28 CFR §202.1101
Verified against eCFR.gov as of June 20, 2026
- (a) Records. Except as otherwise provided, U.S. persons engaging in any transaction subject to the provisions of this part shall keep a full and accurate record of each such transaction engaged in, and such record shall be available for examination for at least 10 years after the date of such transaction.
- (b) Additional recordkeeping requirements. U.S. persons engaging in any restricted transaction shall create and maintain, at a minimum, the following records in an auditable manner:
  - (1) A written policy that describes the data compliance program and that is certified annually by an officer, executive, or other employee responsible for compliance;
  - (2) A written policy that describes the implementation of any applicable security requirements as defined in § 202.248 and that is certified annually by an officer, executive, or other employee responsible for compliance;
  - (3) The results of any annual audits that verify the U.S. person's compliance with the security requirements and any conditions on a license;
  - (4) Documentation of the due diligence conducted to verify the data flow involved in any restricted transaction, including:
    - (i) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;
    - (ii) The identity of the transaction parties, including any direct and indirect ownership of entities or citizenship or primary residence of individuals; and
    - (iii) A description of the end-use of the data;
  - (5) Documentation of the method of data transfer;
  - (6) Documentation of the dates the transaction began and ended;
  - (7) Copies of any agreements associated with the transaction;
  - (8) Copies of any relevant licenses or advisory opinions;
  - (9) The document reference number for any original document issued by the Attorney General, such as a license or advisory opinion;
  - (10) A copy of any relevant documentation received or created in connection with the transaction; and
  - (11) An annual certification by an officer, executive, or other employee responsible for compliance of the completeness and accuracy of the records documenting due diligence.