conducted to assess model resilience under adverse scenarios, allowing the identification of potential weaknesses and ensuring that the models adequately reflect the risks associated with credit exposures. 6.1. COUNTERPARTY CREDIT RISK Counterparty credit risk is the risk that a given counterparty fails to fulfill obligations related to the settlement of transactions involving the trading of financial assets with bilateral risk. It includes derivative financial instruments, securities lending, forward foreign exchange, repurchase agreements, and bilateral energy contracts. 6.2. COUNTRY RISK Itaú Unibanco maintains relationships with borrowers, issuers, counterparties, and guarantors in various locations around the world, regardless of whether it has an external unit in those locations. Therefore, Country Risk is a present risk for the institution. At Itaú Unibanco, this risk is defined as the risk of losses resulting from the failure to fulfill financial obligations, under the agreed terms, by borrowers, issuers, counterparties, or guarantors, due to actions taken by the government of the country where the borrower, issuer, counterparty, or guarantor is located, or due to political, economic, and social events related to that country. It is subdivided into: • Sovereign risk, defined as the risk of central governments (Treasury and Central Bank) being unable to generate resources to meet their commitments; • Transfer risk, defined as the risk arising from the total or partial inability to transfer assets held in a foreign jurisdiction to the jurisdiction of an Itaú Unibanco legal entity, due to obstacles in currency conversion resulting from macroeconomic events or actions taken by the central government of the jurisdiction where the asset is located; causing the borrower, issuer, counterparty, or guarantor to be unable to meet their commitments in foreign currency.

The following risks are not part of the current Country Risk management flow: (i) Credit Risk of External Units; (ii) Convertibility Risk; (iii) Itaú Unibanco’s investment abroad (Equity); (iv) Indirect Country Risk. Itaú Unibanco establishes ratings for sovereigns, as well as limits and maximum terms for transactions, aiming to control exposure to Country Risk. These limits and ratings are reviewed periodically, and extraordinary reviews may occur in light of new relevant facts. 6.3. SOCIAL, ENVIRONMENTAL AND CLIMATE RISK (“RSAC” or “SAC RISKS”) AC Risk events involving a counterparty may result in credit losses. Therefore, Itaú Unibanco has defined a set of guidelines for managing SAC Risks in credit relationships and credit risk operations Itaú Unibanco clients based in Brazil. 6.4. CONCENTRATION RISk Concentration risk is defined as the possibility of financial loss resulting from excessive concentration of credit operations in clients, sectors, geographic regions, or mitigating instruments, either directly or through correlation. To ensure low result volatility, the Bank manages concentration risk from different perspectives, ensuring that the institution is not significantly exposed to a single source of risk. In this context, Concentration Risk is monitored through indicators that are part of the institution’s Risk Appetite, including views by: individual exposure, top 10 conglomerates, country, economic sector, and business segment of the institution. These indicators are monitored monthly by the Executive Board, Risk Committee, and Board of Directors, who are also responsible for calibrating and approving the metrics and their respective limits. Limits are defined according to specific variables for each evaluation. For individual and top 10 conglomerate concentration, the inherent credit risk of these conglomerates is assessed, respecting the maximum limits defined by CMN Resolution No. 4,677. In the case of country concentration, risk diversification is guided by the credit risk of each country and the bank’s strategy. For segment concentration, limits are defined considering the institution’s strategy and the volatility of business results in each segment. Sectoral concentration limits are determined based on the credit portfolio’s risk profile, profitability, and relevance in the economy. The limits defined for each metric, as well as further details on the calculation methodologies, are contained in the Risk Appetite Manual. 7. CREDIT PORTFOLIO MONITORIN The purpose of credit portfolio monitoring is to assess the financial health of credit operations, ensuring that the strategies adopted are aligned with the risk appetite defined by the conglomerate. The guidelines and procedures related to credit portfolio monitoring are detailed in internal procedure. Additionally, the monitoring process includes risk control of activities performed by the conglomerate’s institutions acting as acquirers within open credit card arrangements. This process also includes risk control of credit card issuers.. Deviations identified in relation to the maximum and minimum thresholds established by the Global Policy are specifically addressed for the Retail segment. Centralized monitoring conducted in Brazil is periodically reported to the Retail Credit Risk Policy Committee (CPRC). Consolidated indicators of vintage and portfolio for the retail segment are reported monthly to the Retail Credit and Collections Senior Committee (CSCCV), and for the wholesale segment quarterly (subject to change based on demand) to the Wholesale Credit and Collections Senior Committee (CSCCA). Regarding indicators from International Units, monitoring is reported to the International Units Risk Committee (CRUI-R) (HN and Conesul) and CIR – Integrated Risk Committee (Itaú Chile), with participation from Holding, Regional, and Local CROs. 8. CREDIT POLICY AND STRATEGY EVALUATION This section establishes responsibilities and general rules related to the process of evaluating and approving changes to credit policies and business rules that impact credit risk exposure. For proprietary portfolios, the policies address credit granting and maintenance, as well as the acquisition of instruments with credit risk in the market. For third-party portfolios, the policies address rules for discretionary decision-making in assets with credit risk. Any change to credit policy or action that impacts the assumed risk or may affect credit limit consumption and Allocated Economic Capital is subject to evaluation. Credit policies may be classified into three types: i. Credit granting and maintenance policies: • Changes and replacements in credit models, segmentation, income/revenue, etc.; • Changes in credit approval authorities (composition and amounts); • Risk impact due to annual internal resegmentations; cutoff point changes; new internal segmentations that alter credit decisions. ii. Risk measurement policies:

