§ 478.130 Electronic records.

Notwithstanding any regulation requiring information to be kept on paper or in a bound volume, licensees under this part may create, maintain, and store electronically all records required under the Gun Control Act, as amended, the National Firearms Act, as amended, and their implementing regulations, provided licensees meet the following minimum conditions.

  1. a.(a) Records content, format, and searchability. Licensees must use an electronic record-keeping system that ensures all records they generate, maintain, or store in the system are:

    1. 1.(1) complete, containing all information required under applicable laws and regulations;

    2. 2.(2) formatted so that electronic and printed copies are identical to physical copies of ATF forms (as applicable) and include all instructions and comments;

    3. 3.(3) unalterable (i.e., cannot be deleted or manipulated once created);

    4. 4.(4) inclusive, including or attaching supplemental documents in the same electronic file;

    5. 5.(5) searchable by key terms, including transferee name, transfer date, serial number, firearm type, model, manufacturer/importer, caliber, and size or gauge;

    6. 6.(6) sortable in one of the following ways: alphabetically (by purchaser name), chronologically (by disposition date), or numerically (by transaction number); and

    7. 7.(7) navigable, permitting viewing and toggling between at least two types of records.

  2. b.(b) Auto-populating data. For all records required to be kept by licensees under this part, licensees and their customers may enter data manually or may have that data automatically populate. When automatically populating data, licensees must comply with the provisions of § 478.124(c)(2) of this part.

  3. c.(c) Data integrity and audit trails. The electronic record-keeping system must:

    1. 1.(1) Retain any error correction as an entirely new entry, without deleting or modifying the original entry. Any correction entry must contain the date, time, reason for the correction, and name of the person who made the correction; and

    2. 2.(2) Automatically generate audit trails, which are comprehensive, user-authenticated, date- and time-stamped records of all actions performed within a system containing electronic data.

  4. d.(d) Storing electronic records. Licensees must store their electronic records securely to prevent data loss and breaches for the same records retention period as paper records. See § 478.129 of this part.

    1. 1.(1) If a licensee has more than one license, they must make the records for each license readily identifiable and must not commingle them with records for any other license.

    2. 2.(2) Licensees may store electronic records on their business premises or remotely using a domestic host facility if the server is located within the United States or its territories, or if a host facility is used, that facility must have a business premises within the United States or its territories, and must be subject to U.S. legal process. If the records are stored remotely, licensees must provide ATF with the name, address, and phone number of the host facility within 30 calendar days of engaging or transferring service. If licensees change the host facility at which they store records, and the new host facility is incapable of storing prior records, the licensees must download and maintain a digital copy of the old records at their licensed premises and maintain it in accordance with these regulations.

  5. e.(e) Data back-ups. Licensees must create a data back-up (i.e., digital copy) to protect against their electronic records being lost, stolen, or corrupted. ATF does not require licensees to print the records as part of the back-up process. Licensees:

    1. 1.(1) May determine a back-up schedule for records other than Forms 4473, depending on their volume of data, but must complete:

      1. i.(i) an incremental back-up (i.e., a back-up of new or changed data) within 24 hours of any data entry or change; and

      2. ii.(ii) a full back-up of the entire system no less than once per month. See § 478.124(h) of this part for back-up requirements for Forms 4473.

    2. 2.(2) May choose the format of their data back-ups (e.g., remote “cloud” data storage, download to USB drive), but must:

      1. i.(i) at the end of each year, download that year’s complete electronic records for each license to a physical storage medium (including, for example, an external hard drive or tapes);

      2. ii.(ii) label that medium with the license number and date range of records contained on that medium;

      3. iii.(iii) ensure the back-up files are:

        1. A.(A) openable and readable on devices other than any proprietary or specially designed licensee system;

        2. B.(B) complete, including any supplemental documents and all pages of documents with multiple pages (including instructions);

        3. C.(C) in a format specified by ATF in current guidance at the time; and

      4. iv.(iv) retain the physical storage media with annual back-ups for the records retention period specified in § 478.129 of this part.

    3. 3.(3) Who have an exceptionally large volume of transactions, and who maintain a sophisticated, secure electronic record-keeping system employing redundant data storage mechanisms, may request from ATF a variance for the annual download requirement.

