AGENCY:

Securities and Exchange Commission.

ACTION:

Proposed rule.

SUMMARY:

The Securities and Exchange Commission (“Commission”) is proposing rule and form amendments concerning access to and management of accounts on the Commission's Electronic Data Gathering, Analysis, and Retrieval system (“EDGAR”) that are related to potential technical changes to EDGAR (collectively referred to as “EDGAR Next”). We propose to require that electronic filers (“filers”) authorize and maintain designated individuals as account administrators and that filers, through their account administrators, take certain actions to manage their accounts on a dashboard on EDGAR. Further, we propose that filers may only authorize individuals as account administrators or in the other roles described herein if those individuals first obtain individual account credentials in the manner to be specified in the EDGAR Filer Manual. As part of the EDGAR Next changes, the Commission would offer filers optional Application Programming Interfaces (“APIs”) for machine-to-machine communication with EDGAR, including submission of filings and retrieval of related information. If the proposed rule and form amendments are adopted, the Commission would make corresponding changes to the EDGAR Filer Manual and implement the potential technical changes.

DATES:

Comments should be received on or before November 21, 2023.

ADDRESSES:

Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form ( https://www.sec.gov/​rules/​submitcomments.htm); or

• Send an email to rule-comments@sec.gov. Please include File Number S7–15–23 on the subject line.

Paper Comments

• Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to File Number S7–15–23. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all submitted comments on the Commission's website ( https://www.sec.gov/​rules/​proposed.shtml). Comments are also available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission's Public Reference Room. Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection.

Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on our website. To ensure direct electronic receipt of such notifications, sign up through the “Stay Connected” option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT:

Rosemary Filou, Deputy Director and Chief Counsel; Daniel K. Chang, Senior Special Counsel; E. Laurita Finch, Senior Special Counsel; Jane Patterson, Senior Special Counsel; Margaret Marrero, Senior Counsel; Lidian Pereira, Senior Special Counsel; EDGAR Business Office at 202–551–3900, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION:

The Commission is proposing amendments to 17 CFR 232.10 (“Rule 10”) and 17 CFR 232.11 (“Rule 11”) under 17 CFR 232.10 through 232.903 (“Regulation S–T”); and amendments to Form ID (referenced in 17 CFR 239.63, 17 CFR 249.446, 17 CFR 269.7, and 17 CFR 274.402).

Table of Contents

I. Introduction

II. Background

A. Current EDGAR Access and Account Management

B. The Commission's September 2021 Request for Comment

III. Discussion

A. Individual Account Credentials

B. Individual Roles: Account Administrator, User, Technical Administrator

1. Account Administrators

2. Users

3. Technical Administrators

C. Delegated Entities

1. Delegating Authority To File

2. Separation of Authority of Filer and Delegated Entity

3. Delegated Entities

4. Delegated Users

5. User Groups at Delegated Entities

6. Technical Administrators at Delegated Entities

D. Application Programming Interfaces

1. Submission API

2. Submission Status API

3. EDGAR Operational Status API

E. Proposed Amendments to Rules and Forms

1. Rule 10 Under Regulation S–T

2. Rule 11 Under Regulation S–T

3. Form ID

F. Transition Process

1. Individual Account Credentials

2. Enrollment

3. Compliance

G. General Request for Comment and EDGAR Next Proposing Beta

IV. Economic Analysis

A. Introduction

B. Baseline

C. Consideration of Benefits and Costs as Well as the Effects on Efficiency, Competition, and Capital Formation

1. Benefits

2. Costs

3. Effects on Efficiency, Competition, and Capital Formation

D. Reasonable Alternatives

1. Require Personally Identifiable Information in Addition to Individual Account Credentials

2. Requirements for Individual and Small Filers

3. Implementing Performance-Based Standards

4. Institute Phased Compliance Dates by Filer Category or Form Type

E. Requests for Comment

V. Paperwork Reduction Act

A. Form ID

B. The Dashboard

C. Request for Comment

VI. Small Business Regulatory Enforcement Act

VII. Initial Regulatory Flexibility Analysis

A. Reasons for, and Objectives of, the Proposed Action

B. Legal Basis

C. Small Entities Subject to the Proposed Rule and Form Amendments

D. Reporting, Recordkeeping, and Other Compliance Requirements

E. Duplicative, Overlapping, or Conflicting Federal Rules

F. Significant Alternatives

G. Request for Comment

Statutory Authority

Appendix A

I. Introduction

We are seeking comment on proposed rule and form amendments concerning EDGAR filer access and account Start Printed Page 65525 management. Separately, we welcome feedback on related EDGAR technical functionality.

The Commission is seeking to enhance the security of EDGAR, improve the ability of filers ^[1] to securely manage and maintain access to their EDGAR accounts, facilitate the responsible management of filer credentials, and simplify procedures for accessing EDGAR.^[2] In furtherance of these goals, on September 30, 2021, the Commission issued a Request for Comment on Potential Technical Changes to EDGAR Filer Access and Filer Account Management Processes (“2021 Request for Comment”).^[3] The Commission received comments from and engaged in a dialogue with interested parties, considered feedback from these parties, and gathered additional information about filers' interactions with EDGAR.^[4] The rule and form amendments we are proposing in this release and the related technical changes seek to achieve the Commission's goals for secure EDGAR access and account management while addressing many of the comments and concerns expressed in response to the 2021 Request for Comment.

The obligations for filers contemplated by EDGAR Next would generally be codified in Rule 10 of Regulation S–T.^[5] Form ID would be amended to implement those changes and require information about, among other things, the filer's account administrators,^[6] and to improve the utility of the form for Commission staff. Moreover, Rule 11 of Regulation S–T would be amended to provide clarity regarding certain new terms related to the proposed rule and form amendments.^[7]

Under proposed Rule 10(d)(1), only those individuals who obtained individual account credentials ^[8] could be authorized to act on the filer's behalf on a dashboard ^[9] on the EDGAR Filer Management website.^[10]

Proposed Rule 10(d)(2) would require each filer to authorize and maintain individuals as its account administrators ^[11] to manage the filer's EDGAR account on the filer's behalf, in accord with the EDGAR account access and account management requirements set forth in this proposal and in the EDGAR Filer Manual. The filer could authorize someone who is not an employee of the filer ^[12] as the filer's account administrator, if the authorized individual for the filer ^[13] provided a relevant notarized power of attorney authorizing that individual to be the filer's account administrator.^[14]

On the dashboard, account administrators would take actions on behalf of the filer to add and remove authorized users, account administrators, and technical administrators; and annually confirm the accuracy of the filer's information on the dashboard.

Additionally, on the dashboard, account administrators could delegate authority to file on behalf of the filer to any other EDGAR account, such as a filing agent, making that account a delegated entity of the filer, and could remove a delegated entity's authority to file on the filer's behalf. A delegated entity would have its own EDGAR account and dashboard to manage its account. Because it would itself be a filer, a delegated entity would be subject to the same requirements as other filers. Through its dashboard, a delegated entity could manage the delegated authority it received from filers. If a delegated entity accepted a delegation from a filer, the delegated entity's account administrators would become delegated administrators with respect to that filer. Each delegated administrator could thereafter manage which of the users of the delegated entity would become delegated users for particular filers. A delegated entity could not further delegate authority to file on behalf of that filer, nor could delegated administrators take action on the filer's dashboard. Similarly, the filer's account administrators could not view or take action on the delegated entity's dashboard.^[15]

As proposed, Rule 10(d)(4) would require each filer, through its authorized account administrators, to confirm annually that all account administrators, users,^[16] delegated entities,^[17] and technical administrators ^[18] reflected on the dashboard for the filer's EDGAR account are authorized by the filer and that all information regarding the filer on the dashboard is accurate (generally including the filer's corporate and contact information).

Pursuant to proposed Rule 10(d)(5), each filer, through its authorized Start Printed Page 65526 account administrators, would further be required to maintain accurate and current information about the filer on EDGAR, and, pursuant to proposed Rule 10(d)(6), to securely maintain information relevant to the ability to access the filer's EDGAR account.

As part of EDGAR Next, the Commission would offer filers optional APIs ^[19] to facilitate machine-to-machine communication with EDGAR, including submission of filings and retrieval of related information. Pursuant to proposed Rule 10(d)(3), if the filer decided to use an optional API, the filer would be required to authorize two individuals to be technical administrators to manage the API.^[20] In addition, the filer would present security tokens to EDGAR, which would be reissued annually, and which the technical administrators would manage on the filer's dashboard. Individuals using the APIs would be required to sign in with their individual account credentials and complete multi-factor authentication on a monthly basis.

The Commission intends to make available to filers an EDGAR Next Proposing Beta environment ^[21] that reflects the proposed rule and form amendments and related technical changes. In addition to public comment on the proposed rule and form amendments, the Commission welcomes feedback from filers about the technical aspects of EDGAR Next.^[22]

II. Background

A. Current EDGAR Access and Account Management

Presently, those seeking to file on EDGAR apply for access pursuant to Rule 10 of Regulation S–T by completing the Form ID application for access on the EDGAR Filer Management website and submitting a notarized copy of that application signed by an authorized individual of the filer.^[23] Form ID is an online fillable form that requires the applicant to provide the applicant's name and contact information, the applicant's point of contact for EDGAR information, inquiries, and access codes (“EDGAR POC”), and its contact for SEC account information and billing invoices (“billing contact”).^[24] Further, when the applicant entity or individual submits the Form ID, the applicant must create and retain a passphrase to be used to create access codes if the application is granted.

If Commission staff approves the Form ID application, an account in the filer's name is opened on EDGAR, denoted by a central index key number (“CIK”) unique to that filer, if needed.^[25] The EDGAR POC may then generate access codes to allow the filer to make submissions on its EDGAR account. To do so, the EDGAR POC uses the CIK provided in an email from EDGAR and the passphrase the filer created on EDGAR when the filer submitted the Form ID to generate a password, central index key confirmation code (“CCC”), and password modification authorization code (“PMAC”).^[26] Together with the CIK, the filer's password, passphrase, CCC, and PMAC constitute the EDGAR access codes.

Filers make submissions on EDGAR using their CIK, password, and CCC. Filings on EDGAR are therefore traceable to the filer's CIK. EDGAR does not presently issue identifying credentials to individuals making filings on EDGAR; an individual's authority to file on EDGAR is predicated on possession of the password and CCC. Thus, filings are not easily traceable to individuals, and the Commission currently does not provide a technical solution through which filers may manage individuals who make submissions on filers' behalf. As a result, Commission staff and affected filers often encounter delays in addressing potentially problematic filings.

Because filers are required to securely maintain their EDGAR access codes,^[27] Commission staff understands that many filers have devised their own internal methods of tracking the individuals who possess the password and CCC. Other filers, however, may not have closely tracked the individuals who possess the password and CCC and/or otherwise maintained secure access to filers' EDGAR accounts. For example, Commission staff understands that some filers have shared EDGAR access codes with co-registrants, filing agents, and various employees through non-secure means and without tracking or recording the names and identities of the recipients.

EDGAR does not currently employ multi-factor authentication. As noted, if an individual has the password and CCC, then no other authentication is required to access EDGAR. Multi-factor authentication would increase the level of assurance that an individual is indeed the person authorized to access an account by requiring provision of an additional data point to gain access.

Filers routinely hire filing agents, which include law firms and third-party software providers, to assist with filing on EDGAR. Indeed, EDGAR data reveals that, at a minimum, more than 60% of filings on EDGAR are made by a filing agent on the filer's behalf,^[28] and Start Printed Page 65527 commenters have indicated that 81–90% of EDGAR filings are not manually submitted to EDGAR.^[29] While EDGAR does not require the use of filing agents, a filer may decide to hire a filing agent to assist with EDGAR filing.

Further, as noted in comments submitted in response to the 2021 Request for Comment, individual filers who are officers and/or directors with obligations to file on EDGAR pursuant to section 16 of the Securities Exchange Act of 1934 (“Exchange Act”) ^[30] routinely rely upon the companies for which they serve as officers and/or directors to make filings on their behalf on EDGAR.^[31] Likewise, other filers may make filings on behalf of affiliated or related entities, such as asset-backed securities issuers on behalf of their serial companies.^[32]

Filers make submissions on EDGAR through one of three web-based user interfaces, depending on the type of submission made.^[33] Commission staff is aware that filers and filing agents have for years sought to automate submissions on EDGAR so as not to rely upon web-based interfaces, and many filers and filing agents have engineered their own automated processes to make submissions and otherwise interact with EDGAR. These filers and filing agents extract data and content from, or “scrape,” the EDGAR filing websites and use that data to create custom software that allows them to interact with the websites in a machine-to-machine fashion to accomplish tasks such as scheduling filings and making a large volume of submissions on numerous different CIK accounts.^[34]

Filers and filing agents must modify their custom software periodically to accord with underlying changes to EDGAR code. Similarly, when Commission staff makes EDGAR software changes, staff has coordinated with filers and filing agents using custom software to prevent filing disruptions. As a result, efficient implementation of certain technical changes in EDGAR may be delayed while such coordination and software adjustments take place.

B. The Commission's September 2021 Request for Comment

The 2021 Request for Comment sought feedback from filers about potential technical changes to EDGAR access and account management, including the addition of individual account credentials with multi-factor authentication, a dashboard on EDGAR where a filer would manage its EDGAR account, administrators to manage the filer's account and annually confirm the filer's information, and the time period required to implement the potential technical changes. To assist filers in assessing the potential technical changes, the Commission provided filers access to a beta environment that reflected the majority of the potential technical changes.

The Commission received over forty comment letters in response to the 2021 Request for Comment.^[35] Commenters were generally supportive of the Commission's objectives,^[36] but were concerned about certain aspects of the potential technical changes.

With respect to requiring individual account credentials, many commenters expressed the view that the potential technical changes would prevent filers and filing agents from continuing to use their custom third-party software to make machine-to-machine submissions on EDGAR. Several commenters estimated that currently 81–90% of EDGAR filings are submitted to EDGAR directly through third-party filing systems rather than manually uploaded on an individual basis via EDGAR filing websites.^[37] Commenters stated that the Login.gov multi-factor authentication process does not support automated machine-to-machine authentication and requested that the Commission consider machine-to-machine authentication to facilitate the ability to pre-schedule and perform bulk filings, reduce the potential for error due to manual processing, reduce the risk of missing deadlines, and decrease the cost of compliance.^[38] One commenter conducted a survey of filers wherein 70% of respondents believed that the increased time required to submit filings due to the loss of direct submission capability from third-party filing systems would be “very impactful” or “extremely impactful” to their filing success.^[39]

The Commission also requested comment on whether filers should authorize administrators to manage filers' EDGAR accounts. Certain commenters expressed concerns about the impact that the institution of administrators would have on individual officer and director filers pursuant to section 16 of the Exchange Act.^[40] Commenters recommended that the Commission allow a company to create and manage a company-specific account for an individual non-employee director or section 16 officer.^[41] These commenters further suggested that each company be required to obtain a notarized power of attorney from the individual so that the company could create and maintain the company-specific account on behalf of the individual.^[42]

With respect to the Commission's request for comment on a requirement to annually confirm users and administrators, commenters generally did not support the requirement, ^[43] Start Printed Page 65528 noting that it would increase the number of required confirmations, would be duplicative, and would necessitate additional management effort for filers, thus increasing the administrative burden.^[44] Certain commenters recommended limiting confirmation to administrators.^[45] Others suggested that the Commission implement an active notification process to inform filers of impending expiration ^[46] and recommended a grace period after failure to make a confirmation.^[47] Several commenters recommended that denying EDGAR access until the administrator has reconfirmed would be less burdensome than deactivating accounts.^[48]

With respect to the time period required to effectuate the potential technical changes to EDGAR access and account management, one commenter indicated that 66% of its surveyed respondents expressed the view that an appropriate transition period would be 1–3 years,^[49] one commenter suggested a transition period of 18–24 months, and another commenter recommended a transition period of at least one year.^[50]

The staff engaged in additional dialogue with commenters and other interested parties regarding the 2021 Request for Comment and further approaches to EDGAR access improvements.^[51] Among the topics discussed were APIs for submission and for checking accession numbers (numbers filers receive from EDGAR indicating receipt of a filing), filing status, and other information; annual confirmation of individuals authorized to make submissions on a filer's behalf; whether accession numbers should be traceable to the individuals making submissions or instead to the CIK numbers associated with the submissions; bulk submissions and user group functionality; delegation of authority to file; a potential transition process to implement the changes contemplated by the 2021 Request for Comment; and other technical topics.

Having considered the significant additional information provided by commenters in response to the 2021 Request for Comment and the subsequent dialogue with interested parties, we are contemplating a number of changes in connection with the EDGAR Next project, including proposed amendments to Rules 10 and 11 under Regulation S–T and to Form ID; changes to enhance dashboard functionality; and the addition of optional APIs to allow machine-to-machine submissions on EDGAR as an alternative to submission through the EDGAR filing websites.

III. Discussion

We are proposing amendments to Rule 10 under Regulation S–T concerning EDGAR filer access and account management and related matters; Form ID, the application for EDGAR access; and Rule 11 under Regulation S–T, containing the definitions of terms in Regulation S–T. Proposed amendments to Rule 10 and Form ID would set forth requirements for each EDGAR filer to authorize and maintain individual account administrators to manage the filer's EDGAR account on a dashboard on EDGAR, and to authorize account administrators, users, and technical administrators only if those individuals obtained individual account credentials.^[52] Each filer, through its account administrators, would be required to confirm annually that all account administrators, users, technical administrators, and delegated entities reflected on the filer's dashboard are authorized by the filer to act on its behalf, and that all information about the filer on the dashboard is accurate; maintain accurate and current information on EDGAR concerning the filer's account; and securely maintain information relevant to the ability to access the filer's EDGAR account.

On the dashboard, account administrators could add and remove authorized users, account administrators, and technical administrators; delegate and remove delegated authority to file to other EDGAR accounts; and annually confirm the accuracy of all information on the dashboard. The dashboard would contain the filer's corporate and contact information, generally corresponding to the company information currently maintained on EDGAR.^[53] The dashboard would be available during EDGAR operating hours,^[54] such that filers could manage their EDGAR accounts during the same time period that they would file on EDGAR.