• Mitigation through guarantees; definition or modification of criteria for applying Potential Credit Risk (PCR) models; • Definition or modification of parameters for capital calculation and limit consumption. Global Credit Policy: Maximum or minimum thresholds for a set of indicators and variables that reflect credit risk at the bank and must be considered in all retail and wholesale policies. Specific definitions of credit policies and collection strategies for each segment, the credit approval process and authorities, monitoring, and responsibilities of each executive board are described in internal procedure. 8.1 – UPDATE AND DEVELOPMENT OF RISK PARAMETERS FOR PROVISIONING AND CAPITAL Parameters are assigned by the Parameter Development Units (UDPs) through assumptions and calculations aimed at ensuring the Bank’s solvency in the face of expected and/or unexpected changes in past, current, and future scenarios. The definitions and concepts of each parameter must be aligned between the UDP and the Parameter User Unit (UUP). 9. RELATED EXTERNAL REGULATIONS • CMN Resolution No. 4,557/2017, which addresses the risk management structure, capital management structure, and information disclosure policy. • CMN Resolution No. 4,966/2021, which addresses the concepts and accounting criteria applicable to financial instruments, as well as the designation and recognition of hedging relationships (hedge accounting) by financial institutions and other institutions authorized to operate by the Central Bank of Brazil. • CMN Resolution No. 4,945/2021, which addresses the Social, Environmental, and Climate Responsibility Policy (PRSAC) and actions aimed at its effectiveness. • CMN Resolution No. 5,089, which amends Resolution No. 4,557 of February 23, 2017 (on risk management structure, capital management structure, and information disclosure policy), and Resolution No. 4,606 of October 19, 2017 (on the optional simplified methodology for calculating the minimum requirement of Simplified Reference Equity – PRS5, the requirements for opting for this methodology, and the additional requirements for the simplified structure of continuous risk management). • CMN Resolution No. 4,949/2021, which defines the vulnerable public. • SARB Normative No. 23 (Relationship with Potentially Vulnerable Consumers). • Bacen Resolution No. 303, which addresses the criteria and procedures for calculating credit risk and for establishing provisions for losses associated with credit operations Approved by the Board of Directors on 2025, September

