7 COI Compliance Mistakes That Expose Your Business

Every organization that manages vendor relationships faces insurance compliance risk. The question is not whether gaps exist — it is whether you are catching them before they become claims. After reviewing thousands of certificates, certain mistakes appear again and again. These are the seven most common COI compliance failures, each one capable of turning a routine vendor relationship into a six-figure liability.

1. Accepting Expired Certificates

This is the single most common compliance failure, and it is also the most preventable.

What happens: A vendor provides a Certificate of Insurance when they are first onboarded. The certificate goes into a file. The policy expires six months later. Nobody notices because nobody is tracking expiration dates. The vendor continues working on your property with no verified coverage.

Why it matters: An expired certificate is evidence of nothing. It tells you the vendor had insurance at some point in the past, but it says nothing about today. If the vendor's policy lapsed — due to non-payment, cancellation, or simple non-renewal — and an incident occurs, you are exposed.

The numbers are alarming. Industry data suggests that at any given time, 25-40% of vendor certificates in a typical compliance portfolio are expired. That means roughly one in three vendors may be working without verified coverage.

How to avoid it: Implement a tracking system that monitors every policy expiration date and triggers automated renewal requests 60, 30, and 15 days before expiration. Do not accept a vendor's assurance that "the policy renewed, we just haven't gotten the new certificate yet." Until you have current documentation, the vendor is non-compliant.

2. Not Verifying Additional Insured Endorsement

What happens: The reviewer sees the vendor's name as the certificate holder and assumes they are covered. Or the reviewer sees "Additional Insured" mentioned in the Description of Operations but does not verify that the endorsement actually exists on the underlying policy.

Why it matters: Being named as a certificate holder gives you a piece of paper. Being named as an Additional Insured gives you insurance coverage. These are completely different things. If a vendor's employee causes a $500,000 injury on your property and you are only a certificate holder, the vendor's insurer owes you nothing. You pay the claim from your own policy.

Additionally, the Description of Operations on a certificate is not an endorsement. It is a statement about what the producer believes is endorsed on the policy. If the actual policy does not contain the endorsement, the Description language is meaningless.

How to avoid it: First, ensure your contracts explicitly require Additional Insured status and specify which endorsement forms are acceptable (CG 20 10 for ongoing operations, CG 20 37 for completed operations). Second, verify that the Description of Operations on every certificate contains explicit Additional Insured language referencing the correct endorsement forms. Third, for high-value or high-risk vendors, request copies of the actual endorsement pages.

3. Ignoring Waiver of Subrogation

What happens: A vendor's employee is injured on your property. The vendor's Workers' Compensation carrier pays the claim. The carrier then exercises its right of subrogation — filing a lawsuit against you to recover the money it paid. You are now defending a lawsuit even though the vendor's own employee was injured due to the vendor's own negligence.

Why it matters: Subrogation is an insurer's legal right to "step into the shoes" of the insured and pursue third parties for recovery. Without a Waiver of Subrogation endorsement, the vendor's insurer can sue you for any claim it pays — even claims that originated entirely from the vendor's operations. This turns the vendor's insurance into a weapon against you rather than a shield.

Waiver of Subrogation is especially critical for Workers' Compensation claims, where the amounts can be substantial and the insurer's subrogation rights are well established.

How to avoid it: Require Waiver of Subrogation in every vendor contract, for all applicable policy types (General Liability, Workers' Compensation, and Auto at minimum). Verify that the Description of Operations on the certificate includes language such as "Waiver of Subrogation applies in favor of the Certificate Holder as required by written contract." For Workers' Comp, look for the WC 00 03 13 endorsement (Waiver of Our Right to Recover From Others).

4. Not Checking Primary and Non-Contributory Language

What happens: A vendor causes an incident on your property. Both the vendor's insurer and your insurer are called upon to respond. Without Primary and Non-Contributory language, the two insurers may share the loss — meaning your policy pays a portion of a claim that originated entirely from the vendor's work. Your loss history takes a hit, and your premiums increase.

Why it matters: When two insurance policies potentially cover the same loss, the insurers look to the "other insurance" clauses in their respective policies to determine who pays first. Without a Primary and Non-Contributory endorsement on the vendor's policy, the default rules often result in both policies contributing to the loss. This means you are partially paying for the vendor's mistake through your own insurance.

The Primary and Non-Contributory endorsement on the vendor's policy makes the vendor's insurance primary (it pays first) and non-contributory (your insurance does not have to contribute). This is the correct risk allocation — the vendor's insurance should bear the full cost of the vendor's liabilities.

How to avoid it: Include Primary and Non-Contributory language in all vendor contracts. Verify the provision in the Description of Operations on the certificate. Common acceptable language includes: "Coverage is primary and non-contributory as required by written contract" or a reference to endorsement CG 20 01 (Primary and Non-Contributory — Other Insurance Condition).

