COI Compliance During M&A: Integrating Acquired Programs

When one company acquires another, the due diligence process scrutinizes financials, contracts, intellectual property, employee obligations, and regulatory compliance. Insurance compliance — specifically, the acquired company's vendor COI program — is frequently overlooked or treated as a post-closing administrative task. This is a mistake. An acquired company's vendor insurance gaps become the acquiring company's vendor insurance gaps the moment the deal closes. Every uninsured or underinsured vendor in the acquired portfolio is now operating under the new parent's umbrella of responsibility.

M&A transactions create a unique convergence of COI compliance challenges: different requirement standards, different tracking systems, different enforcement cultures, and different vendor relationships — all of which must be integrated into a single coherent program. This guide covers the COI compliance considerations at each phase of the M&A process.

---

Due Diligence: What to Check Before You Buy

COI compliance due diligence should begin during the evaluation phase, not after the acquisition closes. The goal is to identify insurance compliance risks that could affect the deal valuation, the integration timeline, or the acquiring company's exposure post-closing.

The Compliance Program Assessment

Request and review the following from the target company:

Vendor inventory. A complete list of all active vendors, including contract values, scope of work, and current compliance status. This reveals the size of the integration challenge — acquiring a company with 50 vendors is a different task than acquiring one with 500.

Insurance requirements standards. What coverages does the target require? What limits? What endorsements? How do these compare to the acquirer's standards? A target company that requires $500,000 GL from construction subcontractors (well below industry standard) has systematically under-required insurance from its vendors.

Current compliance rate. What percentage of the target's vendors are currently compliant? A 95% compliance rate indicates a functioning program. A 60% compliance rate indicates a program in name only — the requirements exist on paper but are not enforced.

Tracking system. How does the target track COI compliance? A dedicated platform with automated tracking is an asset. A spreadsheet maintained by an office manager who left six months ago is a liability.

Expired certificates. How many vendor certificates are currently expired? This is the most immediate risk — these vendors are currently operating without verified insurance.

Waiver history. How many waivers have been issued? For what? A high number of waivers may indicate that the requirements are unrealistic, that enforcement is weak, or that the vendor base cannot meet standard requirements.

Claims history. Has the target company experienced claims involving vendor operations? Were those claims covered by vendor insurance? Were there coverage disputes related to COI deficiencies?

What Due Diligence Reveals

The due diligence findings fall into three categories:

Deal-breakers. Rare, but possible. A target company with no COI program, extensive uninsured vendor operations, and a history of coverage disputes may present too much risk to acquire without significant price adjustment.

Valuation adjustments. A target with a weak compliance program will require investment to bring it up to standard — system implementation, personnel, vendor re-certification. These costs should be factored into the deal valuation.

Integration planning inputs. The compliance rate, vendor count, requirement standards, and tracking system determine the integration timeline and resource requirements.

---

Day-One Integration Requirements

On the day the acquisition closes, the acquiring company assumes responsibility for the target company's operations — including the insurance compliance of every vendor operating under the target's contracts. Day-one priorities focus on risk identification and immediate gap closure.

Immediate Actions

Identify vendors currently on-site or actively working. These vendors present immediate exposure. If their certificates are expired or their compliance status is unknown, they represent unverified risk that is now the acquirer's problem.

Verify coverage for high-risk vendors. Prioritize construction contractors, security services, transportation providers, and any vendor performing work with significant bodily injury or property damage potential. Verify that their certificates are current and that limits meet at least the acquirer's minimum standards.

Confirm Workers' Compensation compliance. WC is a statutory requirement. Any vendor with employees working on-site without verified WC coverage creates immediate legal exposure. This is the single highest-priority verification on day one.

Issue a general communication. Send a communication to all of the target company's vendors informing them of the acquisition and advising that insurance requirements will be updated. This sets the expectation that changes are coming and begins the process of establishing the acquirer's compliance standards.

What Not to Do on Day One

Do not attempt to re-certify every vendor on day one. The volume is unmanageable and the disruption to operations is unjustified. Day one is about identifying and addressing the highest-risk gaps. Systematic re-certification happens over the integration period.

---

Harmonizing Requirement Standards

The acquiring company and the target company almost certainly have different insurance requirement standards. The acquirer requires $1,000,000/$2,000,000 GL and $5,000,000 umbrella from construction subs. The target requires $500,000/$1,000,000 GL and $1,000,000 umbrella. These differences must be resolved.

Approaches to Harmonization

Adopt the higher standard. The simplest and most conservative approach. All vendors across both companies must meet the acquirer's standards (or the target's standards, if they are higher for a specific coverage). This provides consistent protection but may create compliance gaps — vendors who met the target's lower standards will be non-compliant under the higher standards and will need to increase their coverage.

Phase in the higher standard. Vendors currently compliant under the target's standards are given a transition period (typically 90-180 days) to meet the acquirer's higher standards. During the transition, the target's existing standards remain the minimum. After the transition, the acquirer's standards apply to all vendors.

Create a unified standard. If both companies' standards have strengths and weaknesses, develop a new unified standard that incorporates the best elements of each. This takes longer but produces a purpose-built standard for the combined organization.

