Your vendor submits a Certificate of Insurance. Your team logs it as received. The compliance box gets checked.
Three months later, there's an incident on your property. You file a claim - and discover that the COI you accepted showed $1 million in general liability coverage. Your lease required $2 million. The gap is yours to cover.
This scenario plays out every day in commercial real estate, construction, oil and gas, transportation, and virtually every industry that relies on vendors, contractors, or tenants. The problem isn't a lack of COI collection - it's a failure of contract-to-COI comparison.
The Difference Between COI Tracking and COI Compliance
Most organizations treat these as the same thing. They're not.
| COI Tracking | COI Compliance | |
|---|---|---|
| What it does | Collects and stores COI documents | Verifies COI meets contract requirements |
| Source of truth | The COI itself | The underlying contract or lease |
| What it catches | Missing or expired certificates | Coverage gaps, wrong limits, missing endorsements |
| Risk it prevents | "We don't have a COI on file" | "The coverage doesn't match what we required" |
| The hard question | Did they send one? | Does it actually protect us? |
COI tracking solves the first problem. Contract-vs-COI compliance solves the second - and the second is where the real liability lives.
According to industry data, 70% of certificates of insurance are non-compliant when first received. They have the wrong limits, missing endorsements, incorrect named insured designations, or expired policy dates. Most organizations catch none of this because they're comparing the COI against a checklist in someone's head - not against the actual language in the contract.
What Lives in Your Contracts That You're Not Checking
When your organization enters a lease, service agreement, subcontract, or master service agreement, you negotiate specific insurance requirements. These requirements are written into the contract for a reason: to ensure that if something goes wrong, there's adequate coverage to pay for it.
These requirements typically include:
Coverage types required:
- General liability (GL) - the most common and most frequently under-covered
- Professional liability / errors & omissions
- Workers' compensation (statutory limits)
- Commercial auto
- Umbrella / excess liability
- Industry-specific: pollution liability, builders risk, cargo, professional indemnity
Specific limits that must be met:
- Per occurrence vs. aggregate limits
- Separate limits for specific project types
- Minimum umbrella thresholds that often get missed
Endorsement requirements (the most commonly missed):
- Additional insured - your organization must be named, not just "certificate holder"
- Waiver of subrogation - prevents the insurer from coming after you if they pay a claim
- Primary and non-contributory - ensures their coverage pays first before yours
- Notice of cancellation - ensures you're notified before coverage lapses
Policy specifics:
- Occurrence vs. claims-made policies
- Retroactive dates for claims-made policies
- Tail coverage requirements
Every one of these items can be present in a contract and absent - or wrong - on the COI. And unless someone compares the two documents, clause by clause, the gap remains invisible.
- COI received - yes or no
- Certificate expired - yes or no
- Coverage types listed - yes or no
- Generic minimum met - yes or no
- GL limits match contract-specific threshold
- Additional insured endorsement confirmed
- Named insured matches contracting entity
- Waiver of subrogation on file
- Umbrella meets contract-required minimum
- Primary and non-contributory wording verified
Why Manual Comparison Fails at Scale
For organizations managing one or two vendors, manual comparison is painful but possible. For organizations managing dozens, hundreds, or thousands of vendor relationships simultaneously, it's a fiction.
Consider a mid-sized commercial property management company with 200 tenants and 50 vendors. Each year:
- ~250 COIs come in for renewal
- Each COI needs to be compared against the specific lease or service agreement for that relationship
- Each contract has different requirements - you can't use one master checklist
- Some contracts have been modified with amendments
- Insurance requirements may vary by tenant type, lease structure, or property
At industry-standard labor rates, this review process costs $36,400 per year - and that's if it's done correctly. In practice, most organizations either skip the comparison entirely or rely on staff to remember what's in each contract from memory.
The result: average compliance rates of 60-70% for manually managed programs, versus 90%+ for organizations using automated contract-to-COI comparison.
The Three Gaps That Cost Organizations the Most
After analyzing insurance compliance programs across thousands of vendor relationships, the same three gaps appear most frequently:
Gap 1: The Additional Insured Problem
Your contract requires the vendor to name you as an additional insured on their general liability policy. This is not the same as being listed as a certificate holder. An additional insured has actual coverage rights - a certificate holder is just notified that the policy exists.
An ACORD 25 form (the standard COI) lists the certificate holder at the bottom. It does NOT automatically confirm additional insured status. That requires a separate endorsement - typically an ACORD 20 or a specific endorsement form attached to the policy.
Most COI review processes check for the certificate holder. They miss the endorsement.
Gap 2: Limits That Look Correct But Aren't
Your contract requires $5 million in commercial general liability coverage. The COI shows $5 million in the general aggregate. What you needed was $5 million per occurrence.
