§ 1033.351 - Policies and procedures.
(a) Reasonable written policies and procedures. A data provider must establish and maintain written policies and procedures that are reasonably designed to achieve the objectives set forth in subparts B and C of this part, including paragraphs (b) through (d) of this section. Policies and procedures must be appropriate to the size, nature, and complexity of the data provider's activities. A data provider has flexibility to design policies and procedures to avoid acting inconsistently with its other legal obligations, or in a way that could reasonably hinder enforcement against unlawful or potentially unlawful conduct. A data provider must periodically review the policies and procedures required by this section and update them as appropriate to ensure their continued effectiveness.
(b) Policies and procedures for making covered data available. The policies and procedures required by paragraph (a) of this section must be reasonably designed to ensure that:
(1) Making available covered data. A data provider creates a record of the data fields of covered data in the data provider's control or possession, what covered data are not made available through a consumer or developer interface pursuant to an exception in § 1033.221, and the reasons the exception applies. Indicia that a data provider's record of such data fields complies with the requirements of this paragraph (b)(1) include listing data fields that conform to those published by a consensus standard.
(2) Denials of developer interface access. When a data provider denies a third party access to a developer interface pursuant to § 1033.321, the data provider:
(i) Creates a record substantiating the basis for denial; and
(ii) Communicates in a timely manner to the third party, electronically or in writing, the reason(s) for the denial.
(3) Denials of information requests. When a data provider denies a request for information for a reason described in § 1033.331(c), to the extent the communication of the denial is not required to be standardized by § 1033.311(b), the data provider:
(i) Creates a record substantiating the basis for the denial; and
(ii) Communicates in a timely manner to the consumer or third party, electronically or in writing, the type(s) of information denied, if applicable, and the reason(s) for the denial.
(c) Policies and procedures for ensuring accuracy—(1) In general. The policies and procedures required by paragraph (a) of this section must be reasonably designed to ensure that covered data are accurately made available through the data provider's developer interface.
(2) Elements. In developing its policies and procedures regarding accuracy, a data provider must consider, for example:
(i) Implementing the format requirements of § 1033.311(b); and
(ii) Addressing information provided by a consumer or a third party regarding inaccuracies in the covered data made available through its developer interface.
(3) Indicia of compliance. Indicia that a data provider's policies and procedures regarding accuracy are reasonable include whether the policies and procedures conform to a consensus standard regarding accuracy.
(d) Policies and procedures for record retention. The policies and procedures required by paragraph (a) of this section must be reasonably designed to ensure retention of records that are evidence of compliance with subparts B and C of this part.
(1) Retention period. Records that are evidence of a data provider's actions in response to a consumer's or third party's request for information or a third party's request to access a developer interface must be retained for at least three years after a data provider has responded to the request. All other records that are evidence of compliance with subparts B and C of this part must be retained for a reasonable period of time of at least three years from the date of the action required under subparts B and C of this part.
(2) Certain records retained pursuant to policies and procedures. Records retained pursuant to policies and procedures required under paragraph (a) of this section must include, without limitation:
(i) Records documenting requests for a third party's access to an interface, actions taken in response to such requests, and reasons for denying access, if applicable, for at least three years after the data provider has responded to the request;
(ii) Records providing evidence of fulfillment of requests for information, actions taken in response to such requests, and reasons for not making the information available, if applicable, for at least three years after the data provider has responded to the request;
(iii) Records documenting that the third party has followed the authorization procedures in § 1033.401 to access data on behalf of a consumer, for at least three years after such records are generated;
(iv) Records providing evidence of actions taken by a consumer and a data provider to revoke a third party's access pursuant to any revocation method made available by a data provider, for at least three years after the revocation;
(v) Records providing evidence of commercially reasonable performance described in § 1033.311(c)(2)(ii), for at least three years after the period recorded;
(vi) Written policies and procedures required under this section for three years from the time such material was last applicable; and
(vii) Disclosures required under § 1033.341, for three years from the time such material was disclosed to the public.