A guide to secure voting software and compliance for credit unions
Regulatory scrutiny of election integrity is significant, and the potential for data breaches, incorrect election results, and noncompliance can have serious consequences for credit unions.
The National Credit Union Administration (NCUA) conducts comprehensive audits that focus on governance and voting procedures. Failure to comply can lead to legal challenges and severe reputational damage.
Members anticipate a secure, transparent voting process. Organizations responsible for election failures can face recount expenses and frustrated members who no longer trust them. Ensuring secure voting software for credit unions eliminates these risks. But what should you be looking for in a trusted, compliant vendor?
This guide from Survey & Ballot Systems (SBS) has everything you need to know.
When Credit Unions Need Secure Voting Software
There are several situations and processes where you'll find that secure voting software is essential, such as:
- Board of directors elections: Annual board member elections typically require verification of members' voting rights and strict, fair ballot procedures. The potential need for remote voting and scattered membership raises several security considerations.
- Supervisory committee elections (where applicable): For credit unions that elect their supervisory committee members, secure voting software is essential to manage the balloting process effectively, verify member eligibility, and ensure the integrity and transparency of the election results. This is important for upholding the rigorous standards of credit union governance.
- Merger votes: A process involving high-stakes elections under NCUA 12 CFR 708a, with member approval requirements to ensure compliant mergers. Documentation and audit trails are crucial for these votes, given the heightened scrutiny from regulators and members.
- Charter conversion votes: Whether federal-to-state or state-to-federal, they require a simple majority of 50% plus one for member approval. Because conversion votes are subject to regulatory requirements and review, maintaining accurate records and a clear audit trail throughout the voting process is essential.
- Bylaw amendments: Bylaw amendments typically receive less scrutiny than merger votes. But it's still essential that member voting on governance changes remain democratic and transparent.
Secure voting software for credit unions ensures compliance and maintains voting integrity.
Understanding NCUA Regulatory Requirements
The NCUA has several regulatory requirements. These are crucial for federally insured credit unions. The regulations are based on standards set by the Federal Financial Institutions Examination Council (FFIEC).
12 CFR 708a
12 CFR 708a is a federal regulation. It dictates the procedures and requirements for federally insured credit unions that intend to convert to mutual savings banks (Subpart A) or merge into existing banks (Subpart C). The structured outline of this regulation helps credit unions manage these institutional changes while remaining compliant.
Some of the main elements of this regulation that credit unions should be aware of include:
- Authority to convert (708a.102): A credit union may convert to a mutual savings bank or association with member approval, provided it follows all regulatory requirements. Prior NCUA approval isn't required.
- Notice, disclosures, and communication (708a.103-708a.104): A credit union must provide clear, timely notices and disclosures to members during a proposed conversion. This includes a 90-day notice of intent to convert, a 60-day follow-up notice, and a 30-day final notice with a voting ballot. The NCUA also requires you to provide a 90-day notice of intent and a certification of the final vote results.
- Membership approval (708a.106): A conversion proposal must be approved by a majority vote of the members. The voting process must be conducted by secret ballot and administered by an independent entity.
- Limitations on compensation (708a.111): A director or senior management official is prohibited from receiving any special economic benefits or compensation due to the conversion. Compensation can only be paid in the ordinary course of business.
These are essential compliance requirements for NCUA approval.
Governance and Election Integrity Standards
12 CFR 708a concerns conversion and merger votes. However, it also states that all special meetings and votes must be conducted in accordance with applicable federal and state laws and other parliamentary procedures.
While this regulation doesn't explicitly reference the NCUA Federal Credit Union bylaws, it does require adherence to the NCUA's overarching credit union governance.
These standards include the following requirements:
- Supervisory committee audit and account verification: Federal Credit Union bylaws and NCUA regulations (12 CFR Part 715) mandate that the supervisory committee conduct an annual audit and verify members' accounts.
- Federal standards for charter conversion votes: The mandated notice periods, disclosures to members, and use of secret ballots. This maintains the fairness and legality of the voting methods and procedures used.
- Documentation of voting requirements: 12 CFR 708a emphasizes maintaining a clear audit trail for conversion and merger votes, including who voted, when they voted, and how these results were verified. This includes documentation of the independent entity's written certification of the final vote tally, including the number of members who voted, the number of affirmative votes, and the number of negative votes.
Credit unions are also required to maintain accurate and complete member lists for eligibility verification. The board's final certification to the NCUA must confirm that all materials used in credit union mergers were identical to those submitted to the NCUA. Discrepancies must be accompanied by copies and explanations.
What Is SOC-2?
SOC-2, also known as Service Organization Controls 2, is an auditing procedure. It ensures data security and maintains client privacy. It's commonly adopted by technology companies that must meet compliance requirements related to security standards, confidentiality, and privacy.
SOC-2 Type I evaluates controls at a specific point in time, while Type II evaluates them over a period that's typically between six and 12 months. The procedure was created by the American Institute of Certified Public Accountants (AICPA). While it's not a legal requirement for election software, many state and local governing bodies will require it during vendor selection.
SOC-2 Trust Service Principles Explained
The auditing standards required to achieve SOC-2 certification and compliance involve assessing systems and controls. These assessments are made against one or more of the following five Trust Service Principles:
- Security: Protecting systems and data from unauthorized access. This covers a range of criteria, including firewalls, two-factor authentication, and threat detection.
- Availability: Ensuring services and systems are operational and available.
- Processing integrity: Making sure that system processing is accurate, efficient, and properly authorized.
- Confidentiality: Protecting sensitive information, such as financial data, by only allowing access to authorized users.
- Privacy: Dictating the way in which personal information is collected, used, and disposed of, including organizational privacy policy specifics.
While security is mandatory, organizations aren't required to comply with every principle. The other four principles are optional and chosen based on the specific offering a company provides or the type of data it handles.
Why SOC-2 Compliance Matters for Voting Software
SOC-2 compliance requires a meticulous independent audit to verify the effectiveness of internal controls over time. For credit unions using voting software, this method:
- Proves rigorous security protocols and confirms robust infrastructure, policies, and procedures against industry best practices.
- Demonstrates compliance with encryption, access controls, and data protection implementation and maintenance.
- Provides third-party audit evidence that supports vendor risk management documentation and due diligence requirements.
- Reduces liability through independent assurance of security posture, mitigating risk exposure in the event of a security issue.
All of these factors provide assurance that the systems and processes used for elections are secure and reliable. Together they give confidence in vote-processing integrity and build trust in the electoral process.
Essential Security Architecture
For credit unions, voting compliance will also include adherence to official standards and best practices for systems security architecture. Ensure that any potential vendors have the following security measures in place.
Encryption Standards
Robust encryption standards are essential for securing sensitive voting data and credit union voting compliance. Consider the following:
- TLS 1.2+ for data in transit: All data exchanged between users, voting software, and backend systems must be protected using Transport Layer Security (TLS) version 1.2 or higher. This also includes vote submissions and administrative communications. Cryptographic protocols like this secure communications over networks, which prevents eavesdropping, tampering, and message forgery. Detailed guidance on these implementations can be found in the official standard, NIST SP 800-52r2.
- AES-256 for data at rest: AES-256 is a globally recognized secure symmetric-key encryption algorithm. This protects data from unauthorized access by scrambling it, even if storage media are compromised. This standard is defined by NIST FIPS 197 (AES Standard). Any stored voting data, including ballots, voter registries, audit trails held on servers, databases, and backup systems, must be encrypted with a 256-bit key.
- End-to-end encryption: Votes must be encrypted at the point of casting (on the voter's device) to ensure robust security and privacy. This encryption must remain throughout every stage of transmission, storage, and processing. It can only be decrypted for secure tabulation. This ensures the confidentiality and integrity of individual votes through aggregation into final results.
- Bank-level security over commercial-grade: Bank-level security represents a higher standard of cybersecurity. It's considered a robust cybersecurity option for credit unions that use critical systems, such as voting software. This level of security ensures regulatory compliance, advanced threat detection and prevention mechanisms, continuous auditing, and resilience against sophisticated attacks. Commercial-grade security protects general business operations. However, it lacks the specialized defenses and compliance frameworks required to protect sensitive electoral processes.
Monitoring, Audit Trails, and Logging
Secure architecture for voting activity requires industry-leading security measures that provide:
- Real-time monitoring: Votes are tallied as soon as ballots arrive or are submitted electronically, and the live progress of voting activity is tracked, which supports trust in the process.
- Audit trails: These continuously capture events as they occur, providing immediate visibility into system operations to detect unusual activity.
- Detailed logging: Comprehensive records help pinpoint which account accessed the voting platform, when, and what operations were performed.
All of this supports full accountability and traceability when facilitating investigations.
Authentication and De-Duplication
Authentication and de-duplication measures ensure that only eligible members can cast a vote and that each member votes only once. This is achieved through:
- Multi-factor authentication: Security measures that require more than one form of verification (for example, a member ID and password combined with an additional factor, or single sign-on) reduce security risks.
- Duplicate-vote prevention: Mechanisms that detect and prevent members from casting more than one vote, whether attempted via paper ballot or online.
- Phone voting: Ballots are accessed by calling a designated number and entering specific identifying details. Voters then listen to prompts to select a candidate, and votes are recorded only after the selections are confirmed.
These additional security measures maintain the integrity of the voting process.
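As an added illustration of the audit-trail, duplicate-vote prevention and written-certification requirements described above (not code from the original article or from SBS), the Python sketch below keeps a hash-chained trail of who voted and when, separate from a ballot box that holds choices only, so the trail documents participation without linking a member to their choice. The member numbers, election id and SHA-256 construction are assumptions for the example; a production system would key the member hash with a secret (HMAC) rather than the election id.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample eligibility list; these member numbers are made up for the example.
ELIGIBLE_MEMBERS = {"M1001", "M1002", "M1003", "M1004"}

class ElectionAuditLog:
    def __init__(self, election_id):
        self.election_id = election_id
        self.entries, self._voted = [], set()  # append-only trail: who voted and when
        self.ballots = []  # choices only, never linked to a member identity

    def _append(self, event, member_id, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        member = hashlib.sha256(f"{self.election_id}:{member_id}".encode()).hexdigest()
        record = {"seq": len(self.entries), "ts": datetime.now(timezone.utc).isoformat(),
                  "event": event, "member": member, "detail": detail, "prev": prev}
        record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
        self.entries.append(record)  # every entry commits to its predecessor's hash

    def cast_vote(self, member_id, choice):
        # One ballot per eligible member; rejected attempts are logged as well.
        reason = ("not on eligibility list" if member_id not in ELIGIBLE_MEMBERS
                  else "duplicate ballot" if member_id in self._voted else None)
        if reason:
            self._append("rejected", member_id, reason)
            return False
        self._voted.add(member_id)
        self.ballots.append(choice)  # the choice goes to the ballot box only
        self._append("vote", member_id, "ballot accepted")
        return True

    def verify_chain(self):
        # Recompute every hash; an edited, reordered or deleted entry breaks the chain.
        prev = "0" * 64
        for rec in self.entries:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def certify(self):
        # Figures for the independent entity's written certification of the final tally.
        voted = sum(1 for r in self.entries if r["event"] == "vote")
        if voted != len(self.ballots):  # the trail and the ballot box must agree
            raise ValueError("audit trail and ballot box disagree")
        return {"voted": voted, "affirmative": self.ballots.count("yes"), "negative": self.ballots.count("no")}
```

The chain detects edits to existing entries but not removal of the most recent ones, so the latest hash should be anchored somewhere outside the system (for example, published to the supervisory committee) at each checkpoint.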
24/7 Monitoring and Incident Response
The voting system should be protected around the clock with the following response techniques:
- Real-time system monitoring: Automated tools to track performance and security during voting periods.
- Vulnerability and penetration testing: Regular simulated cyberattacks to identify potential weak points before they can be exploited.
- Incident response teams: A dedicated team on standby 24/7 to identify, contain, eradicate, and recover from any security breaches.
Fast, efficient incident response plans keep the voting process uninterrupted and reliable.
Evaluating Vendors
When exploring vendor options, there are some other criteria to ensure complete peace of mind and safety. Look for the following additional areas of quality and compliance:
- A clear data-residency and storage location, confirming that data is held in the U.S.
- A clear and comprehensive disaster recovery and business continuity plan
- Training and support for credit union staff before, during, and after the election
- Mobile-friendly interface options and multi-channel voting capacity
Secure voting compliance for credit unions should also consider accessibility requirements. This involves compliance with regulations like Title II of the Americans with Disabilities Act (ADA), including accessibility for web content and mobile apps.
Credit Union Voting Compliance Red Flags
Look for the following warning signs that a vendor may not be qualified or compliant enough to support your voting needs:
- Delaying or being unable to show proof of SOC-2 certification
- Using encryption standards that fall short of modern needs (TLS 1.0 or WEP)
- Having no clear audit trail or logging process
- Being unclear about data storage and international data transfer
- Offering no dedicated support during the voting period
- Being inexperienced with the workings of NCUA-regulated elections
Any of these red flags should be considered proof that a vendor isn't capable of helping you stay compliant and operate with integrity.
Final Compliance Checklist
Before making a final commitment to a vendor, use the information below as a final checklist as part of your decision:
- Are they SOC-2 Type II (current) compliant?
- Is TLS 1.2+ and AES-256 encryption confirmed?
- Has proof of audit-trail capability been verified?
- Is member data security and GLBA compliance officially documented?
There's a lot to consider when looking for secure voting software that maintains compliance. Working with a reputable vendor that's experienced in security and data protection under regulatory scrutiny can make the experience simpler and more streamlined.
Keeping your voting members' core needs in mind can be the ultimate roadmap to credit union election success. It also empowers credit unions to proceed without worrying about failed elections, data breaches, or irreparable reputational damage.
This story was produced by Survey & Ballot Systems and reviewed and distributed by Stacker.
Copyright 2026 Stacker Media, LLC
This story was originally published June 29, 2026 at 6:30 AM.