[Federal Register Volume 86, Number 190 (Tuesday, October 5, 2021)]
[Notices]
[Pages 55029-55033]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-21697]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release Nos. 33-10993; 34-93204; 39-2541; IC-34392; File No. S7-12-21]


Potential Technical Changes to EDGAR Filer Access and Filer 
Account Management Processes

AGENCY: Securities and Exchange Commission.

ACTION: Request for comment.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
requesting comment on potential technical changes related to how 
entities and individuals access the Commission's Electronic Data 
Gathering, Analysis, and Retrieval system (``EDGAR'') to make 
submissions, and how these entities and individuals (``filers'') manage 
the permissions of individuals who may file on EDGAR on their behalf. 
Individuals who seek to file on EDGAR on behalf of a filer would be 
directed to a third-party service provider to create individual user 
account credentials and to enable multifactor authentication. Each 
filer would designate a ``filer administrator''--analogous to the 
current filer contact person who receives the filer's EDGAR access 
codes--to manage the permissions of the filer's individual users 
through a new filer management tool on EDGAR.

DATES: Comments should be received on or before the later of: December 
1, 2021, or November 4, 2021.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/submitcomments.htm); or
     Send an email to rule-comments@sec.gov. Please include 
File Number S7-12-21 on the subject line.

Paper Comments

     Send paper comments to Vanessa A. Countryman, Secretary, 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549.

All submissions should refer to File Number S7-12-21. This file number 
should be included on the subject line if email is used. To help the 
Commission process and review comments more efficiently, please use 
only one method of submission. The Commission will post all submitted 
comments on our website (http://www.sec.gov). Typically, comments are 
also available for website viewing and printing in the Commission's 
Public Reference Room, 100 F Street NE, Washington, DC 20549, on 
official business days between the hours of 10 a.m. and 3 p.m. 
Operating conditions may limit access to the Commission's Public 
Reference Room. All comments received will be posted without change. 
Persons submitting comments are cautioned that the Commission does not 
redact or edit personal identifying information from comment 
submissions. Please submit only information that you wish to make 
available publicly.

FOR FURTHER INFORMATION CONTACT: Rosemary Filou, Deputy Director and 
Chief Counsel; Daniel Chang, Senior Special Counsel; EDGAR Business 
Office, at 202-551-3900, Securities and Exchange Commission, 100 F 
Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission is seeking public comment on 
potential technical changes to the EDGAR access process that include 
the addition of individual user account credentials as well as a tool 
on EDGAR through which filers would manage their EDGAR accounts. During 
the comment period, the Commission will open an EDGAR ``Beta'' 
environment where pre-enrolled EDGAR filers may preview and test many 
of the potential access changes. The Commission plans to provide more 
information regarding

[[Page 55030]]

the Beta environment for the potential technical changes and what 
functions can be tested in the Beta environment through an information 
page on SEC.gov.

I. Introduction and Background

    Individuals and entities seek to access EDGAR to make electronic 
submissions with the Commission to comply with various provisions of 
the federal securities laws. Prospective EDGAR filers currently apply 
for access in accord with 17 CFR 232.10 (Rule 10 of Regulation S-T) by 
completing the online uniform application for EDGAR access codes 
(``Form ID'') \1\ on the EDGAR Filer Management website \2\ and 
submitting a notarized copy of that application signed by an authorized 
individual of the filer.\3\
---------------------------------------------------------------------------

    \1\ See Form ID, uniform application for access codes to file on 
EDGAR, 17 CFR 239.63, 249.446, 269.7, and 274.402.
    \2\ See EDGAR Filer Management website at https://www.filermanagement.edgarfiling.sec.gov.
    \3\ See EDGAR Filer Manual, Volume I, at Section 3. The EDGAR 
Filer Manual specifies the instructions filers must follow when 
making electronic filings on EDGAR and is incorporated by reference 
in the Code of Federal Regulations by 17 CFR 232.301 (Rule 301 of 
Regulation S-T). Rule 10 of Regulation S-T and the EDGAR Filer 
Manual permit manual, electronic, and remote online notarizations, 
authorized by the law of any state or territory of the United States 
or the District of Columbia. See 17 CFR 232.10 and EDGAR Filer 
Manual, Volume I, at Section 3. An ``authorized individual'' for 
purposes of the Form ID notarization process includes, for example, 
the Chief Executive Officer, Chief Financial Officer, partner, 
corporate secretary, officer, director, or treasurer of a company 
filer; or for individual filers, the individual filer or a person 
with a power of attorney from the individual filer. See EDGAR Filer 
Manual, Volume I, at Section 3.
---------------------------------------------------------------------------