ITAÚ UNIBANCO HOLDING S.A. CNPJ 60.872.504/0001-23 Publicly-Held NIRE 35300010230 PUBLIC ACCESS REPORT - CAPITAL MANAGEMENT POLICY OBJECTIVE To define rules and responsibilities pertaining to Itaú Unibanco Holding S.A. (Itaú Unibanco) capital management activities. (Itaú Unibanco), in accordance with the applicable regulations and best market practices. TARGET AUDIENCE The capital management process must cover all companies in the conglomerate controlled by Itaú Unibanco in Brazil and abroad. INTRODUCTION For any company to be able to operate, it is necessary that it has capital, which is the investment made by shareholders. In addition, the resources that the company generates and that are not distributed, being kept in its equity, are also called capital. For financial institutions, the Central Bank of Brazil requires a minimum capital (required capital), which is the capital necessary to face the risks to which the institution is exposed, guaranteeing its solvency. Capital management is a fundamental instrument for the sustainability of the financial system. Methods for identifying, evaluating, controlling, mitigating and monitoring risks support financial institutions in adverse moments. Itaú Unibanco considers capital management essential for the decision-making process, which contributes to the optimization and efficiency of the use of capital in its operations. In this management, Itaú Unibanco companies in Brazil and abroad are considered. Changes in the global financial environment, such as the integration between markets, the emergence of new transactions and products, increasing technological sophistication and new regulations have made financial activities and their risks increasingly complex. Additionally, lessons from financial crises reinforce the importance of risk management (Public Access Report - Risk) and capital management to strengthen the financial health of the banking industry. The Brazilian participation in the Basel Committee on Banking Supervision (BCBS) encourages the timely implementation of international prudential standards in the Brazilian regulatory framework. In line with this perspective, Itaú Unibanco invests in the continuous improvement of capital management processes and practices, in accordance with international market, regulatory and supervisory benchmarks. Itaú Unibanco's capital management consists of a continuous process of planning, evaluation, control and monitoring of the capital necessary to face the relevant risks of the Conglomerate and support the capital requirements required by the regulator, or those defined internally by the Institution, with the objective of optimize capital allocation. The departments defined in the capital management structure, together with the support of some specific departments of each theme, answer together or individually for: a. Identification of the risks to which the institution is exposed and analysis of their materiality; b. Assessment of the capital needed to support the risks; c. Development of methodologies for quantification of additional capital; d. Capital quantification and internal capital adequacy assessment; e. Internal Capital Adequacy Assessment Process (ICAAP) f. Own Risk and Solvency Assessment (ORSA) for the group’s insurance companies; g. Projection of capital ratios; h. Determination of reference equity (PR) and Calculation of capital ratios; i. Preparation of the capital plan and contingency plan; j. Preparation of the recovery plan; k. Monitoring the solvency and liquidity regularization plan of SUSEP companies; l. Capital stress tests; m. Determination of the Global Systemic Importance Index (ISG); n. Preparation of the quarterly risk and capital management report – Pillar 3; o. Monitoring the Cost of Capital of the Holding and External Units; p. Monitoring the capital of the External Units.

