SEC Announces Big Changes to EDGAR Access
September 13, 2023
The SEC has proposed a significant revamp of the process by which EDGAR is accessed for filers and filing agents. If you file Section 16 forms on behalf of company insiders, this is something you are going to want to keep an eye on.
Why Change? Fake EDGAR Filings Are a Thing
The SEC is proposing this change to try to mitigate the problem of fake EDGAR filings. This is a thing—see the ongoing saga chronicled in TheCorporateCounsel.net blog. These filings can harm investors, so the SEC has determined that action to prevent them is necessary.
Background: The Current Process
Currently, EDGAR filers submit a notarized Form ID to gain access to EDGAR. After the filer’s Form ID is accepted, the SEC issues the filer a CIK and passphrase. The filer then uses the CIK and passphrase to generate the rest of the EDGAR codes necessary to submit filings and maintain their EDGAR account. These are the CCC number, password, and password modification authorization code (PMAC).
Anyone who knows a filer’s CIK and CCC numbers can submit filings on behalf of the insider. Thus, currently, CCC numbers should be very carefully guarded (CIK numbers are public). Unfortunately, the SEC has found that filers aren't always as careful as they should be with CCC numbers. As noted in the proposal:
Commission staff understands that some filers have shared EDGAR access codes with co-registrants, filing agents, and various employees through non-secure means and without tracking or recording the names and identities of the recipients.
If you are responsible for submitting filings on behalf of the insiders at your company, you can currently use either of the following approaches to do so:
- Apply for your own access to EDGAR and submit filings through your own account using insiders’ CIK and CCC numbers. (This is the approach I recommend.)
- Log into EDGAR using the insiders’ credentials and submit their filings through their accounts.
Proposed Change #1: Designated Filer Administrators and Users
The first proposed change is that each filer (i.e., insider, for our purposes) will be required to designate at least one administrator who will be able to manage their EDGAR account and submit filings on their behalf. Presumably insiders can act as their own filer administrators if they want (who am I kidding—no one wants that). An insider can designate a maximum of 20 administrators.
The initial account administrator(s) will be designated on the insider's Form ID. Once an insider's access to EDGAR is established, the insider will have a "dashboard" in EDGAR that their account administrators can access. The account administrators will be able to designate additional administrators for the insider's account as necessary through the insider's dashboard.
Account administrators can also designate individual users who can submit filings on behalf of the insider, but don’t have the ability to manage the insider’s account.
As a result of this proposed change, only designated individuals/entities will be able to submit filings on behalf of an insider. It will no longer be possible for just anyone who has managed to come across an insider’s CIK and CCC number to submit filings on their behalf.
Personally, I think this is a helpful additional security measure. It means that you no longer need to change all your insiders’ CCC numbers whenever someone on your staff who had access to those numbers leaves. Or, if you weren’t changing their CCC numbers, it means you are no longer relying on the discretion of those former employees to ensure the integrity of your insiders’ EDGAR filings and accounts.
There is, however, a major drawback to this process. If you onboard a new insider who already has an EDGAR account (e.g., a new director who is already a Section 16 insider at another company), you will need the insider's existing account administrator to designate you as an administrator or user on the insider's account. Without this access, you won't be able to submit filings on behalf of the insider. And vice versa: when insiders at your company take on new insider roles at other companies, you'll need to designate individuals at those companies as administrators or users for the insider, so they can submit on the insider's behalf. It's a good thing stock compensation professionals are generally a pretty friendly bunch.
Proposed Change #2: Multifactor Authentication
The second proposed change is that the SEC would require anyone who accesses EDGAR (i.e., to submit filings and manage filer accounts) to establish login credentials to EDGAR through a third party website (most likely login.gov) that uses a multifactor identification method. This layers on an additional security measure to access a filer's EDGAR account—for example, entering a code that is texted to you in addition to entering your ID and password. There are five different authentication methods to choose from.
In the context of Section 16, this means that anyone serving as an account administrator or a user for Section 16 insiders will need to establish login credentials through this third-party website. It isn't going to be possible for you to log into EDGAR using your insiders' credentials.
Proposed Change #3: Annual Confirmation
Account administrators would be required to annually confirm who should have access to insiders' accounts and that the information for all insiders' is accurate. Failure to do so will ultimately result in deactivation of the insider's account. The insider would have to submit a new Form ID to reactivate the account.
Form ID Still Required
You might be hoping that this means Form ID will no longer be necessary. I'm sorry to disappoint you but Form ID isn't going anywhere, at least for now. EDGAR filers will still be required to submit a notarized Form ID to the SEC. In fact, the form is going to get longer. In addition to requiring filers to designate an account administrator, the form is going to require more specific contact information and ask whether the filer has been subject to civil or criminal enforcement for securities law violations.
Third-Party Filing Tools
The SEC is also proposing to create application programming interfaces (APIs) that will allow submission of filings through third-party systems. The SEC's first EDGAR access proposal (issued back in September 2021) would not have accommodated filing submissions from third-party tools, so this is welcome news (and I think the APIs will be an improvement over how third-party tools currently submit EDGAR filings).
If you work for a third-party filer, the SEC has provided an overview of the APIs that you probably want to check out and is working on a toolkit. In addition, The SEC is hosting a series of API development support Q&A sessions from September 26 to October 10—you might want to get started on your APIs now, so that you can take advantage of these sessions if you have questions. See the EDGAR Next page for more information.
The SEC is launching a beta program that will run from around now to March 15 of next year (as of September 18, the beta program is not yet available). Learn more about the beta program on the EDGAR Next page. If you participate in the beta and would be open to sharing your feedback with me, I am very interested in hearing it. I am considering submitting a comment letter on the program to the SEC; your feedback would help me determine what to comment on.
Don’t Panic: Comment Period and Transition
No need to panic: nothing is happening right away. The comment period on the proposal will be open until 60 days after the proposal is published in the Federal Register (which hadn't happened yet as of September 18).
If the SEC goes forward with the proposal, they have proposed an enrollment period that would start one month after adoption of the final rules and would remain open for six months. Compliance with the new rules would not be required until the end of the enrollment period.
During the enrollment period, existing insiders would be able to upgrade to the new access system without submitting Form ID. The SEC contemplates providing a bulk enrollment function that will theoretically allow you to upgrade all your insiders' access at the same time. Insiders that don't upgrade by the end of the enrollment period will lose access to EDGAR and will have to submit a new Form ID to reactivate their accounts.