    If the Form ID application is approved, the contact person listed 
on the Form ID receives an EDGAR account number unique to the filer 
known as a central index key (``CIK''), if needed,\4\ and information 
regarding EDGAR access codes. EDGAR access codes include the EDGAR 
password, central index key confirmation code (``CCC''), password 
modification authorization code (``PMAC''), and passphrase.\5\ Filings 
on EDGAR are not currently linked to a specific authorized individual, 
but rather associated with the CIK generally. Additionally, multifactor 
authentication is not presently available to validate individuals 
accessing EDGAR and simplify password retrieval.
---------------------------------------------------------------------------

    \4\ Currently, most applicants completing the Form ID for EDGAR 
access have not previously been assigned a CIK. However, a small 
number of other applicants have already been assigned a CIK, but 
have not filed electronically on EDGAR. These applicants continue to 
use the same CIK when they receive access to EDGAR and are not 
assigned a new CIK.
    \5\ See EDGAR Filer Manual, Volume I, at Section 4. For a 
discussion of the functions of these access codes, please see the 
``Understand and utilize EDGAR CIKs, passphrases and access codes'' 
section of EDGAR--How Do I, at https://www.sec.gov/edgar/filer-information/how-do-i.
---------------------------------------------------------------------------

    The Commission is considering potential technical changes to the 
EDGAR filer access and filer account management processes (``potential 
access changes'') to enhance the security of EDGAR, improve the ability 
of filers to securely maintain access to their EDGAR accounts, 
facilitate the responsible management of EDGAR filer credentials, and 
simplify procedures for accessing EDGAR.
    Individuals who seek to file on EDGAR would be directed to a third-
party service provider to create individual user account credentials, 
including a unique username and password (``account credentials''), and 
to enable multifactor authentication. The filer would designate a 
``filer administrator'' analogous to the current filer contact person 
who receives access codes. The filer administrator would manage the 
permissions of the filer's EDGAR ``users''--individuals with account 
credentials authorized by the filer to make submissions on its 
behalf.\6\ A new EDGAR filer management tool would allow the filer 
administrator to add and remove users and filer administrators, elevate 
a user to filer administrator, and change a filer administrator to a 
user. This tool would assist filers in complying with their existing 
obligation to securely maintain access to their EDGAR account.\7\
---------------------------------------------------------------------------

    \6\ For purposes of this request for comment, the term ``users'' 
includes filer administrators unless otherwise indicated.
    \7\ See EDGAR Filer Manual, Volume I, at Section 4.
---------------------------------------------------------------------------

    The filer management tool would be accessed through the EDGAR Filer 
Management website, which would be redesigned with a new layout and 
features. The new account credentials would be used to access the other 
two EDGAR websites--EDGAR Filing and EDGAR Online Forms; however, those 
websites would remain largely unchanged.\8\
---------------------------------------------------------------------------

    \8\ EDGAR Gateway Filing website at https://www.edgarfiling.sec.gov/Welcome/EDGARLogin.htm; and EDGAR Online 
Forms Management website at https://www.edgarfiling.sec.gov/Welcome/EDGAROnlineFormsLogin.htm. The three EDGAR filing websites would 
also remind filers of their obligations to comply with the rules and 
regulations governing access to EDGAR.
---------------------------------------------------------------------------

    The potential access changes would eliminate the EDGAR password,\9\ 
PMAC, and passphrase. Users would make submissions by using the filer's 
CIK and CCC after logging in with their new account credentials. The 
potential access changes would enable the Commission to identify the 
unique user making each filing on EDGAR while allowing a filer 
administrator to manage the permissions of users authorized to make 
submissions on the filer's behalf.
---------------------------------------------------------------------------