Itaú Unibanco's capital management structure allows the monitoring and control of the capital held by the Institution, the assessment of the need for capital to face the risks to which the Institution is exposed and the planning of goals and capital needs, considering the Institution's strategic objectives and/or considering adverse situations. As a result, Itaú Unibanco adopts a prospective approach, anticipating the need for capital arising from possible changes in market conditions. Due to sensitivity and specificity, the Capital Ratio Protection Policy was created, which is also periodically reviewed. Concepts Required capital: it is the capital necessary to face the risks to which the institution is exposed, guaranteeing its solvency and including international units. The requirements are regulated by BACEN for Brazil and by local regulatory bodies at international units. Such requirements are expressed in the form of indices that relate available capital to total risk-weighted assets (RWA – Risk Weighted Assets). The Reference Equity (PR) used to verify compliance with the operating limits imposed by BACEN consists of the sum of three items, called: . Principal Capital: sum of capital stock, reserves and retained earnings, minus deductions and prudential adjustments; . Complementary Capital: composed of perpetual instruments that meet eligibility requirements. Added to the Principal Capital, it makes up Level I; . Tier II: composed of defined-maturity subordinated debt instruments that meet eligibility requirements. Added to the Principal Capital and the Complementary Capital, it makes up the PR (Total Capital). For the purposes of calculating these minimum capital requirements, the total amount of RWA is determined by adding together the portions of assets weighted by credit, market and operational risks (according to Res. CMN No. 4,958): 𝑅𝑊𝐴 = 𝑅𝑊𝐴𝐶𝑃𝐴𝐷 + 𝑅𝑊𝐴𝐶𝐼𝑅𝐵 + 𝑅𝑊𝐴𝑀𝑃𝐴𝐷 + 𝑅𝑊𝐴𝑀𝐼𝑁𝑇 + 𝑅𝑊𝐴𝑂𝑃𝐴𝐷+ 𝑅𝑊𝐴𝐷𝑅𝐶 + 𝑅𝑊𝐴𝐶𝑉𝐴 𝑅𝑊𝐴𝐶𝑃𝐴𝐷 = portion related to exposures to credit risk, calculated according to a standardized approach; 𝑅𝑊𝐴𝐶𝐼𝑅𝐵 = portion relating to credit risk exposures calculated according to internal credit risk rating systems (IRB – Internal Ratings-Based approaches), authorized by the Central Bank of Brazil; 𝑅𝑊𝐴𝑀𝑃𝐴𝐷 = portion relative to the capital required for market risk, calculated using a standardized approach; 𝑅𝑊𝐴𝑀𝐼𝑁𝑇 = portion relative to the capital required for market risk, calculated according to internal model approaches, authorized by the Central Bank of Brazil; 𝑅𝑊𝐴𝑂𝑃𝐴𝐷 = portion related to the capital required for operational risk, calculated according to a standardized approach; 𝑅𝑊𝐴𝐷𝑅𝐶 = portion related to exposures to credit risk of financial instruments classified in the trading book; and 𝑅𝑊𝐴𝐶𝑉𝐴 = portion related to exposures to the risk of changes in the value of derivative financial instruments due to changes in the credit quality of the counterparty. In addition to regulatory minimums, BACEN rules establish Additional Principal Capital (ACP or CET1), corresponding to the sum of the ACPConservação, ACPContracíclico and ACPSistemico installments which, together with the aforementioned requirements, increase the need for capital: . ACPConservação: represents an extra “cushion” of capital to absorb possible losses . ACPContracíclico: is an additional cushion of capital to be accumulated during the expansion phase of the credit cycle and to be consumed during its contraction phase . ACPSistemico: for institutions with systemic importance, an additional capital is required to face systemic risk. The values of each installment and the regulatory minimums, as defined in CMN Resolution No. 4,958, are described in the following table: Common Equity Tier I 4.5%

Tier I 6.0% Total Capital 8.0% Additional Capital Buffers (ACP) 3.56% conservation 2.5% countercyclical (1) 0.06% systemic 1.0% Common Equity Tier I + ACP 8.06% Total Capital + ACP 11.56% Prudential adjustments deductions 100% (1) the countercyclical capital buffer is fixed by the Financial Stability Committee (Comef)based on discussions about the pace of credit expansion, and currently is set to zero (Bacen communication Nº 39,425/22). Should the requirement increase, the new percentage takes effect twelve months after the announcement. When triggering the ACPContracyclical in jurisdictions where the institution has exposures on its balance sheet, the calculation of the additional amount must follow BCB Circular No. 3,769, increasing the regulatory minimum required of the conglomerate. Internal Capital Adequacy Assessment Process (ICAAP) Annual exercise required by the Central Bank of Brazil whose objective is to assess the capital adequacy of Itaú Unibanco, thus providing a general and comprehensive view of the institution's risk and capital management and demonstrating the results related to the self-assessment of the adequacy of its capital level according to the risk profile. The ICAAP comprises the Capital Plan and the Contingency Plan, described below: Capital Plan The capital plan is a section of the ICAAP that discusses how the bank's capital planning takes place in order to maintain an adequate and sustainable level of capital, incorporating the limits established by the risk appetite and the analyses of economic and regulatory environments. Additionally, it is structured consistently with Itaú Unibanco's strategic planning. This plan presents the financial and capital forecasts in the short and medium term (at least three years following the base date year), both in normality and stress scenarios, together with its main sources of capital, distribution policy results and contingency plan. Capital Contingency Plan Itaú Unibanco has a capital contingency plan for cases in which at least one capital ratio is found to be lower than those defined by the Board of Directors (Conselho de Administração (CA)), or for unforeseen events that may affect the capital adequacy of the institution. The plan includes a set of contingency actions and those responsible for them, which allows Itaú Unibanco to increase its capitalization levels and must contain, at least, the definition of the capital limits that trigger its activation and the corresponding governance, aiming to maintain the adequate capitalization level of Itaú Unibanco in an adverse situation. Recovery and Resolution Plan (PRSO) Itaú Unibanco has a Recovery and Resolution Plan that aims to reestablish adequate levels of capital and liquidity above regulatory operating limits, in the face of severe stress shocks of a systemic or idiosyncratic nature, in order to preserve its financial viability, and at the same time mitigate impact on the National Financial System. The PRSO covers the entire conglomerate, including subsidiaries abroad, and is reviewed every two years or whenever mandated by BACEN, and submitted for approval by the Board of Directors. Its normative basis is CMN Resolution No. 5,187,and contains the critical functions and essential services provided by Itaú Unibanco that can impact the National Financial System and the institution's own viability. Additionally, it discusses stress scenarios, communication plans with interested parties and governance mechanisms necessary for the coordination and execution of the plan. Stress Test The stress test, an integral part of the Institution's Capital Plan, is a process of simulating the effects of extreme economic and market conditions on the institution's results and capital. Stress scenarios must be approved by the Board of Directors and their results must be considered when defining Itaú Unibanco's business and capital strategy. The stress test, for Itaú Unibanco, can be divided into internal and regulatory. The first seeks to measure the vulnerability and strength of the conglomerate in hypothetical, but plausible, economic crisis scenarios based on macroeconomic simulations and projections developed by the institution itself. The regulatory stress test has the same objective, but uses

