2257 Compliance in 2026: Records, Custodian of Records, and Federal Penalties Explained

The Short Answer

If you produce explicit content — solo or with anyone else — federal law requires four things on file before you publish:

1. Government-issued photo ID for every performer (including yourself), verified before the camera turns on.
2. A cross-reference index linking each piece of content to every performer in it, searchable by every name they've used.
3. A designated Custodian of Records with a physical address where those records are available during business hours.
4. A 2257 statement on every page or piece of content naming the Custodian and that address.

Penalties for failure: up to 5 years federal prison for a first offense, up to 10 years for repeat offenses, plus forfeiture of all content. This is criminal liability, not a civil fine.

The rest of this guide explains each requirement in detail, what's changed in 2026 (Mastercard AN 5196, Visa Integrity Risk Program, the TAKE IT DOWN Act), and what "compliant" actually looks like for solo creators vs. studios.

What Is 18 U.S.C. § 2257?

18 U.S.C. § 2257 is the federal record-keeping law for producers of "actual sexually explicit conduct." Enacted in 1988 and substantially expanded by the Adam Walsh Act of 2006, it requires every producer to create, maintain, and make inspectable records proving every performer was at least 18 at the time of production.

The regulations live at 28 CFR Part 75. Enforcement runs through the Department of Justice — specifically the Child Exploitation and Obscenity Section. Inspections are unannounced and on-site.

If you produce adult content involving anyone — including yourself as a solo creator — the law applies to you.

Who Does 2257 Apply To?

The law applies to primary producers (those who actually film or photograph the content) and secondary producers (those who publish, duplicate, or distribute it). Key groups include:

• Independent producers shooting scenes with other performers
• Studios of any size producing explicit content
• Clip site sellers on platforms like ManyVids, Clips4Sale, and IWantClips
• OnlyFans creators who produce sexually explicit content
• Photographers shooting explicit still images
• Distributors and publishers who reissue content

Important: 18 U.S.C. § 2257 applies to all producers of visual depictions of actual sexually explicit conduct. The statute requires records for every performer portrayed, including yourself. Consult a qualified attorney for guidance on your specific situation.

The Five Core Requirements

1. Collect Government-Issued Photo ID

For every performer appearing in sexually explicit content, you must collect and inspect a valid government-issued photo identification document. This ID must contain:

• The performer's legal name
• Date of birth
• A photograph

Acceptable documents include driver's licenses, passports, and state-issued ID cards. You must verify that the performer is at least 18 years old before any production begins.

2. Maintain Detailed Records

You must create and maintain an index that cross-references:

• Each performer's legal name
• Any stage names, aliases, or maiden names used
• Date of birth
• The title, description, or identifier of each piece of content they appear in
• The date of production

These records must be organized so that an inspector can locate any performer's records by searching for any name the performer has used.

3. Designate a Custodian of Records (COR)

Every producer must designate a Custodian of Records - a person or entity responsible for maintaining the required records and making them available for inspection. The COR must:

• Maintain all required records in an organized, accessible manner
• Make records available for inspection during normal business hours at a designated physical location
• Produce records on demand when requested by authorized inspectors (typically the Attorney General's office)

4. Display the COR Statement

Every piece of content you produce must display a compliance statement including:

• The name of the Custodian of Records
• The physical address where records can be inspected

This statement must appear on the content itself or be readily accessible (e.g., on a website page for online content).

5. Retain Records for the Required Period

Under 28 CFR 75.5, records must be maintained for seven years from the date of production, or five years after you cease producing sexually explicit content, whichever is later. As a practical matter, most producers should retain records for the duration of their career and beyond.

The Custodian of Records Problem

The COR requirement is where most independent producers get stuck. The law requires records to be available at a physical location during business hours. For independent producers, this creates an impossible choice:

This is exactly the problem that COR services like Easy2257 solve. By designating a third-party service as your Custodian of Records, you fulfill the legal requirement without exposing your home address or renting office space.

Penalties for Non-Compliance

Failure to comply with 2257 carries serious penalties:

• First offense: Up to 5 years imprisonment
• Subsequent offenses: Up to 10 years imprisonment
• Forfeiture of content produced in violation

These are federal criminal penalties, not civil fines. The law is enforced by the Department of Justice, and inspections can occur with reasonable notice during business hours.

What Changed in 2026: Payment Processors, AN 5196, and VIRP

Federal 2257 law has been stable for over a decade, but the *enforcement environment* has shifted dramatically. In 2026, the binding pressure on adult producers no longer comes only from the DOJ — it comes from the card networks.

Mastercard AN 5196

Mastercard's AN 5196 (Announcement to Customers, bulletin 5196) requires every acquiring bank that processes adult content payments to verify that the merchant has documented age and consent for every performer in every piece of content monetized through the network. In practice, your payment processor will ask for:

• Proof of performer ID verification
• A signed model release per performer per scene
• A monthly compliance report showing removal-request volume and resolution times
• A documented Custodian of Records arrangement

If your acquirer can't verify those, they drop you. There is no appeals process.

Visa Integrity Risk Program (VIRP)

Visa's Integrity Risk Program imposes parallel requirements with two additional teeth: a takedown SLA (you must remove flagged content within defined hours) and annual third-party attestation for higher-volume merchants. VIRP also requires a public-facing takedown intake — an unauthenticated form where anyone depicted in your content can request removal.

