Friday, September 15, 2023

SEC proposes EDGAR enhancements, announces public beta

By Anne Sherry, J.D.

The SEC proposed new rules meant to enhance the security of its EDGAR filing system and improve how users access the system. Whereas currently each filer has a single login that gets passed around the firm, the amendments would require each individual using EDGAR to have their own credentials and to use multi-factor authentication. The SEC will soon roll out a public beta version of a new EDGAR user interface that will include a set of APIs for further flexibility in how users access the system (EDGAR Filer Access and Account Management, Release No. 33-11232, September 13, 2023).

EDGAR enhancements. The proposed changes to EDGAR would overhaul how individual users access the system. Currently, filers share credentials to log in to EDGAR, which include an EDGAR password, password modification authorization code (PMAC), and passphrase. The new system would require each individual user to obtain individual account credentials, which would be simplified relative to the current system, and to log on using multi-factor authentication. The current system “of several codes with differing functions is not in accord with standard access processes,” the release states.

The SEC believes that individual credentials would make EDGAR more secure and easier to use. It would also allow SEC staff and filers to easily determine the individual making specific filings on EDGAR, which the release says would be “particularly useful … when problematic filings are made.” In a statement, SEC Chair Gary Gensler likened the current system of one-login-per-firm to a family sharing a password to a streaming service. “You know where that can lead,” he said ominously.

The proposal also contemplates requiring firms to designate individuals with specific roles in the EDGAR filing process. These roles are account administrator, user, and technical administrator. Each filer must authorize and maintain at least two individuals to act as account administrators (or just one, for individual filers and single-person companies). The account admins, in turn, authorize users, additional account admins, or technical admins (for filers using APIs). Filers would also be able to delegate filing authority to other EDGAR filers, like a filing agent.

Beta release. On September 18, the SEC will open a public beta environment for testing and feedback. A webinar to demonstrate the beta environment will be held at noon on September 19 and a recording posted to the SEC’s YouTube channel afterwards.

This new user interface will include a set of optional application program interfaces (APIs) to allow machine-to-machine communication with EDGAR. Initially, the release will include three APIs:
  • Submission APIs that allow filers to make live and test submissions on EDGAR;
  • Submission status APIs for checking the status of an EDGAR submission; and
  • EDGAR operational status API for checking the operational status of the EDGAR system itself.
The latter two APIs could cut down on network traffic and reduce user tedium by allowing filers to check the status of multiple EDGAR submissions, or the system as a whole, in a batch process.

To use the APIs, filers must authorize at least two technical administrators. The technical admin as well as the individual who submits the filing would each need to generate an API token, which would be valid for one year. This would address a significant concern uncovered in a 2021 Request for Comment by eliminating the need for manual multi-factor authentication of individual account credentials, the release states.

An API Developer Toolkit will be forthcoming, and the SEC will hold four Q&A sessions for developers beginning September 26 to facilitate discussion and guidance around the toolkit.

Testers are instructed to use their real name and email to obtain access to the testing site, because the account credentials are likely to carry over to the real filing environment after the beta concludes. However, filers should only supply fictitious data for testing. The SEC is also providing test cases.

Comments. The proposing release contains specific requests for comment on the mechanics and impacts of the proposal, as well as requests for feedback on the costs and benefits of the proposal and any reasonable alternatives. The comment period is 60 days from publication in the Federal Register.

This is Release No. 33-11232.