A certificate of insurance (COI) is a standardized document, most commonly the ACORD 25 form, that summarizes the insurance coverage held by a contractor, vendor, tenant, or supplier at a specific point in time.
It identifies the insured party, the insurance producer who issued the certificate, the types of coverage in force, the policy limits for each coverage type, the policy effective and expiration dates, and the certificate holder to whom the document was issued. Organizations use COIs to verify that the parties they work with carry adequate insurance before work begins or contracts are executed.
Risk managers, property managers, general contractors, and procurement teams rely on COI tracking as the foundation of vendor insurance compliance. When coverage is not verified, liability can shift back to the organization that hired the vendor.
Before reviewing every field, start with the items most likely to create compliance risk:
A certificate of insurance is a summary document. It represents the insurance producer's statement that the named insured held the described coverage on the date the certificate was issued. The certificate is not the policy itself, and it does not bind coverage or create independent legal rights between the certificate holder and the insurer.
The underlying policy governs what is and isn't covered. The COI summarizes key policy terms in a standardized format that non-insurers can review quickly. If a dispute arises, the policy language controls — not the certificate. This is why verifying additional insured endorsements requires confirmation against the actual policy, not just the certificate's checkbox.
COIs serve an important gatekeeping function: they give organizations a consistent format for collecting and comparing coverage information across hundreds of vendors. They are a starting point for verification, not a conclusion.
ACORD (the Association for Cooperative Operations Research and Development) publishes standardized insurance forms used across the industry. The ACORD 25 is the standard certificate of liability insurance form, covering general liability, automobile liability, umbrella/excess liability, workers' compensation, and employer's liability. A separate form, the ACORD 28, is used for evidence of commercial property insurance.
Most carriers and producers issue COIs on the ACORD 25 format. When a certificate arrives on a non-ACORD form, that's worth flagging; it’s not necessarily a disqualifier, but a reason to scrutinize the document more carefully.
The top section of an ACORD 25 identifies three parties: the producer, the insured, and the insurers providing coverage.
The named insured field identifies who holds the policy. This should match the legal entity name of your vendor, contractor, or tenant: not a trade name, not a parent company, not an affiliate. If the certificate lists "ABC Plumbing LLC" and your contract is with "ABC Plumbing Services Inc.," those are different legal entities. Coverage under one does not extend to the other.
Verify that the named insured matches the contracting entity exactly. Discrepancies here are among the most common — and consequential — errors on a certificate.
The producer is the insurance agent or broker who issued the certificate. If you need to verify coverage or request an endorsement, the producer is the point of contact. The producer’s name does not, by itself, validate coverage. A certificate can be issued with inaccurate information. For high-value or high-risk vendor relationships, direct confirmation with the carrier is the reliable standard.
Once you’ve confirmed the producer and named insured, the next step is to read the ACORD 25 from top to bottom: review each coverage row, compare limits against your requirements, confirm policy dates, and then verify certificate holder and additional insured language near the bottom of the form.
The central section of the ACORD 25 lists each coverage type, the associated insurer, policy number, effective dates, and limits.
General liability (GL) is the baseline coverage required for virtually every vendor relationship. It covers third-party bodily injury and property damage claims arising from the insured's operations. The ACORD 25 displays GL limits across several sub-fields:
The general aggregate resets each policy year. If a vendor has multiple claims, the aggregate can be exhausted mid-term — leaving subsequent claims uncovered even if the policy is technically active.
Auto liability covers bodily injury and property damage caused by vehicle use in the course of operations. The critical field here is the "autos covered" designation. "Any Auto" provides the broadest coverage. Certificates listing only "Owned Autos" do not cover employees using personal vehicles on your behalf — a common gap for service vendors without company fleets.
Workers' compensation is statutory coverage — meaning limits are set by state law, and the limits column typically shows "statutory" rather than a dollar amount. Confirm the state(s) listed match where the vendor performs work.
Employer's liability, bundled with workers' comp on the ACORD 25, covers lawsuits by employees outside the workers' comp system. Limits are expressed three ways: per accident, per disease per employee, and per disease policy limit.
An umbrella policy sits above the underlying GL, auto, and employer's liability policies, responding when underlying limits are exhausted. Confirm effective dates align with the underlying policies. Misaligned dates leave one period without excess coverage.
Professional liability (errors and omissions) covers claims from professional services failures. It is almost always written on a claims-made basis: the claim must be filed while the policy is in force, not just when the error occurred. This makes expiration dates especially significant for this coverage type.
