The Community Association Risk Index (CARI) is a deterministic, consent-gated index that summarizes attested governance, financial, and operational risk signals for community associations. This article documents the scoring methodology, signal sources, access controls, and integrity guarantees that govern how CARI scores are produced and consumed.
CARI is not a credit score. It does not make eligibility or lending decisions. It summarizes observable conditions from an authoritative system of record and presents them as a structured, verifiable index. For an introduction to what CARI is and why it exists, see What Is a Community Association Risk Index?.
Scoring Architecture
Every CARI Score is a weighted composite of five component sub-scores. Each component is computed independently from system-of-record signals, then combined using published weights.
Component Weights
| Component | Weight | Signal Domain |
|---|---|---|
| Financial Health | 30% | Reserve ratios, delinquency rates, operating ratios, fund balances |
| Governance | 25% | Governance risk coefficients, board attestation status, quorum compliance |
| Vendor Risk | 15% | Certificate of insurance status, license validity, compliance rates |
| Enforcement Integrity | 15% | Enforcement block rates, SLA breach rates, override frequency |
| Payment Behavior | 15% | Collection rates, dispute incidence, prevented loss ratios |
Weights are stored in a versioned ScoreMethodology record. Only one methodology version is ACTIVE at any time. When weights change, a new version is created and the previous version is marked DEPRECATED. Historical scores always reference the methodology version that was active at computation time.
Financial Health (30%)
The largest component. Derived from signals that are already computed and stored by the platform's accounting engine:
| Signal | Source | Interpretation |
|---|---|---|
| Financial health score | HOARiskSignal model | Inverted (100 - risk_score). Higher = healthier |
| Reserve ratio | Fund model | Current reserve balance / annual operating budget |
| Delinquency rate | AR aging service | Percentage of assessments past due |
| Operating ratio | Budget/actual comparison | Operating expenses / operating revenue |
Sub-signal weights within this component: reserve adequacy (40%), delinquency rate (35%), operating ratio (25%).
Governance (25%)
Captures the quality of board oversight and governance processes:
| Signal | Source | Interpretation |
|---|---|---|
| Governance risk coefficient | GovernanceRiskSnapshot | Scaled 0-1 to 0-100. Lower coefficient = better governance |
| Governance score | HOARiskSignal model | Direct governance quality indicator |
| Board attestation status | GovernanceAttestation model | Current attestation = full credit |
| Quorum compliance rate | Board meeting records | Percentage of meetings meeting quorum threshold |
Vendor Risk (15%)
Measures the compliance posture of the HOA's vendor ecosystem:
| Signal | Source | Interpretation |
|---|---|---|
| Average vendor compliance rate | VENDOR_COMPLIANCE signal group | 9 individual compliance signals aggregated |
| Expired COI count | Vendor compliance monitoring | Fewer expired certificates = higher score |
| License validity rate | BuildRated contractor data | Percentage of vendors with current licenses |
Enforcement Integrity (15%)
Derived from the platform's own enforcement telemetry. This component measures how well the HOA's financial controls are operating:
| Signal | Source | Interpretation |
|---|---|---|
| Block-to-total ratio | EnforcementDecision telemetry | Very low (0%) or very high (>20%) is concerning. 1-10% indicates healthy controls |
| SLA breach rate | Escalation service data | Lower = better responsiveness |
| Override frequency | AuditOverride records | Lower = fewer manual bypasses of controls |
This component has a non-linear relationship: a 0% block rate may indicate controls are not active, while a very high rate may indicate operational dysfunction. The scoring function assigns the highest scores to the 1-10% range.
Payment Behavior (15%)
Captures the HOA's payment patterns and dispute history:
| Signal | Source | Interpretation |
|---|---|---|
| Prevented loss ratio | PreventedLossSnapshot | Lower prevented loss relative to transaction volume = better |
| Collection rate | Payment receipt data | Higher collection rates = better |
| Dispute incidence rate | Payment dispute tracking | Lower dispute rates = better |
Grade Thresholds
CARI Scores are mapped to letter grades using published thresholds:
| Grade | Minimum Score | Interpretation |
|---|---|---|
| A+ | 97 | Exceptional across all components |
| A | 93 | Strong performance, minor areas for improvement |
| A- | 90 | Solid performance |
| B+ | 87 | Good with some notable areas for attention |
| B | 83 | Good baseline |
| B- | 80 | Adequate with clear improvement opportunities |
| C+ | 77 | Below average, specific concerns present |
| C | 73 | Below average |
| C- | 70 | Marginal |
| D | 60 | Significant concerns across multiple components |
| F | Below 60 | Critical deficiencies |
Grade thresholds are defined in the active ScoreMethodology record and versioned alongside weights.
