Magist

Trade-compliance recordkeeping program

recordkeeping-program-trade · Domain: trade-sanctions · Type: policy

Description

A working trade-compliance recordkeeping program turns each export decision into an audit-ready file. The components are a records system keyed to the export transaction with each decision-making artifact attached, a retention policy calibrated to the longest applicable regime, and a litigation-hold workflow that tolls retention destruction when an investigation opens. The records in scope are not only the transactional artifacts (purchase orders, shipping documents, end-user statements) but the decision-making ones: the classification rationale, the license-determination output, the catch-all screening result, the license-exception conditions where one was claimed.

Regimes layer rather than substitute. The US EAR requires five-year retention of export-transaction records, classifications, license applications, and screening hits from the date of the underlying transaction. OFAC keeps the same five-year window for sanctions-screening evidence, including list version and beneficial-ownership data captured at the time of screening. ITAR runs five years with stricter content rules for defense-article exports. EU Regulation 2021/821 sets a three-year floor that several Member State implementations extend (France carries ten years for some records). The UK Export Control Order 2008 reads as a three-year base with per-licence extensions, plus OGEL-duration-plus-three for the Cryptographic Development OGEL. Operators commonly retain to the longest of the applicable windows rather than maintaining parallel retention clocks per regime.

The piece that consistently goes wrong is the classification rationale. The classification itself usually sits in the records system; the analyst's reasoning for arriving at it often lives in email, Slack, or a one-off memo, and is the artifact most likely to be requested first when a regulator opens a file.

Evidence formats that hold up under examination include the published record-retention policy, the audit log of access and amendments to retained records, and copies of decision-making artifacts that show timestamps contemporaneous with the underlying transaction (not reconstructed years later). The asymmetry that makes this Control matter: a clean records file shortens an investigation; a gap-filled one widens it.

Required by (5 regulations)

  • US EAR

    15 CFR §762.6 — 5-year retention of license applications, classification documentation, end-use statements, restricted-party screening results.

  • US OFAC

    31 CFR §501.601 — 5-year retention of every transaction subject to OFAC's regulations, including screening evidence (list version, hit/miss, beneficial-ownership data).

  • EU Dual-Use

    Regulation (EU) 2021/821, Article 27 — 5-year retention floor; Member State extensions (France: 10 years for some records).

  • UK Export Control

    Export Control Order 2008 Article 28 — 3-year base + per-licence terms; OGEL Cryptographic Development requires retention for OGEL duration + 3 years.

  • Other Sanctions

    Per-jurisdiction recordkeeping (AU 5 years; CA 5+ years; JP 7 years FEFTA-related records; SG MAS Notice TFS-related; CH SECO 5 years base).

Fulfilled by (1)

  • In-house build · medium effort

Magist does not accept payment from vendors.

Evidence formats

  • record-retention policy
  • audit log

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

© 2026 Magist