The Question Every OnlyFans Creator Eventually Asks
"OnlyFans verifies my ID, so I'm covered for 2257 — right?"
No. OnlyFans verifies its own obligations as a platform. You, as the person who actually filmed the content, are the primary producer under federal law, and your obligations are separate, non-transferable, and personally enforced.
This guide walks through exactly what 18 U.S.C. § 2257 requires of you as an OnlyFans creator in 2026, including the record-keeping changes driven by Mastercard's AN 5196 and Visa's Integrity Risk Program (VIRP), which now apply to every dollar that flows through the card networks — including the dollars OnlyFans pays you.
Why OnlyFans Creators Are Primary Producers
The federal regulations at 28 CFR Part 75 define a primary producer as anyone who "actually films, videotapes, photographs, creates a picture, digital image, or digitally- or computer-manipulated image of an actual human being" engaged in sexually explicit conduct.
If you point a camera at yourself or anyone else and capture explicit content, you are a primary producer. It does not matter where you upload it. It does not matter who you sell it through. The act of producing creates the obligation.
OnlyFans is a secondary producer under the same regulation — they publish and distribute, but they did not film. Their compliance work covers their secondary-producer obligations. Yours sit with you.
The Five Things You Must Have on File
For every piece of explicit content you publish on OnlyFans, you must be able to produce — on demand, at a physical address — the following:
1. Government-Issued Photo ID
A valid, unexpired government ID for every performer in the content, including yourself. Driver's license, passport, or state ID card. The ID must:
- Show legal name
- Show date of birth proving age 18 or over at the time of production
- Include a photograph that matches the performer
OnlyFans' own ID check covers their secondary obligations. You need your own copy of every performer's ID, including your own.
2. A Cross-Reference Index
A searchable index linking every piece of content to every performer in it. The index must be searchable by:
- Each performer's legal name
- Each performer's stage names, screen names, and aliases — including your OnlyFans handle
- The title or identifier of each piece of content
If you've ever changed your screen name, every version goes in the index. If a performer in your scene has worked under three names, all three go in.
3. A Designated Custodian of Records (COR)
Federal regulations require a named Custodian of Records with a physical address where records can be inspected during business hours. This is the requirement that catches most solo creators by surprise. You have three real choices:
| Option | Reality |
|---|---|
| Use your home address | Becomes public record. Listed on every piece of content. Stalking and safety risk. |
| Rent a compliance office | $2,000–5,000/month plus staff coverage during business hours. |
| Use a COR service | Third party becomes your Custodian. Their address goes on your 2257 statement. |
The COR service path is why Easy2257 exists. We become your designated Custodian, our address appears in your statement, and we make records available for inspection at our location — so yours stays private.
4. A 2257 Statement on Every Page
Every page where your explicit content lives must display a 2257 statement naming:
- The Custodian of Records
- The physical address where records are kept
For OnlyFans, this means your profile bio or pinned post needs to include the statement, or you need a linked page (often hosted off-platform) that contains it. The OnlyFans 2257 page references the platform's records — not yours.
5. Retention for 7+ Years
Records must be retained for seven years from the date of production, or five years after you cease producing, whichever is later (28 CFR 75.5). The clock does not start when you stop posting; it starts when you stop producing entirely. In practice, retain forever.
What AN 5196 and VIRP Added in 2026
Federal 2257 is the floor. The card networks have raised the ceiling.
Mastercard AN 5196 now requires every acquiring bank that processes adult content payments to verify the merchant has documented age, identity, and consent for every performer in every piece of content monetized through the network. OnlyFans satisfies this for their platform. If you sell anything direct — Cash App tips, off-platform clips, custom content invoiced outside OnlyFans — you carry it.
Visa Integrity Risk Program (VIRP) adds:
- A defined takedown SLA (hours, not days)
- A public-facing removal portal anyone depicted can submit to without an account
- Annual third-party attestation for higher-volume merchants
- A monthly acquirer compliance report showing removal volume and resolution times
The TAKE IT DOWN Act (2025) federalizes a 48-hour non-consensual-intimate-imagery removal obligation across all platforms and producers. The intake must be unauthenticated. Civil penalties enforced by the FTC.
