Understanding Insurance: What Every COI Professional Needs to Know

Insurance fundamentals for compliance professionals — how policies work, the role of brokers, carrier ratings, and the difference between a policy and a certificate.

COI compliance professionals spend their days reviewing insurance documentation, but many have never worked in the insurance industry itself. This creates a knowledge gap. You know what a General Liability limit looks like on a certificate, but you may not know how the policy that produces that certificate actually works — how it is priced, how claims are paid, what brokers do, or why carriers behave the way they do.

This guide fills that gap. It covers the fundamentals of how commercial insurance works from the perspective of someone who needs to understand the system well enough to verify that it is protecting their organization. You do not need to become an insurance expert. But you do need to understand enough about the mechanics to catch the things that certificates do not tell you.

How Insurance Policies Work

An insurance policy is a contract between the insured (the policyholder) and the insurer (the insurance company). The insured pays a premium, and in exchange, the insurer agrees to pay for covered losses up to defined limits, subject to the terms, conditions, and exclusions in the policy.

The Five Core Components

1. Premium

The premium is the price of insurance. It is the amount the insured pays (typically annually, sometimes quarterly or monthly) to maintain coverage. Premium is determined by:

  • Risk classification: What type of business is the insured in? Construction pays more than consulting because the loss potential is higher.
  • Exposure base: How much revenue, payroll, square footage, or number of vehicles does the insured have? More exposure means more premium.
  • Loss history: Has the insured had claims? Insureds with frequent or severe claims pay more because they represent higher risk to the carrier.
  • Limits and deductibles: Higher limits cost more. Higher deductibles cost less (because the insured retains more risk).
  • Endorsements: Additional coverages like additional insured endorsements or waiver of subrogation can increase premium.

As a compliance professional, you do not set or negotiate premiums. But understanding that premiums exist helps you understand why vendors sometimes push back on requirements. When you require a vendor to increase their limits from $1M to $2M, their premium increases. When you require specific endorsements, their premium may increase further. The vendor's broker manages this relationship, but the cost ultimately falls on the vendor.

2. Deductible / Self-Insured Retention (SIR)

The deductible is the amount the insured must pay out of pocket before the insurance policy begins to pay. For most commercial policies, deductibles are relatively modest ($1,000 to $10,000 for a standard GL policy).

A Self-Insured Retention (SIR) is functionally similar to a deductible but with an important distinction: with a deductible, the insurer typically pays the full claim amount and then bills the insured for the deductible portion. With an SIR, the insured must pay the retention amount first, and only after the SIR is satisfied does the insurer's obligation begin.

SIRs are more common on larger commercial policies and professional liability policies. From a compliance perspective, a large SIR (e.g., $100,000 or more) can be a concern because it means the vendor must fund a significant amount before insurance responds. If the vendor cannot pay its SIR, the claim may go unpaid even though the policy exists.

3. Limit

The limit is the maximum the insurer will pay for covered claims. Limits come in multiple forms (per occurrence, aggregate, CSL, split) as detailed in the Insurance Limits guide. The limit is the ceiling — once it is reached, the insurer's obligation ends.

4. Exclusion

Exclusions define what the policy does not cover. Every insurance policy has exclusions, and they are often the source of coverage disputes. Common GL exclusions include:

  • Expected or intended injury: Intentional acts are not covered
  • Contractual liability: Liability assumed under contract (with exceptions for "insured contracts")
  • Workers' compensation: Injuries to the insured's employees are covered by WC, not GL
  • Pollution: Standard GL policies exclude pollution liability (requires a separate policy)
  • Professional services: Errors in professional advice or services (requires Professional Liability)
  • Employer's liability: Claims by employees (covered by WC/EL, not GL)
  • Damage to the insured's own work: A contractor's defective work product is typically excluded

As a compliance reviewer, you do not typically review policy exclusions — you review certificates, which do not list exclusions. But knowing that exclusions exist helps you understand why a claim might be denied even when the policy appears to cover the loss. It also explains why specific coverage types (pollution, professional, cyber) exist: they cover the gaps left by standard GL exclusions.

5. Endorsement

An endorsement is a modification to the insurance policy that adds, removes, or changes coverage. Endorsements can:

  • Add additional insureds (CG 20 10, CG 20 37)
  • Add waiver of subrogation (CG 24 04)
  • Make coverage primary and non-contributory
  • Add or remove specific coverage extensions
  • Modify exclusions

Endorsements are the mechanism through which COI requirements are satisfied. When you require additional insured status, you are requiring that an endorsement be added to the vendor's policy. When you require waiver of subrogation, you are requiring another endorsement. The certificate reports on these endorsements, but the endorsements themselves are what create the coverage.

