CommunityPay monitors vendor compliance continuously through the BuildRated vendor intelligence layer. This page describes the compliance monitoring infrastructure, the VECR attestation artifact, and how vendor compliance data integrates with the enforcement system.
Compliance Monitoring Architecture
Data Sources
BuildRated aggregates vendor data from two categories:
Public data (ingested from external sources):
- State licensing databases (e.g., Washington L&I)
- Business registrations
- Court records and litigation history
- Bond verification services
- Insurance verification services
Proprietary data (from CommunityPay operations):
- Payment history (amounts, frequency, timing)
- On-time payment rate
- Dispute rate
- HOA relationship quality
- Work order completion patterns
Daily Compliance Check
The compliance monitor runs daily as a scheduled task. For every vendor linked to a BuildRated contractor profile, it evaluates:
| Credential | What It Checks |
|---|---|
| COI (Certificate of Insurance) | Coverage active, expiration date, carrier |
| License | Status (active, suspended, expired), expiration date, class |
| Bond | Amount adequacy, carrier, expiration date |
| W9 | On file, name match, TIN verification |
Alert Generation
When a credential approaches or reaches expiration, the monitor generates compliance alerts:
| Alert Type | Trigger Condition | Severity |
|---|---|---|
| COI_EXPIRING | COI expires within 30 days | MEDIUM |
| COI_EXPIRED | COI past expiration date | HIGH |
| LICENSE_EXPIRING | License expires within 30 days | MEDIUM |
| LICENSE_EXPIRED | License past expiration date | HIGH |
| LICENSE_SUSPENDED | License status changed to suspended | CRITICAL |
| BOND_EXPIRING | Bond expires within 30 days | MEDIUM |
| BOND_LAPSED | Bond past expiration date | HIGH |
| DEBARMENT_DETECTED | Vendor appears on debarment list | CRITICAL |
| TAX_DEBT_FLAG | Vendor has outstanding tax liens | HIGH |
Alerts are classified by severity and routed to the appropriate parties. CRITICAL alerts may activate exclusion triggers (described in Risk Triggers & Exclusion Enforcement), which block payments to the vendor until the issue is resolved.
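The alert table above can be exercised as a small rule evaluator. This is an added example, not CommunityPay or BuildRated code; the vendor record field names are hypothetical, and it assumes a credential expiring today still counts as "expiring" and that a missing expiration date is handled elsewhere.

```python
from datetime import date

WARN_DAYS = 30  # lead time taken from the alert table

# credential key -> (alert while expiring, alert once past expiration)
EXPIRY_ALERTS = {
    "coi": ("COI_EXPIRING", "COI_EXPIRED"),
    "license": ("LICENSE_EXPIRING", "LICENSE_EXPIRED"),
    "bond": ("BOND_EXPIRING", "BOND_LAPSED"),
}
SEVERITY_ORDER = ["MEDIUM", "HIGH", "CRITICAL"]


def evaluate_vendor(vendor, today):
    """Return a list of (alert_type, severity) for one vendor record."""
    alerts = []
    for key, (expiring, expired) in EXPIRY_ALERTS.items():
        expires = vendor.get(f"{key}_expires")  # hypothetical field name
        if expires is None:
            continue  # assumption: absent dates are reported by another check
        days_left = (expires - today).days
        if days_left < 0:
            alerts.append((expired, "HIGH"))
        elif days_left <= WARN_DAYS:
            alerts.append((expiring, "MEDIUM"))
    # Status-driven alerts are independent of the date checks.
    if vendor.get("license_status") == "suspended":
        alerts.append(("LICENSE_SUSPENDED", "CRITICAL"))
    if vendor.get("debarred"):
        alerts.append(("DEBARMENT_DETECTED", "CRITICAL"))
    if vendor.get("tax_liens"):
        alerts.append(("TAX_DEBT_FLAG", "HIGH"))
    return alerts


def highest_severity(alerts):
    """Worst severity in the list, or None when there are no alerts."""
    return max((sev for _, sev in alerts), key=SEVERITY_ORDER.index, default=None)


# Constructed sample record (not real vendor data).
TODAY = date(2025, 3, 1)
VENDOR = {
    "coi_expires": date(2025, 3, 31),      # exactly 30 days out: boundary case
    "license_expires": date(2025, 2, 28),  # one day past expiration
    "license_status": "suspended",
    "bond_expires": date(2025, 4, 1),      # 31 days out: no alert yet
    "debarred": False,
    "tax_liens": True,
}

if __name__ == "__main__":
    print(evaluate_vendor(VENDOR, TODAY), highest_severity(evaluate_vendor(VENDOR, TODAY)))
```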
The VECR Artifact
The Vendor Eligibility & Compliance Record (VECR) is an institutional-grade attestation of a vendor's compliance posture. It is designed for consumption by escrow officers, CPAs, and underwriters.
VECR Sections
Each VECR contains five evidence sections:
1. Credential Status
Current status of all four tracked credentials, with dates and verification details:
| Credential | Status Values |
|---|---|
| COI | CURRENT, EXPIRING_SOON, EXPIRED, NOT_ON_FILE |
| License | ACTIVE, SUSPENDED, EXPIRED, NOT_REQUIRED |
| Bond | CURRENT, EXPIRING_SOON, LAPSED, NOT_REQUIRED |
| W9 | ON_FILE, MISSING, EXPIRED |
2. Compliance History
Longitudinal compliance data over the trailing 12 months:
- Continuity score: Percentage of days with all credentials current
- Gap count: Number of distinct coverage gaps
- Compliance rate: Percentage of months fully compliant
- Most recent gap: Date and duration of most recent coverage lapse
3. Performance Metrics
Transaction-level data from CommunityPay payment history:
- Total payment volume (amount and count)
- On-time payment rate
- Dispute rate
- Average payment amount
- Payment frequency
4. Violation Summary
Risk-relevant violation and enforcement data:
- Debarment status
- Contractor strikes
- Tax debt flags
- Safety violations
- Lawsuit history
- Number and severity of risk flags
5. Eligibility Determination
The VECR concludes with an eligibility determination:
| Status | Condition |
|---|---|
| ELIGIBLE | All credentials current, no violations, adequate compliance history |
| CONDITIONAL | Minor issues present — expiring credentials, recent gap, or low compliance rate |
| INELIGIBLE | Debarment, active strikes, or critical violations |
| REVIEW_REQUIRED | Insufficient data or anomalies requiring human evaluation |
Content Hash
The VECR evidence snapshot is hashed with SHA-256 using canonical JSON serialization. The hash covers all five sections. Any modification to any section would produce a different hash, making the VECR tamper-evident.
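A sketch of the content hash described above, as an added example rather than CommunityPay's implementation. The page does not define its canonical form, so sorted keys, compact separators and UTF-8 are assumed here, and the section key names and sample values are constructed.

```python
import hashlib
import hmac
import json

SECTIONS = ("credential_status", "compliance_history", "performance_metrics",
            "violation_summary", "eligibility_determination")  # assumed key names


def _reject_floats(value, path="$"):
    """Floats serialize differently across libraries; refuse them up front."""
    if isinstance(value, float):
        raise TypeError(f"float at {path}: encode as integer or string")
    if isinstance(value, dict):
        for k, v in value.items():
            _reject_floats(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _reject_floats(v, f"{path}[{i}]")


def canonical_bytes(snapshot):
    """Assumed canonical form: sorted keys, no extra whitespace, UTF-8."""
    missing = [s for s in SECTIONS if s not in snapshot]
    if missing:
        raise ValueError(f"snapshot missing sections: {missing}")
    _reject_floats(snapshot)
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")


def content_hash(snapshot):
    return hashlib.sha256(canonical_bytes(snapshot)).hexdigest()


def verify(snapshot, expected_hex):
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(content_hash(snapshot), expected_hex)


# Constructed sample snapshot; rates are stored as integer basis points.
SAMPLE = {
    "credential_status": {"COI": "CURRENT", "License": "ACTIVE",
                          "Bond": "CURRENT", "W9": "ON_FILE"},
    "compliance_history": {"continuity_score_bp": 9750, "gap_count": 1},
    "performance_metrics": {"payment_count": 42, "on_time_rate_bp": 9800},
    "violation_summary": {"debarment": False, "risk_flags": 0},
    "eligibility_determination": {"status": "ELIGIBLE"},
}

if __name__ == "__main__":
    print(content_hash(SAMPLE))
```

A bare SHA-256 digest shows modification only when the reference digest is kept where someone able to edit the record cannot also rewrite the digest.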
Integration with Enforcement
Vendor compliance data feeds into the enforcement system at two integration points:
1. Guard-Level Integration
The BillPaymentGuard (GUARD_007) queries vendor compliance status during payment evaluation. If a vendor has expired credentials or active compliance alerts, the guard can:
- Block the payment (if the vendor has an active BLOCK exclusion)
- Flag the payment for review (if compliance is conditional)
- Allow with warning (if minor issues are detected)
2. Exclusion Trigger Integration
Vendor compliance signals feed into exclusion triggers. For example, the VENDOR_COI_EXPIRED trigger creates a BLOCK_PAYMENT exclusion when a vendor's insurance lapses. This exclusion persists until the vendor provides updated insurance documentation.
3. FADR Integration
When a FADR (Funds Authorization & Disbursement Record) is generated for a payment, it includes the vendor's compliance status at payment time. This creates a permanent record of the vendor's credential posture when the payment was authorized — not the current status, but the historical status at decision time.
BuildRated Score
The BuildRated score is a composite quality metric (0-100) computed from 18 signal categories:
| Category Group | Signals |
|---|---|
| Licensing | Status, expiry, class, specialty match |
| Insurance | Coverage, carrier quality, verification recency |
| Bonding | Amount adequacy, carrier, expiry |
| Violations | Count, severity, recency, debarment |
| Payments | On-time rate, volume, dispute rate |
| Relationships | HOA trust network, repeat usage, tenure |
The score is evidence-based: it reflects verified data, not self-reported claims or consumer reviews. The BuildRated platform explicitly does not use purchased testimonials, fake reviews, or consumer opinion data.
What This System Proves
The vendor compliance monitoring system provides continuous, auditable evidence that:
- Vendor credentials are monitored systematically — not checked once at onboarding and forgotten
- Expiration is detected proactively — alerts are generated before credentials lapse, not after
- Payment decisions consider compliance — vendor status is evaluated at payment time and recorded in the evidence chain
- Compliance history is preserved — the VECR captures longitudinal data, not just point-in-time status
- Eligibility determinations are reproducible — the same inputs always produce the same eligibility status
CARI Integration
Vendor compliance signals measured here — COI status, license verification, bond coverage, and W-9 completion — feed directly into the CARI Vendor Risk sub-score, which carries a 15% weight in the composite CARI score. The aggregate compliance rate across an HOA's entire vendor portfolio is a key signal: associations that maintain current credentials across all active vendors score higher than those with compliance gaps. VECR eligibility determinations are computed from the same underlying data used for CARI Vendor Risk evaluation.
For published methodology and component weights, see CARI Methodology and Scoring Framework.
How CommunityPay Enforces This
- Daily compliance monitor evaluates all linked vendor credentials: COI, license, bond, W9
- Expiration alerts generated at configurable lead times (30-day, 14-day, expired)
- VECR attestation computes SHA-256 content hash across all credential and performance sections
- Four eligibility determinations: ELIGIBLE, CONDITIONAL, INELIGIBLE, REVIEW_REQUIRED
- Vendor compliance signals feed directly into L5 enforcement guards for payment decisions
- Payment sync captures on-time rates and dispute rates from actual CommunityPay transactions