The Commission would provide optional APIs for machine-to-machine communication with EDGAR, including to submit filings and to facilitate filers' retrieval of information regarding their submissions. To use APIs, filers would be required to authorize two technical administrators and present certain tokens to EDGAR that we plan to specify in the EDGAR Filer Manual. Filers who did not wish to use the APIs would not need to do so and therefore would not need to comply with the API-related requirements. Those filers could continue to make submissions through the web-based EDGAR filing websites.

A. Individual Account Credentials

Under proposed Rule 10(d)(1), a filer could only authorize an individual to perform functions on the dashboard on the filer's behalf if the individual possessed individual account credentials, obtained in the manner specified in the EDGAR Filer Manual. This requirement would pertain to all existing filers and all individuals acting on behalf of those filers, as well as all applicants for access to EDGAR.

We anticipate requiring, through the EDGAR Filer Manual, that individual account credentials be obtained through Login.gov, a secure sign in service of the U.S. General Services Administration. ^[55] Login.gov is used by participating Federal agencies, as well as State, local, and territorial governments to provide a secure login process and to allow members of the public to use a single account that is protected by encryption, multi-factor authentication, and additional safeguards.^[56]

On the Login.gov website, the individual would respond to prompts to provide an email address and select a multi-factor authentication option.^[57] Start Printed Page 65529 The email address provided to Login.gov would be required to match the email address the filer provides to EDGAR, for example, on Form ID.^[58] After the individual confirmed her email address and completed multi-factor authentication, Login.gov would issue individual account credentials to the individual to sign in to EDGAR.

In accord with proposed Rule 10(d), all account administrators, users, and technical administrators would be required to use their individual account credentials, and multi-factor authentication, to sign into all EDGAR filing websites. After entering the Login.gov username and password, each individual would be prompted to enter a one-time passcode received through the multi-factor authentication option the individual selected when obtaining individual account credentials at Login.gov .^[59]

Individual account credentials would enhance EDGAR security and improve the ability of filers to securely maintain access to their EDGAR accounts. As noted, filers currently share access codes among multiple individuals, making it difficult to track with whom the codes are shared or to trace a filing to a specific individual. The use of individual account credentials would enable Commission staff and filers to easily determine the individuals making specific filings on EDGAR. Linking individuals to the filings they make would be particularly useful for filers and Commission staff when problematic filings are made on EDGAR and would enhance the security and integrity of the system.

The use of individual account credentials would provide additional assurance that only individuals who have been properly authorized by the filer or the filer's account administrator could take actions on the filer's behalf on EDGAR. Currently, the process of filing on EDGAR requires the filer to use certain EDGAR access codes. EDGAR Next would enhance security by requiring an individual seeking to make a filing on EDGAR to sign in with individual account credentials, complete multi-factor authentication, be authorized by the filer or the filer's account administrator, and enter the filer's CIK and CCC.

Multi-factor authentication for individual accounts would be required to access EDGAR. Multi-factor authentication is a widely accepted security tool that would improve the security of access to EDGAR by adding a layer of validation each time an individual signed into EDGAR. Consistent with general industry practice, and standard Login.gov processes, individuals could check a box labeled “remember this browser” during the Login.gov sign-in process to preserve their multi-factor authentication for 30 days if they used the same web browser for login.^[60]

Under EDGAR Next, the EDGAR password, PMAC, and passphrase would no longer be used. The historic use of several codes with differing functions is not in accord with standard access processes. The use of individual account credentials aligns more closely with streamlined, modern access processes, including individual login using multi-factor authentication. The CCC would persist as the code required for filing, but, as noted, individuals seeking to file would also need to sign in with individual account credentials, complete multi-factor authentication, and be authorized by the filer or an account administrator for the filer. Because of these additional safeguards, the filer's CCC would be displayed on the dashboard for account administrators and users.

Requests for Comment

1. Should we require the use of individual account credentials, as proposed under Rule 10(d)(1), and multi-factor authentication for all existing filers, individuals acting on their behalf, and applicants for access to EDGAR?

2. Does the filing community have experience with obtaining account credentials from third-party service providers including or similar to Login.gov that the Commission should consider? If so, which third-party service party service providers, and what experience? Would the use of third-party service providers give rise to any security concerns for individual or entity filers?

3. Would the use of individual account credentials give rise to any concerns regarding costs, confusion, or complexity for individual or entity filers? Are there specific concerns for individual or entity filers that make filings with respect to more than one subject company ( e.g., an individual filer who is a board member for more than one company)? If so, what concerns? Please be specific.

B. Individual Roles: Account Administrator, User, Technical Administrator

Under proposed Rule 10(d)(2), each filer would be required as an initial matter to authorize and maintain at least two individuals with individual account credentials as account administrators to manage the filer's EDGAR account and to make submissions on EDGAR on behalf of the filer,^[61] unless the filer were an individual or single-member company,^[62] in which case it would be required to authorize and maintain at least one individual with individual account credentials as an account administrator.

Using the dashboard on EDGAR, account administrators, acting on behalf of the filer, would authorize individuals with individual account credentials to be users, additional account administrators, or technical administrators for the filer, as needed. This process is illustrated in diagram 1 below. Further, account administrators could de-authorize account administrators, users, and technical administrators for the filer.

Individuals in each role would perform different functions for the filer, and an individual's dashboard would display functionality that corresponded to the respective individual's role, as explained more fully below.

An individual could be authorized to perform more than one role for a filer. For example, one individual could be both an account administrator and a technical administrator, or one individual could be both a technical administrator and a user. An account administrator could not be a user, however, given that account administrators are able to perform all the functions of a user, including the ability to file on EDGAR, themselves.

Analogous additional roles would exist at delegated entities—filers, including filing agents, to which another filer delegates authority to file on its behalf. Specifically, the delegated entity's account administrators would become delegated administrators for the filer, and delegated administrators would have the ability to authorize one or more of the delegated entity's users as delegated users who could make submissions on behalf of that filer.

The key functions that could be performed by each role are illustrated in diagram 2 below.

1. Account Administrators

Proposed Rule 10 paragraphs (d)(4), (d)(5), and (d)(6) would require that the filer, through its account administrators, be responsible to maintain accurate and current information on EDGAR concerning the filer's account and to confirm that information annually, as well as to securely maintain information relevant to the ability to access the filer's EDGAR account, including but not limited to access through any APIs.

Under EDGAR Next, account administrators, on behalf of the filer, would be responsible for the security of the filer's EDGAR account and the accuracy of the filer's information on EDGAR. Account administrators would manage the filer's account on the dashboard, which would display relevant functionality for them to:

• Add and remove users, account administrators, and technical administrators (including removing themselves as account administrators);
• Create and edit groups of users;
• Delegate filing authority to other EDGAR accounts, such as a filing agent's account, and remove such delegations;
• Make the required annual confirmation of all of the filer's information on the dashboard;
• Generate a new CCC for the filer; and
• View and correct their own profile information (name, address, phone number, etc.).

Account administrators could also make submissions on behalf of the filer on EDGAR, allowing filers to make submissions on EDGAR through their account administrators without adding individuals as users on the account.

In addition, account administrators would serve as the points of contact for questions from Commission staff regarding the filer's account.^[63]

Each account administrator would be co-equal, possessing the same authority and responsibility to manage the filer's EDGAR account. There would be no primary account administrator. All actions that would be required to be Start Printed Page 65531 performed by account administrators could be performed by any of them individually and would not require joint action by the filer's account administrators.

a. Filer Authorization of Account Administrators

Under the proposal, prospective EDGAR filers would designate on Form ID the individuals that the filer authorized as account administrators.^[64] As noted above, pursuant to proposed Rule 10(d)(1), the filer could only authorize individuals as account administrators if those individuals had obtained individual account credentials in the manner specified in the EDGAR Filer Manual.

Prospective company filers could authorize as account administrators either (i) individuals employed at the filer or an affiliate of the filer or (ii) any other individual, provided the filer submitted a notarized power of attorney authorizing such other individual to be its account administrator. Prospective individual filers could authorize as account administrators either (i) themselves or (ii) any other individual, provided the filer submitted a notarized power of attorney authorizing such other individual to be the individual filer's account administrator.

A prospective account administrator would complete the prospective filer's Form ID and electronically submit it, and also upload a notarized copy of the prospective filer's Form ID signed by an authorized individual of the prospective filer, as currently required. The signature of the authorized individual would constitute the filer's authorization of the account administrators listed on Form ID.

If the prospective filer sought to authorize another individual as an account administrator, the prospective filer would additionally be required to provide Commission staff with a notarized power of attorney executed by an authorized individual of the prospective filer granting authority to that individual to be an account administrator. The power of attorney would be uploaded with the prospective filer's completed, notarized Form ID.^[65]

If, after reviewing the Form ID application, Commission staff granted access to EDGAR to the filer, EDGAR would email the account administrators listed on Form ID the filer's CIK number and a link to the relevant EDGAR website, similar to the current process. The account administrators could then access the filer's dashboard by logging into EDGAR with their individual account credentials and completing multi-factor authentication.

On the dashboard, account administrators could generate a CCC for the newly issued CIK. The CCC would be securely saved in the dashboard and would be visible to all account administrators and users, delegated administrators, and delegated users for that CIK to facilitate their ability to make submissions on behalf of the filer.

Account administrators could authorize additional account administrators via the dashboard. Thus, if the initial account administrators are determined to be properly authorized to act for the filer on EDGAR, those initial account administrators would be authorized to add account administrators.

b. Number of Account Administrators

As proposed in Rule 10(d)(2), filers who are individuals or single-member companies would be required to authorize and maintain at least one account administrator; all other filers would be required to authorize and maintain at least two account administrators. On the dashboard, any account administrator could add account administrators to the filer's EDGAR account; the maximum number of account administrators would be twenty. After an account administrator invited the individual on the dashboard, EDGAR would send an email invitation to the individual at the email address used to create individual account credentials.

Requiring most filers to authorize at least two account administrators would increase the ability of filers to manage their EDGAR accounts without interruption. Thus, if an account administrator unexpectedly resigned or otherwise ceased to be available to manage the filer's account, the remaining account administrators would continue to manage the filer's account and could authorize additional account administrators. If the account administrator who sought to resign was one of the required two account administrators for an entity filer, then that account administrator could not be removed from the filer's EDGAR account unless the filer first added another account administrator through the dashboard to meet the required minimum of two account administrators. For individual filers and single-member companies, at least one account administrator would always be required because those filers typically consist of only one individual. A limit of twenty account administrators would likely be sufficient to allow for management of large accounts, while avoiding the confusion that a larger number of account administrators might cause.

If all the account administrators for a filer ceased to be available to manage the filer's account, the filer would be required to submit a new Form ID to authorize new account administrators.

c. Account Administrator Authorization and Removal of Users, Technical Administrators, and Other Account Administrators

An account administrator could add an individual as a user, account administrator, or technical administrator for an EDGAR account through the dashboard. The account administrator would enter on the dashboard the prospective individual's first and last name and email address, and EDGAR would send an email invitation to that address. The email address would be required to match the email address provided by the individual when they obtained individual account credentials. In addition, EDGAR would send a notification to the individual through the dashboard if the individual to be added had existing access to the dashboard for another role or filer. The individual's designation as user, account administrator, or technical administrator would be effective when the individual accepted the invitation. Individuals would have fourteen days within which to accept the invitation.^[66] If the individual did not accept within that time period, the individual would not be added, and the invitation would become void. The account administrator could re-initiate the invitation thereafter, however, to afford the individual another opportunity to accept.

Account administrators could change roles of individuals who had already been authorized to act on behalf of the filer, by adding or removing roles as account administrator, user, and/or technical administrator. The relevant individuals would not be required to accept additional invitations or de- Start Printed Page 65532 authorizations for their role to be changed. An account administrator could perform all the functions of a user, therefore, an account administrator could not also be a user since it would be redundant for an individual to hold both roles for the same filer. An individual could, however, be both an account administrator and a technical administrator for the same filer, or a user and a technical administrator for the same filer.

d. Account Administrator Performance of Annual Confirmation

As proposed under Rule 10(d)(4), each filer would be required to perform an annual confirmation on EDGAR of all of the filer's users, account administrators, technical administrators, and delegated entities, as well as any other information related to the filer appearing on the dashboard.^[67] Account administrators would act for the filer to carry out this function.^[68] Annual confirmation would assist the filer in tracking those authorized to file on EDGAR and would provide an opportunity for account administrators to confirm the accuracy of those individuals and delegated entities associated with the filer and to remove those no longer authorized.

To provide flexibility to filers, EDGAR would allow account administrators to select one of four quarterly dates as the filer's ongoing confirmation deadline: March 31, June 30, September 30, and December 31 (or the next business day, if the date fell upon a weekend or holiday when EDGAR was not operating). An account administrator need not wait until the deadline to confirm and could confirm at any earlier date. An account administrator could further change the quarter when confirmation was due by confirming the account at a date in a quarter earlier than the currently selected deadline quarter. Confirmation in an earlier quarter would result in a confirmation deadline one year after the end of the quarter in which the early confirmation occurred. For example, if a December 31 confirmation deadline was selected by the account administrator for the initial annual confirmation, but the account administrator submitted the confirmation for the following year in August, the filer's annual confirmation deadline for the next year would be September 30 (or the next business day, if the date fell upon a weekend or holiday when EDGAR was not operating).

EDGAR would provide several periodic notices to account administrators of the upcoming confirmation deadline, as well as notice of completion of confirmation or failure to timely confirm.^[69] There would also be a two-week grace period following the confirmation deadline, during which account administrators would receive a final series of notices reminding them to complete annual confirmation.^[70]

If no account administrator performed the annual confirmation by the end of the grace period, EDGAR would deactivate the filer's access and the filer would be required to submit a new Form ID application to request access to file on EDGAR.^[71] If Commission staff approved the Form ID application, the filer would continue to have the same CIK previously assigned and its filing history would be maintained. The filer's account administrators listed on Form ID would be required, however, to invite through the dashboard, as if to a new account, any additional account administrators, technical administrators, and users. Although the need to reapply for access and, in particular, the need to invite account administrators, users, and technical administrators anew, would impose an additional burden on filers, failure to perform annual confirmation could signal that the filer was no longer managing or controlling the account. Removing individuals from the filer's account upon deactivation would safeguard information regarding individuals whose information was listed on the filer's dashboard. For example, if someone other than the original filer's account administrators submitted a Form ID application for access to the account, and the original account administrators did not respond to Commission staff's inquiries regarding the new Form ID, the process outlined above would prevent the new account holder from accessing the names, addresses, and contact information of the individuals formerly associated with the account.

e. User Groups

The dashboard would allow an account administrator to group subsets of the filer's users into user groups. User groups would:

• Be created by an account administrator;
• Consist only of users, not account administrators or technical administrators;
• Contain only users for the same EDGAR account;
• Contain up to 500 users (corresponding to the maximum number of users per filer that would be allowed); and

• Not be subject to any numerical limit ( i.e., there could be an unlimited number of user groups).

The user group function would primarily assist delegated entities to authorize certain delegated users to file on EDGAR for specific filers, as explained in the Delegated Entities section below. By employing user groups, the delegated administrator could add or remove the ability to file Start Printed Page 65533 for a certain filer to all users in the group at once, leading to efficiencies of time in managing users.

If an account administrator added an individual to a user group, the individual would receive an invitation to join the user group. If the individual accepted, the individual would become a member of the user group.

2. Users

Under EDGAR Next, account administrators could authorize individuals with individual account credentials as users able to make submissions on EDGAR on behalf of the filer.

a. Authority of Users

Users would be able to make submissions on EDGAR on the filer's behalf. On the dashboard, account administrators and Commission staff could determine which users made which submissions; however, this information would not be made public on EDGAR. In addition, on the dashboard, users could:

• Remove themselves as a user for a filer;
• If using APIs, generate, view, and copy their user API tokens (as discussed further in Section III.D below); and
• View basic information about the filer's account, including the filer's name, CIK, CCC, and corporate information and contact information, as well as the contact information for the account administrators.

Users could not, however, add or remove individuals from the dashboard other than themselves. Further, users could not generate a new CCC.

Separately, users could submit COUPDATs to update filer information such as name, address, and state of incorporation, as filers currently do.

As part of the login and authentication process for the EDGAR filing websites, a user would be able to select the CIK of the filer for which submissions were being made, and that CIK would be reflected in the accession number ^[72] for each of the user's submissions (“login CIK”). Users could change their login CIK at any time to any other CIK for which they were authorized.

b. Becoming Authorized as a User

Through the dashboard, an account administrator would invite an individual to be a user for the filer's account, and the prospective user would receive an email invitation from EDGAR at the email address associated with the prospective user's individual account credentials. In addition, if the prospective user had a role for any EDGAR account, the notification would also appear on the prospective user's dashboard. The individual would be required to accept the invitation to become a user. The individual could then sign in as a user to the filer's EDGAR account by entering her individual account credentials and completing multi-factor authentication.

c. Number of Users

There would be no minimum number of users because account administrators could make submissions on behalf of the filer. There would be a maximum of 500 users. We anticipate that 500 users would be sufficient to accommodate sophisticated filers making a large number of varied filings.

3. Technical Administrators

In connection with the EDGAR Next changes, filers would have an option to use a submission API and related informational APIs, and filers who opted to use the APIs would be required, through their account administrators, to authorize at least two technical administrators to manage API tokens and related technology. Technical administrators could:

• Issue and deactivate filer API tokens on the dashboard;
• Remove themselves as technical administrators for filers;
• View and correct their own profile information; and
• View basic information about each filer for which they are designated as a technical administrator, including the filer's corporate information and contact information.

a. Authority of Technical Administrators

A technical administrator would issue and deactivate filer API tokens required to use the APIs, as set forth more fully in the API discussion in Section III.D. Technical administrators would also serve as points of contact for questions from Commission staff regarding the filer's use of the APIs.

A technical administrator could not add or remove individuals on the dashboard, except to remove themselves as technical administrator. Nor could a technical administrator make submissions on EDGAR on the filer's behalf. Additionally, a technical administrator could not generate CCCs and could not change company information. A technical administrator could, however, view relevant filer information on the dashboard.

