How to Request a Certificate of Insurance from a Vendor

Requesting a certificate of insurance from a vendor sounds simple. You send an email, they send a PDF, you file it away. In practice, it is one of the most error-prone steps in the entire vendor onboarding process - and most of those errors are baked in before the vendor ever contacts their broker.

This guide covers what actually goes wrong, how to write a COI request that forces the right outcome, and what to check when the certificate finally lands in your inbox.

What Information to Include in a COI Request

Most COI request emails are too vague. "Please send proof of insurance" tells a vendor - and their broker - almost nothing. The broker has to guess at your requirements, and they will almost always guess wrong or default to whatever coverage the vendor already has on file.

A proper COI request is essentially an instruction sheet for the vendor's insurance broker. It should specify:

• The types of coverage required - General Liability, Workers Compensation, Employers Liability, Commercial Auto, Professional Liability (E&O), and/or Umbrella. Do not assume the vendor knows which lines you need.
• Minimum coverage limits for each line - Be specific. "$1 million per occurrence / $2 million aggregate" means something. "Adequate coverage" means nothing and will not hold up if you ever need it.
• Certificate holder information - Your company's legal name and full address, exactly as it should appear in Box 3 of the ACORD 25. Spelling errors here create ambiguity during a claim.
• Whether additional insured status is required - This is the single most commonly omitted piece of information in COI requests, and it is the most important. Certificate holder status and additional insured status are not the same thing. See below.
• Whether a primary and non-contributory endorsement is required
• Whether a waiver of subrogation is required
• The ACORD form version expected - ACORD 25 for liability and workers comp; ACORD 28 for property. If a vendor sends you an ACORD 28 when you need an ACORD 25, the information you need is not on the form.
• Deadline - Include an explicit date. "Before work begins" is not a date.

Minimum Coverage Requirements: What Is Actually Standard

Coverage requirements vary by industry and contract type, but here are defensible baseline numbers for most commercial vendor relationships:

• Commercial General Liability: $1,000,000 per occurrence / $2,000,000 general aggregate / $2,000,000 products-completed operations aggregate. For construction or high-hazard work, bump the per-occurrence limit to $2,000,000.
• Workers Compensation: Statutory limits for the state where work is performed. This is not negotiable - it is a legal minimum.
• Employers Liability: $500,000 / $500,000 / $500,000. Many vendors carry $100,000 limits because that is the statutory minimum in some states. Push for $500K, especially for any vendor with employees who work on your premises.
• Commercial Auto: $1,000,000 combined single limit. If the vendor operates any vehicles on your behalf or on your property, this is non-negotiable.
• Umbrella / Excess Liability: $1,000,000 to $5,000,000 depending on the exposure. For construction subcontractors, $5,000,000 is common. For lower-hazard vendors, $1,000,000 excess over the GL and auto may be sufficient.

These numbers should live in your standard vendor agreement, not just the COI request email. If you specify requirements in the contract but request a lower amount in the email, the broker will issue the lower amount.

Certificate Holder vs. Additional Insured: The Critical Distinction

This distinction trips up more risk managers than any other single issue in COI compliance.

Being named as the certificate holder means you receive a copy of the certificate and are notified if the policy is cancelled. That is it. You have no coverage rights under the vendor's policy. A certificate holder is an administrative designation - it tells you the policy exists. It does not make you an insured party.

Being named as an additional insured means you are an insured party under the vendor's policy. If a claim arises from the vendor's work and you are sued, the vendor's insurance carrier has a duty to defend you and indemnify you up to policy limits. This is actual coverage.

When you request a COI, make your request explicit:

• If you only need notification of policy status, certificate holder language is sufficient.
• If you need coverage protection - which you almost always do in a vendor relationship - request additional insured status via endorsement, not just a notation on the certificate.

The additional insured status must appear either in the Description of Operations box on the ACORD 25 or, better, via a separate endorsement attached to the policy. A blanket statement in the description box is often the result of a blanket AI endorsement on the policy, which may or may not actually cover your specific situation. For a deeper look at verifying AI status properly, see our guide on how to verify additional insured endorsements.