The Policy Period and Renewal Cycle

Commercial insurance policies typically run for one year, from the inception date to the expiration date. The ACORD 25 certificate shows these dates for each coverage type.

The Renewal Process

Approximately 60-90 days before a policy's expiration, the insured's broker begins the renewal process:

  1. Renewal application: The insured updates their exposure information (payroll, revenue, operations changes)
  2. Marketing: The broker solicits renewal quotes from the current carrier and potentially from competing carriers
  3. Negotiation: The broker negotiates terms, premiums, and conditions
  4. Binding: The insured selects a carrier and binds the renewal
  5. Policy issuance: The carrier issues the new policy (this can take weeks to months after binding)
  6. Certificate issuance: The broker issues new certificates to all certificate holders

This process matters for compliance because there is often a gap between when the old policy expires and when new certificates are issued. A vendor's policy may have renewed on January 1, but the new certificate may not be issued until January 15 or later. During this gap, the certificate on file shows expired coverage even though the vendor is actually insured.

The renewal lag is normal

It is common for certificates to arrive 1-3 weeks after the policy renewal date. This does not mean the vendor was uninsured — it means the administrative process of issuing certificates takes time. Build a reasonable grace period (typically 15-30 days) into your compliance program to account for this lag. Follow up after the grace period expires, but do not flag vendors as non-compliant on day one of expiration.

Mid-Term Changes

Policies can change during the policy period. Endorsements can be added or removed. Coverage can be increased or decreased. Carriers can issue mid-term cancellations. These changes may not be reflected on the certificate you have on file, because certificates are typically only re-issued at renewal or upon specific request.

This is one of the fundamental limitations of certificate-based compliance: the certificate is a snapshot taken at a specific point in time. It does not update automatically when the underlying policy changes.

The Role of the Insurance Broker/Agent

Understanding the broker's role is essential for anyone who communicates about certificates.

Broker vs. Agent

Technically, a broker represents the insured (the buyer of insurance), while an agent represents the insurer (the seller). In practice, the distinction is blurred in most states, and the terms are used interchangeably in daily business. For COI purposes, the important thing is that the producer (the term the ACORD 25 uses) is the intermediary between the insured and the carrier.

What the Broker Does

  • Places insurance: Finds carriers willing to insure the client, negotiates terms and pricing
  • Issues certificates: Generates ACORD 25 certificates on behalf of the insured, using their agency management system
  • Manages endorsements: Requests endorsements from carriers (additional insured, waiver of subrogation, etc.) on behalf of the insured
  • Handles claims: Assists the insured with the claims process
  • Advises: Provides guidance on coverage needs, risk management, and market conditions

Why This Matters for Compliance

When you need a corrected certificate, you contact the broker — not the insured and not the carrier. The broker is the operational point of contact for all certificate-related requests. The broker information appears in the upper-left corner of the ACORD 25 (the "Producer" section).

However, you should be aware that the broker has a conflict of interest that is relevant to compliance: the broker works for the insured, not for you. The broker's job is to satisfy the insured's customer (you), but their primary obligation is to the insured. This is why certificates should be verified rather than simply accepted at face value.

Fraudulent Certificates

Fraudulent certificates are rare but they do occur. Because brokers generate certificates using software, and because certificates are not verified against the actual policy by any central authority, it is possible (though illegal) for:

  • A broker to issue a certificate for a policy that does not exist
  • A broker to issue a certificate with inflated limits or endorsements that the policy does not carry
  • An insured to fabricate a certificate using a template

Certificate fraud is most common among small vendors with limited insurance who need to meet requirements to win contracts. Verification against carrier databases (where available) and requesting endorsement copies are defenses against fraud.

Carrier Ratings: What They Mean and Why They Matter

Not all insurance companies are equally reliable. A policy is only as good as the carrier's ability to pay claims. Carrier financial strength ratings exist to assess this ability.