An account administrator could authorize technical administrators to be account administrators or users as well as technical administrators. To the extent that individuals designated as technical administrators also had the role of account administrator or user, they would additionally be able to perform the functions associated with that role.

b. Becoming a Technical Administrator

Identical to the process for users, an account administrator would invite the prospective technical administrator on the dashboard, and EDGAR would send the invitation to the email address associated with the prospective technical administrator's individual account credentials. In addition, if the prospective technical administrator already had a role for any EDGAR account, a notification of the invitation would appear on her dashboard. The prospective technical administrator would be required to accept the invitation to become a technical administrator.

c. Number of Technical Administrators

As proposed, if the filer chose to use an API, the filer, acting through its account administrator, would be required to designate at least two technical administrators. This minimum would parallel the minimum number of individuals required to be account administrators (in the case of filers other than individuals and single-member companies) and would reduce the chance that the filer's access to the APIs would be interrupted. There would be no exception to the two technical-administrator minimum for individuals and single-member companies, however, because we anticipate that filers that make a large volume of submissions—typically large filers and filers who use filing agents—would use the APIs, and those filers would have sufficient staff to designate two technical administrators.

Because a filer would be required to have at least two technical administrators to use the APIs, the dashboard would not allow a technical administrator to be removed from a filer's account when only two technical administrators were authorized on the account. An account administrator would be required to first add another technical administrator. Start Printed Page 65534

There would be a maximum of ten technical administrators per filer. This limit would streamline points of contact with the filer and avoid confusion at the filer regarding API tokens. For example, having more than ten possible technical administrators could heighten opportunities for miscommunication between Commission staff and the filer if issues arose regarding the use of APIs. Moreover, based on our understanding of filers' current practice, we do not anticipate that a filer would require more than ten technical administrators to carry out the functions of managing technical aspects of the APIs.

Requests for Comment

4. Should we add a required account administrator role to EDGAR, as set forth in proposed Rule 10(d)? If not, why not?

5. As stated in proposed Rule 10(d), at least two account administrators would be required for filing entities (other than single-member companies) and one account administrator for individual filers and single-member companies. Are these minimum numbers of account administrators appropriate? If not, what minimum numbers of account administrators would be appropriate? Should individual filers and single-member companies be required to have more than one account administrator? If so, why?

6. Should account administrators be permitted to add and/or remove other account administrators without the filer's consent? If so, why? If the filer's consent is not required, should the filer be notified when a new account administrator is added or removed?

7. Should a prospective filer's Form ID be required to be completed and submitted by an account administrator, as set forth in proposed Rule 10(b)? If not, what would be the advantages and disadvantages of allowing an individual who was not an account administrator to complete and submit a Form ID on behalf of an applicant? Please be specific.

8. In proposed Rule 10(d), each filer, through its account administrators, would be required to confirm annually the accuracy of the filer's information on the dashboard; maintain accurate and current information on EDGAR concerning the filer's account; and securely maintain information relevant to the ability to access the filer's EDGAR account, including but not limited to access through any EDGAR APIs. Should any changes or clarifications be made to the proposed responsibilities of filers to be carried out by account administrators in proposed Rule 10(d)? If so, how and why should such changes or clarifications be made? Should any guidance be provided with regards to any of these responsibilities and, if so, how and why?

9. Should any changes be made to the authorization process for account administrators? For example, in the case of company filers, should employees of the filer's affiliate be required to be authenticated via a notarized power of attorney? If so, why?

10. Should any changes be made to the scope of the proposed annual confirmation requirement set forth in proposed Rule 10(d)? Why? Should the confirmation be performed annually, more frequently, or less frequently? Why? As currently contemplated as part of EDGAR Next, in the case of a failure to satisfy the proposed annual confirmation requirement, should there be a grace period for the account administrators to satisfy the confirmation requirements before the account is deactivated? How long should this grace period be, if adopted? Regardless of whether a grace period is provided, should failure to satisfy the proposed annual confirmation requirement result in deactivation of the account with removal of the individuals authorized on the dashboard for the filer, as discussed above, or alternatively, would a temporary suspension of EDGAR access without removal of any of the individuals authorized on the dashboard for the filer be more appropriate, until any of the listed account administrators satisfied the confirmation requirement? Why? How long should the described temporary suspension be, if adopted? Separately, if failure to satisfy the proposed annual confirmation requirements should result in deactivation of the account with removal of the individuals authorized on the dashboard of the filer, as discussed above, should delegated entities and delegating filers also be removed from the dashboard? Why or why not?

11. Would the annual confirmation requirement create any additional burden for filers compared to the current annual EDGAR password update requirement? If so, are there any improvements to the proposed annual confirmation requirement that would reduce the burden for filers? Separately, are there any particular concerns for filers who may only engage in occasional filings, such as filers pursuant to section 16 of the Securities Exchange Act of 1934 who may make sporadic submissions of Forms 3, 4, and 5 less than once per year? If so, to what extent would those concerns be newly implicated by the proposal, given that currently filers must change their password annually or their access to EDGAR is deactivated?

12. Are there any considerations regarding the annual confirmation requirement that are specific to individual or entity filers that make filings with respect to more than one subject company ( e.g., an individual filer who is a board member for more than one company)? Should the confirmation requirement differ for such filers? If so, why?

13. Should we add a user role to EDGAR? If not, how would we address our policy concerns regarding the identification and authorization of individuals who make submissions on the filer's behalf? Is a limit of 500 authorized users per filer appropriate, or should that number be increased or decreased? Should account administrators be able to add users only for a specific filing or for a specific period of time, after which the user's authorization automatically expires? Should any changes or clarifications be made to the scope of authority of users as part of EDGAR Next? If so, how and why should the scope of authority of users be different, or how could the tasks within the scope of authority for users be clarified?

14. Should we add a technical administrator role to EDGAR, as set forth in proposed Rule 10(d)? If not, how would we address our policy concerns regarding the identification and authorization of the individuals who would manage the filer's APIs?

15. Would the requirement of at least two technical administrators to manage the filer's APIs, as set forth in proposed Rule 10(d), create an undue burden for filers? Should this requirement be revised to more fully parallel the limit for account administrators by requiring only one technical administrator for filers who are individuals and single-member companies? Why or why not? Is a maximum number of ten technical administrators appropriate? Why or why not? Should any changes or clarifications be made to the scope of authority for technical administrators as part of the EDGAR Next changes?

16. For what purposes, if any, would filers need to access the dashboard when EDGAR filing functionality was not available? If the dashboard were made available to filers for a period of time outside of EDGAR operating hours, in addition to during EDGAR operating hours, would filers be impacted by the unavailability of filer telephone and email support and EDGAR submission capabilities during that time period? Start Printed Page 65535 How would they be impacted? Please be specific.

C. Delegated Entities

Under EDGAR Next, a filer could delegate authority to file on its behalf to any other EDGAR filer, such as a filing agent, which would become a delegated entity for the filer.

1. Delegating Authority To File

An account administrator would delegate authority to file by entering the prospective delegated entity's CIK on the dashboard. EDGAR would then send an email invitation to all account administrators of the prospective delegated entity; in addition, the invitation would appear on the dashboard of the prospective delegated entity's account administrators.

One account administrator for the prospective delegated entity would be required to accept the invitation for the delegation to become effective. If no account administrator for the prospective delegated entity accepted within fourteen days of it being issued, the invitation would lapse; however, the filer could again follow the process outlined herein to issue another invitation.^[73]

If the filer's account administrators wished to terminate the delegation, they could do so on the dashboard by removing the delegated entity's authority to file. Removal of delegation would not require acceptance by the delegated entity.

An account administrator could delegate authority to file to an unlimited number of EDGAR accounts, allowing filers to delegate to multiple filing agents, for example, should they so choose.

2. Separation of Authority of Filer and Delegated Entity

An account administrator could not add or remove individual delegated users at the delegated entity, nor could the account administrator access the delegated entity's dashboard or account.

Delegated administrators and delegated users could file on the filer's behalf, but they could not take any other actions on behalf of the filer. Nor could they access the filer's dashboard.^[74] For example, a delegated administrator could not add, remove, or confirm account administrators, users, or technical administrators for the filer. Similarly, delegated administrators would not be able to generate or reset the filer's CCC, nor would delegated administrators or delegated users be able to make COUPDAT submissions for the filer.^[75] Delegated administrators and delegated users would not count towards the limits of 20 account administrators and 500 users for the filer under EDGAR Next.^[76]

Delegated entities could receive and provide multiple delegations, but they could not further delegate authority to file to other entities on behalf of filers who delegate authority to them. For example, Filer A could delegate authority to file on its behalf to Filer B. Separately, Filer B could delegate authority to file on its behalf to Filer C. In this scenario, however, Filer B could not delegate to Filer C the authority to file on behalf of Filer A, and Filer C could not file on behalf of Filer A.

3. Delegated Entities

As EDGAR filers, delegated entities would be required to comply with the same requirements applicable to all filers.

A delegated entity could be any EDGAR account, including but not limited to:

• Filing agents; ^[77]

• Issuers, broker-dealers, and others making submissions on behalf of individuals filing pursuant to section 16 of the Securities Exchange Act of 1934;and
• Parent companies of large groups of related filers.

A delegated entity would maintain its separate EDGAR account with its own account administrators, users, and technical administrators.

A delegated entity could receive delegated authority to file for an unlimited number of filers.

We contemplate that individuals with section 16 filing obligations could delegate authority to file to relevant company filers under the construct set forth herein, if they wished to do so. In response to the 2021 Request for Comment, several commenters suggested that the Commission permit the creation of company-specific accounts for each individual with filing obligations pursuant to section 16 of the Exchange Act.^[78] Commenters stated that such accounts would allow individuals to delegate their EDGAR account administration responsibilities to the companies for which those individuals had section 16 filing obligations.^[79] This framework would make it difficult for the Commission and others to track the filings made by a specific individual, however, since each filing would be made by a different company-specific account without linking individuals to the accounts or the filings made therein. The delegation process described herein would make it easier for individuals to obtain assistance with their filings, while allowing the Commission and others to determine filings made by a specific individual. We therefore do not plan to implement the commenters' suggestion.

If a filer authorized a delegated entity to file on its behalf, one of the delegated entity's account administrators would be required to accept the invitation; further, upon acceptance, all of the delegated entity's account administrators would automatically become delegated administrators for the filer. All delegated administrators for the filer would have co-equal authority with regard to that filer. If the delegated entity added or removed one of the account administrators for its own EDGAR account, then that individual would also be added or removed as a delegated administrator for the filer. These relationships are illustrated in diagram 3 below.

4. Delegated Users

If a delegated entity accepted a delegation from a filer, the delegated administrators could authorize specific users at the delegated entity to become delegated users with respect to that filer. Delegated users would not count as part of the 500-user limit for the filer.^[80]

Alternately, if delegated administrators wanted all of their users to become delegated users with respect to a filer, the delegated administrators could check a box to automatically designate all of the users at the delegated entity as delegated users for the filer.

Thus, delegated administrators would have the following options:

• Authorize a subset of the delegated entity's users as delegated users, through the user group function, as discussed above and further explained below;
• Authorize all of the delegated entity's users as delegated users for the filer; or

• Not authorize any delegated users (because the delegated administrators could file on behalf of the filer ^[81] ).

Users at the delegated entity would receive notifications if a delegated administrator added or removed them as a delegated user for a particular filer, however, users would not need to accept the notification or take any further action to become a delegated user for a filer.

Delegated users could submit filings on behalf of the filer on the EDGAR filing websites or through the submission API (which would also require the user to generate and submit a user API token, as discussed further below).

5. User Groups at Delegated Entities

We believe that the user group function would provide an efficient method for delegated administrators to manage delegated users. Delegated entities, through their delegated administrators, could employ user groups to assign certain users to different filers for whom they possessed delegated authority to file. An example is provided in diagram 4 below.

• In diagram 4, the account administrators for Filer A and Filer B delegated to Filer C. As a result, Filer C's account administrators became delegated administrators for Filers A and B. In this example, Filer C might be a filing agent to which Filer A or Filer B gave authority to make filings on its behalf, and Filer A and Filer B might be public companies or investment companies.
• A delegated administrator at Filer C created User Group 1 containing Filer C's Users 1, 2, and 3. The delegated administrator assigned authority to file for Filer A to User Group 1. Users 1, 2, and 3 are thus delegated users for Filer A because they are members of User Group 1. If additional users from Filer C were added to User Group 1, those additional users would also become delegated users for Filer A.
• The delegated administrator at Filer C also created User Group 2 containing Filer C's User 3. The delegated administrator assigned authority to file for Filer B to User Group 2. User 3 is a delegated user for Filer B.
• By employing the user group function, the delegated administrator at Filer C restricted delegated filing permissions for Filer A to Filer C Users 1, 2, and 3 only (via User Group 1) and delegated filing permissions for Filer B to Filer C User 3 only (via User Group 2). Filer C User 4 has not been authorized as a delegated user for any filers.
• In diagram 4, each user group has only been assigned authority to file for a single filer, but user groups could be assigned authority to file for multiple filers.

Delegated administrators could also designate a default user group of individuals who would be automatically assigned as delegated users for all future delegations. The ability to have a default user group would be an efficient way for delegated administrators to authorize groups of their users as delegated users for any delegating filer.

Users would receive notifications when added to or removed from a user group, and when the user group to which they belonged became authorized to make submissions for a filer, or when that authorization was removed. Users would not need to accept or otherwise take any action on these notifications.

6. Technical Administrators at Delegated Entities

If the delegated entity chose to use APIs, the delegated entity would be required to designate its own technical administrators. The delegated entity's technical administrators would be responsible for maintaining the API capabilities for filings by the delegated entity. They would manage the delegated entity's own filer API tokens, as discussed further in Section III.D.1, and the delegated entity would use the delegated entity's filer API tokens to make filings for any filers that delegated authority to it. Technical administrators at the delegated entity would not manage any APIs in use by the filer itself. Nor would the technical administrator need different tokens for different filers that delegated to the delegated entity.

Requests for Comment

17. Should we add individual roles to EDGAR for delegated administrators and delegated users? If not, how should we address our policy concerns regarding the identification and authorization of the delegated individuals who would submit filings on the filer's behalf?

18. Should account administrators be able to delegate filing authority to any EDGAR filer (and remove such delegation)? Do commenters have any concerns with the delegation function or any suggested modifications? For example, should delegation be limited to EDGAR filers that selected “filing agent” as the account type on Form ID when opening the account? Or should delegation be permitted to any EDGAR account, as proposed? Why?

19. Would the EDGAR Next delegation framework address concerns raised by commenters about the impact that the contemplated EDGAR Next changes would have on individual officer and director filers pursuant to section 16 of the Exchange Act, in light of the fact that individual officer and director filers could delegate authority to file on their behalf to any related companies, law firms, or filing agents? Why or why not?

20. Should any changes be made to the authority of delegated administrators and delegated users under EDGAR Next?

21. Are there any situations where the EDGAR Next delegation framework could be streamlined?

22. Would user group functionality facilitate the ability of account administrators and delegated Start Printed Page 65538 administrators to efficiently add and remove users and delegated users? Why or why not? Should any changes to user group functionality be made?

D. Application Programming Interfaces

As part of the EDGAR Next changes, the Commission would offer APIs to filers to allow machine-to-machine communication with EDGAR. The Commission plans initially to provide three APIs to allow filers to:

• Make both live and test submissions on EDGAR (“submission API”);
• Check the status of an EDGAR submission (“submission status API”); and
• Check EDGAR operational status (“EDGAR operational status API”).

Pursuant to proposed Rule 10(d)(3), to use the APIs, filers would be required to authorize at least two technical administrators.

Additionally, we plan to specify in the EDGAR Filer Manual that, to use the APIs, filers would be required to present filer API tokens and user API tokens to EDGAR that would be generated on the dashboard. The filer's technical administrators would be required to generate a filer API token to authenticate the filer. Further, the individual user or account administrator who submits the filing would be required to generate a user API token to authenticate herself as an authorized user or account administrator for the filer. We plan that filer and user API tokens would be confidential alphanumeric strings of text separately generated in the dashboard by a technical administrator and a user, respectively, and each would be valid for one year.^[82] Employing these tokens would allow automated server-to-server authentication without the need for manual individual account credential multi-factor authentication, thus addressing a significant concern raised by commenters in the 2021 Request for Comment.^[83]

In addition, as they would with other similar APIs, filers would need to create, license, or otherwise obtain software (a “filing application”) to interface with the APIs. Additional information regarding the APIs is available in the Overview of EDGAR Application Programming Interfaces (“Overview of EDGAR APIs”) located on the EDGAR Next page on SEC.gov.

The use of APIs would be optional. Filers that seek to file on EDGAR, check the status of a submission, or check EDGAR operational status would continue to be able to do so without using an API, as they currently do.

1. Submission API

The submission API would provide filers a new option to submit test and live filer-constructed EDGAR submissions through a machine-to-machine connection.^[84] Filers who do not wish to use the API to make filer-constructed submissions, and filers making other types of submissions, could file through the web-based EDGAR filing websites.^[85]

To use the optional submission API, filers would be required to comply with certain requirements. For filer API tokens, we plan that:

• A filer API token would be needed to identify the filer or filing agent accessing the API.
• Only the filer's authorized technical administrator could create filer API tokens.
• Filers could have multiple, valid filer API tokens (for example, to identify different subsidiaries or divisions within the filer) in use at the same time.
• A technical administrator would need to log into the dashboard and be authenticated with individual account credentials to create a filer API token.
• A technical administrator could terminate a filer API token on the dashboard at any time.
• A filer API token would remain valid for up to one year.
• While valid, a filer API token could be used to submit an unlimited number of filings.