  6. f.(f) Temporary unavailability of electronic record-keeping system.

    1. 1.(1) If the electronic record-keeping system is unavailable, licensees using such a system may instead use paper forms and keep paper records. The paper forms and records must:

      1. i.(i) be kept in accordance with ATF regulations; and

      2. ii.(ii) be accompanied by a copy of the system audit log identifying the temporary disruption in service.

    2. 2.(2) If the licensee’s electronic record-keeping system is unavailable for more than ten calendar days, the licensee must contact its local ATF office and follow directions from the industry operations area supervisor on continued record-keeping.

    3. 3.(3) If the electronic record-keeping system will not permit a licensee to properly complete a form, the licensee may complete a paper form. The licensee must note on the form the reason the form could not be completed electronically and must, if reasonably feasible, report the problem to the software developer or vendor.

  7. g.(g) ATF access and licensee responsibilities.

    1. 1.(1) Nothing in this regulation changes a licensee’s responsibility, within the required timeframe(s), to make records available for ATF compliance inspections and to respond to trace requests and other law enforcement inquiries.

    2. 2.(2) Any electronic record-keeping system must permit records to be downloaded and printed at the licensed business premises.

    3. 3.(3) Licensees must have at least one computer terminal available for use during the compliance inspection.

  8. h.(h) Discontinuing business operations. If a licensee ends operations without a successor and surrenders the related valid federal firearms license(s), the licensee must:

    1. 1.(1) Conduct a full system back-up of all firearms records electronically generated and stored for each license. Those records must be downloaded to a physical storage medium (such as a hard drive or USB device) and labeled with the license number and records’ date range;

    2. 2.(2) Extract from the full system back-up all required documents and provide them to the ATF National Tracing Center’s (NTC) Out-of-Business Records Center (OOBRC) within 30 calendar days of the end of operations (e.g., license, Forms 4473, Forms 6/6A, and acquisition and disposition records), in accordance with § 478.127 of this part;

    3. 3.(3) Provide the required records to the OOBRC on the physical storage medium in an electronic format suitable for imaging (e.g., .pdf, .tiff, .jpeg), with search functions disabled to permit NTC to convert these records into static image files not searchable by name; and

    4. 4.(4) Not submit electronic records in a non-commercial, proprietary file format.

  9. i.(i) Record-keeping in a single medium. Nothing in this regulation should be construed to require federal firearms licensees to create, maintain, and store required records electronically, except that —

    1. 1.(1) If a licensee chooses to create, maintain, and store required records electronically, the licensee must generate and keep all such records in that medium, unless otherwise provided in paragraph (2).

    2. 2.(2) The requirement in paragraph (1) does not apply to paper records resulting from temporary system unavailability that are required by subsection (f).

  10. j.(j) Older records in paper or scanned form.

    1. 1.(1) Licensees who have paper records completed prior to [INSERT EFFECTIVE DATE OF FINAL RULE], may elect to digitally scan these older records, including supplemental forms or documents that are part of a transaction. However, any such scans created after this date must comply with this section’s requirements. Only after meeting and verifying these conditions may the licensee destroy the original paper records.

    2. 2.(2) A completed record is one in which the firearm transfer has occurred or a transaction in which the transfer was denied or cancelled, the licensee made a final entry and closed the transaction, or the transferee abandoned the transaction — and no firearm was transferred or delivered.

    3. 3.(3) Licensees who scanned older paper records before [INSERT EFFECTIVE DATE OF FINAL RULE] in accordance with previous ATF rulings may retain those records as scanned. Such licensees may elect to continue generating paper records for future transactions or may elect to generate electronic records going forward.

      1. i.(i) If you elect to proceed with electronic record-keeping, records generated after the date above must comply with the requirements in this section for other electronic records.

      2. ii.(ii) If you elect to generate paper records after the date above, you may scan such records, but records scanned after the date above must comply with the requirements in this section for other electronic records. Only after meeting and verifying these conditions may you destroy the original paper records.

  11. k.(k) In accord with law and regulation. This section does not extend to any records for which federal law or regulation expressly disallows electronic record-keeping.