Following a request for comment on the topic in 2021, on September 13, 2023, the Securities and Exchange Commission (“SEC") proposed amendments to Rules 10 and 11 of Regulation S-T and Form ID regarding potential technical changes to Electronic Data Gathering, Analysis, and Retrieval System (“EDGAR") filer access and account management (referred to by the SEC as “EDGAR Next").
EDGAR Next is intended to “enhance EDGAR's security and further improve filers' access to the EDGAR system" said SEC Chair Gary Gensler in a statement (available here). The Proposing Release (available here) indicates that the changes should “facilitate the responsible management of filer credentials, and simplify procedures for accessing EDGAR." EDGAR Next would require filers to authorize designated account administrators to manage the filers' accounts and make filings on the filers' behalf and would require these account administrators and any other authorized users to have their own individual account credentials to access EDGAR Next. As described below, the Form ID application process and ongoing flings will require slightly more coordination between a filer and individuals it has authorized to file on its behalf, the new application process will require additional information (e.g., history of securities law violations) when filing a Form ID, and new annual confirmations and other security measures might be burdensome for certain filers. All considered, the additional security and flexibility these changes will provide will likely outweigh these inconveniences.
Individual Account Credentials Would Replace Filer Password, PMAC, and Passphrase
Currently, each filer, whether a company or individual, has a central index key (“CIK") and only one login, consisting of one password along with a passphrase used during the Form ID application and CIK confirmation code (“CCC") and password modification authorization code (“PMAC") that are each generated after a filer is granted access to EDGAR. EDGAR allows any individual in possession of a filer's password and CCC to access the filer's EDGAR account and make filings. EDGAR Next would continue to use the CCC, but retire the EDGAR password, PMAC, and passphrase. Instead, account administrators and authorized users would need to login with their own individual credentials and would have access to the CCC on the filer's dashboard. The CIK would continue to be used and the CCC would still be required for filing. The updated access protocols thus provide additional security and traceability by limiting access to a filer's account to only those individuals directly authorized by the filer or the filer's account administrator and requiring such individuals to have their own EDGAR accounts.
In practice, the amendments would require that each individual serving as an account administrator obtain individual account credentials through Login.gov, a U.S. government service, and use multi-factor authentication at sign-in. An account administrator could be an employee of the filer or an individual holding a notarized power of attorney authorizing them to serve as account administrator. Account administrators would have access to the filer's dashboard, allowing them to add or remove authorized users, account administrators, and technical administrators, to delegate authority to a delegated entity (such as a filing agent) to file on the filer's behalf, and to otherwise maintain the filer's account and make necessary annual confirmations of account information. Each individual filer or single-member company would be required to authorize at least one account administrator and each filer that is not an individual or single-member company would be required to authorize at least two account administrators, with each account administrator having equal authority.
Types of Authorized Roles. The individuals in each of the authorized roles—account administrator, user, technical administrator, and delegated entity—would each need to have their own EDGAR account and would have a dashboard with functionalities commensurate with their respective role. The Proposing Release provides the following helpful chart depicting the key functions of each role:
|Role||Submit filings, view CCC||Generate/ change CCC||Manage account administrators, users, technical administrators, and delegated entities||Delegate to/accept delegated entity status from another filer||Manage delegated users||Manage filer API token||Manage user API token|
|Account Administrator||X||X||X||X|| || ||X|
|User||X|| || || || || ||X|
|Technical Administrator|| || || || || ||X|| |
|Delegated Administrator||X|| || || ||X|| ||X|
|Delegated User||X|| || || || || ||X|
Changes to Form ID. Changes to the Form ID application process include requiring applicants to designate on the Form ID individuals authorized to be account administrators and requiring the attachment of a power of attorney for each account administrator. Among other changes, additional questions would be added to Form ID relating to federal or state securities law violations of relevant individuals, a company's good standing, and more specific contact information for the filer, account administrator, authorized individual, and billing contact. Once the Form ID application is granted, account administrators would be able to login to EDGAR with their individual credentials to access the filer's dashboard and generate a CCC. Once the account administrators have access to the filer's dashboard, they can add additional account administrators, as noted above, without the need to provide additional powers of attorney for each new administrator.
Changes to EDGAR User Interface. EDGAR Next would include optional Application Program Interfaces (“APIs"), which allow machine-to-machine authentication as an alternative to making filings through the EDGAR website, a process commonly used by filing agents. To use these APIs, filers would be required to authorize two technical administrators to manage the APIs, including to generate filer API tokens used along with user API tokens to authenticate the filer's account administrators or users in place of manual individual account credentials. Three initial APIs would allow filers to make live and test submissions, check the status of submissions, and check operational status of EDGAR. According to Chair Gensler, these APIs “will help enhance how filers, including registrants and their agents, can access EDGAR, retrieve information, and submit bulk filings" and would “promote efficiency for filers and the Commission alike."
Beta Testing and Comments
On September 18, 2023, the SEC opened a public beta environment (available here) for filers to test and provide feedback on the technical functionality of the changes contemplated by EDGAR Next, which will be available for at least six months. Details regarding how to access the EDGAR Next beta environment and related resources are available at the SEC's dedicated EDGAR Next website (available here).
The comment period on EDGAR Next will be open until November 21, 2023. While this proposal does not raise the same kinds of interesting issues as the SEC's other recent rulemaking actions, it will have a significant effect on the day-to-day process for making SEC filings, so filers may want to weigh in if there are aspects they feel strongly about.
If EDGAR Next is adopted as proposed, a six month enrollment period for EDGAR Next would begin one month after adoption, which would allow existing filers to add authorized account administrators without submitting a Form ID.
We would like to thank Meghan Sherley in our Orange County office for her work on this post.
 Under the proposed rules, each filer would need to confirm annually that all account administrators, users, delegated entities, and technical administrators reflected on the filer's dashboard are authorized by the filer and that all information regarding the filer on the dashboard (e.g., contact information) is accurate.