Common Harmonization Conflicts

GL limits. If the acquirer requires $1M/$2M and the target required $500K/$1M, every target vendor at the lower standard needs to increase their GL. This costs the vendors money (higher premiums) and may trigger resistance.

Umbrella requirements. Umbrella limits vary widely between organizations. Harmonizing umbrella requirements to the higher standard is the most common source of vendor pushback, particularly from smaller vendors for whom a $5,000,000 umbrella is a significant cost increase.

Additional insured entity names. Post-acquisition, the certificate holder and additional insured names change. The target company's legal entity name may change, additional entities from the acquirer's structure may need to be added, and old entity names may need to be removed. Every vendor's certificate must be updated with the new entity information.

Endorsement standards. One company may require CG 20 10 and CG 20 37 (ongoing and completed operations AI endorsements separately), while the other accepts CG 20 33 (a blanket endorsement). Harmonizing endorsement requirements requires a decision about which forms are acceptable.

---

Vendor Re-Certification Timeline

Re-certification is the process of requiring every acquired vendor to provide a new certificate that meets the combined organization's unified requirements. This is the most labor-intensive phase of M&A COI integration.

Recommended Timeline

Days 1-30: Triage. Identify all active vendors, categorize by risk, verify high-risk vendors immediately, send the general acquisition notification.

Days 30-60: Requirements distribution. Send the unified insurance requirements to all vendors. Include the new certificate holder information, updated limits, and any new endorsement requirements. Set a 90-day deadline for re-certification.

Days 60-120: Collection and verification. Receive and review certificates from vendors. This is where the volume challenge hits — if the target had 200 vendors, the compliance team is processing 200 new certificates in a 60-day window while also maintaining the acquirer's existing vendor program.

Days 120-150: Escalation. Vendors who have not responded by the 90-day deadline enter the escalation process. At this point, the combined organization's standard escalation ladder applies — reminder, management escalation, work suspension if necessary.

Days 150-180: Program normalization. By day 180, the re-certification process should be substantially complete. Remaining outliers are either in active escalation, under waiver, or in the process of being replaced.

Realistic Expectations

A 100% re-certification rate within 180 days is aggressive but achievable for organizations with strong compliance teams and automated tracking. More realistically, expect:

• 70-80% re-certified within the 90-day deadline
• 90-95% re-certified within 150 days
• 5-10% requiring extended escalation, waivers, or vendor replacement

---

System Consolidation

If the acquiring company and the target company use different COI tracking systems — or if one uses a system and the other uses spreadsheets — system consolidation is necessary.

Migration Considerations

Data migration. Vendor records, certificate images, compliance history, waiver records, and contact information from the target's system must be migrated to the acquirer's system. Data quality varies — the target's records may have inconsistent entity names, outdated contacts, or missing certificates.

Vendor portal reconfiguration. If the acquirer uses a vendor self-service portal, the target's vendors need to be onboarded to the portal. This requires sending portal invitations, providing instructions, and supporting vendors who are unfamiliar with the platform.

Workflow integration. The acquirer's notification schedules, escalation workflows, and approval processes need to accommodate the additional vendor volume from the acquisition. A system configured for 200 vendors may need adjustments to handle 500.

Historical data. Decide whether to migrate the target's historical compliance data (past certificates, expired waivers, prior escalation records) or start fresh. Historical data provides context but may not be worth the migration effort if the target's records are poorly maintained.

---

Common M&A Compliance Failures

Assuming the target's compliance program is adequate. The most common failure. The acquirer sees that the target has a COI program and assumes it is equivalent to their own. Without due diligence, they discover post-closing that the target's program was under-resourced, under-enforced, or non-existent.

Delaying integration. "We'll deal with vendor insurance after we finish the financial integration." By the time the compliance team gets to it, certificates that were current at closing have expired, vendors have changed carriers, and the re-certification effort is twice as large as it would have been on day 30.

Not updating entity names. Post-acquisition, the legal entity structure changes. Vendor certificates still list the old entity names. If a claim occurs, the additional insured status may not extend to the new entity — because the endorsement names the old entity that no longer has an insurable interest in the property or project.

Losing the target's compliance team. The people who managed the target's vendor relationships and compliance program are often lost during M&A — they leave voluntarily, are laid off during restructuring, or are reassigned. Their institutional knowledge (which vendors are difficult, which brokers are reliable, which waivers have history) walks out the door.

Inconsistent enforcement during transition. During the integration period, enforcement may lapse. The target's vendors sense that the new owners are still getting organized and become less responsive to compliance requests. The acquirer's compliance team is overwhelmed with the additional volume and cannot maintain their normal enforcement cadence. Non-compliance creeps up on both sides.

---

M&A COI Compliance Checklist

M&A COI compliance is a project within a project — a workstream that runs in parallel with the financial, legal, and operational integration. The organizations that execute it well treat it with the same discipline and resources as any other integration workstream. The organizations that treat it as an afterthought discover the consequences when the first post-closing claim exposes a gap that should have been closed months earlier.