AM Best Ratings

AM Best is the dominant rating agency for insurance carriers. An AM Best rating assesses a carrier's financial strength and ability to meet its ongoing obligations to policyholders. The most common ratings you will encounter:

Rating    Designation   Meaning
A++       Superior      Strongest financial strength
A+        Superior      Very strong financial strength
A         Excellent     Strong financial strength
A-        Excellent     Strong financial strength
B++       Good          Adequate financial strength
B+        Good          Adequate financial strength
B         Fair          Marginal financial strength
Below B   Various       Vulnerable to adverse conditions

The standard compliance requirement is A- (Excellent) or better, sometimes specified with a Financial Size Category of VII or higher. This is written as "A- VII or better" and means the carrier must have an AM Best rating of at least A- and a financial size category of at least VII (adjusted policyholders' surplus of $100 million to $250 million).

Other Rating Agencies

  • S&P Global Ratings: Uses a letter scale (AAA, AA+, AA, AA-, etc.). Less commonly referenced in COI compliance but recognized in the industry.
  • Moody's: Primarily rates financial institutions but also rates some insurers.
  • Fitch Ratings: Another major financial strength rating agency.

For compliance purposes, AM Best is the standard reference. If your requirements specify carrier ratings, they almost certainly reference AM Best.

NAIC Numbers

The National Association of Insurance Commissioners (NAIC) assigns a unique number to every insurance company authorized to do business in the United States. The NAIC number appears on the ACORD 25 next to each carrier name in the "Insurers Affording Coverage" section.

NAIC numbers serve as a unique identifier for carriers — similar to an EIN for a business. You can look up any carrier by NAIC number at the NAIC's database to verify:

  • The carrier is a real, registered insurance company
  • The carrier is authorized to write insurance in the relevant state
  • The carrier's financial data and regulatory history

Use NAIC numbers for verification

When a certificate lists an unfamiliar carrier name, look up the NAIC number. This is the fastest way to verify that the carrier is legitimate and authorized. An absent NAIC number does not necessarily indicate a problem (surplus lines carriers may not have NAIC numbers in every state), but it does warrant closer examination.

Policy vs. Certificate: The Critical Distinction

This is the single most important concept for any COI compliance professional to internalize: the certificate of insurance is not the policy.

What the Certificate Is

The Certificate of Insurance (ACORD 25) is a summary document prepared by the insurance broker that provides a snapshot of the insured's coverage at a point in time. It lists:

  • The named insured
  • The insurance companies providing coverage
  • The types of coverage
  • The policy numbers
  • The effective and expiration dates
  • The limits
  • A description of operations, vehicles, or locations
  • The certificate holder

What the Certificate Is Not

  • It is not the policy. The certificate does not replace, amend, or extend the policy. The policy is a 50-200 page contract between the insured and the carrier. The certificate is a 1-page summary prepared by the broker.
  • It does not create coverage. If the certificate says additional insured status is provided but the policy does not contain the endorsement, you are not an additional insured. The certificate cannot create rights that the policy does not grant.
  • It is not a guarantee. The certificate can be revoked. The underlying policy can be cancelled. Coverage can change. The certificate captures a moment in time and does not update when the policy changes.
  • It is not verified by the carrier. In most cases, the carrier does not review or approve certificates before they are issued. The broker generates the certificate from their agency management system based on the policy data they have. Errors can and do occur.

The ACORD 25 form itself includes standard disclaimer language that reinforces this: "THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW."

The certificate creates a false sense of security

Many organizations treat the certificate as proof of coverage. It is not. It is evidence that the broker reports coverage exists. The actual proof is the policy itself. For most compliance programs, reviewing the actual policy for every vendor is impractical. But for high-value or high-risk vendors, requesting the policy declarations page and relevant endorsements provides a level of verification that the certificate alone cannot.

What the Policy Contains That the Certificate Does Not

  • Exclusions: The certificate does not list what is excluded from coverage. A GL policy may have dozens of exclusions that narrow the effective coverage far below what the limits suggest.
  • Conditions: Duties after a loss, cooperation requirements, and other conditions that the insured must comply with for coverage to apply.
  • Endorsement details: The certificate may reference endorsement form numbers, but it does not contain the actual endorsement language. Endorsement language determines the scope of coverage for additional insureds, waivers, and other provisions.
  • Sub-limits: Some policies have sub-limits for specific types of claims that are lower than the main limits. These sub-limits do not appear on the certificate.
  • Deductibles and SIRs: The certificate may or may not show the deductible. The policy always specifies it.

Admitted vs. Non-Admitted Insurance

The regulatory status of an insurance carrier matters for compliance, and it is a concept many compliance professionals are unfamiliar with.

