During the Section 16 Q&A webcast in January, Alan Dye discussed the new procedures for resetting an EDGAR passphrase. The passphrase is used if you need to generate new EDGAR codes (CCC, password, and PMAC) for you or your insiders in the event that you’ve forgotten the password or it has expired.
Linda Epstein from Hewlett Packard Enterprise emailed to tell us that there is an easier way to update an insider’s expired password, assuming the following:
You know the insider’s EDGAR codes (CIK, CCC, expired password, and PMAC—you don’t need the passphrase for this), and
Have your own access to EDGAR.
The Easier Way
Rather than logging into the insider’s account, you can simply log into the main EDGAR website (or the EDGAR Online Forms Management website) under your account and select the Retrieve/Edit Data function. EDGAR will ask you to enter the CIK and CCC for the account you want to edit. Turns out, you can enter any account here (so long as you have the access codes for that account)—it doesn’t have to be your own account.
Once you enter the CIK and CCC code, you then have the ability to change the password for the account, provided you know the old password and the Password Modification Authorization Code (PMAC). This is easier than generating all new EDGAR codes, especially if the individual is an insider at more than one company (which would require you to notify all the other companies of his/her new CCC).
Update Contact Info Too
You can also use the Retrieve/Edit Data function to update an insider’s contact info, including email address, and you don’t need the insider’s password or PMAC to do this.
Given the ability to do this, I’m not sure you’d even need to update the insider’s password (you can still submit filings for an insider whose password has expired). But if you did need to do so, without the insider’s password or PMAC, you’d be stuck generating new EDGAR codes. Here again, this feature could be handy. Because, let’s face it, if you don’t know those two things, you also probably don’t know the insider’s passphrase and you’re going to have to generate a new passphrase. This feature would at least allow you to ensure that the insider’s email is correct (or change it to an email address that you can access), since, under the new passphrase procedures, you have to provide the “electronic security token” that is emailed to the insider when the new passphrase is requested.
It also means that instead of the nightmare I went through to update my passphrase, I could have had one of my friends who does Section 16 filings update my expired password for me (ironically, I knew my old password and PMAC, I just didn’t know my passphrase). I’m sure one of you would have come through for me. Good to know for the future (not that I am ever going to forget my passphrase or let my password expire again).
This Explains a Lot
Well, maybe not a lot, but it does at least explain why you have to enter your CIK and CCC to change your password after logging into EDGAR, something that, until now, seemed like a useless extra step to me. I’m not sure it explains the need for the PMAC, however (if you already know the insider’s old password, how much more authorization do you need?).
If anyone else has any handy EDGAR tips, I’m all ears.
The SEC has announced an update to the process used to generate a new EDGAR passphrase. In anticipation of this, now would be a good time to make sure your email address is correct (and the email addresses for all of your Section 16 insiders) in the EDGAR system.
What Is a Passphrase and How Is It Different from a Password or a Password Modification Authorization Code (PMAC)?
The EDGAR system has a ridiculous number of password-type codes assigned to each individual user. You probably only need one password to access your bank account, but EDGAR assigns four password-type codes to each user. And, even with that shockingly complex security protocol, it’s still possible to submit fake EDGAR filings.
Your passphrase is used to generate a completely new set of EDGAR codes (CCC, password, and PMAC). You do this when you are first assigned a CIK (because you won’t have any of the other codes yet). It’s also the only way to generate a new password if you’ve forgotten yours.
What Is the New Process?
The problem with having to use your passphrase to generate a new password (and CCC) is that if you’ve forgotten your password, you’ve probably also forgotten your passphrase. In which case, you have to request a new passphrase before you can generate a new password.
Previously, to generate a new passphrase, you completed the online request form and submitted a new notarized Form ID to the SEC (for a more detailed, somewhat humorous explanation of this, see “My EDGAR Nightmare”). Now, you’ll also have to provide an “electronic security token” with your request. The electronic security token will be emailed to you by EDGAR at the time you make the request to change your passphrase. This is why it is important to make sure your email address is correct; if the EDGAR system doesn’t have your correct email address, you won’t get the email with your electronic security token and you’ll have to go through some sort of manual review to get your passphrase updated, which could take more than two days (and I’m sure you all understand the significance of a process that takes longer than two days in the EDGAR context).