For most OnlyFans creators these requirements don't bite — until they sell direct, start their own site, or migrate to a smaller platform. At that point, you need the full stack: model releases, the removal portal, the monthly report.
What Counts as a Performer (Including You)
The regulation is performer-centric, not co-performer-centric. Solo content counts. If you film yourself, you are the performer; you also have to maintain a record for yourself with your own ID and verification.
This trips up solo creators who assume "no one else is in the scene, so 2257 doesn't apply." It does. The cross-reference index needs an entry for every scene, even solo ones. The performer in that entry is you.
For collaborative content — duets, threesomes, paid talent — every performer needs:
- A copy of their government ID
- A signed model release (AN 5196 / VIRP requirement)
- A cross-reference entry linking them to the specific scene
You cannot maintain compliance for a collab by trusting that the other performer is "handling their side." If your name is on the published content, you are the primary producer with the record-keeping obligation.
What Happens If You Get Inspected
DOJ inspections under 2257 happen with reasonable notice during business hours at the COR address listed on your 2257 statement. The inspector will ask to see:
- The full set of performer ID records
- The cross-reference index
- Sample records pulled by performer name
- Sample records pulled by content title
You have to produce them on site, in the inspection visit, in an organized form. Records "stored in a Google Drive somewhere" does not count. Records produced from a third-party Custodian's organized system does.
Penalties: up to 5 years federal imprisonment for a first offense, up to 10 years for repeat offenses, plus forfeiture of all content produced in violation. These are criminal penalties, prosecuted by the United States Attorney's Office.
The Practical Setup for an OnlyFans Creator
If you are a solo OnlyFans creator producing your own content, the minimum compliant setup is:
- Verify your own ID with a system that authenticates the document (not just photographs it) and links it to a facial scan taken on the same device
- Record every piece of content in a cross-reference index — content title, production date, performer (you), aliases (every screen name you've used)
- Designate a Custodian of Records — either rent space and staff it during business hours, or use a COR service
- Add the 2257 statement to your OnlyFans bio or a linked off-platform page, naming your Custodian's address
- Retain records for at least seven years, with integrity hashing so you can prove they haven't been altered
- Run a removal intake if you sell direct off-platform — VIRP requires it, and the TAKE IT DOWN Act sets the SLA
For collab content, add a signed model release per performer per scene.
For anyone selling direct (your own site, custom content invoiced outside OnlyFans, Cash App tips), add the monthly acquirer report.
How Easy2257 Handles This
Easy2257's Solo Creator plan is built for this exact use case:
- Self-verification — bank-grade ID document authentication and facial comparison from your phone
- Content log — register every piece of content as you publish it; the cross-reference index builds itself
- Custodian of Records included — our address appears on your 2257 statement, not yours
- Producer attestation — timestamped record that you personally verified your own ID before producing
- AES-256 encrypted storage with SHA-256 integrity hashing on every record
- Removal portal at
/report/removal— VIRP / TAKE IT DOWN compliant, 48-hour SLA enforced automatically - Monthly acquirer report auto-generated and emailed on the 2nd of each month for creators selling direct
- Annual compliance archive — ZIP of every record, ready to hand to an inspector or auditor
Solo Creator plan is $9.95/month or $107.40/year for annual. For collab content (multiple performers per scene), upgrade to Per Scene or Producer tiers — same record-keeping stack, with model releases and multi-performer attestation.
See pricing · How it works · Get started free
Related reading:
- Complete 2257 compliance guide (2026)
- Do OnlyFans creators need 2257 records?
- Mastercard AN 5196 and Visa VIRP explained
- How to set up a Custodian of Records
This guide is informational and does not constitute legal advice. Consult an attorney for guidance specific to your situation.