    \9\ The EDGAR password would be replaced by the password in the 
account credentials obtained from the third-party service provider.
---------------------------------------------------------------------------

    In conjunction with this request for comment, the Commission will 
allow pre-enrolled filers to access an EDGAR Beta environment, where 
filers will be able to preview and test many of the potential access 
changes. As with any change to EDGAR code, the potential access changes 
to EDGAR may affect custom code that filers have created in their 
systems to interact with EDGAR. The Beta environment generally should 
allow filers to determine what changes would be needed to their custom 
code to accommodate the potential access changes and to provide 
targeted technical feedback to the Commission about the potential 
access changes. The Commission currently anticipates that the Beta 
environment will be available in October 2021. All filers will be 
eligible to enroll to participate in the EDGAR Beta environment, which 
may be made available for future EDGAR changes. The Commission will 
provide more information regarding the Beta environment for the 
potential access changes and what functions can be tested in the Beta 
environment through an information page on SEC.gov.
    We have established an information page explaining the potential 
access changes on the EDGAR--Information for Filers web page on 
SEC.gov,\10\ leveraging the recently introduced EDGAR--How Do I guide 
\11\ for filers, and providing additional filer assistance such as in-
context help, live webinars, and on-demand how-to videos. Our goal is 
to make the transition as easy as possible for filers. We will also 
provide a help desk devoted to assisting filers with the potential 
access changes.
---------------------------------------------------------------------------

    \10\ See EDGAR--Information for Filers web page at https://www.sec.gov/edgar/filer-information.
    \11\ See EDGAR--How Do I at https://www.sec.gov/edgar/filer-information/how-do-i.
---------------------------------------------------------------------------

    If the potential access changes are implemented, the Commission 
anticipates that it would adopt amendments to certain Commission rules 
and forms to reflect the potential access changes. The corresponding 
amendments would include changes to Rule 10 of Regulation S-T, Form ID 
and associated rules,\12\ and the EDGAR Filer Manual, which is 
incorporated by reference in the Code of Federal

[[Page 55031]]

Regulations by Rule 301 of Regulation S-T.
---------------------------------------------------------------------------

    \12\ See Form ID, uniform application for access codes to file 
on EDGAR, 17 CFR 239.63, 249.446, 269.7, and 274.402.
---------------------------------------------------------------------------

    We would expect to implement a phased transition of existing filers 
to the potential access changes, as discussed below, to make the 
transition a user-friendly experience for filers.

II. Discussion

    We are considering potential technical changes to the method by 
which filers access EDGAR to make submissions and manage their EDGAR 
accounts.

A. Individual Account Credentials

    Under the potential access changes, each individual seeking to make 
submissions on EDGAR on behalf of a filer would be required to obtain 
individual account credentials from a third-party service provider. The 
Commission is considering using as the third-party service provider 
Login.gov, an official website of the U.S. Government that provides a 
sign-in service for use by the public and Federal agencies.\13\ When an 
individual creates account credentials with the third-party service 
provider, the individual would be prompted to provide an email address 
and select an authentication option.\14\ After the individual confirms 
the email address and completes the authentication, the third-party 
service provider would assign the individual unique account 
credentials.
---------------------------------------------------------------------------

    \13\ See https://www.login.gov/.
    \14\ Login.gov authentication options include: (1) A security 
key; (2) government employee or military PIV or CAC cards; (3) 
authentication application; (4) text message/SMS or telephone call; 
and (5) backup codes, with (1), (2), and (3) being the most secure 
method, and (5) being the least secure authentication option 
according to Login.gov. See generally Login.gov, Authentication 
Options at https://www.login.gov/help/get-started/authentication-options/. See also generally Login.gov, Privacy and security: Our 
security practices at https://login.gov/policy/our-security-practices/ for information on Login.gov's security practices.
---------------------------------------------------------------------------

