What Is a Community Association Risk Index?

CARI is not a credit score. It is a deterministic, consent-gated index that summarizes attested governance, financial, and operational risk signals for community associations, derived directly from an authoritative system of record.


Community associations manage billions of dollars in homeowner funds, maintain critical infrastructure, and carry fiduciary obligations that rival small municipalities. Yet there is no standardized, evidence-based way to measure how well they do it.

Lenders underwriting mortgages in HOA communities have no standardized risk signal. Insurers pricing D&O coverage rely on questionnaires. Title companies closing sales depend on manually assembled disclosure packets. Buyers receive no objective measure of the community they are joining.

The Community Association Risk Index (CARI) exists to close that gap.

What CARI Is

CARI is a deterministic, consent-gated index that summarizes attested governance, financial, and operational risk signals for community associations, derived directly from an authoritative system of record.

A CARI score is a number from 0 to 100 with a letter grade from A+ to F. Higher scores indicate healthier, better-governed communities.

CARI is computed from five independently auditable components:

| Component | What It Measures |
| --- | --- |
| Financial Health | Reserve adequacy, delinquency rates, operating efficiency, revenue stability |
| Governance | Board attestation compliance, governance risk coefficient, quorum rates, policy adherence |
| Vendor Risk | Contractor credential currency, insurance verification, compliance continuity |
| Enforcement Integrity | Internal control effectiveness, SLA compliance, override patterns, decision audit quality |
| Payment Behavior | Assessment collection efficiency, dispute rates, prevented loss patterns |

Each component produces its own sub-score. The composite CARI score is a weighted aggregation of these components, with weights defined by a versioned, published methodology.

What CARI Is Not

CARI is not a credit score. It does not evaluate individuals. It does not make eligibility or lending decisions. It does not determine whether a person qualifies for a mortgage, a loan, or any financial product.

CARI summarizes observable risk indicators about an organization — the community association — not about any person within it.

CARI is not an opinion. Every CARI score is computed deterministically from a versioned methodology and a frozen set of input signals. The same inputs, processed through the same methodology version, always produce the same score and the same SHA-256 content hash. There is no manual adjustment, no subjective override, no editorial discretion.

CARI is not a recommendation. CARI reports present evidence. They do not advise. A lender, insurer, or title officer uses CARI reports as one input among many in their own decision-making process. CARI does not tell anyone what to do — it tells them what the data shows.

Why the Signals Matter

CARI signals are not scraped from public records, collected via questionnaire, or self-reported by the association. They originate from the system of record where the financial and governance activity actually occurs.

This distinction is fundamental.

When a CARI component reports a delinquency rate, that number comes from the actual accounts receivable ledger — the same ledger that posts assessments, records payments, and ages balances. When it reports a governance coefficient, that number comes from the enforcement dispatcher that evaluates every financial decision in real time. When it reports vendor compliance status, that status comes from the compliance monitoring system that tracks credential expiration dates against actual contractor records.

The signals are not estimates. They are measurements from the point of activity.

No CARI score can be queried without explicit, active consent from the community association.

Consent is granted by the HOA — not by an individual homeowner, not by a third party, and not by CommunityPay. The HOA's authorized representative decides:

  • Who can access their CARI data (all subscribers, specific subscribers, or subscriber types)
  • What they can access (score only, specific report types, monitoring subscriptions)
  • When access expires (time-bounded or indefinite, revocable at any time)

Consent records are never deleted. When consent is revoked, the revocation is recorded with a timestamp and the identity of the revoking party. The full consent history is preserved as an audit trail.

This is not a privacy checkbox. It is an institutional access control that the HOA manages as part of its governance obligations.
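The who / what / when model above can be evaluated as a default-deny check over an append-only consent log. The following is an added example, not CommunityPay's code; the log layout, field names, subscriber identifiers and scope names are assumptions made for illustration.

```python
from datetime import datetime, timezone

def ts(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

# Constructed append-only consent log for one HOA; all field names are assumptions.
CONSENT_LOG = [
    {"event": "grant", "id": "c1", "by": "board-secretary", "at": ts("2024-01-10"),
     "who": {"kind": "subscriber_type", "value": "lender"},
     "what": {"score"}, "expires": ts("2024-07-10")},
    {"event": "grant", "id": "c2", "by": "board-secretary", "at": ts("2024-02-01"),
     "who": {"kind": "subscriber_id", "value": "insurer-17"},
     "what": {"score", "insurer_report"}, "expires": None},
    # Revocation is a new entry with timestamp and revoking party; c2 stays in the log.
    {"event": "revoke", "id": "c2", "by": "board-president", "at": ts("2024-03-15")},
]

def who_matches(who, subscriber):
    if who["kind"] == "all":
        return True
    if who["kind"] in ("subscriber_id", "subscriber_type"):
        return subscriber.get(who["kind"]) == who["value"]
    return False  # unknown selector: deny rather than fail open

def is_permitted(log, subscriber, scope, at):
    """Default deny: True only if some grant covers who, what and when at time `at`."""
    revoked_at = {}
    for e in log:
        if e["event"] == "revoke":
            revoked_at[e["id"]] = min(e["at"], revoked_at.get(e["id"], e["at"]))
    for e in log:
        if e["event"] != "grant" or at < e["at"]:
            continue  # not a grant, or not yet granted
        if e["expires"] is not None and at >= e["expires"]:
            continue  # time-bounded grant has lapsed
        if e["id"] in revoked_at and at >= revoked_at[e["id"]]:
            continue  # revoked before the query time
        if scope in e["what"] and who_matches(e["who"], subscriber):
            return True
    return False
```

Because nothing is deleted, the same function answers audit questions about the past, such as whether a subscriber was entitled to a query made before a later revocation.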

Confidence and Completeness

Not all communities have the same data completeness. CARI addresses this directly rather than hiding it.

Every CARI score includes a confidence assessment:

| Confidence | Data Completeness | Meaning |
| --- | --- | --- |
| HIGH | 80% or more of signal categories populated | Score reflects comprehensive data across all components |
| MEDIUM | 50-79% of signal categories populated | Core signals present; some secondary components have gaps |
| LOW | Below 50% of signal categories populated | Significant data gaps; score is directional only |

A LOW confidence score is not a bad score — it means the data is incomplete. CARI never fabricates signals to fill gaps. Missing data is reported as missing data, and the confidence assessment tells the consumer exactly how much of the picture they are seeing.

Immutability and Auditability

CARI scores are immutable. Once computed, a score record cannot be modified. New scores supersede previous scores but never replace them. The full time series is preserved, creating a verifiable history of how a community's risk profile has evolved.

Every score record includes:

  • A SHA-256 content hash computed from the canonical JSON representation of all inputs
  • A reference to the methodology version used
  • A frozen snapshot of every signal value at computation time
  • A link to the previous score for delta tracking

This means any CARI score can be independently verified: given the same inputs and the same methodology version, the same score and the same hash must result. If they don't, something has been tampered with.
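An independent verifier for records of this shape could look like the following. This is an added example, not CommunityPay's implementation: the weights, the `example-v1` methodology name, the canonical JSON rules (sorted keys, compact separators, UTF-8), the integer scoring arithmetic, and the choice to include the previous record's hash in the hashed inputs are all assumptions.

```python
import hashlib
import json

# Constructed weights standing in for one published methodology version.
METHODOLOGIES = {"example-v1": {"financial_health": 30, "governance": 25,
    "vendor_risk": 15, "enforcement_integrity": 15, "payment_behavior": 15}}

def content_hash(inputs):
    # Assumed canonical form: sorted keys, no extra whitespace, UTF-8.
    blob = json.dumps(inputs, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def compute_score(version, signals):
    # Integer sub-scores and weights keep the result bit-for-bit repeatable.
    weights = METHODOLOGIES[version]
    return sum(w * signals[name] for name, w in weights.items()) // sum(weights.values())

def make_record(version, signals, previous=None):
    inputs = {"methodology_version": version, "signals": dict(signals),
              "previous_hash": previous["content_hash"] if previous else None}
    return {"inputs": inputs, "score": compute_score(version, signals),
            "content_hash": content_hash(inputs)}

def verify_chain(records):
    """Return indexes of records whose hash, score or back-link fails to recompute."""
    failed, expected_prev = [], None
    for i, rec in enumerate(records):
        inputs = rec["inputs"]
        ok = (content_hash(inputs) == rec["content_hash"]
              and compute_score(inputs["methodology_version"], inputs["signals"]) == rec["score"]
              and inputs["previous_hash"] == expected_prev)
        if not ok:
            failed.append(i)
        expected_prev = rec["content_hash"]
    return failed

# Constructed sub-scores (0-100) for two consecutive scoring runs.
Q1 = {"financial_health": 82, "governance": 74, "vendor_risk": 90,
      "enforcement_integrity": 68, "payment_behavior": 77}
R1 = make_record("example-v1", Q1)
R2 = make_record("example-v1", {**Q1, "financial_health": 85}, previous=R1)

if __name__ == "__main__":
    print(R1["score"], R2["score"], verify_chain([R1, R2]))
```

Editing a stored signal without rehashing fails at that record; rehashing the edited record moves the failure to its successor, whose back-link no longer matches.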

CARI Reports

CARI scores summarize. CARI reports prove.

Four report types serve different institutional audiences:

| Report | Audience | What It Contains |
| --- | --- | --- |
| CARI Lender Report | Mortgage underwriters | Financial health deep-dive, reserve adequacy, delinquency analysis, governance assessment |
| CARI Insurer Report | D&O insurance actuaries | Governance risk coefficient, enforcement statistics, exclusion history, override audit |
| CARI Title Report | Escrow and title officers | Unit-level financial status, special assessments, insurance coverage, litigation flags |
| CARI Buyer Report | Homebuyers and agents | Plain-language health summary, grade interpretation, peer comparison, key indicators |

Every report is generated as an institutional packet — a signed, hashed, versioned evidence document with a full audit trail. Reports are not PDFs assembled from screenshots. They are attestation artifacts computed from the system of record, with cryptographic integrity guarantees.

The Standard That Does Not Exist Yet

There is no FICO for HOAs. There is no S&P rating for community associations. There is no Moody's assessment of condominium governance.

This is not because the need doesn't exist. Lenders evaluate HOA risk on every condominium mortgage. Insurers price D&O coverage for every managed community. Title companies assess association health on every resale. They all do it — but they do it manually, inconsistently, and without standardized signals.

CARI provides the standardized framework: defined components, versioned methodology, attested signals, consent-gated access, immutable records, and institutional-grade reports.

The methodology is published. The infrastructure is built. The question is no longer whether HOA risk measurement should be standardized. It is whether the standard should be based on attested system-of-record data or on questionnaires and public records.

How CommunityPay Enforces This

  • Every CARI score is computed deterministically — same inputs, same methodology version, same result, same SHA-256 hash
  • Scores are immutable and append-only — new scores supersede, never replace
  • No score query is permitted without active, explicit consent from the HOA
  • All input signals originate from the system of record — not surveys, not self-reported data, not public records scraping
  • Five component sub-scores are independently auditable with full signal provenance
  • CARI is not a credit score and does not make eligibility or lending decisions