During the Section 16 Q&A webcast in January, Alan Dye discussed the new procedures for resetting an EDGAR passphrase. The passphrase is used if you need to generate new EDGAR codes (CCC, password, and PMAC) for you or your insiders in the event that you’ve forgotten the password or it has expired.
Linda Epstein from Hewlett Packard Enterprise emailed to tell us that there is an easier way to update an insider’s expired password, assuming the following:
You know the insider’s EDGAR codes (CIK, CCC, expired password, and PMAC—you don’t need the passphrase for this), and
Have your own access to EDGAR.
The Easier Way
Rather than logging into the insider’s account, you can simply log into the main EDGAR website (or the EDGAR Online Forms Management website) under your account and select the Retrieve/Edit Data function. EDGAR will ask you to enter the CIK and CCC for the account you want to edit. Turns out, you can enter any account here (so long as you have the access codes for that account)—it doesn’t have to be your own account.
Once you enter the CIK and CCC code, you then have the ability to change the password for the account, provided you know the old password and the Password Modification Authorization Code (PMAC). This is easier than generating all new EDGAR codes, especially if the individual is an insider at more than one company (which would require you to notify all the other companies of his/her new CCC).
Update Contact Info Too
You can also use the Retrieve/Edit Data function to update an insider’s contact info, including email address, and you don’t need the insider’s password or PMAC to do this.
Given the ability to do this, I’m not sure you’d even need to update the insider’s password (you can still submit filings for an insider whose password has expired). But if you did need to do so, without the insider’s password or PMAC, you’d be stuck generating new EDGAR codes. Here again, this feature could be handy. Because, let’s face it, if you don’t know those two things, you also probably don’t know the insider’s passphrase and you’re going to have to generate a new passphrase. This feature would at least allow you to ensure that the insider’s email is correct (or change it to an email address that you can access), since, under the new passphrase procedures, you have to provide the “electronic security token” that is emailed to the insider when the new passphrase is requested.
It also means that instead of the nightmare I went through to update my passphrase, I could have had one of my friends who does Section 16 filings update my expired password for me (ironically, I knew my old password and PMAC, I just didn’t know my passphrase). I’m sure one of you would have come through for me. Good to know for the future (not that I am ever going to forget my passphrase or let my password expire again).
This Explains a Lot
Well, maybe not a lot, but it does at least explain why you have to enter your CIK and CCC to change your password after logging into EDGAR, something that, until now, seemed like a useless extra step to me. I’m not sure it explains the need for the PMAC, however (if you already know the insider’s old password, how much more authorization do you need).
If anyone else has any handy EDGAR tips, I’m all ears.
The SEC has announced an update to the process used to generate a new EDGAR passphrase. In anticipation of this, now would be a good time to make sure your email address is correct (and the email addresses for all of your Section 16 insiders) in the EDGAR system.
What Is a Passphrase and How Is It Different from a Password or a Password Modification Authorization Code (PMAC)?
The EDGAR system has a ridiculous number of password-type codes assigned to each individual user. You probably only need one password to access your bank account, but EDGAR assigns four password-type codes to each user. And, even with that shockingly complex security protocol, it’s still possible to submit fake EDGAR filings.
Your passphrase is used to generate a completely new set of EDGAR codes (CCC, password, and PMAC). You do this when you are first assigned a CIK (because you won’t have any of the other codes yet). It’s also the only way to generate a new password if you’ve forgotten yours.
What Is the New Process?
The problem with having to use your passphrase to generate a new password (and CCC) is that if you’ve forgotten your password, you’ve probably also forgotten your passphrase. In which case, you have to request a new passphrase before you can generate a new password.
Previously, to generate a new passphrase, you completed the online request form and submitted a new notarized Form ID to the SEC (for a more detailed, somewhat humorous explanation of this, see “My EDGAR Nightmare“). Now, you’ll also have to provide an “electronic security token” with your request. The electronic security token will be emailed to you by EDGAR at the time you make the request to change your passphrase. This is why it is important to make sure your email address is correct; if the EDGAR system doesn’t have your correct email address, you won’t get the email with your electronic security token and you’ll have to go through some sort of manual review to get your passphrase updated, which could take more than two days (and I’m sure you all understand the significance of process that takes longer than two days in the EDGAR context).
What Exactly Is an Electronic Security Token?
Got me. Since EDGAR is emailing it to you, my guess is that it is some sort of code that you enter into the EDGAR website, but it could also be a link in the email that you have to click.