What Exactly Is an Electronic Security Token?
Got me. Since EDGAR is emailing it to you, my guess is that it is some sort of code that you enter into the EDGAR website, but it could also be a link in the email that you have to click.
Will Form ID Still Be Required to Change a Passphrase?
No idea on this either. The announcement from the SEC did not include a lot of information.
When Is the New Process Going Into Effect?
The SEC announcement, which was issued on December 12, says “soon.” When dealing with the government, “soon” often is later than you might expect but I still wouldn’t wait to make sure your and your insiders’ email addresses are correct.
Thanks to Tami Bohm of Radian Group for reminding me to blog about this.
I recently had to update my EDGAR passphrase. I thought this would be a relatively simple process. I’m a smart person and I have a proven success rate in navigating government websites—I know how to use the DMV website to make an appointment, I’ve requested a certified copy of my birth certificate online, I can find a public company’s stock plan on EDGAR—how hard could it be to update my EDGAR password? Turns out, way harder than I expected.
This is a long blog entry, but it’s not my fault. I blame the SEC (and maybe Microsoft).
How I Got Into this Mess
I got my EDGAR access codes over a decade ago, back when the SEC first rolled out the system for filing Section 16 forms online. It was so long ago, it was before the SEC required a notarized Form ID or a passphrase. I did not want to go through the hassle of submitting a notarized form to the SEC, so I had a system in place to make sure I didn’t forget to update my EDGAR password, which consisted of a reminder in my Outlook calendar set for about a month before my EDGAR password expired. Once a year, the reminder would pop up and—unlike how I respond to my alarm clock—I would not ignore it or hit snooze. I would immediately update my EDGAR password and set the reminder for the next year.
This system worked fantastically for over a decade, including through a change in employers. And then I got a new laptop with Outlook 13 on it. Outlook 13 had some sort of “known issue” that caused emails to disappear from my inbox. The only way to fix it was to remove Outlook 13 and go back to Outlook 10. In the process, my entire calendar was lost. Completely gone.
After massive hyperventilating and gnashing of the teeth, I was able to recreate most of it, but there were some appointments I forgot—including the reminder about my EDGAR password.
Fixing an Expired EDGAR Password
To update an expired EDGAR password, you have to generate a new set of EDGAR codes. This requires a passphrase. I had no idea what my passphrase was because the passphrase system wasn’t in place when I originally got my EDGAR codes, hence I didn’t have it noted in any of the various places where I have made note of my EDGAR codes (this was regrettable on my part). Here’s what I needed to do:
1. Generate a new passphrase. This required me to submit an Update Passphrase Confirmation form, which has to be notarized. I thought getting the notarization would be hard, and it was, mainly because I kept forgetting to bring the form with me when I met with my notary friend who would notarize the form for free.
This part was also very confusing because the only way to get the Update Passphrase Confirmation form is to fill out an online request for a new passphrase. But the SEC won’t issue a new passphrase until the notarized form is submitted, so I would have to come back and complete this very same online form again once I had my notarization. Essentially, you complete one new passphrase request that the SEC completely ignores. Then, once you have your notarized form, you complete a second request that the SEC will act on if you can manage to submit your notarized form properly (see steps 2 to 5).
Finally, to add to my frustration, it took several tries to come up with a passphrase that would meet the SEC’s crazy specifications so that I could print the form that I had to have notarized. (Note to the SEC: a password that is so complicated to remember and so hard to update that you write it down in multiple places is a total security fail.)
2. Months later, after I finally got the form notarized (access to EDGAR isn’t really a pressing concern for me on a day-to-day basis), I had to go back to EDGAR to submit the form.
3. Of course I first tried this after 7:00 PM Pacific (I am in California) and EDGAR is shut down for the night at that time. Despite how ridiculous this is for an online system, it shouldn’t have been a surprise; as soon as I got the error message, I remembered that EDGAR shuts down for the night.
