Vendor & Contractor Insurance Compliance: The Definitive Guide

Bramble·March 23, 2026·11 min read

Every organization that uses vendors, contractors, or tenants faces the same question: how do I know they have the insurance coverage my contracts require?

Most answer this question incorrectly. They collect certificates of insurance, file them somewhere, and assume compliance. What they actually have is a pile of documents - not a compliance program.

This guide covers what genuine vendor insurance compliance looks like, how to build a program that works at scale, and how automation changes what's achievable.

Vendor Compliance Reality Check

  • 70% of vendor COIs are non-compliant on first submission
  • 90%+ compliance rate with automated contract-to-COI comparison
  • $500K+ potential cost of a single uninsured vendor incident

Why Vendor Insurance Compliance Matters

When something goes wrong - a contractor is injured, property is damaged, a professional error causes financial harm - the question is: whose insurance pays?

Your contracts exist to transfer risk. Insurance requirements in your vendor agreements ensure that if a contractor causes an incident, their insurance (not yours) covers the cost. That risk transfer only works if:

  1. The contractor actually has the required coverage
  2. The coverage meets the specific requirements in your contract
  3. You are properly designated as an additional insured
  4. The coverage is active at the time of the incident

All four conditions must be true. A COI on file confirms none of them with certainty. That's why compliance requires verification - comparing the COI against the contract requirements, confirming endorsements, and monitoring ongoing coverage.

The stakes are real. Industry data shows:

  • 70% of COIs are non-compliant when first received - wrong limits, missing endorsements, wrong entities
  • A single uninsured incident can cost $500,000 or more
  • Organizations with manual compliance programs average 60-70% actual compliance
  • Automated compliance programs achieve 90%+ compliance

The Vendor Compliance Gap (diagram):

  • Vendor Contract - specific requirements
  • THE GAP - nobody compares
  • Vendor COI - filed as "received"
  • Dashboard - shows "compliant"

Building a Vendor Insurance Compliance Program

A complete vendor insurance compliance program has six components:

1. Contract-Level Requirement Documentation

Every vendor relationship should have documented insurance requirements - ideally in the contract itself, and replicated in your compliance system.

Requirements vary by:

  • Relationship type - a janitorial contractor has different risk than an electrical subcontractor
  • Work scope - on-site work has different requirements than remote services
  • Industry - oil field contractors need pollution liability; commercial tenants need different limits than residential
  • Contract value - higher-value contracts often warrant higher insurance requirements

Common mistake: using a single standard requirement for all vendors. The right approach is a tiered requirement matrix:

| Vendor Category | GL Per Occurrence | GL Aggregate | Umbrella | Workers' Comp | Auto |
|---|---|---|---|---|---|
| Light services (cleaning, landscaping) | $1M | $2M | $2M | Statutory | $1M if vehicles |
| Skilled trades (electrical, plumbing) | $2M | $4M | $3M | Statutory | $1M if vehicles |
| Construction (GC, major subs) | $2M | $5M | $5M | Statutory | $1M |
| Professional services | $1M | $2M | $2M | Statutory | N/A |
| High-risk (roofing, HVAC, structural) | $2M | $5M | $5M | Statutory | $1M |

Add professional liability requirements for consultants, architects, engineers, and IT vendors. Add pollution liability for environmental work, oil and gas contractors, and transportation.

2. COI Collection Process

A reliable collection process includes:

  • Onboarding trigger - COI collection is initiated as part of vendor onboarding, before work begins
  • Automated requests - templated emails specifying exactly what coverage is required and where to submit
  • Clear submission instructions - vendor knows the format, email address, and deadline
  • Escalation path - if COI isn't received, who follows up and when?

For ongoing vendor relationships: automated renewal requests sent 45-60 days before policy expiration, with follow-up if not received.

3. Verification Against Contract Requirements

This is where most programs fall short. Verification means comparing the COI against the specific requirements in the contract - not a generic checklist.

The verification checklist for each COI:

Coverage types:

  • Required coverage types all present (GL, WC, auto, umbrella, any special types)

Limits:

  • GL per occurrence meets contract requirement
  • GL aggregate meets contract requirement
  • Umbrella/excess meets contract requirement
  • Workers' comp: statutory limits for all applicable states
  • Auto combined single limit meets requirement

Named insured:

  • Named insured matches exact legal entity in your contract

Policy dates:

  • Coverage is active (not expired)
  • Coverage extends through contract term (or auto-renewal commitment)

Endorsements:

  • Additional insured endorsement (not just the checkbox on the certificate - the actual CG 20 10 / CG 20 37 endorsement or equivalent)
  • Waiver of subrogation (applicable policies)
  • Primary and non-contributory wording (if required)
  • Notice of cancellation provision

Policy type:

  • Occurrence vs. claims-made confirmed; retroactive date reviewed if claims-made

Document Filing vs. True Compliance

What most programs do:

  • Collect a COI from each vendor
  • Check it's not expired
  • File it in a folder or spreadsheet
  • Mark vendor as "compliant"
  • 60-70% actual compliance rate

What Bramble does:

  • Reads the contract for each vendor
  • Compares COI against specific requirements
  • Flags exact gaps per vendor
  • Tracks endorsements and renewals
  • 90%+ verified compliance rate

4. Non-Compliance Management

When a COI is non-compliant (and ~70% of first submissions are), you need a defined process:

  1. Document the deficiency specifically - "GL per occurrence $500K; contract requires $1M" - not "COI not adequate"
  2. Notify the vendor with specific instructions for what needs to change
  3. Set a cure timeline - typically 5-10 business days for corrections
  4. Hold work until compliant COI received (or document the decision to proceed with an acknowledged gap)
  5. Accept the corrected COI and document the cure date

Never accept a non-compliant COI without documenting the decision - silence implies acceptance.
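The verification checklist in section 3 and the specific deficiency wording in step 1 above, as an added example in Python (not Bramble's code). The contract tier, the COI values, the coverage names and the endorsement names are constructed for illustration; a real program would populate the two records from the contract exhibit and the parsed certificate.

```python
from dataclasses import dataclass, field
from datetime import date
@dataclass
class ContractRequirement:  # insurance exhibit extracted from one vendor contract
    vendor_entity: str      # exact legal entity named in the contract
    term_start: date
    term_end: date
    minimums: dict          # coverage -> required limit; 0 means "must be present" (statutory WC)
    endorsements: set       # endorsement forms the contract requires
@dataclass
class Certificate:          # fields parsed from a submitted COI
    named_insured: str
    limits: dict            # coverage -> limit shown on the certificate
    expirations: dict       # coverage -> policy expiration date
    endorsements: set       # endorsements actually evidenced, not the ACORD checkbox
    retro_dates: dict = field(default_factory=dict)  # claims-made coverage -> retroactive date
def verify(req: ContractRequirement, coi: Certificate, today: date) -> list[str]:
    gaps = []  # one specific, actionable deficiency per entry; empty list means compliant
    if coi.named_insured != req.vendor_entity:
        gaps.append(f"named insured '{coi.named_insured}' does not match contract entity '{req.vendor_entity}'")
    for cov, minimum in req.minimums.items():
        if cov not in coi.limits:
            gaps.append(f"{cov}: required coverage not shown on COI")
            continue
        if coi.limits[cov] < minimum:
            gaps.append(f"{cov} ${coi.limits[cov]:,}; contract requires ${minimum:,}")
        exp = coi.expirations.get(cov)
        if exp is None or exp < today:
            gaps.append(f"{cov}: policy expired or no expiration date shown")
        elif exp < req.term_end:  # active now, but lapses mid-term: schedule the renewal request
            gaps.append(f"{cov}: expires {exp}, before contract term ends {req.term_end}; track renewal")
        retro = coi.retro_dates.get(cov)
        if retro is not None and retro > req.term_start:  # claims-made: retro date must precede the work
            gaps.append(f"{cov}: claims-made retroactive date {retro} is after contract start {req.term_start}")
    for form in sorted(req.endorsements - coi.endorsements):
        gaps.append(f"missing endorsement: {form}")
    return gaps
SAMPLE_CONTRACT = ContractRequirement(  # constructed sample: skilled-trades tier from the matrix above
    vendor_entity="Acme Electric, LLC", term_start=date(2026, 4, 1), term_end=date(2027, 3, 31),
    minimums={"GL per occurrence": 2_000_000, "GL aggregate": 4_000_000, "Umbrella": 3_000_000,
              "Workers' comp": 0, "Auto CSL": 1_000_000},
    endorsements={"Additional insured (CG 20 10)", "Waiver of subrogation", "Primary and non-contributory"})
SAMPLE_COI = Certificate(  # constructed sample: a typical non-compliant first submission
    named_insured="Acme Electric LLC",
    limits={"GL per occurrence": 1_000_000, "GL aggregate": 2_000_000, "Umbrella": 3_000_000, "Workers' comp": 0},
    expirations={"GL per occurrence": date(2026, 9, 30), "GL aggregate": date(2026, 9, 30),
                 "Umbrella": date(2027, 6, 30), "Workers' comp": date(2027, 6, 30)},
    endorsements={"Waiver of subrogation"})
def sample_gaps() -> list[str]:
    return verify(SAMPLE_CONTRACT, SAMPLE_COI, today=date(2026, 3, 23))
```

Each returned string is the text that goes into the deficiency notice and the audit trail; the sample yields eight gaps, from the entity mismatch through the two missing endorsements.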

5. Ongoing Monitoring

Compliance at contract signing is a point-in-time snapshot. Ongoing compliance requires:

  • Expiration tracking - automated alerts before policies lapse
  • Renewal follow-up - requests sent before expiration, with escalation
  • Mid-term change monitoring - if a vendor's coverage changes materially during the contract term, you should know
  • Annual re-verification - even if a COI was verified at signing, re-verify at least annually

6. Audit Trail and Documentation

Your compliance program needs to be documented for internal audit, lender review, and - in worst case - litigation:

  • When each COI was received
  • What the verification found
  • Any gaps identified and when they were cured
  • Who approved any exceptions
  • Policy dates and limits at each review

This documentation is evidence that your risk transfer program was actively managed - not just "we had a file somewhere."

How Bramble Manages Vendor Compliance

  1. Upload Contracts - Bramble reads each vendor agreement and extracts insurance requirements automatically
  2. Collect COIs - Vendors submit certificates via email or upload, parsed instantly by AI
  3. Verify Compliance - Each COI is compared against its specific contract requirements; gaps flagged instantly
  4. Monitor & Renew - Continuous expiration tracking, automated renewal requests, and audit trail

The Technology Stack for Vendor Insurance Compliance

Modern vendor insurance compliance requires technology at scale. Organizations managing more than 50 vendor relationships cannot do this accurately by hand.

What you need from compliance software:

Contract intelligence - The ability to read your contract documents and extract the insurance requirements, rather than requiring manual data entry of each requirement.

COI parsing - Accurate extraction of coverage data from submitted certificates, including limits, policy dates, named insured, and endorsement indicators.

Contract-to-COI comparison - The automated comparison of what the contract requires against what the COI shows - flagging specific, actionable gaps.

Endorsement management - Workflow for requesting, collecting, and confirming endorsements (additional insured, waiver of subrogation, etc.).

Expiration monitoring and renewal automation - Ongoing compliance, not just point-in-time verification.

Multi-relationship management - Different vendors with different contracts and different requirements, all tracked in one system.

Audit trail - Immutable record of what was received, verified, and found.

Vendor Insurance Compliance by Industry

Different industries have different risk profiles and different contract structures. The compliance approach adapts:

Commercial Real Estate

Lease-based requirements. Tenants required to carry coverage matching the lease insurance clause. Additional insured, waiver of subrogation, and primary-and-non-contributory standard. Large portfolios with hundreds of simultaneous relationships.

Construction

Subcontract insurance exhibits. Requirements vary by subcontractor trade. Tiered tracking through GC to sub to sub-sub relationships. Builders risk coordination. Project-specific requirements.

Oil & Gas

MSA insurance exhibits with specialized requirements: pollution liability, control of well coverage, OEM additional insured endorsements. Contractors rotating across multiple sites.

Transportation

Broker-carrier agreements. Motor carrier certificates, cargo insurance, auto liability. Rotating carrier pools requiring continuous monitoring.

Franchises

FDD Item 8 requirements replicated across all franchisee locations. Centralized compliance with decentralized relationships.

Condominiums

Master deed and bylaws requirements for unit improvement contractors and amenity vendors. HOA board oversight.

Insurance Brokers

Managing COI compliance as a service for commercial clients. Portfolio view across multiple client programs.

Mining

Site access agreement requirements. Explosion liability, pollution liability, contractor-specific endorsements.

Common Mistakes That Create Liability

Assuming collection = compliance. Having a COI on file is not the same as knowing the COI meets your requirements.

Using one standard checklist for all vendors. Your contracts have different requirements. Your verification should match.

Not requesting endorsements. The additional insured checkbox on an ACORD 25 is not confirmation of additional insured status. Get the endorsement.

Letting verification quality depend on individual staff. When the person who knows your lease requirements leaves, the muscle memory walks out with them. Systems don't.

Treating first-time verification as ongoing compliance. Insurance lapses. Carriers change. Coverage changes. Ongoing monitoring is essential.

Not documenting non-compliance and cure. If you ever need to demonstrate that your compliance program worked, you need records. If you accepted a non-compliant COI, you need to document why.

Frequently Asked Questions

What insurance should I require from all vendors? At minimum: commercial general liability (limit depends on risk profile), workers' compensation (statutory limits), and commercial auto if vehicles are involved. For on-site or higher-risk work: umbrella/excess, professional liability if applicable. For specialized work: industry-specific coverage like pollution liability.

What if a vendor says they can't get the required coverage? This happens, especially for small vendors or specialized work. Options: accept a waiver (with documented risk assessment), require the vendor to name you on their policy via endorsement up to their available limits, or find a different vendor. Never silently accept coverage gaps on high-risk relationships.

How do I handle vendor relationships where the contract was signed before I had a compliance program? Audit existing relationships. Pull contracts, extract requirements, request current COIs, and verify. For long-standing relationships with no issues, a pragmatic approach is to verify at the next renewal. For higher-risk relationships, verify immediately.

Does having a COI protect me legally if a vendor causes an incident? A COI by itself does not establish coverage. What matters is whether the underlying policy covers the claim and whether you are properly listed as an additional insured. If the coverage is inadequate relative to your contract requirements, having a COI on file may demonstrate that you requested proof of coverage, but it doesn't guarantee that coverage exists or is adequate.

What's the most efficient way to manage compliance at scale? Technology. Organizations managing hundreds of vendor relationships with manual processes spend 15-20 hours per week on COI administration and still have significant compliance gaps. Automated contract-to-COI comparison eliminates the manual comparison step and surfaces gaps automatically.

Vendor insurance compliance isn't about collecting documents. It's about ensuring that the risk transfer your contracts are designed to create actually works when you need it.

Bramble automates the hardest part - reading your contracts and verifying that COIs actually match what they require. Book a demo.
