Seventy percent of certificates of insurance (COIs) submitted by vendors are non-compliant at first submission. That number isn't primarily about bad-faith vendors - it's about systematic mistakes in how organizations manage the COI process. The same five errors appear repeatedly across industries.
Here they are, with the consequence of each and the fix.
Mistake 1: Treating Collection as Compliance
What it looks like: The team requests COIs, vendors send them, the files are saved, the box is checked. No one verifies whether the submitted COI actually meets the contract requirements.
The consequence: You have a filing cabinet of COIs that may or may not be compliant. You don't know which vendors have adequate limits, which are missing required endorsements, or which submitted certificates for the wrong entity. When an incident occurs, you discover the gap under litigation pressure.
The fix: Compliance requires comparison. For every COI received, check it against the specific requirements in the contract with that vendor: coverage types, minimum limits, required endorsements, correct named insured, and non-expired dates. Collection is step one. Verification is step two. Both are required.
If you don't have a documented set of requirements for each vendor category that you're actively comparing COIs against, you're collecting, not complying.
Mistake 2: Using One Standard Checklist for All Vendors
What it looks like: The organization has a single COI requirements template that goes to every vendor: $1M GL, workers' comp at statutory limits, $1M auto. Every vendor gets the same requirements regardless of what they do.
The consequence: High-risk vendors (construction, hazmat handling, professional services) are underinsured relative to their actual risk. Lower-risk vendors may be required to carry more than necessary, creating friction in vendor relationships without risk benefit. Requirements that don't match the contract terms are unenforceable.
The fix: Tier your vendors by risk category and set requirements accordingly. A janitorial vendor and a structural engineering firm require different coverage types and limits. Common tiers:
- Tier 1 (Low risk): Standard GL, workers' comp, auto
- Tier 2 (Moderate risk): Higher limits, professional liability, umbrella
- Tier 3 (High risk): Maximum limits, completed operations, professional liability, umbrella/excess, possibly pollution or other specialty coverage
Requirements should be set by your risk manager or legal counsel based on contract type, work scope, and historical loss experience.
Mistake 3: Not Requesting Endorsements
What it looks like: The COI shows the additional insured box is checked. The team accepts this as confirmation. No one requests the actual endorsement forms from the policy.
The consequence: The checkbox on an ACORD 25 is informational. It doesn't guarantee the endorsement exists, doesn't confirm which endorsement form was used, and doesn't verify the language matches your contract requirements. In a claim, the carrier pulls the policy. If the endorsement doesn't exist or doesn't say what you needed it to say, you may not have coverage.
The fix: For your highest-risk vendor relationships, require production of the actual endorsement forms as part of COI submission. Specifically:
- CG 20 10 and CG 20 37 for additional insured (GL, ongoing and completed operations)
- WC 04 03 A (or equivalent) for waiver of subrogation on workers' comp
- Endorsement confirming primary and non-contributory status
For lower-risk vendors, verify the description of operations field on the ACORD 25 references the endorsement specifically, and request the actual forms when there's any ambiguity.
Mistake 4: Ignoring Renewals
What it looks like: The initial COI is verified and filed. When the policy expires six or twelve months later, no one notices. The vendor continues working. The file contains an expired certificate.
The consequence: During the gap between policy expiration and renewal COI receipt, the vendor is effectively uninsured from your perspective. If an incident occurs during that window, you cannot demonstrate the vendor had coverage. And they may actually not have had coverage - a policy can lapse if the vendor does not proactively renew it.
The fix: Track every policy expiration date actively. At 60 days before expiration, send a renewal request to the vendor. At 30 days, follow up if no response. If no compliant renewal COI is on file by the expiration date, work should pause until compliance is restored.
Manual tracking works for small vendor pools. For 50+ vendors, automated expiration monitoring is the only reliable approach.
Mistake 5: Not Documenting Non-Compliance and Cure
What it looks like: A vendor submits a non-compliant COI. Someone calls them or sends a casual email. The vendor eventually sends a corrected certificate. There's no formal record of the deficiency, the request for correction, or the timeline.
The consequence: If a loss occurs during the non-compliance window - or if your program is later audited - you have no documentation that you identified and addressed the deficiency. From an audit or litigation standpoint, you may as well have never checked.
The fix: Every non-compliance event requires a paper trail:
- Written deficiency notice specifying the exact gaps
- Cure period with a defined deadline (5-10 business days)
- Work-hold decision if work is in progress
- Documentation of the vendor's response
- Verification and sign-off when a compliant COI is received
This documentation protects you in litigation, satisfies auditors, and creates accountability that improves vendor response rates.
The Five Mistakes at a Glance
All five of these mistakes are addressable with the right process and tooling. Bramble automates the comparison, flags deficiencies, tracks renewals, and documents every step.