How Brokers Respond Differently Than Agents

Understanding who you are actually dealing with affects how you communicate requirements.

A captive agent represents one carrier. They can issue a COI quickly for whatever coverage their carrier offers. If your requirements do not match the carrier's available endorsements, they will push back - or worse, issue a certificate that overstates coverage.

An independent broker represents the vendor across multiple carriers. They have more flexibility to shop for endorsements and can often accommodate unusual requirements by moving coverage to a carrier that offers the right endorsement form. When a vendor says "my insurance company doesn't offer that," it usually means they are with a captive agent and the carrier's forms do not support it.

When a vendor pushes back on your AI requirements, the question to ask is: "Can your broker move the GL policy to a carrier that supports CG 20 10 and CG 20 37 endorsements?" If the answer is no, you need to decide whether the vendor relationship is worth the risk.

Timing: How Far in Advance to Request Renewal

Policy renewal periods create gaps that catch organizations off guard. Most commercial policies renew annually. Most vendors do not proactively send updated COIs after renewal. If you collect a COI in January for a vendor whose GL policy renews in September, you have a stale certificate by October and may not know it.

Best practices for timing:

• Request a COI at least 30 days before work begins. This gives time to identify deficiencies and have them corrected without delaying the engagement.
• Set renewal reminders 60 days before the policy expiration date shown on the certificate. Send the renewal request at 45 days.
• For long-term vendor relationships, include a contractual obligation requiring the vendor to deliver updated certificates no later than 10 days after each policy renewal.
• If a vendor's policy renews mid-project, require a new COI before the renewal date, not after.

Automating expiration tracking is one of the most valuable things you can do for your COI program. Tools like automated COI expiration date checking eliminate the gap between policy renewal and your awareness of it.

Email Template for Requesting a COI

Use this template as a starting point. Fill in the bracketed fields with your actual requirements.

Subject: Certificate of Insurance Required - [Your Company Name] / [Project or Contract Name]

[Vendor Contact Name],

To proceed with [work description or contract name], we require a current Certificate
of Insurance (ACORD 25) reflecting the following coverage requirements. Please forward
this request to your insurance broker.

CERTIFICATE HOLDER (Box 3 on ACORD 25):
[Your Company Legal Name]
[Street Address]
[City, State, ZIP]

COVERAGE REQUIREMENTS:

Commercial General Liability
- Per Occurrence: $1,000,000
- General Aggregate: $2,000,000
- Products/Completed Operations Aggregate: $2,000,000
- Additional Insured: [Your Company Legal Name] must be named as Additional Insured
  on a primary and non-contributory basis via endorsement (CG 20 10 11 85 or
  equivalent for ongoing operations; CG 20 37 or equivalent for completed operations)

Workers Compensation
- Statutory limits per [State]
- Employers Liability: $500,000 / $500,000 / $500,000
- Waiver of Subrogation in favor of [Your Company Legal Name]

Commercial Auto Liability
- Combined Single Limit: $1,000,000
- Covering owned, hired, and non-owned vehicles

Umbrella / Excess Liability
- Per Occurrence: $[X,000,000]
- Aggregate: $[X,000,000]
- Following form over GL and Auto

Please have the certificate and any endorsement copies sent to [your email] by [date].

If you have questions about these requirements, please contact [name] at [phone/email].

Thank you,
[Your Name]
[Title]

Handling Vendor Pushback

Vendors push back on COI requirements for two reasons: they either genuinely cannot meet them at their current premium, or their broker has not explained what is actually possible. The two situations require different responses.

When the vendor cannot afford the coverage: This is a business decision. A vendor who cannot afford $1M/$2M GL limits is either working at very small scale or is operating without adequate financial reserves. Consider whether this is actually the right vendor for the engagement, especially for higher-risk work. You may also offer to negotiate the requirement for lower-risk, lower-dollar engagements.

