
What to Do When a Vendor Submits a Non-Compliant COI

Bramble · March 23, 2026

When a vendor submits a COI that doesn't meet your requirements, you have a specific set of actions to take - and a specific set of things to avoid. How you handle non-compliance is as important as catching it, both for your risk exposure and for the documentation that protects you if things go wrong.

Given that 70% of COIs are non-compliant at first submission, this isn't an edge case. It's the standard workflow.

Step 1: Document the Specific Deficiency

Before contacting the vendor, document exactly what's wrong. Vague non-compliance is hard to cure. Specific deficiency documentation drives faster resolution and creates the paper trail you need.

A deficiency record should include:

  • Vendor name and contract reference
  • Date the COI was received
  • Each specific gap: what was required, what was submitted, and where the discrepancy is

Examples of specific deficiency language:

  • "GL per occurrence limit is $500,000. Contract requires $1,000,000 minimum."
  • "Additional insured endorsement checkbox marked but no description of operations language confirming AI status."
  • "Workers' compensation coverage not present. Contract requires statutory workers' comp for all employees."
  • "Named insured is 'Smith Electric Co.' Contract is with 'Smith Electrical Services LLC.' Entity does not match."

Vague feedback ("your COI isn't right") leads to vendors sending the same COI again. Specific feedback leads to vendors going to their agent with a list of corrections.

Step 2: Send a Written Deficiency Notice

Once you've documented the gaps, send a written notice to the vendor that:

  • Identifies the deficiency or deficiencies specifically
  • References the contract requirement for each
  • Specifies the cure deadline (5-10 business days is standard)
  • States clearly that work cannot begin or continue until compliance is confirmed

The written notice is critical. A phone call isn't documentation. An email is. A formal deficiency letter through your compliance system is better. The goal is a timestamped record that you identified the problem, communicated it specifically, and gave the vendor a reasonable opportunity to correct it.

Step 3: Make a Work-Hold Decision

If the vendor is already performing work under the contract, the non-compliant COI creates a decision point. Options:

Hold work: Stop work until compliance is restored. This is the cleanest risk management position. An uninsured vendor working on your premises or performing work on your behalf transfers their liability to you.

Conditional continuation: Allow work to continue with documented exception approval and a hard deadline for cure. Appropriate when the deficiency is minor (e.g., limit is $900K instead of $1M) and stopping work would cause disproportionate disruption. Requires documented risk acceptance by the appropriate authority.

Hold payment: Some contracts include provisions to withhold payment to non-compliant vendors. This is an effective lever when work cannot practically stop.

The decision must be documented regardless of which path you choose. An undocumented decision to allow work to continue with a non-compliant vendor is difficult to defend.

Step 4: Track the Cure

Mark the cure deadline in your tracking system. Follow up with the vendor before the deadline if they haven't responded. A second reminder at the midpoint of the cure window (e.g., day 4 or 5 of a 10-day cure period) prevents deadline surprises.

When the vendor submits a corrected COI, verify it against the original deficiency list. Confirm every identified gap has been addressed. Don't assume - check.

Step 5: Document Resolution

When a compliant COI is received, document:

  • Date of receipt
  • Who verified compliance
  • Confirmation that all deficiencies were resolved
  • Any residual exceptions that were formally accepted

This closes the loop on the non-compliance event and creates the audit trail that demonstrates your program was functioning.

When to Accept a Waiver

Sometimes a vendor genuinely cannot meet a specific requirement - a small subcontractor who can't obtain a $5M umbrella for a short-duration project, for example. In these cases, a formal exception or waiver process is appropriate:

  • Document the specific requirement that cannot be met
  • Have a risk manager or appropriate authority review and approve the exception
  • Define whether compensating measures are required (e.g., your own wrap coverage, indemnification language, reduced scope)
  • Set a time limit on the exception if the situation may change

An exception approved and documented is defensible. An exception that just sort of happened because no one followed up is not.

What NOT to Do

Don't silently accept the non-compliant COI. Filing a COI you know doesn't meet requirements without any documentation of the deficiency is worse than not verifying at all. You've demonstrated awareness of the gap and chosen to proceed without addressing it.

Don't rely on verbal assurances. "Don't worry, we have the coverage" is not documentation. "Our agent says the endorsement is there" is not verification. Written records are required.

Don't delay follow-up. Deficiencies that aren't addressed promptly tend to stay unresolved. The vendor forgets, priorities shift, and you end up with a non-compliant vendor working indefinitely under an expired or deficient certificate.

Bramble automates deficiency identification, sends formal deficiency notices, and tracks cure status - so non-compliance is handled systematically, not informally.