Skip to main content
Onfile

Blog

How to track certificates of insurance (COI) without losing your mind

· 9 min read · OnFile team

If you've worked through W-9 collection, you might think COI tracking is the same problem with a different file name. It isn't. A W-9 you collect once and update on rare changes. A certificate of insurance is a living document: it expires every year (sometimes more often), the policy number changes when the carrier renews, the limits can shift, and a single missing endorsement can void the protection it's supposed to provide.

A typical commercial COI for a property management vendor packs four or five distinct policies onto one ACORD 25 form: general liability, workers' compensation, auto, sometimes umbrella, sometimes professional. Each line has its own carrier, policy number, effective dates, and limits. Each has to be valid on the day the contractor steps onto your property. Miss one, and you're carrying the risk yourself.

The reason COI tracking gets out of control isn't that any individual COI is hard to read — it's that you're trying to keep 50 to 500 of them current at once, with no two carriers using the same template, and no single inbox folder that makes the bad ones obvious.

What "compliant" actually means

Before you can automate the workflow, you have to define "compliant" precisely. Most teams don't, and that's where ambiguity starts: every property manager in the office has a slightly different definition, and vendors get told different things on different days.

A compliant COI for a typical property management vendor passes four checks:

  • General liability with the limits you require. The defaults you'll see in property management contracts are $1M per occurrence / $2M aggregate. Some institutional owners require $2M / $4M. Whatever you require should be written into the vendor agreement — not improvised.
  • Workers' compensation in states that require it (most do, with narrow sole-proprietor exemptions) and commercial auto liability if the work involves vehicles on your property.
  • You named as additional insured AND certificate holder. These are different things. Certificate holder gets the email when the policy renews; additional insured is the entity actually covered by the contractor's policy. You need both. The endorsement form to look for is CG 20 10 (ongoing operations), and ideally CG 20 37 (completed operations) for any work that creates a finished product.
  • Coverage dates that haven't expired on the day work is performed.

Then there are three optional-but-very-common requirements that institutional owners and most property insurers will ask for:

  • Waiver of subrogation in your favor (form CG 24 04 for GL).
  • Primary and non-contributory wording so the contractor's policy pays first, before yours.
  • 30-day written notice of cancellation to certificate holders.

If your vendor agreement requires any of these, "the COI is on file" doesn't mean compliant. The endorsements have to be there too — usually as separate pages stapled to the ACORD form. The most common compliance gap in vendor files isn't a missing COI; it's a COI present but missing the endorsements that make it count.

The manual workflow — and where it breaks

Here's how COI tracking usually runs at a small property management firm:

  1. New vendor onboards. Office manager emails them: "Please send a COI naming us as additional insured."
  2. Vendor's broker emails back a PDF, sometimes with the right endorsements, often with the wrong ones, occasionally with no additional-insured endorsement at all.
  3. Office manager glances at the form, sees an ACORD 25, files it under the vendor name in a Drive folder.
  4. Eleven months later, the policy is about to renew. No one knows.
  5. The vendor's broker re-issues the COI on renewal date — but only if the broker remembered. Often they don't. The new COI lands in someone's inbox and gets overlooked.
  6. A claim happens. The form on file expired four months ago. Your insurance broker calls.

Where this breaks:

  • No expiration tracking. The expiration date sits on page 1 of the PDF. Without something pulling that date out and reminding you, it's invisible.
  • No requirements validation. Nothing checks the GL limit against your contractual requirement. You discover the gap during a renewal review, or — worse — during a claim.
  • No endorsement check. The ACORD form might say "additional insured per attached endorsement" — and the endorsement might not be attached. The COI looks fine at a glance.
  • No carrier renewal handoff. When the carrier renews mid-year and the policy number changes, your file still references the old policy. Verifying coverage during a claim becomes a phone tree.
  • No central audit trail. When your insurance broker asks "show me the COIs for every vendor who worked on Building B last year," reconstruction takes a day. Sometimes it's not possible.

What an automated COI workflow looks like

A working COI tracking workflow has five components. As with W-9 collection, you can build them, buy them, or stitch them together — but the components themselves are the same shape.

1. Vendor uploads via secure portal (no contractor login)

The same rule from W-9 collection: never make a contractor create an account. Send a tokenized URL. The contractor or their broker uploads the COI and any endorsements in one click, no password.