    Multifactor authentication adds a layer of validation each time an 
individual signs in to EDGAR. For example, if the telephone 
authentication option is selected, the individual would enter a one-
time passcode received by text message/SMS or from a telephone call to 
the provided telephone number each time the individual logs in to a 
filer's EDGAR account. Multifactor authentication would be used only 
for purposes of validation, and individuals would be reminded on EDGAR 
to provide only a business email account and relevant business 
information when creating account credentials. EDGAR would no longer 
employ the EDGAR password, PMAC, and passphrase codes.
    If the individual enters their account credentials and successfully 
completes the multifactor authentication process, the individual would 
be able to access the EDGAR Filer Management website. To make 
submissions on behalf of a certain filer on the three EDGAR filing 
websites,\15\ however, individuals would also need to be authorized as 
a user by the relevant filer administrator.
---------------------------------------------------------------------------

    \15\ See supra note 8.
---------------------------------------------------------------------------

B. Filer Administrators

    As part of the changes we are considering, a filer would designate 
which of its users would act as filer administrator(s) to manage the 
filer's EDGAR account, analogous to the contact person who currently 
receives access codes. A filing entity would be required to designate 
at least two filer administrators. Employees at filing entities often 
change; therefore, designating two filer administrators would increase 
the chances that management of the filer's EDGAR account would be 
uninterrupted. For individual filers, one filer administrator would be 
required. Both filing entities and individual filers would be permitted 
to have additional filer administrators.
    Under the potential access changes, prospective filers would 
designate their filer administrator during the initial Form ID 
application process while existing filers would enroll their filer 
administrators during a transition period. EDGAR would contain a link 
to the third-party service provider's website, where the prospective 
filer administrator could obtain account credentials. After the 
prospective filer administrator obtains account credentials, the 
prospective filer administrator would be automatically redirected to 
the EDGAR Filer Management website to access the Form ID application. 
We would permit a third party to be a filer administrator if the third 
party submits a Form ID listing the third party as filer administrator 
and includes a notarized power of attorney from an authorized 
individual of the filer that grants authority to the third party.\16\
---------------------------------------------------------------------------

    \16\ Currently, we permit a person with a power of attorney from 
an individual filer to sign the Form ID application for the 
individual filer; in that case, the power of attorney document must 
accompany the notarized Form ID application. See EDGAR Filer Manual, 
Volume I, at Section 3. Existing Commission practice also permits 
the Form ID to be signed by an individual with a power of attorney 
from a filing entity, such as a corporation.
---------------------------------------------------------------------------

    The filer administrator would replace the current filer contact 
person to manage the filer's access to EDGAR. As described in more 
detail below, the filer administrator would manage and confirm the 
permissions of users through the new filer management tool. All filer 
administrators would be able to manage and confirm permissions of users 
regardless of whether they are listed on the Form ID or added as filer 
administrators through the filer management tool.
    On the Form ID, prospective filers would include the names and 
business contact information of two filer administrators for filing 
entities or one filer administrator for individual filers. The 
prospective filer would then electronically submit the Form ID and 
upload a notarized copy of the Form ID signed by an authorized 
individual of the prospective filer, as currently required.
    If the Form ID application is approved, EDGAR would provide the 
filer administrator with a CCC code and a link to the EDGAR Filer 
Management website, similar to the current process. The filer 
administrator could then access the filer's account and the filer 
management tool by logging onto the EDGAR Filer Management website with 
the filer administrator's account credentials.
    The Commission would require existing filers to transition to the 
potential access process. Each existing filer would designate an 
individual to function as filer administrator. The filer administrator 
for the existing filer would obtain account credentials through the 
third-party service provider; log in to a transition page in EDGAR; and 
enter the filer's CIK, CCC, EDGAR password, and passphrase. Once 
existing filers transition to the potential access changes, they will 
no longer be able to use the current login method. Existing filers that 
do not have active EDGAR access codes would be required to complete a 
new Form ID to reapply for access.

C. Filer Management Tool and Annual Confirmation of Permissions

    The potential access changes would include a new filer management 
tool on the EDGAR Filer Management website where a filer administrator, 
acting on behalf of the filer, could view, add, remove, and confirm 
users. The filer administrator could also change the permissions of a 
user to filer administrator and vice versa. Further, on the filer 
management tool, filer administrators could delegate filing authority 
to third parties--such as filing agents--and remove such delegations. 
Thus, the filer management tool would allow filer administrators to 
view and manage the permissions of all of the filer's users.

