
28 CFR § 202.1001 - Due diligence for restricted transactions.

---
identifier: "/us/cfr/t28/s202.1001"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "28 CFR § 202.1001 - Due diligence for restricted transactions."
title_number: 28
title_name: "Judicial Administration"
section_number: "202.1001"
section_name: "Due diligence for restricted transactions."
chapter_name: "DEPARTMENT OF JUSTICE"
part_number: "202"
part_name: "ACCESS TO U.S. SENSITIVE PERSONAL DATA AND GOVERNMENT-RELATED DATA BY COUNTRIES OF CONCERN OR COVERED PERSONS"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "50 U.S.C. 1701  50 U.S.C. 1601  E.O. 14117, 89 FR 15421."
regulatory_source: "90 FR 1706, Jan. 8, 2025, unless otherwise noted."
cfr_part: "202"
---

# 202.1001 Due diligence for restricted transactions.

(a) *Data compliance program.* By no later than October 6, 2025, U.S. persons engaging in any restricted transactions shall develop and implement a data compliance program.

(b) *Requirements.* The data compliance program shall include, at a minimum, each of the following requirements:

(1) Risk-based procedures for verifying data flows involved in any restricted transaction, including procedures to verify and log, in an auditable manner, the following:

(i) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;

(ii) The identity of the transaction parties, including any ownership of entities or citizenship or primary residence of individuals; and

(iii) The end-use of the data and the method of data transfer;

(2) For restricted transactions that involve vendors, risk-based procedures for verifying the identity of vendors;

(3) A written policy that describes the data compliance program and that is annually certified by an officer, executive, or other employee responsible for compliance;

(4) A written policy that describes the implementation of the security requirements as defined in § 202.248 and that is annually certified by an officer, executive, or other employee responsible for compliance; and

(5) Any other information that the Attorney General may require.