For user API tokens, we plan that:

• Only a user, delegated user, or account administrator for the filer associated with the filer API token could be authorized as a user for the API.
• A user API token would be needed to identify the user associated with each submission.
• Users would have only one valid user API token at a given time.
• A user would log into the dashboard and be authenticated with individual account credentials to create a user API token.
• A user API token would remain valid for up to one year provided that the user associated with the token logged into the dashboard or one of the EDGAR filing websites at least every 30 days. If the user did not log in at least every 30 days, the user API token would be deactivated.
• A user could terminate its user API token on the dashboard at any time.
• While valid, a user API token could be used to submit an unlimited number of filings.

The Overview of EDGAR APIs lists certain technical standards for the submission API, as well as the expected inputs and outputs.

2. Submission Status API

Currently, EDGAR receives significant network traffic inquiring as to the status of EDGAR submissions. Many filers check EDGAR submission status immediately upon making a filing and again regularly until the submission is accepted and ultimately disseminated, or alternately suspended. This may result in significant network traffic for EDGAR and represent a tedious manual process for filers. Providing a submission status API would allow filers to use their filing application to simultaneously check the status of multiple submissions in a batch process, instead of manually logging into EDGAR and individually checking the status of each submission.

The Overview of EDGAR APIs lists certain technical standards for the submission status API, as well as the expected inputs and outputs. Among other things, the submission status API would require a valid filer API token; it would not require a user API token. The submission status API would indicate to the filing application whether each submission was submitted and accepted, but not yet publicly disseminated; ^[86] submitted and accepted, and publicly disseminated; or submitted and suspended. In turn, the filing application would display this information to the filer.

3. EDGAR Operational Status API

Many filers check EDGAR operational status continuously throughout the filing day. This may result in significant network traffic for EDGAR and constitute a tedious manual process for Start Printed Page 65539 filers. Providing an EDGAR operational status API would allow filers to use their filing application to check the operational status of EDGAR at any given time.

The Overview of EDGAR APIs lists certain technical standards for the EDGAR operational status API, as well as the expected inputs and outputs. Among other things, the EDGAR operational status API would require a valid filer API token to be submitted by the filing application; it would not require a user API token. The EDGAR operational status API would indicate to the filing application whether EDGAR was fully operational, unavailable (after business hours), or not fully operational in whatever regard at that point in time (for example, if EDGAR is not disseminating to SEC.gov). In turn, the filing application would display this information to the filer.

Requests for Comment

23. Should we add other EDGAR information that could be accessed through APIs, and, if so, why? Please rank in terms of priority any additional information that you would like to see added, and also estimate how much usage you believe that information API would receive (for example, in potential hits per day).

24. The Overview of EDGAR APIs lists certain technical standards for the planned APIs. Are there any considerations we should take into account when determining what technical standards should be used for the planned APIs?

E. Proposed Amendments to Rules and Forms

1. Rule 10 Under Regulation S–T

We propose to add new paragraph (d) to Rule 10 to implement the changes being contemplated as part of EDGAR Next. Proposed paragraphs (d)(1) through (4), are discussed in full above.^[87]

We further propose to add new paragraph (d)(5) to require that the filer, through its authorized account administrators, maintain accurate and current information on EDGAR concerning the filer's account, including but not limited to accurate corporate information and contact information, such as mailing and business addresses, email addresses, and telephone numbers. This would constitute an ongoing obligation for the filer to update its information on EDGAR as necessary. Similar to proposed paragraph (d)(4), proposed paragraph (d)(5) is analogous to the requirements currently set forth in the EDGAR Filer Manual, Volume I to securely maintain EDGAR access ^[88] and to maintain accurate company information on EDGAR.^[89] The proposed requirement in paragraph (d)(5) would allow Commission staff and the public to rely upon the accuracy of the filer's information contained in EDGAR.

Proposed paragraph (d)(6) would require the filer, through its authorized account administrators, to securely maintain information relevant to the ability to access the filer's EDGAR account, including access through any EDGAR API. This requirement is designed to ensure that information relevant to the ability to access the filer's account, such as individual account credentials and API tokens, is securely maintained and not publicly exposed or otherwise compromised. Similar to proposed paragraphs (d)(4) and (d)(5), proposed paragraph (d)(6) is analogous to the requirements currently set forth in the EDGAR Filer Manual, Volume I to securely maintain EDGAR access and to maintain accurate company information on EDGAR.

The Commission also proposes to amend Rule 10 to make certain technical and conforming changes. Rule 10(b) would be revised to refer to “each electronic filer” who would be required to submit Form ID before filing on EDGAR, instead of “each registrant, third party filer, or filing agent.” ^[90] This change is not intended to alter the scope of who would be subject to Rule 10(b), but instead clarifies that all new electronic filers would be required to submit Form ID for review and approval by Commission staff before they may file on EDGAR.

In addition, we propose to amend Rule 10(b)(2), which currently states that an authenticating document for Form ID must be signed by the applicant, to also state that the authenticating document may be signed by an authorized individual of the prospective filer.^[91] This change is intended to conform the language in Rule 10(b)(2) with the text of the EDGAR Filer Manual, which currently provides that the authenticating document shall be signed by an authorized individual, including a person with a power of attorney.^[92]

Finally, we propose to revise the note to Rule 10 that currently “strongly urges” potential applicants for EDGAR access to state that the Commission staff carefully reviews each Form ID application and filers should not assume that the Commission staff will automatically approve the Form ID. Therefore, filers should submit Form ID “well in advance” of their first required filing.^[93] We believe this makes clear that Commission staff requires time to review the Form ID. Due to the often high volume of Form ID applications for Commission staff review, potential applicants should allow sufficient time for the review process to be conducted in the event that staff is concurrently reviewing a high volume of applications.

Requests for Comment

25. Do the proposed amendments to Rule 10 described above appropriately implement the proposed technical and conforming changes? Should additional or fewer changes be made to Rule 10 and, if so, why? For example, should specific requirements be added to Rule 10 that place requirements directly upon users, delegated entities, and technical administrators, as opposed to placing requirements upon account administrators to manage users, delegated entities, and technical administrators? Why or why not? Are there any technical, conforming, or clarifying changes to Rule 10 that should be made, and if so, why?

2. Rule 11 Under Regulation S–T

We also propose to amend Rule 11 under Regulation S–T, “Definitions of terms used in this part,” to add and define new terms discussed in this proposing release and update the definitions of certain existing terms. The proposed amendments include terms and definitions specific to the proposed rule and form amendments that would change how individuals and entities access, file on, and manage EDGAR accounts.

Certain terms would define the new roles for individuals contemplated by EDGAR Next, as follows: Start Printed Page 65540

“Account administrator” would mean the individual that the filer authorizes to manage its EDGAR account and to make filings on EDGAR on the filer's behalf. The designation of an account administrator would help ensure that only authorized persons are able to file and take other actions on behalf of the filer.

“Authorized individual” would mean an individual with the authority to legally bind the entity or individual applying for access to EDGAR on Form ID, or an individual with a power of attorney from an individual with the authority to legally bind the applicant. The power of attorney document must clearly state that the individual receiving the power of attorney has general legal authority to bind the applicant or specific legal authority to bind the applicant for purposes of applying for access to EDGAR on Form ID.

“Delegated entity” would mean a filer that another filer authorizes on the dashboard to file on its behalf. As itself a filer, a delegated entity would be subject to all applicable rules for filing on EDGAR. Delegated entities would not be permitted to further delegate authority to file for the delegating filer, nor would they be permitted to take action on the delegating filer's dashboard.

“Filing agent” would mean any person or entity engaged in the business of making submissions on EDGAR on behalf of filers. As discussed above in Section III.C., to act as a delegated entity for a filer, a filing agent would be a filer with an EDGAR account.

“Single-member company” would describe a company that only has a single individual who acts as the sole equity holder, director, and officer (or, in the case of an entity without directors and officers, holds position(s) performing similar activities as a director and officer).

“Technical administrator” would mean an individual that the filer authorizes on the dashboard to manage the technical aspects of the filer's use of EDGAR APIs on the filer's behalf.

“User” would mean an individual that the filer authorizes on the dashboard to make submissions on EDGAR on the filer's behalf.

Other terms would identify new applications and upgrades to access and maintain filers' accounts on EDGAR, including:

“Application Programming Interface” (API) would be defined as a software interface that allows computers or applications to communicate with each other. As discussed in Section III. D., the relevant APIs would include those that give filers the option to automate submissions on EDGAR and to retrieve certain submission-related information.

“Dashboard” would mean an interactive function on EDGAR where filers manage their EDGAR accounts and where individuals that filers authorize may take relevant actions for filers' accounts.

“Individual account credentials” would mean credentials issued to individuals for purposes of EDGAR access, as specified in the EDGAR Filer Manual, and used by those individuals to access EDGAR. (As previously mentioned, we currently anticipate that the EDGAR Filer Manual would specify that individual account credentials must be obtained through Login.gov, a sign-in service of the United States Government that employs multi-factor authentication.)

Collectively, these terms would assist in implementing the proposed rule and form amendments by clarifying how the proposed requirements would apply.

The amendments would also update or delete outdated terminology from certain definitions in Rule 11, such as references to “telephone sessions” in the definition of “direct transmission.” ^[94] Although some filers may still use dial-up internet to access EDGAR, we expect that nearly all filers currently rely on broadband, cable, or other internet technologies.

Finally, we propose updating the definition of “EDGAR Filer Manual” to more clearly describe its contents. Rule 11 currently defines “EDGAR Filer Manual” as “. . . setting out the technical format requirements for an electronic submission.” The EDGAR Filer Manual has been updated over time, however, to include additional requirements for filers, including those pertaining to seeking EDGAR access, maintaining EDGAR company information, and submitting online filings. We therefore propose to update the EDGAR Filer Manual definition accordingly to indicate the inclusion of these procedural requirements. We believe that the amended definition, if adopted, would better inform filers of the scope of the EDGAR Filer Manual requirements.

Requests for Comment

26. Do the proposed amendments to Rule 11 appropriately define the necessary terms in EDGAR Next? If not, please explain. Are there any additional terms that should be defined and, if so, why?

27. As proposed, should we amend certain terms to update terminology or more clearly define existing definitions? Are there any proposed terms that are inconsistent with existing definitions or concepts or that otherwise should not be defined? Should any additional terms be revised to update outdated terminology or to clarify existing definitions? Please be specific.

3. Form ID

Form ID is an online fillable form that must be completed and submitted to the Commission by all individuals, companies, and other organizations who seek access to file electronically on EDGAR.^[95] Among other things, Form ID seeks information about the identity and contact information of the applicant. The proposed amendments to Form ID include proposed changes to information required to be reported on the form as well as technical changes.

As outlined above, the proposed amendments to Form ID would require an applicant for EDGAR access to undertake certain additional disclosure obligations, including most significantly:

(1) Designating on Form ID specific individuals the applicant authorizes to act as its account administrators to manage its EDGAR account on a dedicated dashboard on EDGAR. Applicants would generally be required to authorize two account administrators, although individuals and single-member companies would only be required to authorize one account administrator. If a prospective account administrator was not (1) the applicant (in the case of an individual applicant) or (2) an employee of the applicant or its affiliate (in the case of a company applicant), the applicant would also be required to disclose the prospective account administrator's employer and CIK, if any, and provide a notarized power of attorney to authorize the individual to manage the applicant's EDGAR account as an account administrator.

(2) The applicant's Legal Entity Identifier (“LEI”) number if any.

• The LEI is a unique identifier associated with a single corporate entity and is intended to provide a uniform international standard for identifying counterparties to a transaction.

• Although there are certain modest costs to obtain and maintain an LEI, fees Start Printed Page 65541 are not imposed on data users for usage of or access to LEIs, and all of the associated reference data needed to understand, process, and utilize the LEIs are widely and freely available and not subject to any usage restrictions.^[96]

• Applicants that have not yet obtained an LEI would not be required to obtain one.
• The inclusion of LEI information would facilitate the ability of Commission staff to link the identity of the applicant with information reported on other filings or sources that are currently or will be reported elsewhere, if LEIs become more widely used by regulators and the financial industry.

(3) Providing more specific contact information about the filer, and the filer's account administrator(s), authorized individual (the individual authorized to submit Form ID on the filer's behalf, as defined in the EDGAR Filer Manual), and billing contact (including mailing, business, and billing information, as applicable).

• More specific contact information would allow Commission staff to reach account administrators, authorized individuals, and billing contacts associated with the filer when necessary.

(4) Specifying whether the applicant, its authorized individual, person signing a power of attorney (if applicable), account administrator, or billing contact has been criminally convicted as a result of a Federal or State securities law violation, or civilly or administratively enjoined, barred, suspended, or banned in any capacity, as a result of a Federal or State securities law violation.

• Information about whether the applicant or certain individuals named on Form ID may be subject to relevant bars and prohibitions (including but not limited to officer and director bars, prohibitions from associating with brokers, dealers, investment advisers, and/or other securities entities, and bars from participation in certain industries) would allow Commission staff to determine whether such bars or prohibitions are relevant to the application for EDGAR access.
• Individuals disclosing the existence of a criminal conviction, or civil or administrative injunction, bar, suspension, or ban may be contacted by SEC staff to determine the applicant's eligibility for EDGAR access.

(5) Indicating whether the applicant, if a company, is in good standing with its state or country of incorporation.

• Good standing generally means a company is legally authorized to do business in the relevant state or country and has filed all required reports and paid all related fees to the relevant jurisdiction.
• Although the lack of good standing would not prevent a company from obtaining EDGAR access, this information could be relevant in determining whether it may be appropriate for the staff to review additional documentation as part of its assessment of the application.

(6) Requiring submission of a new Form ID if the applicant claims to have (i) lost electronic access to its existing CIK account or (ii) assumed legal control of a filer listed on an existing CIK account but did not receive EDGAR access from that filer.

• Currently, applicants seeking to obtain control of an existing EDGAR account are required to submit certain summary information but are not required to submit a full application on Form ID. To assist Commission staff in determining whether applicants seeking to obtain control of existing EDGAR accounts are legitimate, we propose to require such applicants to submit a new Form ID. To facilitate the application process, certain publicly available corporate and contact information (such as the filer's name, “doing business as” name, foreign name, mailing and business addresses, state/country of incorporation, and fiscal year end) would be automatically prepopulated from EDGAR so that applicants would not need to resubmit that information, although applicants could update that information on Form ID as necessary.^[97]

(7) Requiring those seeking access to an existing EDGAR account to upload to EDGAR the documents that establish the applicant's authority over the company or individual listed in EDGAR on the existing account.^[98]

In addition, we would make certain conforming, formatting, and ancillary changes to modernize Form ID without significantly altering current disclosure obligations. For example, a checkbox would be added to each address field for identification of non-U.S. locations, which would improve data analytics. As another example, company applicants would be required to provide their primary website address, if any, to provide staff additional contact and other information regarding the filer. Further, certain disclosure warnings that are currently listed in the EDGAR Filer Manual and the landing page of the EDGAR Filing website would be incorporated into Form ID to more clearly provide notice of those matters to filers.^[99]

Collectively, the proposed amendments would enhance the security of EDGAR by allowing Commission staff to obtain more information about the applicant and its contacts for staff to confirm the identity of the applicant and the individuals associated with the applicant, assess whether the application is properly authorized, and determine whether there are any other issues relevant to the application for EDGAR access for staff's consideration.

Requests for Comment

28. Should any of the proposed amendments to Form ID be revised or removed and, if so, why or why not? For example, should any limits or qualifiers be placed on the proposed disclosure requirement regarding whether the applicant, its authorized individual, person signing a power of attorney (if applicable), account administrator, or billing contact has been criminally convicted as a result of a Federal or State securities law violation, or civilly or administratively enjoined, barred, suspended, or banned as a result of a Federal or State securities law violation? If so, why? Should this requirement apply to each of the applicant, its authorized individual, person signing a power of attorney (if applicable), account administrator, and billing contact, or only to certain categories of the aforementioned groups? Please explain your answer. Likewise, should the proposed requirement regarding whether the applicant is in good standing be revised or removed and, if Start Printed Page 65542 so, why? For example, if applicable, should we also require an explanation of why the applicant is not in good standing? Why or why not?

29. Would the proposed amendments to Form ID appropriately support the EDGAR Next changes to filer access and account management? Why or why not? Should Form ID require any additional information, or should any of the information proposed to be required be revised or deleted? Please explain.

30. Should Form ID be revised to require or allow applicants to provide the reason they are applying for access? For example, if applicants have an urgent upcoming filing deadline, should applicants be required or permitted to provide that information?

F. Transition Process

We believe that, if the proposed rule and form amendments are adopted and the technical changes are implemented, it would be efficient for the Commission and for the approximately 220,000 active EDGAR filers—those who made a submission on EDGAR in the last two years—to accomplish the transition to EDGAR Next over a period of several months, as set forth below.^[100] We anticipate that mandatory enrollment would begin one month after adoption and remain open for six months thereafter (the “Enrollment Period”).

During the Enrollment Period, existing filers would continue to file on EDGAR using the EDGAR filing websites, as they presently do, by logging on with the relevant CIK and password. The individual account credentials would not yet be used, nor would use of the dashboard to manage the account be required.

Applicants that seek EDGAR access subsequent to the compliance date would be immediately subject to the EDGAR Next requirements, if adopted.

1. Individual Account Credentials

If the Commission adopts the proposed amendments, individuals could seek individual account credentials in the manner to be specified in the EDGAR Filer Manual in advance of the required Enrollment Period. As a result, when the Enrollment Period begins, filers could immediately enroll the individuals with individual account credentials. Further, if the Commission adopts the proposed amendments and implements the EDGAR Next changes, and requires Login.gov as the individual account credential provider, we anticipate that individuals with existing Login.gov accounts would be able to use those accounts as their individual account credentials for purposes of EDGAR access.

2. Enrollment

Existing filers would enroll on an enrollment page on the EDGAR Filer Management website without submitting a Form ID. We intend to provide two options: (a) manual enrollment of single EDGAR accounts on an account-by-account basis; and (b) enrollment of multiple accounts simultaneously.

a. Manual Enrollment for a Single EDGAR Account

As a preliminary matter, each existing filer would be required to authorize two individuals to manage the filer's EDGAR account as account administrators, with the exception of individuals and single-member companies, which would be required to authorize one account administrator. On behalf of each existing filer, one account administrator would enter their individual account credentials to log in to an enrollment page on EDGAR. The account administrator would manually enter the filer's CIK, CCC, and EDGAR passphrase^[101] to ensure that a properly authenticated individual is enrolling the filer. If EDGAR authenticated that data, the account administrator would enter account administrator names, business contact information, and the email addresses used to obtain individual account credentials. By entering that information, the filer would indicate its authorization of the listed individuals as the filer's account administrators, as well as the accuracy of the information provided.