[[Page 55032]]

    Once the filer administrator adds a user on the filer management 
tool, that user would have access to the EDGAR filing websites when the 
user obtains account credentials and logs in to the websites. Unlike 
the filer administrator, a user could only view the user's permissions 
on the filer management tool, not those of the filer administrator or 
other users; and the only action the user could take on the tool would 
be to remove their own ability to file on behalf of the filer.
    Filer administrators and users included on the filer management 
tool would be able to make submissions, submit correspondence, and 
manage certain filer information.
    Filers are currently required to change their EDGAR password 
annually (a filer's EDGAR password expires 12 months after it was 
created or last changed), or have their access deactivated. Because the 
potential access changes would eliminate the EDGAR password, an annual 
confirmation of permissions on the filer management tool would replace 
the present requirement to change the EDGAR password annually.
    EDGAR would notify filer administrators to access the EDGAR Filer 
Management website to review the list of the filer's users, including 
other filer administrators, and annually confirm on the filer 
management tool the accuracy of the permissions of those authorized to 
file on behalf of the filer. EDGAR would also notify each user to 
confirm annually the user's permissions. The annual confirmation of 
permissions would help the filer remain aware of who makes submissions 
on EDGAR on its behalf and provide an opportunity to update information 
about users no longer associated with the filer or no longer authorized 
to file on its behalf.
    Filers are currently deactivated if they do not timely change their 
EDGAR password on an annual basis, and, under the potential access 
changes, if no filer administrator timely confirms permissions for a 
filer, that filer would be deactivated. The deactivated filer would 
have to resubmit a Form ID application; if approved, staff would 
reactivate the permissions of the filer administrator(s) listed on the 
Form ID application. The filer administrator could then reactivate 
other filer administrators and users using the filer management tool. 
Where filer administrators or users become deactivated because they 
have not confirmed their own permissions, other filer administrators 
could reactivate those users and filer administrators using the filer 
management tool.

D. Transition Period

    There are approximately 180,000 EDGAR filer accounts in which a 
filing has been made in the last two years, approximately 115,000 of 
which represent filing entities and approximately 65,000 of which 
represent individual filers.\17\ If the potential access changes are 
implemented, the Commission would require filers to transition these 
accounts to the potential access process on a gradual basis over a six 
month period, likely beginning in spring 2022. During the transition 
period, existing accounts could access EDGAR through the current 
process until they transition to the potential access changes.
---------------------------------------------------------------------------

    \17\ In total, regardless of account activity, there are 
approximately 785,000 filer accounts in EDGAR.
---------------------------------------------------------------------------

    After all active accounts have transitioned, the Commission would 
address the transition of an additional approximately 600,000 inactive 
EDGAR filer accounts to the potential access changes. The Commission 
would inform filers of its plans regarding inactive accounts before it 
proceeds with those plans.