Will Form ID Still Be Required to Change a Passphrase?
No idea on this either. The announcement from the SEC did not include a lot of information.
When Is the New Process Going Into Effect?
The SEC announcement, which was issued on December 12, says “soon.” When dealing with the government, “soon” often is later than you might expect but I still wouldn’t wait to make sure your and your insiders’ email addresses are correct.
Thanks to Tami Bohm of Radian Group for reminding me to blog about this.
It’s been a while since I tackled Section 16 reporting in this blog. The last time I covered it, the SEC was on widespread mission to crack down on the smallest of infractions, Section 16(a) included. That was in 2014, and things seem to have quieted since then. Or have they? In today’s blog I’ll address that question.
All is (not) Quiet on the Section 16 Front
This time last year, there was a fair amount of buzz circulating around about the SEC’s (at the time) newfound aggression in pursuing enforcement for Section 16(a) reporting violations. It was the latest in a line of actions brought by the Commission as part of what SEC Chairman White had described as a “broken windows” initiative, where the agency put focus on frequently overlooked minor violations and highlighted that it was “important to pursue even the smallest infractions.”
While some companies have struggled to file Section 16 reports on a timely basis, the SEC’s ability to identify even the smallest of those infractions has increased greatly in recent years. Advances in technology and renewed attention to enforcement have combined to create an environment where it’s no longer safe to assume that a tiny infraction, even if just an oversight, will be overlooked. Although hype around this type of enforcement has quieted in recent months, it doesn’t mean that SEC attention has waned. Companies should be attentive in pursuing flawless (or near flawless) compliance with Section 16 reporting requirements.
Proxy season is on the horizon for many companies, and although any Section 16(a) reporting violations that happened in the past are what they are, there’s still time to focus on the Item 405 proxy disclosure piece that identifies any late reported Section 16 activity. Effort can also be made to ensure no Section 16 reporting mishaps occur going forward. It’s time to examine opportunities for improvement in these areas.
Inadvertent Mistakes Aren’t a Defense
There was a time where it almost seemed reasonable to say “it was just an inadvertent mistake.” That language appears in the Item 405 disclosure of many proxy statements. Why? Because, the truth is that inadvertent mistakes do happen. What is important to know is that violations of Section 16(a) reporting requirements are enforced only by the SEC, and (key to note) there is no “intent” or other “state of mind requirement” for there to be a “violation”; therefore, inadvertent failures to timely file Section 16 Forms 3, 4 and 5 may constitute violations of the federal reporting requirements. Essentially, nobody had to have “intended” to violate Section 16 in order for there to be an infraction. Additionally, relying on others is not a defense either: (“The insider didn’t give us timely information and therefore, I couldn’t make the filing on time.”)
Since an inadvertent mistake won’t necessarily absolve an issuer (or an insider) from responsibility and potential SEC enforcement action, it’s more important than ever to develop practices that prevent mistakes from occurring in the first place.
Must-Have Section 16 Resources
This month, Section 16 is getting a lot of NASPP coverage. With the goal to achieve “flawless” reporting this year, there’s lots to focus on, especially if you have a history of recent Item 405 disclosures in the proxy (pointing to opportunities for improvement in this area).
On January 27, Alan Dye will be doing his annual webcast on the Latest Section 16 Developments (free for NASPP members). Since the SEC’s major Section 16 enforcement initiative in late 2014, involving 28 insiders and civil penalties totaling $2.6 million, Section 16 filings have been in the spotlight like never before, commencing a new era of enforcement for the SEC. This is a Q&A webcast, designed to make sure you are equipped to comply. Hear practical tips on refining your Section 16 procedures and answers to your questions on the challenges you are facing today (submit your questions to adye@Section.net).
We’ve also got a great interview with Alan Dye that will be featured in the next episode of our Equity Expert podcast series (out next week). Be sure to subscribe today so that you are notified when Alan’s interview becomes available. The podcast is all audio, and is accessible on the NASPP website or through a podcast app on your mobile device (search for “Equity Expert”). The podcast is available for free to everyone. If you’re not listening to it, you’re missing out on some great interviews!
The Jan-Feb issue of The NASPP Advisor is due out next week, and both the Top 10 List and Administrators’ Corner articles are dedicated to Section 16 practices. Keep an eye out for it, because you won’t want to miss the tips and practices for achieving better compliance with Section 16 reporting requirements.
Watch for and take advantage of these great resources to help improve Section 16 compliance and reporting practices this year.