5. Wrong Certificate Holder Name

What happens: Your organization's legal name is "Meridian Real Estate Holdings LLC." The certificate holder on the vendor's COI reads "Meridian Properties." Close, but not the same entity. In a claims scenario, the vendor's insurer may argue that the Additional Insured endorsement applies to "Meridian Properties" (which does not exist) rather than "Meridian Real Estate Holdings LLC" (which does exist and is the party asserting a claim).

Why it matters: Insurance is a business of precision. Endorsements apply to specific named parties. If the party name on the endorsement does not match the party making the claim, the insurer has grounds to deny the claim. While courts often look past minor discrepancies, the ambiguity creates risk and certainly creates delay and legal expense during a claims dispute.

Common certificate holder errors include:

• Missing entity designation (LLC, Inc., LP, Corp.)
• Using an informal or abbreviated name
• Listing the property management company instead of the property owner
• Misspelling the entity name
• Using a former name after a corporate restructuring

How to avoid it: Provide vendors with the exact certificate holder name and address when you request the certificate. Include this information in your contract and in your certificate request template. When reviewing certificates, compare the certificate holder name character by character against your legal entity name. Reject any certificate with a name that does not match exactly and request correction.

6. Insufficient Umbrella/Excess Limits

What happens: Your contract requires $5,000,000 in total General Liability coverage. The vendor provides a certificate showing $1,000,000 per occurrence in General Liability and no Umbrella or Excess policy. The vendor is $4,000,000 short of your requirement, but the reviewer only checks the General Liability line and sees the $1M meets a general threshold.

Why it matters: For many types of work — particularly construction, high-rise maintenance, heavy equipment operations, and any work involving the public — a $1M General Liability limit is inadequate. A single serious injury or a multi-claimant incident can easily exceed $1M. The Umbrella/Excess policy provides the additional limits needed to cover catastrophic losses.

Without sufficient Umbrella limits, your own insurance becomes the backstop if the vendor's primary limits are exhausted. If a $3M claim arises from a vendor's work and the vendor only has $1M in coverage, you are exposed for the remaining $2M.

How to avoid it: Set explicit Umbrella/Excess limit requirements based on the risk profile of the work being performed. Review both the primary General Liability limits and the Umbrella limits on every certificate. Calculate total available coverage (primary + umbrella) and compare against your requirement.

Typical Umbrella requirements by vendor type:

Also check the Self-Insured Retention (SIR) on the Umbrella policy. A high SIR creates a coverage gap that the vendor must fund out of pocket before the Umbrella responds.

7. Not Tracking Renewal Dates

What happens: You diligently verify a vendor's certificate when they are first onboarded. One year later, the policy renews. The renewed policy has different terms — maybe the Waiver of Subrogation endorsement was dropped, maybe the limits decreased, maybe the carrier changed to one with a lower financial rating. Nobody reviews the renewal certificate because nobody flagged the renewal date.

Why it matters: Insurance policies are annual contracts. Every year at renewal, the terms can change. Carriers change. Limits change. Endorsements are added or removed. An insured may switch from an occurrence-based policy to a claims-made policy. A vendor who was fully compliant last year may be non-compliant this year.

The renewal period is actually the highest-risk moment in the compliance lifecycle because it is the point at which coverage terms are most likely to change. Yet many organizations treat onboarding verification as a one-time event and never re-verify at renewal.

How to avoid it: Track every policy expiration date for every vendor. Set automated alerts at 90, 60, 30, and 15 days before expiration. When the renewal certificate arrives, verify it with the same rigor as the original — do not assume continuity. Pay particular attention to:

• Changes in coverage limits (any decrease)
• Changes in carrier (check the new carrier's financial rating)
• Changes in endorsements (was Waiver of Subrogation maintained? Additional Insured?)
• Changes in coverage trigger (occurrence vs. claims-made)
• Changes in self-insured retentions

The Compounding Effect

These seven mistakes rarely occur in isolation. An organization that does not track renewal dates also tends to accept expired certificates. One that does not verify Additional Insured status probably also ignores Waiver of Subrogation. The cumulative effect of multiple compliance gaps is far greater than the sum of individual risks.

Consider a scenario where a vendor has an expired certificate (Mistake 1), you were never added as Additional Insured (Mistake 2), no Waiver of Subrogation exists (Mistake 3), and the vendor's limits are insufficient (Mistake 6). If a serious claim occurs, you are defending yourself with your own policy, the vendor's insurer can sue you for recovery, and the vendor does not have enough coverage to make you whole even if you prevail in litigation.

The Path Forward

Eliminating these seven mistakes requires three things:

Clear requirements. Document exactly what you need from every vendor — coverage types, limits, endorsements, and certificate holder information. Include these requirements in every contract.

Systematic verification. Apply the same verification process to every certificate, every time. Do not rely on individual reviewers to remember what to check. Use checklists, rules, or technology to ensure consistency.

Continuous monitoring. Compliance is not a point-in-time event. Track expirations, monitor renewals, and re-verify coverage throughout the life of every vendor relationship.

The cost of preventing these mistakes is a fraction of the cost of the claims they cause. Whether you solve it with better processes, better tools, or both, the time to act is before the next claim, not after.