4. The next day I thought I was all set. I had my form and it was between 3:00 AM and 7:00 PM Pacific. Thankfully, the EDGAR system let me use the same passphrase I had come up with after several tries in step 1, so I didn’t have to think of another one. But I still made every error in the book before I could submit the form—my file name was too long, then it had spaces, then it had capital letters, then my reason for needing to update my passphrase was too long, then it included profanity (just kidding, I did not swear at the SEC, at least not in writing).
5. After several tries, I finally managed to submit my update passphrase request form without getting an immediate error. I took this to be a good sign, even though there was no way I could tell that the submission had succeeded, since I got the same “submission completed” screen that I got when the submission failed.
6. Then I waited. After two business days, I received an email that my request to change my passphrase had been accepted. This was a major hurdle overcome, but I still had to go in and generate my new EDGAR codes.
7. Guess what time it was when I tried to generate my new EDGAR codes: yep, after 7:00 PM Pacific (this is one of my most productive time periods). So I set an appointment in my calendar to remind me to generate my codes before 7:00 PM the next day (no worries about me trying to generate them before 3:00 AM).
8. The next day, my reminder pops up and I go to generate my new EDGAR codes. After all this, I am positively holding my breath that I wrote down my passphrase correctly because I sure as heck didn’t want to have to start this whole process again. Luckily, I am at least competent in this one thing, because the passphrase worked and I finally have my new EDGAR codes. Phew!
Lesson Learned
You might think the lesson I learned is to not let my EDGAR password expire, but that isn’t it at all. The lesson I learned is …
Don’t forget your EDGAR passphrase!
If I had just remembered my passphrase, this whole blog entry could have been avoided. Maybe I should rent a safe deposit box or get one of those fireproof safes just to store my EDGAR passphrase.
Wondering why EDGAR is such a hot mess? Check out this nifty podcast that explains the problem with government websites: “DMV Nation.”
Fake EDGAR filings are a thing. The EDGAR system requires more access codes than any of my financial accounts: there’s the CIK, CCC, password, password modification code, and passphrase. That’s five codes to access the system. And, to get the codes, you have to submit a notarized form to the SEC. So it seems surprising that anyone would be able to submit a fake EDGAR filing, but apparently it happens.
Recently, someone filed a fake Schedule TO announcing a takeover of Avon (“A Phantom Offer Sends Avon’s Shares Surging,” NY Times, May 14, 2015). In 2012, someone (probably the same someone) submitted a fake buyout offer for the Rocky Mountain Chocolate Factory. A guy named Johnny Earl Satterwhite has filed 61 highly suspicious Section 16 filings claiming, among other things, that he owns 999 billion shares of Microsoft and Exxon Mobil, which is something like more than 100 times the number of shares that actually exist in these companies (“Texan Plays April Fool’s Joke on SEC, Investors with 999 Billion Shares,” Footnoted*, June 20, 2011).
From Broc Romanek’s May 19 blog on TheCorporateCounsel.net:
This latest incident [fake Schedule TO for Avon] is a cautionary tale for investors as it’s not the first fake takeover announcement. My favorite dates back to 2001, as noted in this piece, when a fake “blank check” company calling itself “Toks Inc.” filed a Form SB-2 with the SEC announcing plans to take over General Motors, General Electric, AT&T, Hughes Electronics, AT&T Wireless, AOL Time Warner and Marriott International—roughly $2 trillion in “Toks” stock. The promoter—Ade O. Ogunjobi—didn’t give up even when the SEC issued a “Stop Order” to prevent the registration statement from going effective and suing him for selling unregistered securities, later launching a website to promote his wild ambitions and plans to then hold press conferences to announce his plans for these major US companies he was to take over!
While the idea of fake EDGAR filings may seem a little crazy and fantastical, the fraudulent filings can have serious repercussions. Avon’s stock price increased by about $1 per share (a 20% increase) after the fake Schedule TO filing, then dropped back to prior levels after the TO was revealed to be a hoax. But, according to Bloomberg, $91 million worth of Avon shares changed hands before trading was halted in Avon’s stock, four times Avon’s trading volume the prior day (“About $91 Million of Avon Stock Traded at Peak of Frenzy,” Bloomberg Business, May 14, 2015). The SEC has charged a Bulgarian, Nedko Nedev, with filing the fake buyout offer to manipulate Avon’s stock price for his personal gain (“S.E.C. Charges Man in Bulgaria in Fake Takeover Offer for Avon,” NY Times, June 4, 2015).