a scenario developed by the Central Bank. In both processes, the main analyzes are on the Bank's results (DRE - P&L), its distribution among the conglomerate's portfolios and activities and on the institution's level of capital and liquidity. Additionally, to complement the results according to the processes described above, sensitivity analyzes and reverse stress tests are carried out annually. The capital management framework should provide assessments of impacts on capital from the definition of severe scenarios chosen by the institution and include them in the results of the stress test program. Solvency and Liquidity Regularization Plan – SUSEP This plan provides for the minimum capital required for the operation of insurance and reinsurance companies, where the capital sufficiency indicator is monitored monthly. Based on the verification of its insufficiency, jointly with the asset management departments of the insurance group, measures to regularize the solvency and liquidity ratios of companies subject to SUSEP guidelines are defined. Global Systemic Importance Index (GSI) Methodology defined by the Bank for International Settlements (BIS), and ratified by the Financial Stability Board, this index measures the importance of each financial institution in the global market, whose bankruptcy could cause an international threat to the financial system, and is made up of five main indicators: - Size: which reflects the relative participation of the institution in the global activity; - Activity abroad: relative participation of the institution in international activities; - Interconnection: relative participation of the institution in the interbank market and with the global capital market; - Substitution: relative participation of the institution in the global offer of financial services; - Complexity: relative participation of the institution in complex or low liquidity instruments. Information regarding the ISG calculation is published annually on the Investor Relations website, in accordance with BACEN Resolution No. 171. Capital and Risk Management Report – Pillar 3 It is a report that contains information relating to prudential indicators and risk management, comparison between accounting and prudential information, capital composition, macro prudential indicators, leverage ratio, liquidity indicators, credit risk, counterparty credit risk, exposures of securitization, market risk, risk of variation in interest rates on instruments classified in the banking portfolio and remuneration of administrators, published quarterly on the Institution's Investor Relations website (Pillar3), in accordance with BCB Resolution No. 54. GUIDELINES Capital management must support the institution according to the principles defined in the Risk Management policy and those defined in this policy. These principles are reflected in the following guidelines, according to which Itaú Unibanco's capital management structure must: - Ensure that policies and strategies for capital management are clearly documented and establish mechanisms and procedures to maintain the Reference Equity (RE), Level I, and Principal Capital compatible with the risks incurred by the institution. - Maintain procedures for managing capital. - Be compatible with the nature of its operations, the complexity of the products and services offered and the dimension of risk exposure. - Ensure the submission of capital management policies and strategies, as well as the capital plan, for approval and review, at least annually, by the Board of Directors, in order to determine their compatibility with the institution's strategic planning and with market conditions. - Generate reports for the institution's departments, the Risk and Capital Management Committee (CGRC)) and the Board of Directors, pointing out the adequacy of the levels of PR, Level I and Brazilian Capital Principal to the risks incurred or any deficiencies of the capital management framework, as well as actions to correct them.