Each EDGAR account would enroll once. If there was an attempt to enroll an EDGAR account that had already been enrolled, the subsequent attempted enrollment would be denied. An individual filer who makes filings with respect to multiple companies ( e.g., the CEO of one company who is also on the board of directors of other companies) may have more than one filing agent and/or representatives at such companies who have access to her CIK, CCC, and EDGAR passphrase. Accordingly, it would be advisable for any such filer to designate one filing agent or company representative to enroll her EDGAR account and to then communicate such enrollment to the other filing agent(s) and/or company representatives. Such other filing agent(s) and/or company representatives may then be added as an account administrator, user, or delegated entity through the dashboard.

After enrolling the filer, an account administrator could access the filer's dashboard. There, the account administrator, on behalf of the filer, would be able to add account administrators, users, and technical administrators, and delegate authority to file to other filers. Any individuals to be authorized on the filer's account would be required to possess individual account credentials.

b. Bulk Enrollment of Multiple EDGAR Accounts

We plan to permit the simultaneous bulk enrollment of multiple EDGAR accounts, together with those filers' account administrators. We expect that filing agents, as well as individuals and entities that control multiple EDGAR accounts, would find this an efficient and time-saving function.

An individual authorized to enroll the relevant filer accounts would log in to an enrollment page on EDGAR with their individual account credentials. There, the individual would complete and upload a spreadsheet in a format to be specified that could accommodate multiple rows of data. Each row would pertain to a single existing filer. The individual would enter data for each filer on each row, including CIK, CCC, and EDGAR passphrase to ensure that enrollment is being performed by a properly authenticated individual. In addition, the individual would enter on each row information regarding the filer's prospective account administrators, including names, business contact information, and email addresses associated with the individual account credentials of the account administrators, to indicate that the filer authorizes those account administrators to manage its EDGAR account. Under the bulk enrollment method, two account administrators would be required for each filer (including individuals and single-member companies), in part due to logistical difficulties associated with simultaneously validating the minimum number of account administrators for multiple filers, and in part because we Start Printed Page 65543 expect that bulk enrollment would be used by larger filers and filers using filing agents likely to have at least two account administrators. We intend to set a limit of 100 existing filers (100 rows) per bulk enrollment.

As discussed above, enrollment would only occur once per EDGAR account. Any additional changes that are needed to be made ( e.g., adding additional account administrators) would have to be performed by the account administrators who had been added during the enrollment process. After the filer was enrolled, the account administrators could access the dashboard to add additional account administrators, users, technical administrators, and delegated entities.

3. Compliance

We anticipate that the compliance period would start six months after the beginning of the Enrollment Period. In response to our 2021 Request for Comment, commenters requested a transition period ranging from 12 months to three years.^[102] We considered those comments, and we believe that the transition process we are contemplating should provide sufficient opportunity for existing filers to transition to EDGAR Next. The transition process would include an initial, separate period during which individual account credentials could be established, as well as a six-month Enrollment Period during which filers would access the dashboard, authorize individuals in relevant roles, and make any needed delegations. We further contemplate providing a bulk enrollment option to allow enrollment of multiple filers simultaneously.

If the rule and form changes are adopted, and the related technical changes are to be implemented, we plan to provide an EDGAR Next Adopting Beta environment to allow commenters to evaluate and test the EDGAR Next changes, to prepare necessary software, and to assist filers in preparing for the changes.

Existing EDGAR filers that fail to enroll by the compliance date would lose EDGAR access and would be required to reapply for EDGAR access on Form ID.

If the Commission adopts the proposed rule and form changes, we expect that staff would provide additional support for filers transitioning to EDGAR Next, such as by posting practical information and guidance on the EDGAR—Information for Filers ^[103] and EDGAR—How Do I ^[104] pages on SEC.gov, as well as providing a devoted help desk to assist filers.

Requests for Comment

31. Does the planned transition process adequately address the needs of filers and filing agents with regard to implementation of EDGAR Next? If not, what changes should be made to the transition process, and why?

32. How long would it take existing filers to transition to EDGAR Next? As planned, the Enrollment Period would begin one month after adoption of the proposed rule and form changes. Is this a sufficient amount of time for filers to prepare for enrollment and, if not, why? Is an Enrollment Period of six months sufficient for filers to enroll their EDGAR accounts via manual or bulk enrollment and, if not, why? Should existing filers transition their EDGAR accounts on a specific schedule during the Enrollment Period ( e.g., large filers must transition by date X, medium filers by date Y, etc.) or, as contemplated, should we allow filers to decide when to transition to EDGAR Next so long as they do so prior to the compliance date?

33. We plan to require CIK, CCC, and EDGAR passphrase in order for both individual and bulk enrollments to be accepted by EDGAR. Would alternate credentials be more appropriate and, if so, what credentials should be used? In particular, are passphrases typically maintained by filing agents and, if not, how burdensome would it be for filing agents to obtain and maintain their clients' passphrases? In situations where filers no longer know their passphrases or those passphrases are no longer recognized in EDGAR, how burdensome would it be for filers to obtain new passphrases?

34. Following enrollment, what notification, if any, should be provided to the existing EDGAR POC for the filer? Although filers are currently required to list a contact address, telephone number, and email address as part of their EDGAR contact information, we understand that many EDGAR filer accounts that were created before email addresses became mandatory never added an email address. Should we require acknowledgment or confirmation from the existing EDGAR POC to complete enrollment of an EDGAR filer account, or should completion of enrollment be delayed until a certain period of time has passed without objection from the existing EDGAR POC? If so, what should be the waiting period before enrollment could be completed, keeping in mind the interest of filers seeking to quickly transition to EDGAR Next?

35. Should we permit the bulk enrollment of multiple EDGAR accounts, as planned? Are there particular steps the Commission should take to minimize risks associated with enrollment? For example, should the CCCs of enrolled filers be automatically reset as a security precaution after enrollment is accepted? If the CCC is automatically reset, what notification, if any, should be provided to the existing EDGAR contact for the filer?

36. To what extent would bulk enrollment present logistical or other burdens for filers with multiple filing agents or unaffiliated third-party account administrators? For example, if the filer's CCC were automatically reset after bulk enrollment, to what extent could this cause confusion if the filer had multiple filing agents and some of them were inadvertently not included as account administrators in the bulk enrollment? Instead of the CCC being reset after enrollment, should the CCC be reset at the compliance date for each enrolled CIK?

37. Are there any extenuating circumstances that would justify filers being exempted from having to enroll by the compliance date, or that would allow non-complying existing filers to maintain their EDGAR access following the compliance date? If so, please explain.

G. General Request for Comment and EDGAR Next Proposing Beta

In conjunction with this proposing release, the Commission will make available an EDGAR Next Proposing Beta environment where filers may preview and test the planned EDGAR Next changes. The EDGAR Next Proposing Beta generally should allow filers to view how the proposed changes would be reflected in EDGAR. We currently anticipate that the EDGAR Next Proposing Beta will be available on or about September 18, 2023, and will remain available for at least six months thereafter. Any filer may sign up to access the EDGAR Next Beta. The Commission will provide more information regarding the EDGAR Next Start Printed Page 65544 Proposing Beta through an information page on SEC.gov.

We request and encourage any interested person to submit comments on any aspect of EDGAR Next, other matters that might have an impact on EDGAR Next, and suggestions for additional changes. Comments are of particular assistance if accompanied by analysis of the issues addressed in those comments and any data that may support the analysis. We urge commenters to be as specific as possible.

In particular, we request comment on the following issues.

38. Would the proposed rule and form changes facilitate the responsible management of EDGAR filer credentials? Are there additional changes that would encourage such responsible management? Would the changes create any undue burdens for filers? If so, how could the proposed rule and form changes be modified to ease such burdens? Are there any other concerns that the Commission should be aware of with implementation of EDGAR Next? Are there any conforming or parallel changes that the Commission should make to effectively implement EDGAR Next?

39. Are there alternatives to the dashboard that we should consider? For example, are there alternative methods that would enable filers to take the same actions as they would using the dashboard that would be easier to implement or more user friendly? If so, what are those alternatives? Please be specific.

40. In connection with the EDGAR Next changes, we intend to provide APIs as described above to make EDGAR submissions and to check EDGAR submission status and operational status. Are there alternatives that would better accomplish the objectives of secure, efficient, and automated machine-to-machine communication with EDGAR? If so, please describe.

41. Are there any issues specific to certain types of filers that should be considered with regard to the EDGAR Next changes? For example, asset-backed securities (“ABS”) issuers, usually the depositor in an ABS transaction, often create one or more serial companies each year, each of which is a separate legal entity with its own CIK, even though each generally has the same contact information as the ABS issuer. Should new serial companies have their account administrator information automatically copied from the ABS issuer's account administrator information, so those account administrators could access the dashboards for those serial companies? Likewise, should other information be automatically inherited by new serial companies from the ABS issuer, such as the ABS issuer's contact information, users, and technical administrators (if any)? If so, in order to ensure that the ABS issuer has account administrator information and other information that could be copied to the new serial company, would there be any issues associated with requiring ABS issuers to have transitioned to individual account credentials before the ABS issuer can create new serial companies? To what extent are these concerns already addressed by the delegation function, given that delegation would allow filers to delegate the authority to file to another EDGAR account?

42. Separately, should we allow the annual confirmations of administrators and users for an ABS issuer to also apply to the serial companies associated with that ABS issuer, if the same administrators, users, delegations, and corporate and contact information are associated with each serial company? Why or why not? If so, should we allow this more generally with regards to any situation where the same administrators, users, delegations, and corporate and contact information are associated with multiple CIKs? If some but not all of that information is identical for multiple CIKs ( e.g., each CIK has a different P.O. box or email address listed for its business address), should we allow a single confirmation to apply to each of those CIKs and, if so, what validation if any should we apply to ensure that an account administrator has properly reviewed the CIK's administrators, users, delegations, and corporate and contact information?

43. While ABS issuers have been able to create new CIKs, non-ABS related filers have attempted to use the process to create new CIKs without submitting a Form ID. Would ABS issuers be significantly impacted if the process were limited only to existing CIKs that have an EDGAR filing history that includes ABS-related filings (including but not limited to the following submission types and forms—ABS–EE, 10–K, ABS–15G, 10–D, SF–1, SF–3 and 424H)?

44. Recent filing experience has shown that ABS issuers have not been using the ability to create new ABS serial companies “on the fly” when filing a 424H submission.^[105] If, as a result of EDGAR Next, the EDGAR system no longer supported creating ABS “on the fly” via filing either a 424H or 424B submission, would that cause any problems for ABS issuers? ABS issuers would continue to be able to create new CIKs for serial companies via the “Request Asset-Backed Securities (ABS) Issuing Entities Creation” option in the EDGAR Filing website (known in EDGAR as an “ABSCOMP” submission).^[106]

45. Currently, EDGAR permits certain filings to be submitted on behalf of multiple filers, who are treated as co-registrants for purposes of the filing. Would filers face difficulties in delegating to co-registrants or authorizing individuals to act as users or account administrators for both the filer and the co-registrant(s)? To what extent, if any, should the EDGAR Next changes provide special consideration or treatment for EDGAR submissions by co-registrants? For example, should the dashboard allow filers to designate other filers as “co-registrants” similar to how filers would delegate other filers as delegated entities, except that filing authority would only exist with regards to co-registrant submissions ( e.g., the co-registrant could not submit a filing solely on behalf of the filer)? If so, to what extent should co-registrants be treated differently from delegated entities ( e.g., with regards to user groups, delegated admins, etc.)? Alternately, should a user or account administrator for a filer be able to submit a co-registrant filing jointly on behalf of the co-registrant by using the co-registrant's CIK and CCC (as is currently the case), without being a user or account administrator of the co-registrant? Why or why not? Please note that for purposes of EDGAR Next Proposing Beta, a filer will be able to submit a co-registrant filing by inputting the CCC and CIK of the co-registrant(s), as is currently the case.

46. Should the Commission consider other changes to EDGAR filer access and account management processes in the future? Why? Please be specific.

IV. Economic Analysis

The Commission is sensitive to the economic effects, including the costs and benefits, of its rules. The discussion below addresses the potential economic effects that may result from the rule and form amendments we are proposing in this release, and certain related technical changes, including the Start Printed Page 65545 benefits and costs to investors and other market participants as well as the broader implications of the EDGAR Next project for efficiency, competition, and capital formation.^[107]

A. Introduction

Individuals and entities submit filings electronically with the Commission through EDGAR in order to comply with various provisions of the Federal securities laws. Filings on EDGAR are not currently linked to a specific individual authorized by the filer. EDGAR access codes represent a complex combination of several codes with differing functions.^[108] This access method is not aligned with standard access processes and is hard to monitor and manage. The Commission is also aware that some filers may have failed to maintain secure access to their EDGAR accounts.^[109]

The changes contemplated by EDGAR Next would modernize the mechanism by which filers and designated individuals acting on filers' behalf obtain access to EDGAR, streamline the management of filers' accounts, and offer three optional APIs that would allow filers to interface with the EDGAR system. EDGAR Next would benefit both the Commission and filers by enabling the Commission to identify specific individuals making filings on behalf of filers and by simplifying procedures for accessing EDGAR in a way that allows filers to leverage the Commission's web function to reduce cost. Enhancing the security of EDGAR would better protect against unauthorized access to the EDGAR system thereby decreasing the likelihood of unauthorized filings impacting the market and potentially imposing economic and reputational costs on the public, the filer, and the Commission.

As discussed in greater detail in Section III above, EDGAR Next would:

• Offer a dashboard where filers would manage their EDGAR accounts and where individuals that filers authorize could take relevant actions for filers' accounts.
• Require each filer to authorize and maintain individuals as its account administrators to act on behalf of the filer to manage the filer's EDGAR account in accordance with the EDGAR account access and account management requirements set forth in this proposal and the EDGAR Filer Manual. Only those individuals who obtained individual account credentials could be authorized to act on the filer's behalf to manage its EDGAR account.
• Require each filer, through its authorized account administrators, to confirm annually that all account administrators, users, delegated entities, and technical administrators reflected on the dashboard for the filer's EDGAR account are authorized by the filer and that all information regarding the filer is accurate (generally including the filer's corporate and contact information).
• Require each filer, through its authorized account administrator(s), to maintain accurate and current information on EDGAR concerning the filer's account, and securely maintain information relevant to the ability to access the filer's EDGAR account.
• Allow individuals designated as account administrators to file on EDGAR on the filer's behalf and authorize other individuals as users to file.
• Allow filers to authorize delegated entities to file on their behalf. Delegated entities would be subject to the same requirements applicable to all filers.
• Offer optional APIs for machine-to-machine submissions and retrieval of related filing information. Require filers who opt to use the APIs to, through their account administrator(s), authorize at least two technical administrators to manage the technical aspects of the APIs.
• Amend Rules 10 and 11 under Regulation S–T and Form ID to codify the above requirements for filers, to add and define new terms as part of this proposal, and to capture additional information during the application for EDGAR access, respectively.

The discussion below addresses the potential economic effects of the EDGAR Next changes, including the likely benefits and costs, as well as the likely effects on efficiency, competition, and capital formation. At the outset, we note that, where possible, we have attempted to quantify the benefits, costs, and effects on efficiency, competition, and capital formation expected to result from the contemplated changes. In many cases, however, the Commission is unable to quantify certain economic effects because it lacks the information necessary to provide estimates or ranges. In those circumstances in which we do not have the requisite data to assess the impact of the EDGAR Next changes, we have analyzed their economic impact qualitatively.

B. Baseline

The current set of requirements to obtain access to and file on the Commission's EDGAR system, as well as the account management practices as they exist today, serve as the baseline from which we analyze the economic effects of the EDGAR Next changes. Filers are comprised of any individuals and entities that make a submission electronically through EDGAR. For example, directors and executives of many public companies have reporting obligations under section 16 of the Securities Exchange Act of 1934.^[110] Entities consist of public operating companies, investment companies, broker-dealers, transfer-agents, and other institutions who have filing obligations with the Commission. The parties directly affected by EDGAR Next are current and prospective filers as well as relevant individuals or entities acting on filers' behalf. In 2022, the Commission received approximately 79,457 Form ID submissions.^[111] From 2018 to 2022, an average of approximately 62,061 Form IDs were submitted per year to the Commission.^[112]

Individuals and entities who seek to file on EDGAR apply for access in accordance with Rule 10 of Regulation S–T by completing Form ID, the uniform application for access codes to file on EDGAR.^[113] Form ID currently Start Printed Page 65546 collects the applicant's contact information, along with the applicant's EDGAR POC. Upon approval, the filer receives a unique CIK, and the EDGAR POC generates access codes (including a password), using their CIK and passphrase from the Filer Management website, which allows the filer to make submissions on its EDGAR account. EDGAR filers are required to renew their EDGAR password annually. Currently, EDGAR system access has not incorporated multi-factor authentication to validate individuals accessing EDGAR and simplify password retrieval. Additionally, the Commission has no systematic way to determine with whom the filer has shared EDGAR access codes, or when the filer has revoked authorization. Filers are responsible for safeguarding their access codes and monitoring the number of individuals authorized to receive the codes.^[114] Certain filers and filing agents currently devise their own internal systems to track who possesses their EDGAR access codes. Because the Commission does not collect the personal information of the specific individual who makes the submission, nor does the Commission issue identifying credentials to individuals acting on behalf of filers when filings are submitted, the Commission is currently unable to match filings to specific individuals who made the filings. EDGAR receives a large volume of filings, typically more than 500,000 per calendar year, and has approximately 220,000 active filers, of which approximately 149,000 represent entities and approximately 71,000 represent individuals.^[115]

The majority of Commission filings are made by filing agents on behalf of their client filers.^[116] Certain filing agents and filers use proprietary custom software to interface with EDGAR to mimic a machine-to-machine submission process and eliminate the need for individual human web-based interaction with the EDGAR filing websites. To create this custom software, data are extracted from the EDGAR filing websites and the custom software is configured to mimic a web-based interaction. This model of interaction with EDGAR requires frequent maintenance, however, since whenever EDGAR filing websites change their content or structure, those changes impact the custom software. Although Commission staff does not provide technical or other support for custom software for interaction with EDGAR, staff seeks to minimize filing disruptions and strives to provide notice to filers prior to making website changes. As a result, however, technical changes ( e.g., maintenance, updates, etc.) to be implemented in EDGAR may be slowed by the fact that staff has to consider downstream custom software configurations.