The wrinkle for COIs: the portal should accept multiple files per upload, because endorsements are usually separate pages from the ACORD form. Many vendors will send four PDFs in one email; the portal should let them attach all four to the same upload.

2. Auto-extract insurer, policy number, dates, and limits

The structured data on a COI is what makes it useful: insurance company name, policy number, effective and expiration dates, per-line coverage limits. Modern OCR handles ACORD 25 forms well — the layout is standardized and the field positions are consistent. Extract that data into your system and you can sort, filter, and alert on it.

Confidence scores per field matter here. The extracted "$1,000,000" general liability limit should come with a confidence score so your reviewer knows when to spot-check.

3. Validate against per-vendor-type requirements

Not every vendor needs the same coverage. A landscaper might need $1M GL and workers' comp. An HVAC tech needs the same plus higher limits and professional liability. A janitor with property keys might need a fidelity bond. Set requirements per vendor type, then validate every uploaded COI against the relevant template.

The validation check is binary: every required line and limit either passes or fails. The contractor sees the failures immediately and either uploads a corrected COI or asks their broker to issue one. They don't get to send you something close-but-wrong and have you accept it.

4. Reminder cadence as expiration approaches

The cadence that actually works is 30 / 14 / 7 days before expiration, with the first nudge going to both the contractor and your team. Stop reminders the moment a renewed COI lands. Resume only if a renewal date passes with nothing on file.

The trap to avoid: bulk daily emails. Vendors stop reading. Three calibrated nudges per renewal cycle is the right cadence — frequent enough to land, sparse enough not to be ignored.

5. Auto-archive on lapse, with a clear "non-compliant" flag

When a COI expires and isn't renewed, the system should mark the vendor non-compliant immediately and surface it in the dashboard. Not deleted — archived, with the lapse date recorded. If the vendor renews three weeks late, the new COI gets stamped with the gap so you can decide whether to allow it or pause work.

The non-compliant state should be load-bearing. If a contractor isn't compliant, scheduling new work for them should require an explicit acknowledgment.

What happens when a COI lapses

The pain of a missing COI isn't theoretical. Here's the chain:

A contractor whose COI expired three months ago slips and falls on a wet stairwell at one of your properties. Or worse, drops a tool on a resident. They sue.

Their (lapsed) GL policy doesn't pay. Your GL policy does, because the loss happened on your property and you're the named insured. Your premium gets repriced at renewal — significantly, because property management policies are loss-sensitive. The renewal conversation with your broker is uncomfortable.

If the property is institutional, the owner asks for proof of vendor insurance compliance going back two years. You can't produce it. They ask why their property manager wasn't tracking COIs. The conversation becomes about whether to renew the management contract.

None of this requires bad faith on anyone's part. The contractor's broker forgot to send the renewal certificate. The office manager didn't notice. The system that should have flagged the lapse three months ago didn't exist.

The cost of the system that does flag it is small enough to round to zero compared to one mid-five-figure premium increase, let alone one lost management contract.

Build vs. buy

If you have an in-house engineering team and a meaningful number of vendors (say, 200+), you can build COI tracking. The components are the same as W-9 collection plus a few COI-specific pieces:

  • Tokenized upload, OCR, audit log: same as W-9 (~3–5 weeks).
  • Per-vendor-type requirements engine: ~1 week.
  • Reminder cadence with renewal-aware logic: ~1 week.
  • Compliance dashboard with status filters: 1–2 weeks.
  • Maintenance: a week or two per year, mostly OCR template updates as carriers tweak their PDFs.

Total: roughly 6–8 weeks, plus ongoing.

The buy alternative — including OnFile — handles all of it for around $49 to $99 a month depending on vendor count. The break-even is roughly 25 active vendors and one near-miss, where "near-miss" means an expired COI you found before something happened. The cost of one event you didn't catch is higher than several years of subscription.

Year-end view

When COI tracking is wired correctly, here's what your year-end audit looks like:

  1. You filter every active vendor.
  2. For each, you see: current COI on file, all required endorsements present, expiration date, last renewal cycle, all limits meeting your requirements.
  3. You export the whole thing to PDF or CSV.
  4. You hand it to your insurance broker, your owner, or your auditor. They have everything they need.

The broker doesn't have to chase you for spreadsheets. Your owners don't have to wonder whether you're tracking compliance. Your team doesn't spend the first two weeks of December reconstructing the year.

COI tracking is one of those problems that quietly compounds when ignored and quietly disappears when wired correctly. The five-component workflow above is the wiring.