Here are my key takeaways on this:
Don’t believe everything you read on the internet, even if it is on EDGAR.
Don’t submit fake EDGAR filings for your own personal gain because it seems like it probably isn’t going to be all that hard for the SEC to catch you, even if you are in Bulgaria. Definitely don’t do it more than once.
I feel like I should have some key takeaways on how you can prevent your company from being a victim of a fake EDGAR filing, but I’ve got nothin’ on that. I would suggest not sharing your CIK, but that number is already publicly available all over EDGAR.
– Barbara
Thanks to Tami Bohm of Radian for suggesting this topic.
It’s a holiday week so I thought I’d do something a little lighter for today’s blog entry. Over the nearly 20 years that I’ve worked in this industry, I have asked a lot of questions about stock compensation. I’ve also found the answers to a lot of them, but there are still a few questions that remain a mystery to me. For today’s entry, I present some of my unanswered questions.
IFRS 2?
The international financial reporting standard for stock compensation is IFRS 2. Two? Is this really the second standard that the IASB drafted? Seriously? Of all the possible areas of discrepancy in worldwide accounting, stock-based compensation was the second most important area they could think of? And, if so, what the heck was so important that it beat us out for the number 1 spot?
Why Two and a Half Months?
What is magical about two and a half months after the end of the calendar year for the IRS? Would anyone care if the deadline were just two months (i.e., the end of the second month)? Because in terms of explaining both the provisions of 409A and the FICA short-term deferral rule, this would be a heck of a lot easier to say.
Forms 1 & 2?
Whatever happened to Forms 1 and 2? I must remember to ask Alan Dye about this. Wouldn’t it have made more sense to call Forms 3, 4, and 5 something like “Forms 16A, 16B, and 16C”? Or maybe 16H (“H” for holdings), 16NE (“NE” for non-exempt transactions), and 16E (“E” for exempt transactions)? The form for Rule 144 is called “Form 144,” why not use the same naming system for Section 16 forms?
When Is 30 Days After June 30?
Why does Form G-4 (filed by companies that have issued loans for the purchase of their own stock in excess of the Federal Reserve Board thresholds) have to be filed within 30 days following June 30? Wouldn’t that always be by July 30? Why couldn’t the Federal Reserve Board just say, “file this form by July 30”? Does the Federal Reserve Board have a different calendar than I do?
How Does the IRS Determine What Constitutes “News”?
Why does the IRS send out an email announcing inflation adjustments for the carbon dioxide (CO2) sequestration credit under §45Q but doesn’t send an email announcing proposed rule changes under Section 83?
How Many EDGAR Passwords Does It Take to Change a Lightbulb?
Why the heck does it take four–count ’em, that’s 4–codes to change my EDGAR password? That’s two more codes than I have to enter to change the password on any of my financial accounts. And it’s useless as a form of security because I can’t remember any of them, so I have them all written down in the same document–if someone manages to get one of them, he/she probably has them all. Heck, I bet most companies have a single document where they store all of these codes for all of their insiders–all in one handy place for anyone who wants to sabotage their insiders’ Section 16 filings. This is a perfect example of why lawyers shouldn’t be allowed to develop computer systems.
What Is a Borker, Anyway?
Does anyone else consistently mistype the word “broker” as “borker”? It seems so inappropriate but also kind of appropriate at the same time. “Consluting” for “consulting” is another typo I make with some regularity. Thankfully, both errors are caught easily with spellcheck.
Just a few thoughts to ponder and perhaps discuss with your family as you enjoy Thanksgiving dinner. Enjoy your holiday!
In today’s blog, I provide an update on the status of FICA taxes as we head into next year and include a note from Alan Dye on the impact of Hurricane Sandy on EDGAR filings.