- Ensure that the Solvency and Liquidity Regularization Plan required by SUSEP is met in the event of insolvency or nonliquidity by one or more companies in the insurance industry, ensuring that the areas involved in the asset management of these companies are activated for the definition of a corrective action proposal, as well as submitting it to impact assessment. - Define the governance and responsibilities of the capital management process, and disclose decisions and policies related to this process to the affected areas, as well as monitor the regulatory capital of Itaú Unibanco and international units. - Business units and international units must ensure that approved decisions and policies are properly implemented. - Ensure that the information disclosed in the Risk and Capital Management report - Pillar 3 has adequate detailing to the scope, complexity of operations, sophistication of systems, institution’s risk management processes and ensure that any relevant differences relating to other information disclosed by the institution is clarified; - Ensure that published information adheres to the current rules established by regulatory bodies. MAIN ROLES AND DUTIES Itaú Unibanco's management is directly involved in the internal process of assessing capital adequacy and its risk assessment. Among the committees and commissions that discuss the capital management process include: . Board of Directors . Risk and Capital Management Committee . Asset Liability Capital Committee Risk Management Department: The Risk Management Department aims to ensure that Itaú Unibanco's risks are managed in accordance with established policies and procedures, in addition to being responsible for centralizing the institution's capital management. The purpose of centralized control is to provide the Board of Directors and senior management with a global view of Itaú Unibanco's exposures to risks, as well as a prospective view of capital adequacy in order to optimize and streamline corporate decisions. Information Providing Departments: At the most fundamental level, the areas are expected to provide the necessary information for the identification of risks, for the analysis of their materiality and for the measurement of the required capital, as well as for the preparation of the capital budget, capital plan, contingency plan, recovery plan, risk and capital management report - Pillar 3 and other regulatory and management reports, ensuring their completeness, integrity and consistency and considering both the growth and evolution of the business's expected risk profile of the unit. The areas involved in the capital management process must be able to carry out the required actions whenever they are called upon. The details of the responsibilities of each of the departments involved in the capital management process are described in the internal procedures RELATED EXTERNAL RULES Bacen Circular 3911, of 08/31/2018. Bacen Circular Letter 3907, of 09/10/2018. CMN Resolution 4,557, of 02/23/2017 and 4,388, of 12/18/2014. CNSP Resolution No. 321, of 2015. Approved by the Board of Directors on 2025, September

Source: View Original Filing on SEC EDGAR

FAQ

What does Itaú Unibanco (ITUB) disclose in this Form 6-K filing?

The filing furnishes several public access policies detailing how Itaú Unibanco manages environmental, social and climate risks, market and IRRBB risk, operational risk, compliance, liquidity, credit risk and capital, outlining governance structures and alignment with Brazilian and international prudential regulations.

What market and IRRBB risk practices does Itaú Unibanco (ITUB) describe?

The bank defines market risk and interest rate risk in the banking book (IRRBB), requires independent pricing and complete data, and uses models aligned with best practices. It sets limits, monitors exposures daily and reports metrics to business units, management and the Board of Directors.

How are operational and compliance risks governed at Itaú Unibanco (ITUB)?

Operational risk is managed through continuous identification, assessment, response, monitoring and reporting, using a three-lines structure. Compliance risk is handled by dedicated boards in the Risk Department, with direct access to senior governance and responsibility for monitoring regulatory adherence and integrity and ethics programs.

What liquidity risk controls are highlighted for Itaú Unibanco (ITUB)?

Liquidity risk is defined as the possibility of not meeting obligations efficiently and on time. The policy describes daily cash flow analysis, use of LCR and NSFR ratios, funding concentration metrics, contingency and recovery plans, and governance for limit breaches reported to senior management and committees.

How does Itaú Unibanco (ITUB) approach credit risk management?

The credit risk policy covers governance, limits and procedures for identifying, measuring and mitigating defaults, rating deterioration and concentration. It uses PD, LGD, EAD and CCF models, independent risk control, concentration limits by client, sector, country and segment, and explicit treatment of social, environmental and climate factors.

What capital management framework does Itaú Unibanco (ITUB) describe?

The capital management policy explains planning and monitoring of capital to meet regulatory and internal requirements. It details Reference Equity components, risk-weighted assets, additional capital buffers, the ICAAP process, stress testing, contingency and recovery plans, and reporting through the quarterly Pillar 3 risk and capital report.

Filing Exhibits & Attachments

1 document

Press Releases

EX-99.1 EX-99.1 100.7 KB