A certificate of insurance (COI) is a standardized document issued by an insurance carrier or broker that summarizes a policyholder's active coverage, including coverage types, policy limits, effective dates, and named insureds. It confirms four critical details: proof that a policy exists, the types of coverage in force (general liability, workers' compensation, auto, umbrella), the policy limits for each coverage type, and the dates during which coverage is active.
Organizations require COIs to verify that contractors, vendors, tenants, and other third parties carry adequate insurance before those parties begin work or occupy a space. Risk managers, property managers, and general contractors request COIs as a standard step in vendor onboarding and lease execution. Basically, any time a third party's activities could create liability exposure for the requesting organization.
Before diving in, here's what this guide covers:
A certificate of insurance is a one-page summary document, not a policy. It doesn't create coverage, modify coverage, or extend coverage to anyone who receives it. What it does is confirm, at the time of issuance, that a named insured holds one or more active insurance policies meeting specified parameters.
The document is issued by the policyholder's insurance agent or broker, typically in response to a request from a business requiring proof of coverage before allowing a contractor or vendor to work on their behalf.
A COI is not a contract, a warranty, or a binding insurance agreement. It cannot be used to make a claim. If there's a dispute about what a policy genuinely covers, the policy document—not the certificate—is the controlling instrument.
COIs also don't confirm that the policy remains in force after the issue date. A certificate issued in January reflects coverage as of January. If the policyholder lets coverage lapse in March, the January COI is no longer accurate, and any organization relying on it may not know.
The difference is fundamental. A certificate summarizes key terms; the policy defines them. The policy document specifies exclusions, sub-limits, conditions for coverage, and endorsements that may materially affect what's truly covered. A COI rarely reflects the full picture.
This is why certificate holders are advised to request copies of relevant policy endorsements—particularly additional insured endorsements—rather than relying on certificate language alone when coverage questions arise.
Most COIs use a standardized layout that makes the key fields predictable once you know what to look for.
ACORD 25 is the insurance industry's standard certificate form for general liability coverage. Published by ACORD (Association for Cooperative Operations Research and Development), it's the form a vendor's broker will almost always produce when a COI is requested for commercial insurance purposes.
The form contains the following fields:
Of all the fields on the form, the description of operations is where most compliance issues originate. Requirements stated there—specific projects, contract numbers, additional insured language—need to match the endorsements attached to the policy.
ACORD 25 accommodates several coverage lines. The types most commonly required from vendors and contractors include:
Each coverage line has its own policy number, effective dates, and limits. Verification requires checking all of these against the requirements in the contract or lease, not just confirming that a coverage type is listed.
A COI is issued by the policyholder's insurance agent or broker. The broker generates the certificate and sends it to whoever the policyholder needs to provide proof of coverage to. This is typically a client, property owner, general contractor, or government entity.
Any organization that hires contractors, vendors, or suppliers to perform work on its behalf may face liability exposure if those parties are inadequately insured. A subcontractor without workers' compensation coverage, for example, can expose the general contractor to liability for on-site injuries that should be covered by the sub's own policy.
Standard practice across construction, property management, manufacturing, healthcare, and logistics is to require COIs before work begins—and to specify the coverage types, minimum limits, and endorsements the vendor must carry. These requirements are written into contracts and verified through the COI before onboarding is complete.
Commercial leases routinely require tenants to carry and maintain insurance throughout the lease term (general liability at a minimum, with limits scaled to the lease type and occupancy risk). The COI is the mechanism for verifying that the tenant has met this obligation.
Residential landlords with insurance requirements in their leases use the same process, though the coverage types differ. Renters insurance rather than commercial GL is the typical requirement in residential contexts. In both cases, the COI is collected at lease signing and tracked for renewal throughout the tenancy.
This is the section of COI management that creates the most compliance risk. Understanding what a certificate confirms versus what it doesn't is where liability exposure actually lives.
A COI is valid for the coverage period listed—the dates the underlying policy is in force. But a certificate issued today can become inaccurate tomorrow if the policy lapses, is cancelled, or has its limits reduced.
Most standard COI cancellation clauses state that notice will be provided to the certificate holder if the policy is cancelled before expiration. In practice, this notice is inconsistent. And even when it works as intended, it's reactive. By the time a certificate holder learns of a cancellation, the coverage gap may already exist.
This is why ongoing monitoring of expiration dates, not just collection at onboarding, is the function that most directly affects compliance outcomes.
A certificate holder listed on a COI receives notice of cancellation. That's it. They have no coverage under the policy unless they are also named as an additional insured through an endorsement attached to the policy.
The distinction: additional insured status means that if a contractor's employee is injured and claims the property owner bears responsibility, the property owner can be defended and indemnified under the contractor's GL policy. Without additional insured status, the certificate holder's own GL policy is the only coverage available—even if the incident was the contractor's responsibility.
Organizations that collect COIs without verifying additional insured endorsements are fulfilling the paperwork requirement while leaving a coverage gap open.
Certificate of insurance tracking is the process of managing COI collection, verification, and renewal across a vendor or tenant population. At small scales, the process is manageable manually. At larger scales, it requires a system.
Spreadsheet-based COI tracking works by maintaining a log of each vendor's certificate, expiration dates, coverage types, and limits. Someone on the compliance or operations team monitors the spreadsheet, sends renewal reminders, and updates records when new certificates arrive.
Certificates come in as PDFs that must be manually reviewed and entered. Expiration date reminders depend on whoever manages the spreadsheet catching them. Vendors who don't respond to renewal requests stay active in the system with expired documentation—often unnoticed until an audit or an incident forces a review.
Automated COI tracking software manages the collection, review, and monitoring functions that manual processes struggle with at scale. Core functions across most platforms include:
The degree of automation and the sophistication of the verification layer vary across platforms. The meaningful difference is whether the system can read and interpret the actual content of a certificate—not just log that one was received.
Effective certificate of insurance management requires three things: collecting certificates before work begins, verifying that the actual coverage meets your contract requirements, and monitoring expirations before policies lapse. Each function is straightforward to describe. Together, they're where most manual compliance programs break down at scale.
bcs automates all three functions, from no-login COI collection to instant compliance verification and automated expiration reminders. The platform is free for up to 25 vendors, with no credit card required.
Try bcs free — full platform access for up to 25 vendors.