Admitted (Standard) Insurance

An admitted carrier is licensed by the state's Department of Insurance to sell insurance in that state. Admitted carriers:

  • Are regulated by the state insurance department
  • Must file and receive approval for their policy forms and rates
  • Contribute to the state's guaranty fund (which pays claims if the carrier becomes insolvent)
  • Must comply with state insurance laws and consumer protection regulations

Most certificates you review will involve admitted carriers. The NAIC number on the certificate corresponds to the carrier's state licensing.

Non-Admitted (Surplus Lines) Insurance

A non-admitted carrier (also called a surplus lines carrier) is not licensed in the state but is authorized to sell insurance there through a special surplus lines process. Non-admitted insurance exists to cover risks that the admitted market will not insure — either because the risk is too unusual, too high, or because adequate coverage is not available from admitted carriers.

Non-admitted carriers:

  • Are not regulated by the state insurance department in the same way as admitted carriers
  • Do not contribute to the state guaranty fund (if the carrier fails, there is no safety net)
  • Can use non-standard policy forms (which may have broader or narrower coverage than ISO forms)
  • May charge any rate they choose (not subject to rate filing requirements)
  • Must be placed through a licensed surplus lines broker

Compliance implications:

  1. Guaranty fund protection: If a non-admitted carrier becomes insolvent, claims may go unpaid. This is a real risk, though it is relatively rare among well-rated carriers.
  2. Non-standard forms: Because non-admitted carriers are not required to use ISO forms, their policy language may differ significantly from standard ISO policies. An "additional insured" endorsement from a surplus lines carrier may not provide the same coverage as a standard CG 20 10.
  3. Acceptability: Some compliance programs require admitted carriers only. Others accept non-admitted carriers if they meet minimum financial strength ratings.

If your requirements specify admitted carriers only, check whether the carrier is admitted in the state where work is performed. If the NAIC number is missing or the carrier name is unfamiliar, it may be a surplus lines carrier.

Self-Insured Employers

Some large employers — particularly government entities, large corporations, and organizations with strong balance sheets — self-insure for Workers' Compensation rather than purchasing a policy from a carrier. This is legal in most states but requires state approval.

How to Verify Self-Insurance

When a vendor claims to be self-insured for Workers' Compensation:

  1. Request the certificate of self-insurance: Most states issue a formal certificate or letter confirming that the employer is approved to self-insure. This document should include the employer's name, the state, and the approval date.
  2. Verify with the state: Contact the state's Workers' Compensation board or Department of Insurance to confirm the self-insurance authorization is current.
  3. Check for excess coverage: Self-insured employers typically carry specific and aggregate excess insurance above their self-insured retention. Request documentation of this excess coverage.
  4. Document in your records: Self-insured vendors will not have a standard Workers' Compensation section on their ACORD 25. Note the self-insurance authorization in your compliance records.

Self-insurance does not mean uninsured. A legitimately self-insured employer has financial resources set aside to pay Workers' Comp claims and is monitored by the state. But you should verify the authorization rather than accepting a vendor's word.

The ACORD Organization

ACORD (Association for Cooperative Operations Research and Development) is the insurance industry's standards body. Founded in 1970, ACORD develops and maintains the standardized forms, data standards, and electronic communication protocols used throughout the insurance industry.

Key ACORD Forms for Compliance

Form        Full Name                                   Purpose
ACORD 25    Certificate of Liability Insurance          The standard COI — covers GL, Auto, Umbrella, WC/EL
ACORD 27    Evidence of Property Insurance              Property insurance coverage verification
ACORD 28    Evidence of Commercial Property Insurance   More detailed property insurance evidence
ACORD 24    Certificate of Property Insurance           Property insurance certificate (less common)
ACORD 101   Additional Remarks Schedule                 Continuation sheet for additional information
ACORD 855   Section II Supplemental Schedule            Workers' Comp state-by-state detail

The ACORD 25 is by far the most common form in COI compliance. It was last significantly revised in 2016 (form date 2016/03). Earlier versions (2009/09, 2010/05, 2014/01) are still in circulation because brokers may not have updated their systems, but the 2016 version is the current standard.

ACORD Data Standards

Beyond forms, ACORD develops data standards for electronic communication between carriers, brokers, and third parties. These standards enable:

  • Electronic policy data exchange
  • Automated certificate generation
  • Real-time coverage verification (emerging capability)
  • Standardized loss reporting

These data standards are the foundation of the industry's move toward digital certificates and automated verification.

Digital Certificates and the Future

The traditional ACORD 25 is a static PDF or paper document. Once issued, it does not update. If the underlying policy changes, the certificate remains unchanged until a new one is issued. This fundamental limitation drives much of the complexity in COI compliance.