C. Consideration of Benefits and Costs as Well as the Effects on Efficiency, Competition, and Capital Formation

1. Benefits

The EDGAR Next changes seek to enhance the security of EDGAR, improve filers' ability to securely manage and maintain access to their EDGAR accounts, facilitate the responsible management of filer credentials, and simplify procedures for accessing EDGAR. EDGAR Next aims to improve access by filers and enhance security by identifying individuals who submit filings on EDGAR. Improving access by filers and the security of EDGAR may increase the accuracy of submissions to the Commission and thereby the quality of the information available on EDGAR, thus also improving regulatory oversight. After an initial setup burden described below,^[117] these changes could potentially reduce the burden for reporting entities because modernizing the EDGAR filing regime could improve the accuracy and efficiency of filing preparation. Additionally, the improved accuracy and efficiency of the filings submitted to the Commission could reduce the costs associated with receiving and processing such submissions, in part by reducing the time, processing, and search costs, and accordingly aid the Commission's examination and oversight functions. An increase in the accuracy and quality of submissions would boost the efficiency of the Commission's document review, processing, and quality assurance. Further, the public would generally benefit from the implied increase in informational efficiency resulting from EDGAR Next changes as they use EDGAR filings for investment decisions.

EDGAR Next would impose new requirements on existing filers, relevant individuals acting on their behalf, and applicants for EDGAR access. These requirements are designed to enhance the security of EDGAR, and prevent the unauthorized access to information and systems by: (1) identifying and authenticating individuals accessing EDGAR; (2) requiring filers to authorize account administrators to manage their accounts; (3) providing an account management dashboard to simplify the management of EDGAR accounts and facilitate account administrators in their compliance; (4) requiring filers, through their account administrators, to annually confirm the individuals with roles on the filer's dashboard, and to maintain accurate and current information on EDGAR concerning the filer's account while securely maintaining information relevant to access the filer's EDGAR account; and (5) providing a machine-to-machine solution for filers to interface with EDGAR.

a. Individual Account Credentials

The amendments to Rule 10 would provide that filers may only authorize individuals on the dashboard if those individuals have obtained individual account credentials in a manner to be specified in the EDGAR Filer Manual. The Commission also anticipates requiring multi-factor authentication (which we anticipate would be performed through Login.gov ).^[118] We believe that by imposing the requirement to require individual account credentials for the individuals accessing the dashboards for all existing and prospective EDGAR filers, EDGAR Next would generally improve the security of the EDGAR system in three different ways. First, this requirement would eliminate the need for filers to share their EDGAR access codes with various individuals acting on behalf of the filer, reducing the likelihood of an unauthorized individual gaining access to the filer's account. For example, a personnel change or management reorganization at the filer could create a situation where previously authorized filing agents or former employees of the filer lose their privileges, but still possess the EDGAR access codes. The risk of unauthorized access is heightened when there is no internal method of tracking possession of EDGAR access codes. Second, individual account credentials provide a means of associating any given filing with the particular individual who submitted such filing. The ability to associate the relevant individuals to the filings they submitted would benefit the Commission and the filer in resolving issues with problematic filings. Third, individual account credentials would provide an additional layer of validation with the anticipated requirement of multi-factor authentication that would Start Printed Page 65547 require users to present a combination of two or more credentials for access verification, thereby strengthening identity verification and the security of access to EDGAR.^[119]

b. Account Administrators

The proposed amendments to Rule 10 also would require filers to authorize account administrators to act on the filers' behalf to manage their accounts. Currently, anyone who possesses a filer's access codes can make a filing on that filer's EDGAR account. If the codes are shared or left unprotected by the people who have them, they may be obtained by someone who could use them to make an unauthorized filing, and neither the filer nor Commission staff would be able to easily trace the unauthorized filing through EDGAR to the individual who made it. Under EDGAR Next, account administrators would improve the security of EDGAR because account administrators would oversee and monitor the filer's account. Account administrators would have the ability to authorize, remove authority, and track all individuals acting on the filer's behalf, thereby reducing the risk of unauthorized access to the filer's account. The account administrator's monitoring of the filer's account would allow for prevention and timely detection of potential harms resulting from unauthorized access. It is difficult to quantify the potential benefits to filers of these aspects of the proposed changes because they would depend, in part, on the security risks faced by filers and the effectiveness of their existing systems to protect against unauthorized use of EDGAR access codes.

Individual filers and filers who are single-member companies would be required, under proposed Rule 10(d)(2), to authorize and maintain at least one account administrator. The designation of account administrators would also help facilitate communication between filers and the Commission, thus reducing the risk of possible interruptions in filer EDGAR activities. Currently, filers designate a point of contact on their Form ID to enable communication with the Commission. Correspondence between the Commission and the EDGAR POC regarding the filers' account activities may be delayed in the event that the EDGAR POC is no longer associated with the filer, because the filer may not update their EDGAR POC information with the Commission. All filers who are not individuals or single-member companies would be required to authorize and maintain at least two account administrators. The minimum requirement of two account administrators would lower the likelihood of the previously mentioned scenario. In addition, though the current EDGAR POC receives the access codes on behalf of the filer, he is not necessarily authorized to act on behalf of the filer. Under EDGAR Next, the account administrator, on behalf of the filer, would oversee all other designated roles and would be responsible for the management of the filer's account.

c. Dashboard

Commission staff is also aware that certain filers and filing agents currently have internal systems that track which individuals possess their EDGAR access codes. The cost to these filers in transitioning to the dashboard would be the same as if they did not have an internal system. We can infer that the cost to these filers would be less on an ongoing basis if they use the dashboard instead of their current system due to the elimination of ongoing maintenance costs for their system. Moreover, the dashboard would offer the advantage of being a uniform system for all filers that additionally allows Commission staff visibility into individuals authorized to act for the filer. This additional qualitative benefit is not present for current filer internal tracking systems. Furthermore, filers without a system for tracking individuals in possession of EDGAR codes currently would be afforded a tool to do so through EDGAR, thereby facilitating compliance with their existing and proposed obligation to securely maintain access to their accounts.

As proposed, Rule 10(d)(6) essentially codifies the current requirement for a filer to securely maintain its EDGAR access codes. Under the proposal, filers, through their account administrators, would be required to securely maintain information relevant to the ability to access their EDGAR accounts. Access to the dashboard would require individual account credentials, completion of the anticipated requirement of multi-factor authentication steps, and authorization from account administrators. Because of these security features, individuals in designated roles on the dashboard could safely access the CCC code to file on behalf of the filers.^[120] This added security feature would eliminate the need to share the CCC codes with various individuals thus minimizing the risk of unauthorized access.

Additionally, the dashboard functionality of EDGAR Next would provide time and labor efficiencies in managing filers' EDGAR accounts, while facilitating compliance with the proposed rule requirements:

First, the dashboard would have a flexible user interface that would provide time and labor efficiencies to account administrators by facilitating the management of filers' EDGAR accounts, and compliance with the proposed changes. Through the dashboard's interface, an account administrator would have access to readily available information that would facilitate compliance with proposed Rule 10(d)(4), assist in tracking those authorized to file on EDGAR, and provide an opportunity for account administrators to confirm the accuracy of all information contained on the dashboard. Furthermore, through the dashboard's interface, account administrators could add an individual as a user, account administrator, or technical administrator for an EDGAR account on the dashboard. Additionally, using API tokens as a method of authentication would eliminate the need for manual individual account credential multi-factor authentication. This would decrease the time required to submit filings, facilitate the ability to pre-schedule and perform bulk filings, and reduce the potential for error due to manual processing and the risk of missing deadlines. Moreover, through the dashboard's interface, account administrators could generate a CCC for newly issued CIKs. The CCC would be securely saved in the dashboard visible to all authorized account administrators and users. The CCC would remain as the code required for filing in the account.

Second, the dashboard would provide additional time and labor efficiencies through the user groups feature. This functionality would particularly benefit delegated entities in managing multiple users and multiple filers' delegations of authority. EDGAR Next would allow up to 500 users per filer, and delegated users would be able to make submissions on behalf of the delegating filer. Assigning multiple users on an individual basis to a given filer would be time consuming and labor intensive, which would be detrimental to filers when they may need to make time-sensitive filings. The user group feature would streamline that process and allow delegated entities to assign multiple users to a specific filer at once. The dashboard would harness the benefits of technology and modernize the EDGAR access and management functions while providing filers the flexibility to adapt to changes rapidly, which is significant particularly in scenarios that could negatively impact filing times. Start Printed Page 65548

The institution of the user role would particularly benefit large filers or filing agents submitting multiple forms, for multiple entities. Allowing up to 500 users per filer would increase the likelihood of filling success for large filers and filing agents by providing these entities flexibility in assigning multiple users to various user-groups. Users would be able to remove themselves as a user for a given filer, thereby facilitating the maintenance of updated dashboard information that would benefit all affected parties.

d. Proposed Rules 10(d)(4), (d)(5), and (d)(6)

The proposed Rules 10(d)(4), (d)(5), and (d)(6) would require the filer, through its authorized account administrators: to annually confirm that all individuals reflected on the dashboard for the filer's EDGAR account are authorized by the filer and that all information regarding the filer on the dashboard is accurate; to maintain accurate and current information about the filer on EDGAR; and to securely maintain information relevant to the ability to access the filer's EDGAR account. It would assist the filer in tracking and confirming those individuals and delegated entities authorized to act on behalf of the filer, and to remove those no longer authorized. Confirming the accuracy of individuals authorized to act on behalf of filers while ensuring the safeguard of account access related information would enhance the security of EDGAR by reducing the risk of unauthorized access therefore reducing the likelihood of unauthorized filings. The Commission preliminarily believes that to the extent that the risk of unauthorized access is reduced, taking measures that may prevent unauthorized filings is inherently more efficient than remediating the consequences of such events after it occurred.

Additionally, failure to perform the annual confirmation of the information on the dashboard would result in the deactivation of the filer's access and the removal of individuals from the filer's account upon deactivation. Failure to perform annual confirmation could signal that the account has been abandoned. Deactivation would further benefit filers and all individuals associated with the filer's account by protecting their information listed on the dashboard. Proposed Rule 10(d)(5) is analogous to the current requirements to securely maintain EDGAR access and to maintain accurate company information on EDGAR.^[121] Ensuring the accuracy of filer's relevant information contained in EDGAR would increase the reliability of such available information and thus would enhance the Commission's oversight capabilities, which benefits both the Commissions and the public. Furthermore, accurate and reliable EDGAR information would benefit the filer by facilitating a timelier remediation of problematic filings.

e. Optional APIs

In connection with the EDGAR Next changes, the Commission would provide optional APIs that would permit filers to interface on a machine-to-machine basis with the EDGAR platform. These APIs would benefit filers and the Commission by automating filers' connection to EDGAR for submission and retrieval of certain filing-related data and by reducing network traffic to the Commission. The Commission would offer three APIs: a submission API, a submission status API, and an operational status API.

With respect to the process for submissions, the submission API would benefit filers by allowing for more secure submissions since prior to using the APIs, the filer's technical administrator would be required to generate a filer API token to authenticate the filer, and the user would be required to generate a user API token to authenticate the user. The API tokens would be confidential and generated through the dashboard. The above requirements would provide additional assurance that the user is indeed authorized to submit the relevant filing.

The APIs would further streamline the submission and retrieval process since the use of APIs and user tokens would allow automated server-to-server authentication without the need for manual login and multi-factor authentication. As mentioned before, many filing agents' software use web scraping to retrieve information from EDGAR for filing purposes and to make submissions. Though widely used, scraping depends on the underlying structure of the external web page being scraped. Thus, any minor changes to the underlying structure of the EDGAR websites could impact the filers' software. The APIs would provide a more reliable way for filers to interact with EDGAR since future changes to EDGAR would likely not impact filers' software.

Further, the submission status API would allow filers to assess information regarding submission status via machine-to-machine communication. The submission status API would allow filers and filing agents to use their filing application to simultaneously check the status of multiple EDGAR submissions in a batch process as opposed to individually checking the submission status of each submission after manually logging into EDGAR. The submission status API would increase the likelihood that the Commission receives submissions promptly by limiting the risk of a failed submission through early communication with the filers or their authorized representatives, benefiting the Commission, filers and filing agents. An increase in the certainty and timeliness of submission boosts the overall information quality of the EDGAR system.

By opting to use the APIs, filers would further benefit by using direct machine-to-machine connections that would be approved and maintained by the Commission (as opposed to current third-party custom applications). As described in Sections III.D.2 and 3, filers and filing agents, as well as those using third-party custom applications continuously interact with the EDGAR system inquiring as to the status of submissions, or the operating status of EDGAR. Such inquiries into EDGAR create significant network traffic. For example, this network traffic could be more severe in the case of a large filing agent checking the status of multiple submissions. Instead of manually logging into EDGAR and individually checking the status of each submission, the submission status and operational status APIs would benefit the Commission and filers by allowing filers to simultaneously check the status of multiple submissions in a batch process as opposed to checking the status of each submission individually, thereby reducing network traffic created when filers are repeatedly requesting the status of their submissions, or the operational status of EDGAR.

Additionally, a filer who opts to use APIs would be required to authorize at least two technical administrators, and would be allowed a maximum of ten technical administrators to facilitate communication with the Commission on API-related technical issues. This would reduce the chance that filers' API access would be interrupted for any unforeseen technical issues.

2. Costs

We believe that the costs associated with EDGAR Next would primarily result from compliance costs borne by filers as described in the Paperwork Reduction Act (“PRA”) analysis below, associated costs to comply with new Start Printed Page 65549 Rule 10 requirements, and the one-time burden for filers to adjust their internal filing application software to interface with the APIs.^[122] While filers are not currently subject to analogous specific requirements regarding access, they are nevertheless subject to the same general requirements regarding securely maintaining EDGAR access codes and limiting the number of persons who possess the codes.

The proposed additional disclosure requirements for Form ID would entail certain incremental compliance costs.^[123] For example, filers are already subject to the disclosure requirements of Form ID and under EDGAR Next we estimate for purposes of the PRA that Form ID's burden hours would increase by 0.3 burden hours.^[124] Collectively, we estimate the burden to all filers to comply with the proposed amendments to Form ID would be 47,674 hours per year.^[125] Filers would also incur labor costs associated with authorizing account administrators, along with fees associated with authorized individuals granting powers of attorney to designated individuals and delegated entities if those individuals being designated as account administrators are not employees of the filer. However, such costs would be mitigated by the six-month enrollment period of EDGAR Next, which would allow existing and prospective filers to enroll their account administrators without submitting a Form ID. Other costs that could arise from the proposal would stem from a filer's failure to perform, through its authorized account administrator, the required annual confirmation pursuant to proposed Rule 10(d)(4). Failure to perform the annual confirmation of the information on the dashboard would result in the deactivation of the filer's access, and the removal of individuals associated with the filer's account upon deactivation.^[126] Filers would incur an additional burden of submitting a new Form ID application to regain access to file on EDGAR, and re-issuing invitations to any technical administrators, users, and technical administrators associated with their account prior to deactivation. However, these costs would potentially be mitigated by EDGAR's multiple notices of the impending confirmation deadline to account administrators on the dashboard and by email.^[127]

The Commission would further ease the transition for filers by allowing relevant individuals of the filer to submit bulk enrollment of up to 100 filers and their account administrators. This would particularly benefit large filing agents enrolling multiple accounts by saving time and labor costs. The dashboard would require filers to incur costs to set up their accounts, as set forth in the PRA, and would require some period of time to maintain accurate and current information on EDGAR, confirm annually on EDGAR that all users, account administrators, technical administrators, and/or delegated entities reflected on the dashboard for the filer's EDGAR account are authorized by the filer, and that the filer's information on the dashboard is accurate, and securely maintain relevant account access information, largely depending on the number of users the filer authorizes and the amount of turnover of relevant personnel.^[128] We recognize that due to these factors, the burden incurred would vary across filers. Filers with a large number of users and significant turnover would likely spend a greater amount of time managing their dashboard accounts. And filers with few users and little turnover would likely have infrequent need to manage individuals on the dashboard. Similarly, larger filers managing multiple CIKs would spend more time performing their required annual confirmation, and thus would incur a higher associated compliance cost associated. For purposes of the PRA, we estimate that, on average, each filer would incur one burden hour per year managing their account in the dashboard.^[129]

Collectively, we estimate the burden to all filers to comply with the proposed new dashboard requirements would be 220,000 hours per year.^[130] However, such burden would be mitigated by active notifications and other efficiencies provided by the dashboard as an account management tool.

Filers or filing agents who choose to use the optional APIs would incur a one-time cost to adjust their internal software systems to the new EDGAR APIs. Given that the APIs are optional, filers would presumably incur this cost to the extent that the benefits of using the APIs are expected to exceed the cost of doing so. Further, for filers who substitute the optional APIs for custom filing software, the cost of adjusting internal software systems to use the new EDGAR APIs would be mitigated by the elimination of current ongoing maintenance costs associated with adjusting their custom software each time EDGAR undergoes changes. The costs of developing software to use the APIs would not apply to filers who do not generally utilize custom filing software, as these filers could continue using the EDGAR websites to submit their filings. We have observed that small filers typically do not utilize custom filing software and we expect they will generally not incur these costs. Furthermore, the Commission would make available an EDGAR Next Beta to facilitate a smooth transition process for all affected parties.