FICA Tax Increases for 2013
The Social Security Administration announced in a press release on October 16 that the annual wage base for Social Security tax is increasing to $113,700 in 2013 (up from $110,100 in 2012).
In addition, the current 2% rate cut for the employee portion of FICA is due to expire at the end of this year. If Congress doesn’t take action before the end of the year, the withholding rate for Social Security will return to 6.2% next January. If I managed to do the math correctly (something you should never take for granted), that will bring the maximum Social Security tax payment for 2013 up to $7,049.40. This is up from $4,624.20 this year, an increase of over 50%.
For the first time since I’ve started working in stock compensation, the Medicare tax is also increasing, at least for those in the top income tax brackets. As noted in my August 7 blog, “The Supreme Court and Stock Compensation,” wages in excess of $200,000 per year ($250,000 for married taxpayers that file jointly, $125,000 for married taxpayers that file separately) are subject to an additional .9% Medicare tax. Companies will apply the higher rate to any wages in excess of $200,000, regardless of the employee’s filing status and the rest will be sorted out when employees file their tax returns.
The additional Medicare tax applies only to employees; the company’s matching payment is not increased.
There are already a couple of threads started on administering the new Medicare tax in the NASPP Discussion Forum, see topics 7186 and 7354.
Highly Compensated Employees
The wage threshold for which employees are considered highly compensated for purposes of Section 423 qualified ESPPs will remain at $115,000 for 2013.
Hurricane Sandy and EDGAR Filings
Alan Dye notes in his blog on Section16.net that Hurricane Sandy is preventing folks on the East coast from submitting Section 16 filings and that the SEC was quick to offer relief. From Alan’s blog yesterday:
With Hurricane Sandy bearing down on DC and much of the Northeast, some filers and filing agents are having trouble getting to their offices to make Section 16(a) filings that are due today. The staff is taking an accommodating position for purposes of Section 16(a) and Item 405, saying that “For those affected by the hurricane — filers (or their lawyers/agents) along the East Coast — we won’t object if the filings that are due today are filed tomorrow (assuming that tomorrow is a day on which people can go to work). For filers not affected by the hurricane, then today is a regular business day and filings due today have to be filed today. So, this is effectively a no action position for only those filers (or their lawyers/agents) affected by the hurricane.”
Presumably filers not affected by the hurricane have no need for relief and will file on time. Filers scrambling to find a filing agent, though, now have some breathing room and can file tomorrow (assuming tomorrow is a normal business day). Thanks to the staff for getting on top of this issue quickly.
Hurricane Sandy and Option Exercises
We also had a couple of threads started in the NASPP Discussion Forum on how employees that are up against the contractual expiration of their in-the-money stock options can exercise despite the market’s unexpected closure due to Hurricane Sandy. Here is a quick list of the alternatives:
pay cash for the exercise
net exercise
stock-for-stock or pyramid exercise
margin loan to be closed out when the market reopens and the stock acquired upon exercise can be sold
loan from the company (if the optionee is not an officer or director) to be repaid as soon as the market opens and the stock can be sold
See NASPP Discussion Forum topics 7361 and 7362 for more information.
We’ve gotten a two-week reprieve from the risk of a U.S. government shutdown, leaving everyone to worry over what a shutdown would mean exactly. First, it certainly doesn’t mean that everyone working for the government just stays home and that the machine of the U.S. governmental infrastructure comes to a screeching halt. Only non-essential functions would be suspended. In the world of stock plan administration, we are most interested in whether or not the SEC and the IRS will still function normally. Most importantly, will we be able to file required forms through the SEC’s EDGAR and the IRS’s FIRE system? I’m sure our partners in the Payroll department are also wondering if they will still be able to submit payroll withholding through EFTPS (or, more likely, that the service provider they are using will be able to), but don’t worry, I’m sure that the government will consider functions that bring tax money in to be essential.