The ACORD 25 includes a "description of operations" field where endorsements, additional insured status, and project-specific terms are noted. It's one of the most information-dense sections on the form — and one of the most frequently left incomplete.
Limits define the maximum an insurer will pay. Understanding the difference between per-occurrence and aggregate limits determines whether a vendor's coverage is adequate for your exposure.
Per occurrence is the maximum the insurer pays for a single covered event. Aggregate is the maximum across all covered events in the policy period. A vendor with a $1M per-occurrence / $2M aggregate GL policy can sustain up to two maximum-severity claims in a policy year before the aggregate is exhausted. A third claim in the same policy year is uncovered.
This matters most for vendors with high claim frequency or high-value projects.
Minimum limit requirements should be set in contracts before a vendor relationship begins. General benchmarks include:
These are illustrative starting points. Contract requirements, legal review, and the specific risk profile of each vendor category should drive the final numbers.
This is the field most often misunderstood. And the misunderstanding creates real liability exposure.
The certificate holder is the organization to whom the certificate is issued. Being listed as a certificate holder means you receive a copy of the certificate and typically receive notice if the policy is cancelled. It does not extend coverage to you. If the vendor’s employee is injured on your property and a claim follows, certificate holder status alone does not protect your organization.
Additional insured status extends coverage under the vendor's policy to your organization for claims arising from the vendor's work. Additional insured status requires an endorsement to the underlying policy, not just a checkbox on the certificate. The ACORD 25 can indicate additional insured status, but verification requires confirmation that the endorsement actually exists.
Certificates that check the "additional insured" box without referencing a specific endorsement form are incomplete. Many compliance programs require vendors to provide the endorsement page, not just the certificate notation.
Every policy on an ACORD 25 has an effective date and an expiration date defining the policy period, the window during which covered events must occur (for occurrence-based policies) or claims must be filed (for claims-made policies).
For occurrence-based policies (standard GL, auto, workers' comp), the coverage trigger is when the event occurs. Coverage applies even if the claim is filed after the policy expires. For claims-made policies (most professional liability), both the event and the claim must fall within the policy period or the extended reporting period.
A certificate issued today reflects coverage as of today. After issuance, policies can be cancelled, amended, or allowed to lapse — and the certificate doesn't update to reflect any of those changes. Cancellation notices may go to the certificate holder, but notice requirements vary and are not a substitute for active expiration monitoring.
This is the core reason certificate of insurance tracking requires ongoing monitoring, not just one-time collection at vendor onboarding. A vendor with valid coverage in January may have a lapsed policy in July. Without active expiration monitoring, that gap goes undetected until a claim is filed.
Certain conditions on a certificate warrant additional scrutiny before approving a vendor. Common flags include:
A COI is a summary of policy information, not a policy audit. Several things fall outside what a certificate alone can confirm.
A COI doesn't show who's really standing behind the policy. Insurer financial strength — AM Best rating, carrier solvency — requires a separate lookup and isn't reflected anywhere on the ACORD 25.
Whether coverage is still active. The certificate reflects policy status at issuance. Mid-term cancellations, non-renewals, or lapses are not reflected on a previously issued certificate.
The actual policy language. Exclusions, endorsements, and conditions that could affect coverage for your specific situation are not summarized on the ACORD 25. The underlying policy governs.
Whether the additional insured endorsement is correctly worded. A certificate can check the box; only the endorsement itself confirms the scope of that status — ongoing operations, completed operations, or both.
Whether the umbrella follows all underlying policies. The certificate shows limits and dates; it doesn't confirm which policies the umbrella is actually scheduled to follow.
Compliance with all contract requirements. A certificate may show coverage that appears adequate but doesn't satisfy specific contract provisions — waiver of subrogation requirements, primary/non-contributory language, or project-specific endorsements. Contract review against the certificate is a separate step.
This guide covers the ACORD 25 certificate of liability insurance form. It does not address ACORD 28 (commercial property), ACORD 75 (construction-specific), specialized professional liability forms, or surety bonds. Industry-specific requirements — construction, healthcare, property management — carry additional coverage mandates beyond the baseline fields covered here.
Reading a COI is only the first step. bcs automates certificate collection, coverage verification, expiration tracking, and gap detection across your full vendor list — without requiring vendors to create an account. Explore bcs certificate of insurance tracking software and try it free for up to 25 vendors. No credit card required.