We further estimate the direct costs to filers or filing agents associated with the proposed optional API requirements, including time and personnel costs to build a filing application integrated with all functions to successfully connect to the EDGAR APIs. Depending on their existing software, complexity of their application and individual business models, among other factors, these expenses are likely to vary across filers. Based on Commission experience from developing EDGAR Next the total estimated cost per filer for filing applications to connect to an EDGAR API by an external programmer analyst would range from $31,104 ^[131] for filers with a preexisting filing application to $38,880 assuming the filers do not have a preexisting filing application.^[132] The total estimated burden hours for filers developing their application internally Start Printed Page 65550 would range between 96 burden hours ^[133] and 120 burden hours.^[134]

Filers who choose to use the APIs would also incur the additional cost of authorizing two technical administrators to manage the technical aspects of the APIs. We do not expect that filers would need to hire new employees to fill the technical administrator role since the primary responsibilities for the technical administrator are to generate the filer API token on an annual basis and securely store it within a filer's application. For purposes of the PRA, we estimate that filers would incur a burden of one hour per year per CIK with respect to the technical administrators' responsibilities, depending on security standards imposed by the filer or filing agent.^[135]

3. Effects on Efficiency, Competition, and Capital Formation

EDGAR Next would increase the efficiency of filings and filing preparation by improving the accuracy of submissions and improving regulatory oversight into filings. The Commission preliminarily believes that enhancements to EDGAR security from the proposed EDGAR Next changes may improve efficiency by minimizing the risk of unauthorized access thus reducing the likelihood of unauthorized filings. Facilitating access and improving the tracking mechanism of who files on EDGAR would increase public confidence in the large amount of information submitted through EDGAR. Moreover, an increase in the accuracy and timeliness of processing submissions would boost the efficiency of the Commission's document review, processing, and quality assurance.

Enhancing the security of EDGAR would better protect against unauthorized access to the EDGAR system, thereby reducing the possibility of unauthorized filings that could have a distorting impact on the market. Strengthening filing security could marginally increase investor confidence and promote effective and well-functioning capital markets. The public would generally benefit from the implied increase in informational efficiency resulting from the improved accuracy and timeliness of processing submissions, as they use EDGAR filings for investment decisions. Overall, however, we do not expect the EDGAR Next changes to have a significant effect on capital formation because the contemplated security enhancements would not necessarily change market price fundamentals.

As discussed above, because the EDGAR Next changes would potentially increase the compliance requirements for filers, they could result in an increased demand for delegated entities to the extent that delegated entities find it profitable. This might increase competition among delegated entities, resulting in lower fees for filers with delegated entities. We cannot assess the relative likelihood of the above competitive effects among delegated entities because we are unable to estimate how many filers would choose to use delegated entities as a result of the proposal.

D. Reasonable Alternatives

1. Require Personally Identifiable Information in Addition to Individual Account Credentials

The proposed amendments would require all filers and relevant individuals acting on filers' behalf to obtain their individual account credentials prior to being authorized for any EDGAR Next role. Alternatively, the Commission could require that U.S.-based individuals provide certain personally identifiable information (“PII”) in addition to individual account credentials. Compared to the proposed amendments, while requiring PII from U.S.-based individuals and companies may result in a higher identity assurance level for U.S.-based persons, it would not achieve the same benefit for foreign individuals. Foreign individuals use different forms of PII, including different identifying documents, which makes it inherently difficult for a single vendor (database) to reliably identify everyone in the world. Additionally, the costs to the Commission of acquiring and safeguarding PII would exceed the benefits of doing so. Thus, this alternative would represent an extra burden to U.S.-based filers and individuals acting on their behalf, as well as the Commission.

2. Requirements for Individual and Small Filers

EDGAR Next would apply to all prospective and existing filers regardless of size. As an alternative, the Commission could simplify compliance requirements designed to address resource constraints of small entities. For example, the Commission could consider exempting small filers from proposed Rule 10(d)(4) that would require filers, through their authorized account administrators, to confirm annually that all account administrators, users, and delegated entities, and technical administrators reflected on the dashboard for the filer's EDGAR account are authorized by the filer and that all information regarding the filer on the dashboard is accurate. Further, the Commission could exempt small filers from proposed Rule 10(d)(1), and instead allow small filers to independently develop practices and recordkeeping to track individuals acting on their behalf and safeguard their account access codes. To the extent that simplifying these requirements could reduce regulatory burden on small filers, while affording small filers greater discretion into how they manage their accounts and securely maintain their EDGAR access codes, exempting a particular group of users would hinder the Commission's effort of establishing uniform requirements for all filers and individuals acting on their behalf.

For instance, because EDGAR Next would eliminate the use of the several passcodes and eliminate the present requirement to change the EDGAR password annually, exempting small filers from proposed Rule 10(d)(4) would generally lessen the security of their filing regime. Moreover, the Commission believes that any costs savings associated with exempting small filers from parts of EDGAR Next would likely be minimal. Small filers would still incur a cost of implementing their own practices and recordkeeping which might be higher than the cost of complying with the EDGAR Next changes and would impose a burden on small filers due to their limited resources and less established history of implementing such practices and recordkeeping. The EDGAR Next changes are designed to enhance the EDGAR filing regime, including, among other things, strengthening access to filers' EDGAR accounts by establishing a uniform method for authorizing, identifying, and tracking all individuals authorized to act on each filer's behalf. Additionally, a benefit of EDGAR Next is the elimination of password sharing. Exempting small filers from obtaining individual account credentials would not achieve that objective and therefore Start Printed Page 65551 would not generally improve the security of EDGAR.

3. Implementing Performance-Based Standards

The EDGAR Next proposal mandates the performance of certain prescribed requirements to enhance the security of EDGAR's filing regime. We could consider an alternative with a more performance-based approach that would not spell out the precise actions filers need to take in order to improve the security of their EDGAR accounts, but instead only state that filers should have in place practices and recordkeeping that would allow the Commission to more easily identify anyone who makes a submission on the filer's behalf, and ensure that only individuals authorized by the filer are privy to the filer's access codes. For example, filers might opt to authorize only one account administrator rather than authorize and maintain two such individuals, or filers might determine that they do not need the additional security provided by multi-factor authentication for designated individuals to be authorized to act on their behalf on the dashboard.

The benefits of such an approach would be that filers would have more flexibility in what their practices and recordkeeping cover. Such an approach would provide the benefit of reducing the regulatory burden for certain filers by permitting them to tailor their EDGAR access compliance requirements to fit their own particular circumstances, and would provide filers greater discretion into how they manage their EDGAR accounts and safeguard their account access codes. To the extent that this approach provides more flexibility to certain filers, this alternative could also increase compliance cost to the detriment of some filers who may incur higher cost to set up practices and recordkeeping arrangements to manage their account and safeguard their access codes. Furthermore, this approach would diminish the intended benefits of the EDGAR Next changes. Filers who bypass the individual account credential requirements would make it difficult for the Commission to match specific filings to the relevant individual who made the submissions, while authorizing only one account administrator would probably not reduce the likelihood of managing EDGAR accounts without interruptions.

Overall, a performance-based approach would create inconsistencies in improving the overall security of EDGAR, facilitating the responsible management of EDGAR filer credentials, and simplifying procedures for accessing EDGAR. In addition, any cost savings associated with a performance-based approach would likely be minimal because filers would still incur the cost of compliance. In sum, this alternative would limit the magnitude of the benefits for filers that would result from the contemplated EDGAR Next changes.

4. Institute Phased Compliance Dates by Filer Category or Form Type

The proposed amendments would have a single compliance date. As an alternative, we could employ phased compliance dates to either accelerate or postpone compliance for particular filers. Phased compliance would particularly benefit smaller filers by affording them a longer time period to come into compliance with EDGAR Next, while further facilitating compliance with other contemporaneous rules with similar or earlier compliance deadlines. To the extent that a phased compliance would provide filers with more time to comply with EDGAR Next changes, compared to the proposed compliance timeline, postponing compliance would delay the benefits provided by the proposed changes, while accelerating compliance might result in additional transition challenges for these filers.

E. Requests for Comment

55. The Commission requests comment on all aspects of the economic effects of the EDGAR Next changes, including any anticipated impacts that are not mentioned here. We are particularly interested in quantitative estimates of the benefits and costs, in general or for particular types of affected parties, including smaller entities. We also request comment on reasonable alternatives to the EDGAR Next changes and on any effect the changes may have on efficiency, competition, and capital formation.

56. Do you agree with the estimated benefits that EDGAR Next would provide to filers? If not, why?

57. Do you agree with the estimated costs associated with the EDGAR Next changes? If not, why? Please provide your views on the burden of complying with the EDGAR Next changes relative to our estimates. In particular, would filers and filing agents switch to using the optional APIs contemplated as part of EDGAR Next? If not, why?

58. Are there any filers for whom the compliance costs associated with EDGAR Next would not be justified by the benefits such that exempting those entities would be advisable? If so, which filers should the Commission exempt, and why?

59. Does the contemplated compliance timeline provide filers sufficient time to transition to EDGAR Next? If not, what would be the additional cost incurred in order to meet the contemplated compliance timeline?

60. Would EDGAR Next require any existing filers with delegated authority to file on behalf of a related person or entity to materially change the way they operate? If so, in what ways? What would be the cost associated with such change? For instance, many companies may file on behalf of their section 16 directors and officers, and some investment companies may also make filings on behalf of other funds within their fund family.

61. Prospective filers could designate as account administrators (i) individuals employed at the filer or an affiliate of the filer (in the case of company applicants) or themselves (in the case of individual applicants), as well as (ii) any other individual, provided the filer submitted a notarized power of attorney authorizing such other individual to be its account administrator. Are filers likely to designate individuals other than themselves or their employees or employees of their affiliates? What would be the costs associated with this determination?

The Commission also requests comment and supporting empirical data on the burden and cost estimates for the proposed rule, including the costs that filers and potential filers may incur.

V. Paperwork Reduction Act

Certain provisions of the proposed amendments contain “collection of information” requirements within the meaning of the Paperwork Reduction Act of 1995 (“PRA”).^[136] We are submitting the proposed collections of information to the Office of Management and Budget (“OMB”) for review in accordance with the PRA.^[137] An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. Compliance with the information collection is mandatory. Responses to the information collection are not kept confidential, and there is no mandatory retention period for the information disclosed. The title for the existing collection of information that we are proposing to amend is “Form ID—EDGAR Password” (OMB Control No. 3235–0328). Our proposal also includes a new collection of information titled “the dashboard.” The amendments to Form ID and the Start Printed Page 65552 implementation of the dashboard are designed to harness the benefits of improved technology and to modernize the EDGAR access and management functions. A detailed description of the proposed amendments, including the amendments to Form ID and the implementation of the dashboard, including the need for the information and its proposed use, as well as a description of the likely respondents, can be found in Section III above, and a discussion of the expected economic impact of the proposed amendments can be found in Section IV above. We discuss below the collection of information burdens associated with each initiative.

A. Form ID

Form ID must be completed online and submitted to the Commission by all individuals, companies, and other organizations who seek access to file electronically on EDGAR.

As outlined above, the amendments to Form ID would require an applicant for EDGAR access to undertake certain additional disclosure obligations, including most significantly: (1) designating on Form ID specific individuals the applicant authorizes to act as its account administrator(s) to manage its EDGAR account on a dashboard on EDGAR; (2) indicating the applicant's LEI, if any; (3) providing more specific contact information about the filer, its account administrators, its authorized individual (individual authorized to submit Form ID on the filer's behalf), and its billing contact (including mailing, business, and billing information, as applicable); (4) specifying whether the applicant, its authorized individual, person signing a power of attorney (if applicable), account administrator, or billing contact has been criminally convicted as a result of a Federal or State securities law violation, or civilly or administratively enjoined, barred, suspended, or banned in any capacity, as a result of a Federal or State securities law violation; (5) indicating whether the applicant, if a company, is in good standing with its state or country of incorporation; (6) requiring submission of a new Form ID if the applicant claims to have (i) lost electronic access to its existing CIK account or (ii) assumed legal control of a filer listed on an existing CIK account but did not receive EDGAR access from that filer; and (7) requiring those seeking access to an existing EDGAR account to upload to EDGAR the documents that establish the applicant's authority over the company or individual listed in EDGAR on the existing account. The proposed amendments would also simplify filer account management by eliminating the EDGAR password, PMAC, and passphrase.

For purposes of the Paperwork Reduction Act, the currently approved burden includes an estimate of 57,329 Form ID filings annually and further estimates approximately 0.30 hours per response to prepare and file Form ID, for a total of 17,199 annual burden hours. Those estimates include the number of Form ID filings for filers without CIKs (48,089 filings), filers with CIKs who are seeking to regain access to EDGAR (8,836 filings), and filers with CIKs who have not filed electronically on EDGAR (404 filings).^[138] Filers are responsible for 100% of the total burden hours.

There were 79,457 Form ID filings in calendar year 2022. The estimate includes the number of filers without CIKs, filers with CIKs who have not filed electronically on EDGAR, and filers with CIKs who are seeking to regain access EDGAR.^[139] If the proposed access changes and proposed Form ID amendments are implemented, for purposes of the Paperwork Reduction Act, we estimate that the number of Form ID filings would remain the same and that the number of hours to prepare Form ID would increase by 0.30 hours.^[140]

Thus, for purposes of the Paperwork Reduction Act, the estimated total number of annual Form ID filings would increase from 57,329 filings to 79,457 filings. The estimate of 0.30 hours per response would increase to 0.60 hours per response. The estimated total annual burden would increase from 17,199 hours to 47,674 hours.^[141] The estimate that the filers are responsible for 100% of the total burden hours would stay the same.

B. The Dashboard

To file on EDGAR, each filer must also comply with certain account access and management requirements by taking actions on the dashboard. As outlined above, each filer must authorize individuals to act on its behalf on the dashboard, and those individuals must have obtained individual account credentials for EDGAR in the manner specified in the EDGAR Filer Manual. Moreover, each filer, through their account administrators, is required to: (i) authorize and maintain at least two individuals as authorized account administrators to act on the filer's behalf to manage the filer's EDGAR account, except a filer who is an individual or single-member company must authorize and maintain at least one individual as an account administrator; (ii) confirm annually on EDGAR that all users, account administrators, technical administrators, and/or delegated entities reflected on the dashboard for the filer's EDGAR account are authorized by the filer, and that the filer's information on the dashboard is accurate; (iii) maintain accurate and current information on EDGAR concerning the filer's account, including but not limited to accurate corporate information and contact information (such as mailing and business addresses, email addresses, and telephone numbers); (iv) securely maintain information relevant to the ability to access the filer's EDGAR account, including but not limited to access through any EDGAR API; and (v) Start Printed Page 65553 if the filer chooses to use an EDGAR API, authorize at least two technical administrators to act on the filer's behalf to manage technical matters related to the filer's use of an API.

Through the dashboard, account administrators could: (i) add and remove users, account administrators, and technical administrators (including removing themselves as an account administrator); (ii) create and edit groups of users; (iii) delegate filing authority to third parties with EDGAR accounts and remove such delegations; and (iv) generate a new CCC.

For purposes of the PRA, we estimate that each filer would spend approximately one hour setting up the dashboard, and approximately one hour per annum managing the filer's account on the dashboard. This burden would vary across filers depending on the size of the filer, the number of users, account administrators, technical administrators, and delegated entities authorized by the filer, as well as the amount of annual staff turnover for those individuals and entities, among other factors. For a small number of filers, the annual burden could significantly exceed our estimate ( e.g., filing agents who may have a large number of authorized individuals, as well as multiple accepted delegations and user groups for which delegated users would need to be maintained). On the other hand, for the vast majority of filers, the annual burden would presumably be less than our estimate because we expect most filers to have a small number of authorized individuals and experience little or no annual turnover with regard to those individuals.^[142] Consequently, the anticipated total annual burden attributed to the dashboard would be approximately 220,000 burden hours.^[143]

C. Request for Comment

We request comment on whether our estimates for burden hours and any external costs as described above are reasonable. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comments in order to: (i) evaluate whether the proposed collections of information are necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (ii) evaluate the accuracy of the Commission's estimate of the burden of the proposed collections of information; (iii) determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; (iv) determine whether there are ways to minimize the burden of the collections of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology; and (v) evaluate whether the proposed amendments would have any effects on any other collection of information not previously identified in this section.

Any member of the public may direct to us any comments concerning the accuracy of these burden estimates and any suggestions for reducing these burdens. Persons wishing to submit comments on the collection of information requirements of the proposed amendments should direct them to the Office of Management and Budget, Attention Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Washington, DC 20503, and should send a copy to Vanessa Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090, with reference to File No. S7–15–23. OMB is required to make a decision concerning the collections of information between 30 and 60 days after publication of this release; therefore, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days after publication of this release. Requests for materials submitted to OMB by the Commission with regard to these collections of information should be in writing, refer to File No. S7–15–23, and be submitted to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549–2736.

VI. Small Business Regulatory Enforcement Act

For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996 (“SBREFA”),^[144] the Commission must advise OMB whether a proposed regulation constitutes a “major” rule. Under SBREFA, a rule is considered “major” where, if adopted, it results in or is likely to result in:

• An annual effect on the U.S. economy of $100 million or more (either in the form of an increase or decrease);
• A major increase in costs or prices for consumers or individual industries; or
• Significant adverse effects on competition, investment, or innovation.

We request comment on whether the proposed amendments would be a “major rule” for purposes of SBREFA. We solicit comment and empirical data on:

• The potential effect of the proposed amendments on the U.S. economy on an annual basis;
• Any potential increase in costs or prices for consumers or individual industries; and
• Any potential effect on competition, investment, or innovation.

Commenters are requested to provide empirical data and other factual support for their views to the extent possible.

VII. Initial Regulatory Flexibility Analysis

The Regulatory Flexibility Act (“RFA”) ^[145] requires an agency, when issuing a rulemaking proposal, to prepare and make available for public comment an Initial Regulatory Flexibility Analysis (“IFRA”) that describes the impact of the proposed rule on small entities.^[146] This IFRA has Start Printed Page 65554 been prepared in accordance with the RFA and relates to the proposed amendments to Rules 10 and 11 of Regulation S–T and Form ID described in Section III.E above.

