A certificate of insurance is one of the most commonly requested documents in business - and one of the most misunderstood. Organizations collect thousands of them every year, file them in spreadsheets or compliance systems, and consider the job done.
The job is not done.
A COI is a summary document. It tells you what coverage a vendor or contractor reportedly has. It does not guarantee that coverage is adequate for your contract, that you're properly protected, or even that the policy hasn't already been cancelled.
This guide explains exactly what a certificate of insurance is, what it proves, what it doesn't, and what you actually need to do to verify compliance.
What Is a Certificate of Insurance?
A certificate of insurance (COI) is a standardized one- or two-page document that summarizes the key terms of an insurance policy. It's issued by an insurance agent or broker on behalf of the policyholder, typically in response to a request from a client, landlord, property manager, general contractor, or other party requiring proof of coverage.
The most common format is the ACORD 25 form - a standardized template used throughout North America. Most COIs you'll encounter follow this format.
A COI typically shows:
- The name and address of the insured (the policyholder)
- The insurance company providing each type of coverage
- Policy numbers
- Policy effective and expiration dates
- Types of coverage (general liability, auto, workers' comp, umbrella, etc.)
- Coverage limits (per occurrence, aggregate, etc.)
- The certificate holder (you - the party requesting the COI)
- Any remarks or special conditions
- The agent or broker who issued the certificate
What a COI Does NOT Prove
This is where most businesses get into trouble.
A certificate of insurance is not a legal guarantee of coverage. The ACORD 25 form itself includes a disclaimer at the top: "This certificate is issued as a matter of information only and confers no rights upon the certificate holder."
A COI does not:
- Confirm you are listed as an additional insured. Being named as certificate holder is not the same as being an additional insured. Additional insured status requires a separate endorsement on the policy.
- Guarantee the policy hasn't been cancelled or modified since issuance. A COI shows a snapshot of coverage at a point in time.
- Confirm that coverage limits match your requirements. The COI may show $1M in general liability while your contract requires $2M.
- Verify the policy terms match what's shown. An agent can issue a COI showing limits or endorsements that don't actually exist on the underlying policy.
- Establish that the named insured matches your contract. If your contract is with ABC LLC and the COI names ABC Inc., the coverage may not apply.
How to Read an ACORD 25 Certificate of Insurance
Understanding the key fields on an ACORD 25 form:
| Field | What to Look For |
|---|---|
| Insured | Must match the legal entity in your contract exactly |
| Insurer | Check financial stability (A.M. Best rating recommended) |
| General Liability - Each Occurrence | Compare to per-occurrence limit in your contract |
| General Liability - General Aggregate | Separate from per-occurrence; often higher |
| Workers' Comp | Look for statutory limits; required in most contracts |
| Auto Liability | Required if vendor operates vehicles on your property |
| Umbrella/Excess | Must meet any umbrella requirement in your contract |
| Policy Dates | Coverage must be active through your contract term |
| Certificate Holder | Your organization's name and address |
| Additional Insured | Look for "Y" or "X" checkbox AND verify via endorsement |
| Waiver of Subrogation | Must be checked AND confirmed via endorsement |
| Description of Operations | Read carefully - may contain project-specific limitations |
The Endorsement Problem
The checkboxes on an ACORD 25 for "Additional Insured" and "Waiver of Subrogation" are frequently misunderstood. Checking these boxes on the COI is not the same as having the endorsements on the policy.
The proper process:
- The certificate shows a checkbox indicating additional insured status
- You request the actual endorsement form - typically an ACORD 20, CG 20 10, CG 20 37, or insurer-specific form
- The endorsement must name your organization specifically, or be a blanket additional insured endorsement that covers your situation
- The endorsement must be dated and attached to the active policy
Many organizations never request the endorsements and never discover they weren't actually protected.
- Was a COI received?
- Is the certificate expired?
- Is there a GL policy listed?
- Is the certificate holder correct?
- GL limits vs. contract-required limits
- Additional insured endorsement missing
- Named insured entity mismatch
- Waiver of subrogation not confirmed
- Umbrella shortfall vs. contract threshold
Why Contract Requirements Make This More Complex
Every certificate of insurance needs to be evaluated against the requirements in a specific contract - not a generic checklist.
Your lease requires $3 million in general liability. Your service agreement with the same vendor requires $2 million. Your agreement with a contractor requires $5 million plus pollution liability. These are three different COIs you need to evaluate against three different requirement sets.
This is the core problem with generic "COI compliance" approaches. Checking whether a COI meets your standard template misses the variation in your actual contracts. The only accurate approach is comparing each COI against the specific requirements in the controlling contract - the lease, the service agreement, the subcontract, or the MSA.
