28 CFR § 202.1101 - Records and recordkeeping requirements.

---
identifier: "/us/cfr/t28/s202.1101"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "28 CFR § 202.1101 - Records and recordkeeping requirements."
title_number: 28
title_name: "Judicial Administration"
section_number: "202.1101"
section_name: "Records and recordkeeping requirements."
chapter_name: "DEPARTMENT OF JUSTICE"
part_number: "202"
part_name: "ACCESS TO U.S. SENSITIVE PERSONAL DATA AND GOVERNMENT-RELATED DATA BY COUNTRIES OF CONCERN OR COVERED PERSONS"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "50 U.S.C. 1701  50 U.S.C. 1601  E.O. 14117, 89 FR 15421."
regulatory_source: "90 FR 1706, Jan. 8, 2025, unless otherwise noted."
cfr_part: "202"
---

# 202.1101 Records and recordkeeping requirements.

(a) *Records.* Except as otherwise provided, U.S. persons engaging in any transaction subject to the provisions of this part shall keep a full and accurate record of each such transaction engaged in, and such record shall be available for examination for at least 10 years after the date of such transaction.

(b) *Additional recordkeeping requirements.* U.S. persons engaging in any restricted transaction shall create and maintain, at a minimum, the following records in an auditable manner:

(1) A written policy that describes the data compliance program and that is certified annually by an officer, executive, or other employee responsible for compliance;

(2) A written policy that describes the implementation of any applicable security requirements as defined in § 202.248 and that is certified annually by an officer, executive, or other employee responsible for compliance;

(3) The results of any annual audits that verify the U.S. person's compliance with the security requirements and any conditions on a license;

(4) Documentation of the due diligence conducted to verify the data flow involved in any restricted transaction, including:

(i) The types and volumes of government-related data or bulk U.S. sensitive personal data involved in the transaction;

(ii) The identity of the transaction parties, including any direct and indirect ownership of entities or citizenship or primary residence of individuals; and

(iii) A description of the end-use of the data;

(5) Documentation of the method of data transfer;

(6) Documentation of the dates the transaction began and ended;

(7) Copies of any agreements associated with the transaction;

(8) Copies of any relevant licenses or advisory opinions;

(9) The document reference number for any original document issued by the Attorney General, such as a license or advisory opinion;

(10) A copy of any relevant documentation received or created in connection with the transaction; and

(11) An annual certification by an officer, executive, or other employee responsible for compliance of the completeness and accuracy of the records documenting due diligence.