When the broker claims the endorsement is not available: Almost every legitimate commercial GL policy can be endorsed to add an additional insured. The CG 20 10 and CG 20 37 endorsements are standard ISO forms available through virtually every commercial carrier. If a broker says they cannot add AI status, dig deeper - they may be referring to a specialty carrier or a non-standard policy form. Ask specifically which carrier the GL is written through and why that carrier does not support ISO CG 20 series endorsements.

When the vendor sends a COI without addressing your requirements: Do not accept it. Send back a written response identifying specifically what is missing. "The certificate does not reflect additional insured status for [Your Company] as required by our agreement dated [date]. Please have your broker reissue with the required endorsement."

Verification Checklist When the COI Arrives

When the PDF lands in your inbox, do not just confirm it exists. Work through this checklist:

1. Named insured matches vendor entity name. The legal name of the vendor on the COI must match the entity you have a contract with. If you contracted with "ABC Plumbing LLC" but the COI shows "ABC Plumbing Inc." or an individual's name, there may be a coverage gap.
2. Policy dates are current. Check both the effective date and expiration date for each coverage line. A policy that expired last month provides zero coverage.
3. Coverage limits meet your minimums. Check each line individually. A $1M per-occurrence GL limit is not the same as a $1M aggregate.
4. Certificate holder block matches your entity name and address exactly.
5. Additional insured language is present. Check the Description of Operations box. Look for explicit language naming your entity as an additional insured. Vague statements like "additional insured as required by contract" may or may not be backed by the right endorsement. Request a copy of the actual endorsement if the stakes are high.
6. Primary and non-contributory language appears if required.
7. Waiver of subrogation is indicated for the appropriate coverage lines.
8. ACORD form version is current. ACORD 25 (2016/03) is the current version. Older versions may lack fields your compliance process depends on.

Common Errors in Vendor-Submitted COIs

After reviewing thousands of certificates, certain errors appear repeatedly:

• Wrong certificate holder name. Vendors copy the address from a previous COI and do not update it. You receive a certificate listing a prior client as the certificate holder.
• Expired policies listed with current dates. This is rare but does happen - brokers accidentally roll forward dates on a certificate without the underlying renewal being bound.
• GL policy with per-occurrence limit at requirement, but aggregate already depleted. A COI shows the policy limit but not the remaining aggregate. A vendor who has had multiple claims may have a depleted aggregate even though the policy technically remains active.
• Additional insured box checked but no supporting endorsement. Some brokers will check the "Additional Insured" box in the Description of Operations as shorthand without actually having the endorsement on the policy. If you have any doubt, request the endorsement page directly.
• Workers comp shown as "N/A" for a vendor who has employees. A vendor with employees in most states is legally required to carry WC. If they are marking it N/A, either they are misclassifying workers as contractors or they are operating illegally.
• Umbrella policy not following form. The umbrella section shows a limit, but there is no indication it applies to the same terms as the underlying GL. A standalone umbrella that does not follow form over your required GL endorsements may not extend AI status.

For a broader look at how automated parsing catches these errors at scale, see our guide on how to automate COI verification.

How Automated Verification Saves Time After the Request

The request is the first step. The actual work is in verifying that what was submitted meets your requirements - and doing that consistently across dozens or hundreds of vendors is where manual processes break down.

A parsing API approach eliminates the step where someone reads a PDF and manually compares numbers to a requirements checklist. When a COI arrives - whether via email attachment, upload portal, or forwarded PDF - a parsing layer extracts every structured data point: named insured, policy numbers, coverage types, limits, effective and expiration dates, endorsement language, and certificate holder information. A compliance rules engine then scores the certificate against your specific requirements and flags deficiencies.

The practical result: your team stops being the bottleneck between "vendor submits COI" and "vendor is approved to work." The compliance check happens in seconds, and the only human attention required is on the exceptions - the certificates that actually have problems.

For organizations running a structured COI compliance workflow, this kind of automated verification is the step that makes everything else scalable. You can onboard 10 vendors a day with the same rigor you applied when you were onboarding 10 vendors a month.