Confidence and Data Completeness
Every CARI Score includes a confidence assessment that reflects how much source data was available at computation time.
| Confidence Level | Data Completeness | Meaning |
|---|---|---|
| HIGH | 80% or more of signals available | The score is well-supported. All major components have strong data coverage |
| MEDIUM | 50-79% of signals available | The score is directionally reliable but some components have limited data |
| LOW | Below 50% of signals available | The score should be interpreted with caution. Significant data gaps exist |
Data completeness is calculated as signals_available / signals_total * 100, where signals_total is the count of all signals defined in the active methodology and signals_available is the count of signals that returned non-null values for the HOA being scored.
A LOW confidence score is still a valid score — it reflects what is observable. The confidence tier tells the consumer how much evidence supports the number.
Consent Architecture
CARI enforces a strict consent model. No score data is accessible to any third party without an active consent record from the HOA.
Consent Model
The HOA controls who can access its CARI data. Consent is granted by an authorized HOA representative and recorded as an OracleConsent record.
Three consent scopes exist:
| Consent Type | Scope | Use Case |
|---|---|---|
| ALL_SUBSCRIBERS | Any authorized subscriber | HOA opts into the index broadly |
| SPECIFIC_SUBSCRIBER | Named subscriber only | HOA authorizes a specific lender or insurer |
| SUBSCRIBER_TYPE | All subscribers of a given type | HOA authorizes all lenders, or all title companies |
Each consent record specifies: - Permissions: What actions are authorized (score:read, report:lender, report:title, monitor) - Expiration: Optional expiry date after which consent automatically lapses - Revocation: HOA can revoke consent at any time. Revocation is immediate and retroactive — no new queries are served
Consent Enforcement
Every API request that accesses HOA data passes through a consent check. The check verifies: 1. An active (non-expired, non-revoked) consent record exists for this HOA 2. The consent covers the requesting subscriber (by identity, type, or ALL) 3. The consent includes the required permission for the requested operation
If any check fails, the request is rejected with a 403 Forbidden response. The rejection is logged but no score data is included in the response.
API Authentication
Third-party access to CARI data uses API key authentication designed for machine-to-machine integration.
Key Lifecycle
- Creation: A raw API key is generated using
secrets.token_urlsafe(32)with the prefixoracle_key_. The full key is shown to the subscriber once at creation - Storage: Only the SHA-256 hash of the key is stored. The raw key cannot be recovered
- Authentication: On each request, the key is hashed and compared against stored hashes. Lookup uses the 12-character prefix for efficiency, then verifies the full hash
- Expiration: Keys can have optional expiration dates. Expired keys are rejected at authentication time
- Revocation: Keys can be revoked with a documented reason. Revocation is immediate
Scoped Permissions
Each API key carries a set of scoped permissions:
| Scope | Grants |
|---|---|
| score:read | Read CARI scores, history, and component breakdowns |
| report:generate | Generate CARI reports (lender, insurer, title, buyer) |
| monitor:subscribe | Create and manage score change monitors |
| webhook:manage | Register and manage webhook endpoints |
A key without score:read cannot retrieve scores. A key without report:generate cannot request reports. Permissions are checked on every request after authentication.
Rate Limiting
Rate limits are tier-based:
| Tier | Daily Limit | Intended Use |
|---|---|---|
| Basic | 100 requests/day | Evaluation, small portfolios |
| Professional | 1,000 requests/day | Active integration, medium portfolios |
| Enterprise | 10,000 requests/day | High-volume integration, monitoring |
Individual API keys can override the tier default with a custom daily limit. Rate limit state is tracked per-subscriber and enforced via middleware.
Webhook Security
Subscribers can register webhook endpoints to receive real-time notifications when monitored HOA scores change. Webhook payloads are signed for integrity verification.