These are not the same number. The general aggregate is the maximum the policy will pay across all claims in a policy period. The per-occurrence limit caps any single claim. A policy can show a $5M aggregate with a $1M per-occurrence limit - and satisfy neither your actual requirement nor your actual need.
This distinction is frequently misunderstood, and frequently wrong on submitted COIs.
Gap 3: The Wrong Named Insured
Your contract is with ABC Contractors LLC. The COI lists coverage for ABC Contractors Inc. - a different legal entity. If an incident occurs, the LLC may have no coverage under the Inc.'s policy.
This happens constantly with subsidiaries, DBAs, and companies that have changed legal structure. It requires careful comparison against the exact entity named in your contract.
Contract-to-COI Comparison: How It Works
The right approach - and the only approach that actually closes these gaps - is to compare every element of the submitted COI against the specific requirements in the controlling document: the lease, service agreement, subcontract, or MSA.
This means:
Extract requirements from the contract - not a generic checklist, but the actual language: "$2 million per occurrence, $4 million aggregate in commercial general liability; $5 million umbrella; additional insured with primary and non-contributory wording; waiver of subrogation."
Parse the submitted COI - coverage types, limits, policy dates, named insured, endorsements, certificate holder designation.
Compare them directly - does each requirement in the contract have a matching element on the COI? If not, flag it specifically: "Contract requires $2M GL occurrence limit. COI shows $1M per occurrence."
Flag gaps, not just missing documents - the COI exists. The question is whether it matches.
This is what Bramble does. Instead of tracking whether you have a COI, Bramble reads the source contract, extracts the insurance requirements, and compares them against the submitted certificate - clause by clause, line by line.
The Industries Where This Matters Most
Contract-vs-COI gaps create liability in every industry that uses contractors, vendors, or tenants. The stakes are highest where:
- Single incidents are catastrophic - construction, oil & gas, mining, transportation
- Portfolios are large - commercial real estate, franchises, property management
- Regulatory requirements layer on top - healthcare, government procurement
- Contractual complexity is high - MSA-heavy industries like energy, professional services
Commercial real estate and construction tend to have the highest exposure because both involve large physical locations, multiple concurrent contractors, and contracts with detailed insurance requirements that tenants and subcontractors frequently don't meet.
What to Do If You're Still Relying on COI Tracking Alone
If your current process involves collecting COIs and checking boxes without comparing them to contract language, you have gaps. The question is how material they are.
Start here:
Pull five random COIs from active vendors or tenants and compare them against the insurance requirements in the controlling contract. How many match?
Check your additional insured endorsements - not just certificate holder designation, but actual endorsements attached to each policy.
Calculate your coverage gap exposure - what's your organization's liability if one major incident occurs with a vendor who's under-insured relative to their contract?
Assess your review capacity - how many person-hours per week does your team spend on COI review? What would it cost if one compliance gap turned into an uninsured claim?
The answer to those four questions will tell you how urgent the problem is.
Frequently Asked Questions
What's the difference between a COI and a policy? A certificate of insurance (COI) is a summary document - it shows coverage types, limits, and policy dates, but it doesn't create coverage. The actual insurance policy does. If there's a discrepancy between the COI and the policy, the policy controls. COIs can also be issued incorrectly, showing coverage that doesn't actually exist or limits that don't match the underlying policy.
Can a vendor alter a COI to show incorrect information? Yes, and it happens. COIs are generated by agents and brokers, not by insurance companies. There's no universal verification system. A vendor or their agent can issue a COI showing coverage that doesn't match the actual policy. Bramble's approach mitigates this by cross-referencing contract requirements - but for high-stakes relationships, you should also verify coverage directly with the insurer.
What happens if a vendor's COI meets requirements at signing but lapses during the contract term? You're exposed from the moment coverage lapses. Most contracts require vendors to maintain coverage for the duration of the relationship and to provide notice of cancellation. Without automated monitoring, lapses go undetected. Bramble tracks expiration dates and alerts you before coverage lapses.
Is it legally sufficient to just have a COI on file? No. Having a COI on file establishes that coverage was represented at the time of issuance. It doesn't establish that coverage was adequate, ongoing, or that you were properly listed as an additional insured. In litigation, "we had a COI on file" is rarely a sufficient defense if the coverage didn't meet your contractual requirements.
How is Bramble different from other COI tracking software? Most COI software tracks and stores certificates. Bramble reads your contracts, extracts the specific insurance requirements, and compares them against the submitted COI - flagging specific gaps: wrong limits, missing endorsements, wrong entities, inadequate coverage types. It's the difference between "we have a COI" and "the COI matches what the contract requires."
Your contract says $2 million. Their COI says $1 million. Bramble finds it in seconds - before an incident does.
Book a demo at getbramble.com to see contract-to-COI comparison in action.