Digital Certificate Initiatives

The insurance industry is moving toward digital certificates that address the limitations of static documents:

Real-time verification. Instead of relying on a document that may be stale, digital certificate platforms allow certificate holders to verify coverage status in real time by querying the carrier's system directly. This eliminates the gap between policy changes and certificate updates.

Blockchain-based certificates. Several industry initiatives are exploring blockchain technology to create tamper-proof, verifiable certificates that update automatically when policy terms change. While still emerging, this technology could fundamentally change how certificates work.

API-based data exchange. Rather than exchanging PDF documents, carriers and compliance platforms can exchange structured data through APIs. This enables automated verification without human review of documents.

ACORD Digital Certificate Standards. ACORD itself is developing standards for digital certificates that maintain the industry's common language while enabling electronic verification.

What This Means for Compliance Professionals

The shift to digital certificates will not eliminate the need for compliance programs, but it will change how they operate:

  • Less manual data entry: Structured data replaces PDF document review
  • More real-time monitoring: Coverage status can be checked continuously rather than annually
  • Reduced fraud risk: Carrier-verified data is more reliable than broker-issued documents
  • Faster resolution: Gaps can be identified and communicated immediately

However, the transition to digital certificates will be gradual. The insurance industry is fragmented — there are thousands of carriers, tens of thousands of brokers, and no single authority that can mandate adoption of a new standard. Static ACORD 25 certificates will remain the norm for years to come, even as digital alternatives gain traction.

The hybrid period

For the foreseeable future, compliance programs will need to handle both traditional PDF certificates and emerging digital formats. Your program should be designed to accept and process both. Technology platforms that can ingest static documents (via AI extraction) while also integrating with digital certificate feeds will provide the most flexibility during this transition.

How Claims Work: The Lifecycle

Understanding the claims process helps compliance professionals appreciate why proper documentation — certificates, endorsements, contracts — matters so much.

The Claims Lifecycle

  1. Incident occurs: An accident, injury, or property damage event happens.
  2. Notice of claim: The insured (or the additional insured) notifies the carrier of the claim. Timely notice is critical — late notice can be grounds for coverage denial.
  3. Investigation: The carrier assigns a claims adjuster who investigates the facts, determines coverage applicability, and evaluates the claim's value.
  4. Reservation of rights: If the carrier believes there may be a coverage issue, it issues a reservation of rights letter, which says: "We are investigating your claim, but we reserve the right to deny coverage based on [specific policy provisions]."
  5. Defense: If the claim involves a lawsuit, the carrier assigns defense counsel (for liability claims where the carrier has a duty to defend).
  6. Resolution: The claim is resolved through settlement, judgment, or dismissal.
  7. Payment: The carrier pays the covered amount up to the policy limit.

Where COI Compliance Intersects

At step 3, the adjuster reviews the policy to determine if the claim is covered. This is where:

  • Additional insured status is verified (is the claimant actually an additional insured under the policy?)
  • Endorsements are reviewed (does the waiver of subrogation endorsement exist?)
  • Entity names are checked (does the additional insured endorsement name the correct entity?)
  • Policy dates are confirmed (was the policy in force when the incident occurred?)

Every gap that a compliance program should have caught — but did not — becomes a coverage issue during claims. The cost of that gap is no longer theoretical. It is a denied claim, an uninsured loss, or a coverage lawsuit.

Putting It All Together

Insurance is a complex industry, but COI compliance professionals do not need to master every aspect of it. What you need is a working understanding of:

  1. How policies work: Premium, deductible, limit, exclusion, endorsement — these five components define every insurance policy.
  2. The renewal cycle: Policies are annual, and there is always a lag between renewal and certificate issuance.
  3. The broker's role: The broker is your contact point for certificate issues, but remember they work for the insured, not for you.
  4. Carrier reliability: AM Best ratings and NAIC numbers are your tools for verifying that the insurance company behind the certificate is financially sound.
  5. The certificate's limitations: The certificate is a snapshot, not the policy. It does not create coverage, it does not update automatically, and it can contain errors.
  6. Admitted vs. surplus lines: The regulatory status of the carrier affects the protections available to you.
  7. The future is digital: Digital certificates and real-time verification are coming, but static ACORD 25 certificates will remain the standard for years.

This foundational knowledge makes you a better compliance professional. It helps you understand not just what the certificate says, but what it means — and what it does not mean.