TAKE IT DOWN Act (2025)

Signed into federal law in 2025, the TAKE IT DOWN Act imposes a 48-hour removal obligation for non-consensual intimate imagery (NCII) reported through a defined intake. Adult platforms and producers are squarely in scope. Failure to meet the SLA triggers civil penalties enforceable by the FTC.

What this means in practice

You can be 100% compliant with 2257 itself and still lose your processor if you don't carry the AN 5196 / VIRP paperwork. The federal law sets the floor. The card networks set the ceiling. Most producers underestimate how much of their actual compliance burden comes from the second category.

Easy2257 generates the monthly acquirer report, hosts the unauthenticated takedown portal at /report/removal, and enforces the TAKE IT DOWN 48-hour SLA automatically. These aren't separate products — they're included in every paid plan because they're not optional for anyone monetizing adult content in 2026.

How to Comply: Step-by-Step

Step 1: Before Production

1. Collect a valid government-issued photo ID from every performer
2. Verify the performer is at least 18 years old
3. Record the performer's legal name, date of birth, and any aliases
4. Have the performer sign a model release that includes their legal name, stage name, and date of birth

Step 2: During/After Production

1. Document the title or identifier of the content produced
2. Record the date of production
3. Record all performers who appeared in the content
4. Cross-reference performer records with content identifiers

Step 3: Record Maintenance

1. Store all records in an organized, indexed system
2. Ensure records are searchable by performer name (including aliases)
3. Ensure records are searchable by content title/identifier
4. Maintain records at the designated COR location
5. Keep records for the duration the content is available + 5 years

Step 4: Display Requirements

1. Include the COR statement (name and address) on all content
2. For websites, include a dedicated 2257 compliance page
3. For physical media, include the statement on packaging

Digital vs. Paper Records

The original 2257 regulations were written for a paper-based world. Today, most producers maintain digital records. While the regulations don't explicitly require paper records, the physical location requirement for the COR creates ambiguity.

Best practice: Maintain digital records (for efficiency and backup) while ensuring your designated COR can produce physical copies on demand if required during an inspection. Modern compliance platforms handle this by storing all records digitally with the ability to generate printed reports.

Common Mistakes

1. Not collecting ID before production. The law requires age verification *before* production begins. Collecting IDs after the fact doesn't protect you.

1. Accepting photocopies or photos of IDs. While digital ID verification is increasingly accepted, you should use a verification system that authenticates the document, not just captures an image.

1. Incomplete cross-referencing. Your records must link performers to specific content. Having a folder of IDs without tying them to productions is not compliant.

1. Using your home address as the COR location. While technically compliant, this exposes your home address publicly. Use a COR service or registered agent.

1. Not updating records when content is redistributed. If you license content to a distributor, records still need to be maintained.

1. Forgetting the display requirement. Every piece of content needs the COR statement. This includes content on tube sites, clip sites, and social media platforms.

OnlyFans, Fansly, and Clip-Site 2257 Obligations

OnlyFans, Fansly, ManyVids, Clips4Sale, and iWantClips all run their own 2257 verification flows for content uploaded to their platforms. That covers their obligations as a secondary producer or distributor. It does not cover yours.

As the primary producer — the person who actually filmed or photographed the content — you are independently and personally responsible for:

• Maintaining a complete records set under 28 CFR Part 75
• Designating a Custodian of Records with a physical address
• Displaying a 2257 statement on every page or piece of content you publish anywhere
• Retaining those records for at least seven years from production date

The platform's 2257 page is *their* compliance statement, not yours. When the DOJ inspects, they inspect the producer — which is you. Posting on OnlyFans doesn't shift that obligation to OnlyFans.

The same is true for AN 5196 and VIRP: your platform's processor relationship doesn't insulate you from your own. If you sell direct, you carry it. If you take payments through any channel outside the host platform, you carry it.

For deeper, platform-specific guides:

• OnlyFans 2257 compliance requirements for creators
• Clip-site 2257 compliance: ManyVids, Clips4Sale, IWantClips

How Easy2257 Handles This

Easy2257 is a 2026-built compliance platform designed around the actual regulatory environment — 2257, AN 5196, VIRP, and the TAKE IT DOWN Act — rather than the 1988 paper-records world the law was written for.

1. Create a production and add scenes, or use the Solo Creator flow if you produce alone
2. Invite talent via secure links — they complete ID verification and sign model releases on their own phone, with no one else seeing their documents
3. Bank-grade ID verification with document authentication and facial comparison; we never let unverified performers reach the scene-close step
4. Signed model releases stored as PDF — required by AN 5196 and VIRP, not optional
5. Depiction storage — keep a copy of the actual content tied to the performer record (28 CFR 75.2(a)(1))
6. Producer attestation — timestamped, IP-logged confirmation that you personally examined each ID (18 U.S.C. 2257(b)(1))
7. AES-256 encryption on every record, with SHA-256 integrity hashing for inspection-ready chain of custody
8. Custodian of Records service included on every paid plan — our address and contact appears in your 2257 statement, not yours
9. Unauthenticated removal portal at /report/removal — required by VIRP and the TAKE IT DOWN Act, with a 48-hour SLA enforced automatically
10. Monthly acquirer report generated and emailed on the 2nd of each month, ready to forward to your processor

Solo Creator plan starts at $9.95/mo ($107.40/yr annual). Studio and Enterprise tiers handle multi-producer organizations.

See pricing · How it works · Get started free

This guide is for informational purposes only and does not constitute legal advice. Consult an attorney for guidance specific to your situation.