CARI (Community Association Risk Index) is a deterministic scoring system that evaluates the financial health, governance quality, and operational risk profile of community associations. It produces a single 0--100 score with a letter grade, component breakdown, and confidence assessment --- computed from live ledger data, not self-reported surveys.
This document describes the methodology: what CARI measures, how it measures it, and why each component is weighted the way it is. It is published for institutional transparency. Lenders, insurers, CPAs, and title companies evaluating CARI scores should understand what the numbers represent and what they do not.
What CARI Is
CARI is a read-only consumer of existing platform data. It never writes to accounting, governance, or vendor models. It reads signals, computes scores, and serves them through a consent-gated API.
Three properties define the system:
- Deterministic. Given the same inputs and methodology version, the same score is produced every time. Every score carries a SHA-256 calculation hash computed from the canonical JSON of all inputs. If two computations produce the same hash, they produced the same score.
- Consent-gated. No score is computed or served without active consent from the association. The HOA opts in. The HOA can revoke consent at any time. No CARI data is accessible to third parties without the association's permission.
- Immutable. Scores are append-only. Once computed and persisted, a score record cannot be modified. New scores supersede old scores through a version chain linked by foreign key. The full history is preserved.
What CARI Is Not
CARI is not a credit score. It does not score individuals. It does not make lending decisions, insurance underwriting decisions, or eligibility determinations. It is an institutional health index --- a structured, auditable summary of signals that already exist in the association's financial and governance records.
CARI does not replace professional judgment. A CARI score of 85 does not mean the association is "safe." A score of 45 does not mean it is "failing." The score summarizes observable conditions. The consumer of the score --- lender, insurer, title company --- applies their own underwriting criteria to the data.
Five Components
CARI computes five component sub-scores, each on a 0--100 scale. The composite score is the weighted sum.
1. Financial Health (30%)
Measures the association's fiscal condition using four signals:
| Signal | Source | What It Captures |
|---|---|---|
| Composite risk score | HOA risk signal model (inverted) | Aggregate financial distress indicator |
| Reserve ratio | Fund balances | Reserve fund balance relative to annual budget |
| Delinquency rate | Accounts receivable aging | Percentage of assessments past due |
| Operating ratio | Budget vs. actuals | Operating expenses relative to revenue |
Financial health carries the highest weight because financial condition is the primary determinant of an association's ability to meet obligations, fund reserves, and maintain property.
2. Governance (25%)
Measures the quality of board oversight and institutional controls.
| Signal | Source | What It Captures |
|---|---|---|
| Governance risk coefficient (60%) | Governance risk snapshot | Board composition, meeting frequency, attestation currency, policy compliance |
| Governance score (40%) | HOA risk signal model | Governance quality as assessed by the risk signal pipeline |
Governance weight reflects that financial problems in associations are almost always preceded by governance failures --- deferred decisions, absent oversight, lapsed attestations.
3. Vendor Risk (15%)
Measures the compliance posture of the association's vendor relationships.
| Signal | Source | What It Captures |
|---|---|---|
| Linked vendor count | Vendor-contractor link model | How many vendors are tracked in the system |
| Expired COI count | Compliance alert model | Vendors with lapsed certificates of insurance |
| Expired license count | Compliance alert model | Vendors with lapsed professional licenses |
| Critical alert count | Compliance alert model | Vendors with critical compliance issues |
| Average compliance rate | Compliance check log | Overall vendor compliance percentage |
Nine vendor compliance signals are evaluated. Associations that pay vendors with expired insurance or lapsed licenses carry elevated liability.
4. Enforcement Integrity (15%)
Measures how effectively the association's internal controls operate.
| Signal | Source | What It Captures |
|---|---|---|
| Block rate | Enforcement decision model | Percentage of transactions blocked by guards |
| SLA breach count | Enforcement telemetry | Control failures and response time violations |
| Override rate | Enforcement decision model | Frequency of guard overrides |
The block rate uses a calibrated curve centered at 5% --- associations that block too few transactions may lack controls; associations that block too many may have misconfigured rules. The optimal range indicates functioning controls that intervene when necessary.
5. Payment Behavior (15%)
Measures the association's payment patterns and loss prevention.
| Signal | Source | What It Captures |
|---|---|---|
| Prevented loss total | Prevented loss snapshot | Dollar value of transactions blocked by enforcement |
| Dispute rate | Payment model | Frequency of payment disputes |
| Collection efficiency | AR aging model | Effectiveness of assessment collection |
Payment behavior reflects operational discipline --- whether the association collects what it is owed and manages disputes effectively.
Composite Score Computation
The composite score is the weighted sum of component sub-scores:
composite = (financial_health x 0.30) + (governance x 0.25) +
(vendor_risk x 0.15) + (enforcement_integrity x 0.15) +
(payment_behavior x 0.15)
The result is a value between 0 and 100, rounded to two decimal places.
Grade Scale
| Grade | Minimum Score |
|---|---|
| A+ | 97 |
| A | 93 |
| A- | 90 |
| B+ | 87 |
| B | 83 |
| B- | 80 |
| C+ | 77 |
| C | 73 |
| C- | 70 |
| D | 60 |
| F | 0 |
Confidence Assessment
Not all associations have complete signal coverage. CARI reports a confidence level alongside every score:
| Confidence | Data Completeness | Interpretation |
|---|---|---|
| HIGH | 80% or more of signal keys populated | All major categories represented. Score is reliable. |
| MEDIUM | 50--79% | Core signals present, secondary gaps. Score is directional. |
| LOW | Below 50% | Significant gaps. Score reflects limited data. |
The data completeness percentage is reported alongside the confidence level. A score with 92% completeness and HIGH confidence is more informative than a score with 55% completeness and MEDIUM confidence --- even if the composite numbers are similar.
Calculation Hash
Every score carries a SHA-256 hash computed from the canonical JSON representation of all inputs:
- All signal values are serialized with sorted keys and minimal separators.
- Decimal values are serialized as strings to preserve precision.
- The resulting JSON bytes are hashed with SHA-256.
If two computations use the same inputs, they produce the same hash. This enables third-party verification: given the signal values and methodology version, anyone can independently confirm the score is correctly computed.
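An added example (not CommunityPay's code) of the third-party check described above, together with the composite and grade computation from the earlier sections. The signal key names, the flat input dictionary, and the half-up rounding mode are assumptions; the sample values are constructed.

```python
import hashlib
import json
from decimal import Decimal, ROUND_HALF_UP

# Weights and grade floors as published in methodology version 1.0.
WEIGHTS = {"financial_health": Decimal("0.30"), "governance": Decimal("0.25"),
           "vendor_risk": Decimal("0.15"), "enforcement_integrity": Decimal("0.15"),
           "payment_behavior": Decimal("0.15")}
GRADES = [(97, "A+"), (93, "A"), (90, "A-"), (87, "B+"), (83, "B"), (80, "B-"),
          (77, "C+"), (73, "C"), (70, "C-"), (60, "D"), (0, "F")]

# Constructed sample inputs; the key names are hypothetical.
SAMPLE_SIGNALS = {"expired_coi_count": 2, "sla_breach_count": 0,
                  "composite_risk_score": Decimal("18.50"),
                  "avg_vendor_compliance_rate": Decimal("0.9125")}
SAMPLE_COMPONENTS = {"financial_health": Decimal("82.40"), "governance": Decimal("76.00"),
                     "vendor_risk": Decimal("91.25"),
                     "enforcement_integrity": Decimal("88.00"),
                     "payment_behavior": Decimal("79.50")}


def _encode(value):
    """Serialize Decimal as a string so its exact digits are what gets hashed."""
    if isinstance(value, Decimal):
        return str(value)
    raise TypeError(f"unsupported type in hash input: {type(value).__name__}")


def calculation_hash(signals: dict) -> str:
    """SHA-256 of the canonical JSON: sorted keys, minimal separators."""
    if any(isinstance(v, float) for v in signals.values()):
        raise TypeError("floats are rejected; pass Decimal to keep the hash stable")
    canonical = json.dumps(signals, sort_keys=True, separators=(",", ":"),
                           default=_encode)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def composite(components: dict) -> Decimal:
    """Weighted sum of the five sub-scores, rounded to two decimal places."""
    if set(components) != set(WEIGHTS):
        raise ValueError("exactly the five published components are required")
    total = sum(components[name] * weight for name, weight in WEIGHTS.items())
    # Rounding mode is an assumption; the methodology only says "two decimal places".
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def grade(score: Decimal) -> str:
    """Highest grade whose minimum score is met."""
    return next(letter for floor, letter in GRADES if score >= floor)
```

Because decimals are hashed as strings, `Decimal("18.5")` and `Decimal("18.50")` yield different hashes, so a verifier needs the inputs in exactly the serialized form the scorer used.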
Peer Percentile
Each score is compared against associations in the same peer bucket, defined by unit count and state:
| Unit Range | Bucket |
|---|---|
| 1--10 units | Small |
| 11--25 units | |
| 26--50 units | |
| 51--100 units | |
| 101--250 units | |
| 251--500 units | |
| 500+ units | Large |
A score of 75 means different things for a 12-unit townhome association and a 400-unit high-rise. Peer percentile contextualizes the score within comparable associations.
Methodology Versioning
The methodology version is recorded on every score. When weights, signals, or computation logic change, a new methodology version is published. Historical scores retain their original methodology version --- they are never retroactively recalculated.
Current version: 1.0
Consent Architecture
CARI operates behind a consent gate. Three consent paths exist:
| Consent Type | Scope | Use Case |
|---|---|---|
| All subscribers | Any authenticated subscriber can query | Full transparency opt-in |
| Specific subscriber | Named subscriber only | HOA grants access to their lender |
| Subscriber type | All subscribers of a type (lender, insurer, title) | HOA allows all insurers to query |
Consent is revocable at any time. Revocation is logged but never deleted --- the audit trail preserves the history of who had access and when.
API and Webhook Delivery
CARI scores are served through an authenticated REST API using API key authentication. Keys are stored as SHA-256 hashes; the raw key is shown once at creation and never stored.
Score changes trigger webhook notifications to subscribers who have registered monitoring endpoints. Webhooks are signed with HMAC-SHA256 using a per-subscriber secret, with a timestamp included in the signed message to prevent replay attacks.
Change classifications:
| Classification | Score Delta | Trigger |
|---|---|---|
| Minor | Less than 5 points | Logged, not always delivered |
| Moderate | 5--15 points | Delivered to active monitors |
| Major | More than 15 points | Delivered with elevated priority |
| Grade change | Any delta crossing a grade boundary | Always delivered |
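Receiver-side verification of the signed webhooks described above, as an added example that is not CommunityPay's code. The page does not publish the signed-message layout, signature encoding, or tolerance window, so the `<timestamp>.<body>` layout, hex signature, 300-second window, and duplicate cache used here are assumptions; the secret and payload are constructed.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed tolerance; the page does not state one

# Constructed sample delivery.
SECRET = b"constructed-per-subscriber-secret"
TIMESTAMP = "1700000000"
BODY = b'{"association_id":"demo-001","classification":"moderate","score_delta":"-7.25"}'


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>' (assumed message layout)."""
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp, body, signature, now=None, seen=None):
    """Return (ok, reason). `seen` is an optional set of accepted signatures."""
    now = time.time() if now is None else now
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "malformed timestamp"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison; authenticate before trusting the timestamp.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # The timestamp is covered by the MAC, so it cannot be refreshed by a replayer.
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Within the window, reject exact duplicates of an accepted delivery.
    if seen is not None:
        if signature in seen:
            return False, "duplicate delivery"
        seen.add(signature)
    return True, "ok"
```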
Signal Sources
All signals are derived from data already present in the CommunityPay platform. CARI does not collect independent data. The 27 signal keys currently evaluated:
Risk signals: governance coefficient, governance risk tier, composite risk score, financial health score, governance score, dispute incidence rate.
Telemetry: blocked transaction count (12 months), blocked transaction amount (12 months), escalated transaction count, total transaction count, SLA breach count, SLA critical breach count.
Underwriting: credential continuity days, dispute incidence per 1,000 transactions, verified payment volume band, months on platform.
Vendor compliance: linked vendor count, expired COI count, expired license count, critical alert count, average vendor compliance rate.
Prevented loss: total prevented loss amount, prevented loss blocked count.
Market context: construction market tightness, construction market condition, construction market ratio.
Limitations
- CARI scores reflect data in the platform. Associations that maintain incomplete records will receive lower confidence scores, not lower composite scores --- the system does not penalize missing data, but it does report it.
- CARI does not perform site inspections, physical assessments, or independent verification of the data it scores. It trusts the ledger. The ledger's integrity is enforced by the enforcement dispatcher, which is a separate system.
- Scores are computed at a point in time. An association's financial condition can change between score computations. Real-time monitoring is available through the webhook system but is not a guarantee of continuous observation.
- The methodology will evolve. Weights, signals, and computation logic will be refined as the scored population grows and validation data accumulates. Every change is versioned and documented.
Disclosure
This methodology is published for institutional transparency and to establish prior art. The scoring system described here --- including the 5-component weighted architecture, consent-gated API design, deterministic SHA-256 calculation hashing, HMAC-signed webhook delivery, and peer-bucketed percentile comparison --- was invented by Scott Stephen Vuilleumier and implemented in production at CommunityPay as of the publication date.
The underlying platform architecture, including the enforcement dispatcher that generates several of the signals CARI consumes, is the subject of U.S. Patent Application No. 19/163,329, filed April 13, 2026 (CPAY-PAT-002).