III. Questions

    The Commission is providing an opportunity for the EDGAR filing 
community and other interested parties to provide feedback on the 
potential technical changes to the EDGAR filer access and account 
management processes. The Commission welcomes input on the following:
    1. Does the filing community have experience with obtaining account 
credentials from third-party service providers including or similar to 
Login.gov that the Commission should consider? If so, which third-party 
service party service providers, and what experience? Would the use of 
third-party service providers give rise to any security concerns for 
individual or entity filers?
    2. Under the potential access changes, there would need to be at 
least two filer administrators for filing entities and one filer 
administrator for individual filers; filers could designate as many 
filer administrators as they would like. Is this appropriate? If not, 
why? Should filing entities be required to have more than two filer 
administrators? For filing entities, would one filer administrator be 
adequate? Should individual filers be required to have more than one 
filer administrator? If so, why? Should there be a limit on the number 
of filer administrators?
    3. With the filer management tool, the filer administrator could 
view, add, remove, and confirm users and other filer administrators as 
well as change the permissions of a user to administrator and vice-
versa. Users could similarly use the tool to view and remove their own 
permissions. In addition, both filer administrators and users would use 
the filer management tool to confirm current permissions on an annual 
basis. Are there other functions that should be incorporated into the 
filer management tool or any other information that administrators or 
users should be able to view? Should any of these functions not be 
included on the filer management tool?
    4. With the filer management tool, the filer administrator could 
delegate filing authority to third parties such as filing agents and 
remove such delegations. Should filer administrators be able to 
delegate filing authority to third parties and remove such delegations? 
Do commenters have any concerns with this function or any suggested 
modifications? Should ``filing agents'' be limited to entities listed 
in EDGAR as ``filing agents'' based on their Form ID filing or should 
it also include entities that function as filing agents but who 
identified themselves on their Form ID filing as ``filer?''
    5. Are there alternatives to the filer management tool that the 
Commission should consider? For example, are there alternative methods 
that would enable filers to take the same actions as they would using 
the filer management tool that would be easier to implement or more 
user-friendly? Do commenters have experience with alternatives to the 
filer management tool, whether positive or negative, that the 
Commission should consider?
    6. Filer administrators and users would confirm their access 
permissions annually. The annual confirmation of permissions would help 
the filer remain aware of who makes submissions on EDGAR on its behalf. 
Should the confirmation be annual or at more or less frequent 
intervals? Are there concerns that the Commission should be aware of 
for filers that only make submissions annually or less frequently? 
Should both filer administrators and users confirm permissions 
annually, or only filer administrators? Should the requirement to apply 
for access again occur automatically upon failure by a filer to confirm 
the access permissions or should there be a grace period if the filer 
administrator fails to confirm the access permissions within a 
specified time period? If there should be a grace period, how long 
should it be? Would the annual confirmation create any additional 
burden on filers or filing agents compared to the current annual EDGAR 
password update requirement?

[[Page 55033]]

If so, are there any improvements to the annual confirmation as 
currently described that would reduce the burden for filers or filing 
agents?
    7. Would the potential access changes facilitate the responsible 
management of EDGAR filer credentials? Are there additional changes to 
the access process that we should make to encourage such responsible 
management? For example, should administrators be required to update 
their account permissions within a reasonable period of time following 
the separation of employment of a user from the filer or a change in 
the user's filing responsibilities? Would the potential access changes 
create any undue burdens for filers or filing agents? If so, how could 
the potential access changes be modified to ease such burdens? Are 
there any other concerns that the Commission should be aware of with 
the transition to the potential access changes?
    8. Are there any issues specific to certain types of filers that 
should be considered with regard to the potential access changes? For 
example, asset-backed securities (ABS) issuers often create one or more 
serial companies each year, each of which is a separate legal entity 
with its own CIK, even though it generally has the same contact 
information as the ABS issuer. If the potential technical changes are 
implemented, should new serial companies have their user and filer 
administrator information automatically copied from the ABS issuer's 
user and filer administrator information? If so, in order to ensure 
that the ABS issuer has user and filer administrator information that 
could be copied to the new serial company, would there be any issues 
associated with requiring ABS issuers to have transitioned to Login.gov 
before the ABS issuer can create new serial companies? Separately, 
should we allow the annual confirmations of users and filer 
administrators for an ABS issuer to also apply to the serial companies 
associated with that ABS issuer, if the same users and filer 
administrators were associated with each serial company?
    9. How long would it take existing filers to adjust to the 
potential access changes? Should we transition existing active accounts 
to the potential access changes on a gradual basis over a several month 
period, possibly beginning in spring 2022? If so, how? For example, 
should the transition period be tiered based on the volume of filings 
made by a filer or a filing agent on an annual basis? Should another 
method be used? What is an appropriate length of time for the 
transition period?
    10. What other changes to the EDGAR filer access and account 
management processes should the Commission consider in the future?

IV. General Request for Public Comment

    We request and encourage any interested person to submit comments 
on any aspect of the potential technical changes to the EDGAR filer 
access and filer account management processes, and suggestions for 
additional changes. In particular, we request comment on obtaining and 
using third-party service provider account credentials to access EDGAR, 
the filer administrator managing the permissions of users associated 
with the filer's EDGAR account, and the filer management tool. Comments 
are of particular assistance if accompanied by analysis of the issues 
addressed in those comments and any data that may support the analysis. 
We urge commenters to be as specific as possible.

    By the Commission.

    Dated: September 30, 2021.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2021-21697 Filed 10-4-21; 8:45 am]
BILLING CODE 8011-01-P