The truth is that nobody really knows, but we can all speculate. There hasn’t been a government shutdown since 1995 and the rules for determining which government positions are considered nonessential haven’t been updated since the 80’s. One section that is already covered is that all “activities essential to the preservation of the essential elements of the money and banking system of the United States, including borrowing and tax collection activities of the Treasury” are included in the list of essential government functions. This could potentially cover the personnel required to run both the electronic filings for the IRS, including the forms 3921 and 3922 if you haven’t taken care of that already. What probably won’t be deemed “essential” are personnel to help answer any questions you might have. According to this article, the SEC is already working on a contingency plan that would include stopping all audit processes, but I assume would keep EDGAR up and running. So, we are in a “wait and see” mode right now, both on whether or not a shutdown will take place and what exactly that would mean for stock plan managers.
On a related note, one of the fears expressed in this article is the threat posed by a lack of cyber-security in the event of a government shutdown; the list of critical-need computer security employees hasn’t been updated since 1995. With how much we rely on electronic filing in the world of equity compensation, that also has me a little concerned.
Electrifying Section 6039
Speaking of electronic filing, many companies that had originally planned on submitting paper returns to the IRS have either requested an extension or decided to go ahead and file electronically. If you either missed the February 28th deadline to file for an extension or have decided to brave the electronic filing, you’re now faced with the problem of actually creating the file to submit through the IRS’s FIRE system.
Unfortunately, if you weren’t expecting to file electronically, then I suspect you didn’t send a test file to the IRS while the test files were still being accepted. This means that you have two choices: 1) engage a service provider to create and/or submit the file on your behalf or 2) create the file yourself and hope you get it right. The first choice is, of course, the easiest. To make it even easier, the NASPP has a great matrix of service providers who are prepared to help you through this from our November 18th webcast. If you decide to go it alone without a test file, we can still help. Stock & Option Solutions recently provided NASPP members with an example of what the files for forms 3921 and 3922 should look like. Whatever your decision, the NASPP has got you covered!
This week marked the annual changing of my EDGAR password. I rarely use EDGAR these days, so I have an appointment in my Outlook calendar to remind me to do this every year. Even though, in the event that my password expired, I could easily generate a new password using the EDGAR Filer Management website and my EDGAR passphrase, I prefer to be proactive about these things. Since the topic of EDGAR access codes is fresh in my mind, I thought it might be helpful to review the various codes for our blog readers.
EDGAR Access Codes Demystified
Access to the EDGAR system requires five codes (the SEC takes security seriously–that’s more codes than my online bank and credit card accounts require):
Central Index Key (CIK): Anyone using EDGAR and any entity for which filings are submitted is assigned a CIK and keeps that same CIK for his/her/its entire existence. The CIK identifies filers and users in the system. Even if an insider moves to a new company or is an insider in multiple companies simultaneously, he/she only has one CIK. This allows investors to query all of an insider’s filings using one search, even if the insider has changed companies or changed names (e.g., in the case of marriage). CIKs are public–you can find out any company’s or insider’s CIK just by querying EDGAR.
CIK Confirmation Code (CCC): The CCC is similar to a password and is used to validate EDGAR filings. CCCs should be known only to the insider and those making filings on his/her behalf. CCCs don’t expire and generally don’t change, even when an insider moves from one company to another, but you can and should change a CCC if you think it has been compromised (see my Sept 15, 2009 blog entry “Fraudulent Section 16 Filings”).
Password: The EDGAR password is necessary only to log onto the EDGAR website. It isn’t included in the EDGAR filing and it isn’t necessary for an insider’s password to be current for you to submit filings on his/her behalf. EDGAR passwords have to be changed every 12 months or they expire (but, see my March 10, 2009 blog entry, “EDGAR Passwords: One Less Thing To Do,” about how you can avoid updating all your insiders’ passwords if you have your own EDGAR login).
Password Maintenance Authorization Code (PMAC): This code must be entered to change an EDGAR password.
Passphrase: This code is used to generate new EDGAR codes (except for the CIK). When a CIK is first assigned, the passphrase is used to generate the rest of the required EDGAR codes. On an ongoing basis, the passphrase can be used to generate new codes when necessary. For example, if I had forgotten to renew my password before it expired, I could use my passphrase to generate a new password (along with the other EDGAR access codes). Passphrases do not need to be updated, but if it is necessary to generate a new one (e.g., if you’ve forgotten it or if it has been compromised), you can do so via the EDGAR Filer Management website.