A. Reasons for, and Objectives of, the Proposed Action

The purpose of the proposed amendments is to enhance the security of EDGAR accounts, improve the ability of filers to securely maintain access to their EDGAR accounts, facilitate the responsible management of EDGAR filer credentials, and simplify procedures for accessing EDGAR. Among other things, the proposed amendments would require each filer to:

• Authorize individuals to act on its behalf on the dashboard only if those individuals have obtained individual account credentials in the manner to be specified in the EDGAR Filer Manual;
• Authorize and maintain individuals as account administrators to manage their EDGAR accounts;
• Confirm annually on EDGAR, through their account administrators, that all account administrators, users, technical administrators and delegated entities reflected on the dashboard for the filer's EDGAR account are authorized by the filer to act on its behalf, and that all information about the filer on the dashboard is accurate;
• Maintain accurate and current information on EDGAR concerning the filer's account; and
• Securely maintain information relevant to the ability to access the filer's EDGAR account.

Filers who chose to use the optional EDGAR APIs that the Commission would offer for machine-to-machine submissions on EDGAR and to facilitate filers' retrieval of related information, would, among other things, be required through their account administrators to authorize two technical administrators to manage tokens and other technical aspects of the EDGAR APIs.

B. Legal Basis

We are proposing the amendments contained in this release under the authority set forth in sections 6, 7, 8, 10, and 19(a) of the Securities Act of 1933 (“Securities Act”),^[147] sections 3, 4A, 4B, 12, 13, 14, 15, 15B, 23, and 35A of the Exchange Act,^[148] section 319 of the Trust Indenture Act of 1939,^[149] and sections 8, 30, 31, and 38 of the Investment Company Act of 1940 (“Investment Company Act”).^[150]

C. Small Entities Subject to the Proposed Rule and Form Amendments

The proposed amendments would affect individuals and entities that have EDGAR accounts or that seek to open EDGAR accounts. The RFA defines “small entity” to mean “small business,” “small organization,” or “small governmental jurisdiction.” ^[151] For purposes of the RFA, under our rules, an issuer, other than an investment company, is a small entity if it had total assets of $5 million or less on the last day of its most recent fiscal year.^[152] We estimate there are 908 issuers that file with the Commission—other than investment companies—that would be considered small entities for purposes of this analysis.^[153]

With respect to investment companies and investment advisers, an investment company, including a business development company, is considered to be a small entity if it, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year.^[154] We estimate that there are 82 registered investment companies (including business development companies and unit-investment trusts) that would be considered small entities.^[155] An investment adviser is generally considered a small entity if it: (1) has assets under management having a total value of less than $25 million; (2) did not have total assets of $5 million or more on the last day of the most recent fiscal year; and (3) does not control, is not controlled by, and is not under common control with another investment adviser that has assets under management of $25 million or more, or any person (other than a natural person) that had total assets of $5 million or more on the last day of its most recent fiscal year.^[156] We estimate that there are 594 investment advisers that would be considered small entities.^[157]

A transfer agent is considered to be a small entity if it: (1) received less than 500 items for transfer and less than 500 items for processing during the preceding six months (or in the time that it has been in business, if shorter); (2) transferred items only of issuers that would be deemed “small businesses” or “small organizations” as defined in 17 CFR 240.0–10; (3) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year (or in the time that it has been in business, if shorter); and (4) is not affiliated with any person (other than a natural person) that is not a small business or small organization under 17 CFR 240.0–10.^[158] We estimate that there are 126 transfer agents that would be considered small entities.^[159]

With respect to municipal securities dealers and broker-dealers, a municipal securities dealer that is a bank (including any separately identifiable department or division of a bank) is a small entity if it: (1) had, or is a department of a bank that had, total assets of less than $10 million at all times during the preceding fiscal year (or in the time that it has been in business, if shorter); (2) had an average monthly volume of municipal securities transactions in the preceding fiscal year (or in the time it has been registered, if shorter) of less than $100,000; and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization as defined in 17 CFR 240.0–10.^[160] We estimate there are 171 municipal securities dealers that would be considered small entities.^[161] A broker-dealer is a small entity if it: (1) had total capital (net worth plus subordinated liabilities) of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to § 240.17a–5(d) or, if not required to file such statements, a broker or dealer that had total capital (net worth plus subordinated liabilities) of less than $500,000 on the last business day of the preceding fiscal year (or in the time that it has been in business, if shorter); and (2) is not affiliated with any person (other than a natural person) that is not a small business or small organization as Start Printed Page 65555 defined in 17 CFR 240.0–10.^[162] We estimate that there are 782 broker-dealers that would be considered small entities.^[163]

A clearing agency is a small entity if it: (1) compared, cleared and settled less than $500 million in securities transactions during the preceding fiscal year (or in the time that it has been in business, if shorter); (2) had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or in the time that it has been in business, if shorter); and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization as defined in 17 CFR 240.0–10.^[164] We estimate there are zero clearing agencies that are small entities.

An exchange is a small entity if it: (1) has been exempted from the reporting requirements of § 242.601 of this chapter; and (2) is not affiliated with any person (other than a natural person) that is not a small business or small organization as defined in 17 CFR 240.0–10.^[165] We estimate there are zero exchanges that are small entities. A securities information processor is a small entity if it: (1) had gross revenues of less than $10 million during the preceding fiscal year (or in the time it has been in business, if shorter); (2) provided service to fewer than 100 interrogation devices or moving tickers at all times during the preceding fiscal year (or in the time that it has been in business, if shorter); and (3) is not affiliated with any person (other than a natural person) that is not a small business or small organization under 17 CFR 240.0–10.^[166] We estimate there are zero securities information processors that are small entities.

Collectively, we estimate that there are 2,663 small entities that would be potentially subject to the proposed amendments, based on our review of data reported as of December 31, 2022.

D. Reporting, Recordkeeping, and Other Compliance Requirements

As noted above, the purpose of the proposed amendments would be to update access and provide secure management of individual and entity filers' EDGAR accounts. If adopted, the proposed amendments are expected to apply to all applicants and current EDGAR accounts and would apply to small entities to the same extent as other entities, irrespective of size. Therefore, we generally expect the nature of any benefits and cost associated with the proposed amendments to be similar for large and small entities. We note, and as discussed above,^[167] all existing and new EDGAR filers will be subject to certain fixed costs to update and maintain an EDGAR account under the proposed amendments, which may result in a proportionally larger burden on small filers.

We expect that the proposed amendments to the rules and form to update access and management of EDGAR accounts would have a small incremental effect on existing reporting, recordkeeping and other compliance burdens for all existing and new EDGAR filers, including small entities. The proposed amendments would simplify account management by providing an interactive dashboard on EDGAR, populated with EDGAR account information, as the central platform for account administrators and other delegated individuals to manage access to the account, update account information and send communications and notifications. Some of the proposed amendments, including requirements for all filers to confirm the accuracy of their account information, including authorizations for all account administrators, users, technical administrators, and/or delegated entities, would require the use of administrative and technical skills, and increase compliance costs for registrants, although we do not expect these additional costs would be significant.

E. Duplicative, Overlapping, or Conflicting Federal Rules

We believe that the proposed amendments would not duplicate, overlap, or conflict with other Federal rules.

F. Significant Alternatives

The RFA directs us to consider alternatives that would accomplish our stated objectives, while minimizing any significant adverse impact on small entities. In connection with the proposed amendments, we considered the following alternatives:

i. Establishing different compliance requirements for individual and entity EDGAR account managers that take into account the resources available to small entities;

ii. Clarifying, consolidating, or simplifying compliance and reporting requirements under the rules for small entities;

iii. Using performance rather than design standards; ^[168] and

iv. Exempting small entities from all or part of the requirements.

Regarding the first, third, and fourth alternatives,^[169] we do not believe that establishing different compliance requirements, using performance rather than design standards, or exempting small entities from the requirements would permit us to obtain our desired objectives. We are concerned that each of these alternatives would frustrate our efforts to enhance the security of EDGAR, improve the ability of filers to securely manage and maintain access to their EDGAR accounts, facilitate the responsible management of EDGAR filer credentials, and simplify procedures for accessing EDGAR. The proposed amendments set forth uniform requirements for each filer to formally authorize individuals to act on the filer's behalf in EDGAR as account administrators, users, and technical administrators, which would allow EDGAR to determine whether authorized individuals were accessing and taking actions with regards to the filer's EDGAR account. As proposed, all individuals accessing EDGAR would be required to sign in with individual account credentials and multi-factor authentication, which would allow EDGAR to identify the individuals accessing EDGAR. As discussed above, we believe that by imposing these requirements on all existing and prospective EDGAR filers, the Commission's EDGAR Next proposal would generally improve the security of the EDGAR system by establishing a uniform method for authorizing, identifying, and tracking all individuals authorized to act on each filer's behalf. We anticipate that establishing different compliance requirements, using performance rather than design standards, or exempting small entities would result in a patchwork compliance regime that would frustrate the ability of filing agents and other service providers to efficiently manage filer credentials and manage and maintain access to filers' EDGAR accounts, and would likewise frustrate our efforts to simplify procedures for accessing EDGAR.^[170]

As noted above,^[171] the Commission considered using a performance-based approach rather than the design standards of the anticipated EDGAR Start Printed Page 65556 Next changes and the proposed rule. Revising the EDGAR Next changes to make them more performance-based would reduce the regulatory burden for certain filers by permitting them to tailor their EDGAR access compliance requirements to fit their own particular circumstances. For example, small filers could determine that they do not need the additional security provided by multi-factor authentication for designated individuals to be authorized to act on their behalf on the dashboard. Furthermore, larger filers might opt to authorize only one account administrator rather than authorize and maintain two such individuals. However, after consideration, we believe that permitting filers to tailor their EDGAR access compliance requirements to fit their own particular circumstances would diminish the intended benefits of the EDGAR Next changes. As discussed earlier,^[172] bypassing the individual account credential requirements would make it difficult for the Commission to match specific filings to the relevant individual who made the submissions. Likewise, generally allowing filers to have only one account administrator would increase the likelihood that Commission staff could not reach an account administrator when it had time-sensitive questions about access to or activity on the account. Overall, a performance-based approach would create inconsistencies in improving the overall security of EDGAR, facilitating the responsible management of EDGAR filer credentials, and simplifying procedures for accessing EDGAR. In addition, any cost savings associated with a performance-based approach would likely be minimal because filers would still incur the cost of compliance. Further, this alternative would limit the magnitude of the benefits for filers that would result from the contemplated EDGAR Next changes.

In addition, establishing different compliance requirements, using performance rather than design standards, or exempting small entities could permit individuals to access EDGAR accounts for small filers without being authorized on the dashboard, without multi-factor authentication, and without their EDGAR permissions being individually verified by EDGAR. Furthermore, if these exemptions or alternatives for small entities were implemented so that individuals acting on behalf of small entities were not required to obtain individual account credentials, the Commission would not be able to associate individuals with the specific filings they submitted on behalf of small entities. Collectively, this would reduce the security of EDGAR accounts for small entities, hinder the ability of the Commission and filers to prevent and resolve problematic and unauthorized filings, and frustrate our efforts to require small entities to responsibly manage EDGAR filer credentials.

Regarding the second alternative, we believe the proposal is clear, and that clarifying, consolidating, or simplifying compliance requirements for EDGAR filers, including small entities, is not necessary. All EDGAR users currently follow the same process and rules to access and maintain their EDGAR accounts. The proposed changes to EDGAR account management that are intended in many ways to simplify procedures for accessing EDGAR purposes of EDGAR account management. Among other things, the proposed changes would eliminate the need for individuals to track and share EDGAR passwords, PMACs, and passphrase codes for each CIK. Instead, each individual would only be responsible for tracking a single set of individual account credentials, which we contemplate would be issued by Login.gov. Once the individual logged into EDGAR by using those credentials, the dashboard would automatically authenticate the individual and provide them with the appropriate access to each CIK for which they had been authorized to take action. The dashboard would also display any relevant individual codes or tokens (such as user API tokens or CCCs), instead of requiring the individual to personally track or record those codes or tokens. This should result in more streamlined, modern access processes that would benefit all filers, including individuals and small entities.

G. Request for Comment

We encourage the submission of comments with respect to any aspect of this RFA. In particular, we request comments regarding:

• How the proposed rule and form amendments can achieve their objective while lowering the burden on individuals and small entities;
• The number of individuals and small entities that may be affected by the proposed rule and form amendments;
• The existence or nature of the potential effects of the proposed amendments on individuals and small entities discussed in the analysis; and
• How to quantify the effects of the proposed amendments; and
• Whether there are any Federal rules that duplicate, overlap, or conflict with the proposed amendments.

Commenters are asked to describe the nature of any effect and provide empirical data supporting the extent of that effect. Comments will be considered in the preparation of the Final Regulatory Flexibility Analysis, if the proposed rules are adopted, and will be placed in the same public file as comments on the proposed rules themselves.

Statutory Authority

We are proposing to amend Rules 10 and 11 of Regulation S–T and Form ID under the authority in sections 6, 7, 8, 10, and 19(a) of the Securities Act,^[173] sections 3, 4A, 4B, 12, 13, 14, 15, 15B, 23, and 35A of the Exchange Act,^[174] section 319 of the Trust Indenture Act of 1939,^[175] and sections 8, 30, 31, and 38 of the Investment Company Act.^[176]

List of Subjects

17 CFR Part 232

• Administrative practice and procedure
• Confidential business information
• Electronic filing
• Incorporation by reference
• Reporting and recordkeeping requirements
• Securities

17 CFR Part 239

• Administrative practice and procedure
• Confidential business information
• Incorporation by reference
• Reporting and recordkeeping requirements
• Securities

17 CFR Part 249

• Administrative practice and procedure
• Brokers
• Fraud
• Reporting and recordkeeping requirements
• Securities

17 CFR Part 269

• Reporting and recordkeeping requirements
• Securities
• Trusts and trustees

17 CFR Part 274

• Administrative practice and procedure
• Electronic funds transfers
• Investment companies
• Reporting and recordkeeping requirements
• Securities

For the reasons discussed above, we propose to amend 17 CFR chapter II as follows:

PART 232—REGULATION S–T—GENERAL RULES AND REGULATIONS FOR ELECTRONIC FILINGS

1. The general authority citation for part 232 continues to read as follows:

Authority: 15 U.S.C. 77c, 77f, 77g, 77h, 77j, 77s(a), 77z–3, 77sss(a), 78c(b), 78 l, 78m, 78n, 78o(d), 78w(a), 78 ll, 80a–6(c), 80a–8, 80a–29, 80a–30, 80a–37, 80b–4, 80b–10, 80b–11, 7201 et seq.; and 18 U.S.C. 1350, unless otherwise noted.

2. Amend § 232.10 by:

a. Revising paragraph (b);

b. Adding paragraph (d); and

c. Revising Note to § 232.10.

The revisions and additions read as follows:

3. Amend § 232.11 by:

a. Adding definitions for “Account administrator”, “Application Programming Interface”, “Authorized individual”, “Dashboard”, “Delegated entity” in alphabetical order;

b. Revising the definitions for “Direct transmission” and “EDGAR Filer Manual”; and

c. Adding the definitions for “Filing agent”, “Individual account credentials”, Single-member company”, “Technical administrator”, and “User” in alphabetical order.

The additions and revisions read as follows:

PART 239—FORMS PRESCRIBED UNDER THE SECURITIES ACT OF 1933

4. The authority citation for part 239 continues to read, in part, as follows:

Authority: 15 U.S.C. 77c, 77f, 77g, 77h, 77j, 77s, 77z–2, 77z–3, 77sss, 78c, 78 l, 78m, 78n, 78 o (d), 78 o –7 note, 78u–5, 78w(a), 78 ll, 78mm, 80a–2(a), 80a–3, 80a–8, 80a–9, 80a–10, 80a–13, 80a–24, 80a–26, 80a–29, 80a–30, 80a–37, and sec. 71003 and sec. 84001, Pub. L. 114–94, 129 Stat. 1321, unless otherwise noted.

Sections 239.63 and 239.64 are also issued under 15 U.S.C. 77f, 77g, 77h, 77j, 77s(a), 77sss(a), 78c(b), 78 l, 78m, 78n, 78 o (d), 78w(a), 80a–8, 80a–24, 80a–29, and 80a–37.

5. Revise § 239.63 to read as follows:

6. Form ID (referenced in §§ 239.63, 249.446, 269.7, and 274.402) is revised:

Note:

Form ID is attached as Appendix A at the end of this document. Form ID will not appear in the Code of Federal Regulations.

PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934

7. The general authority citation for part 249 continues to read as follows:

Authority: 15 U.S.C. 78a et seq. and 7201 et seq.;12 U.S.C. 5461 et seq.;18 U.S.C. 1350; Sec. 953(b) Pub. L. 111–203, 124 Stat. 1904; Sec. 102(a)(3) Pub. L. 112–106, 126 Stat. 309 (2012), Sec. 107 Pub. L. 112–106, 126 Stat. 313 (2012), Sec. 72001 Pub. L. 114–94, 129 Stat. 1312 (2015), and secs. 2 and 3 Pub. L. 116–222, 134 Stat. 1063 (2020), unless otherwise noted.

8. Revise § 249.446 to read as follows:

PART 269—FORMS PRESCRIBED UNDER THE TRUST INDENTURE ACT OF 1939

9. The authority citation for part 269 continues to read as follows:

Authority: 15 U.S.C. 77ddd(c), 77eee, 77ggg, 77hhh, 77iii, 77jjj, 77sss, and 78ll(d), unless otherwise noted.

10. Revise § 269.7 to read as follows:

PART 274—FORMS PRESCRIBED UNDER THE INVESTMENT COMPANY ACT OF 1940

11. The authority citation for part 274 continues to read as follows:

Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 78c(b), 78 l, 78m, 78n, 78 o (d), 80a–8, 80a–24, 80a–26, 80a–29, and 80a–37, unless otherwise noted.

12. Revise § 274.402 to read as follows:

Note:

Appendix A will not appear in the Code of Federal Regulations.

Footnotes