Signing Scheme
Every webhook delivery includes two headers:
| Header | Value |
|---|---|
| X-CARI-Signature | sha256={hmac_hex_digest} |
| X-CARI-Timestamp | Unix timestamp (seconds) |
The HMAC-SHA256 signature is computed over the string {timestamp}.{payload_json} using the subscriber's webhook secret as the key. Recipients should:
- Extract the timestamp from the header
- Construct the signed message:
{timestamp}.{raw_body} - Compute HMAC-SHA256 with their stored secret
- Compare the computed signature to the header value
- Reject if the timestamp is more than 5 minutes old (replay protection)
Delivery Guarantees
Webhook deliveries use exponential backoff with 5 retry attempts:
| Attempt | Delay |
|---|---|
| 1 | Immediate |
| 2 | 1 minute |
| 3 | 5 minutes |
| 4 | 30 minutes |
| 5 | 2 hours |
After 5 failed attempts, the delivery is moved to DEAD_LETTER status. After 10 consecutive failures across any deliveries, the endpoint is automatically marked FAILING and delivery is paused until the subscriber re-enables it.
Score Immutability
CARI Scores are immutable after computation. The OracleScore model rejects any attempt to update an existing record. New scores do not replace old scores — they are appended to the time series.
Deterministic Hashing
Every score includes a calculation_hash — a SHA-256 digest computed from canonical JSON serialization of:
- HOA identifier
- As-of date
- Methodology version
- All signal values (sorted by key)
- All weights (sorted by key)
Canonical JSON uses sorted keys, minimal separators, and UTF-8 encoding. Given the same inputs and the same methodology version, the same hash is always produced. This allows independent verification that a score was computed correctly.
Version Chain
Each CARI Score references its previous_score (the most recent prior score for the same HOA). This creates an append-only chain that enables:
- Score delta computation (current vs. previous)
- Grade change detection
- Historical trend analysis without relying on query ordering
Audit Trail
Every score computation records:
- All signal values at computation time (signals_snapshot)
- The methodology version and weights used (weights_snapshot)
- Per-component calculation details (component_details)
- Computation timing (computation_ms)
- What triggered the computation (triggered_by: scheduled, enforcement_event, manual, api_request, signal_change)
This snapshot is frozen at computation time. Even if the underlying data changes later, the score's evidence is preserved exactly as it was when the score was computed.
CARI Reports
Four report types provide context-appropriate views of CARI data for different institutional consumers. All reports are generated as InstitutionalPackets using BaseAttestationService, which provides:
- Canonical JSON serialization with deterministic SHA-256 content hashing
- Version chain management (each report references its predecessor's hash)
- Full audit trail via PacketEvent records
- PDF rendering
| Report | Audience | Key Content |
|---|---|---|
| CARI Lender Report (OLR) | Mortgage underwriters | Score, financial health detail, delinquency analysis, reserve adequacy, governance summary |
| CARI Insurer Report (OIR) | D&O insurance pricing | Score, governance coefficient, prevented loss history, exclusion history, claims-relevant signals |
| CARI Title Report (OTR) | Escrow/title companies | Score, unit-level status, special assessments, litigation flags, ownership transfer readiness |
| CARI Buyer Report (OBR) | Homebuyers | Simplified score and grade, key health indicators, peer comparison, plain-language risk summary |
Each report type extends BaseAttestationService and implements its own evidence snapshot builder and scope determination logic. Reports inherit the same immutability and hash verification guarantees as all institutional packets.
Scheduled Operations
Three automated tasks maintain the CARI system:
| Task | Schedule | Purpose |
|---|---|---|
| Nightly score computation | 3:00 AM daily | Compute fresh scores for all active HOAs with consent |
| Failed webhook retry | Every 15 minutes | Retry PENDING webhook deliveries with elapsed retry delays |
| Daily usage aggregation | 1:00 AM daily | Aggregate per-subscriber API usage for billing and analytics |
How CommunityPay Enforces This
- Every CARI Score is computed from attested system-of-record data — no surveys, no self-reporting, no manual inputs
- Scores are immutable after computation. Same inputs + same methodology version = same score + same SHA-256 hash
- No score is accessible without an active OracleConsent record from the HOA — consent is verified on every API request
- Component weights and grade thresholds are published in versioned ScoreMethodology records. Historical scores always reference the methodology version used
- All API access is authenticated via hashed API keys with scoped permissions and tier-based rate limits
- Webhook payloads are signed with HMAC-SHA256 and include timestamps for replay protection