Types of Coverage on a COI
Commercial General Liability (CGL)
The most common and most important coverage type. CGL covers bodily injury and property damage caused by the insured's operations. Look for:
- Each occurrence limit - maximum per incident
- General aggregate - maximum across all claims in the policy year
- Products/completed operations aggregate - covers work after completion
- Personal and advertising injury - defamation, copyright infringement
Workers' Compensation
Required in most states for employers. Pays benefits to employees injured on the job. The COI should show statutory limits (the legally required amounts in each state). If a vendor has employees working on your property without workers' comp coverage, you may have exposure as the property owner.
Commercial Auto
Required if the vendor operates vehicles. Look for a combined single limit (CSL) that meets your contract requirements. Hired and non-owned auto coverage extends to vehicles the vendor rents or uses but doesn't own - important for vendors who use employee personal vehicles.
Professional Liability / Errors & Omissions
Required for vendors providing professional services (consultants, architects, engineers, IT service providers). This covers claims arising from professional mistakes. Note: professional liability is usually a claims-made policy, not occurrence - meaning claims must be filed during the policy period.
Umbrella / Excess Liability
Provides additional limits above the underlying policies. If your contract requires $5 million in GL but your vendor's GL only goes to $2 million, an umbrella for the remaining $3 million can satisfy the requirement - if the umbrella is properly written to follow form to the underlying GL.
Common COI Compliance Mistakes
Accepting a COI without checking the contract requirements. Seventy percent of COIs are non-compliant when first received. If you're not comparing to the contract, you're not finding the gaps.
Treating the certificate holder box as additional insured status. They're categorically different. Get the endorsement.
Not monitoring renewals. A COI received at contract signing is only valid until the policy expires. If coverage lapses, you're exposed. Active relationships need active monitoring.
Accepting COIs from the wrong entity. Verify the named insured matches the exact legal entity in your contract.
Missing the aggregate limits trap. A vendor with a $2M per-occurrence / $2M aggregate GL policy may exhaust the aggregate on an earlier claim before yours occurs. The aggregate limit is not always sufficient for the full policy term.
Not checking the retroactive date on claims-made policies. Professional liability and E&O policies on a claims-made basis only cover claims arising from work done after the retroactive date. If a vendor changes insurers and the new retroactive date doesn't cover prior work, you have a gap.
How to Build a Proper COI Verification Process
A compliant COI verification process requires:
Know your contract requirements - don't rely on memory or a generic checklist. Pull the actual insurance requirement language from each contract.
Request and review the COI against those specific requirements - not just "does a COI exist" but "does this COI meet what our contract requires?"
Request and review endorsements for additional insured, waiver of subrogation, and any other endorsement requirements.
Verify the named insured matches the contracting entity - exactly, including LLC vs. Inc. distinctions.
Set expiration reminders - COIs expire. Active relationships need updated certificates before expiration.
Document your review - if a gap is found and a vendor provides a corrected COI, document the original deficiency and the cure.
Reject non-compliant COIs and document the rejection - accepting a non-compliant COI can be used to argue waiver of the contractual requirement.
Frequently Asked Questions
Who is responsible for issuing a COI? The vendor's insurance agent or broker issues the COI. The vendor requests it and directs where it should be sent. The agent certifies that the coverage shown exists at the time of issuance. Neither the vendor nor the agent is legally responsible if the underlying policy doesn't match what's shown - another reason to request actual endorsements for critical requirements.
How long should I keep COIs on file? At minimum, keep COIs for the duration of the contract plus the statute of limitations for contract claims in your jurisdiction - typically 3-6 years after the contract ends. For construction, keep longer due to completed operations tails.
Can I reject a vendor who can't provide adequate COI coverage? Yes, and you should. If a vendor can't meet the insurance requirements in your contract, the risk isn't transferred to them - it stays with you. Requiring adequate coverage before beginning work is the most effective risk transfer mechanism available.
What's the difference between certificate holder and additional insured? A certificate holder is simply notified that the policy exists and may receive notice of cancellation. An additional insured has actual coverage rights under the policy - they can make claims directly. Most contracts require additional insured status, not just certificate holder designation. See our guide on certificate holder vs. additional insured.
Does a COI expire? The COI itself doesn't have an expiration date - but the policies shown on it do. When a policy expires or renews, the certificate is no longer valid for the old policy period. You need an updated COI showing the renewed or new policy.
Collecting COIs isn't compliance. Comparing them against your contracts is. Book a demo to see how Bramble automates contract-to-COI comparison for your entire vendor and tenant portfolio.