Endorsements Are Where COI Compliance Lives or Dies
Additional insured, waiver of subrogation, primary and noncontributory — the endorsements behind your COIs are what actually protect you. Here's how to track them.
Most risk managers spend most of their time tracking the wrong thing. They track certificates — the front-page summary documents — when what actually matters is the endorsements behind those certificates. The certificate is marketing. The endorsement is the law.
If that sounds harsh, here's the test: when a claim happens and your company is named, the insurance carrier doesn't read the certificate. They read the policy. The certificate is a courtesy document showing what coverage exists; the policy and its endorsements determine what's actually covered. If the certificate says you're an additional insured but no endorsement was added to the policy, you're not an additional insured. You can sue over it, but you'll lose.
This is why endorsement tracking is the single most underrated capability in COI compliance, and why platforms that don't take it seriously leave you exposed.
The endorsements that matter
For most commercial contracts, three endorsements drive coverage:
Additional Insured (AI). This adds your company as a named insured on the vendor's policy, meaning the vendor's insurance defends and indemnifies you for liability arising from their work. The most common forms are CG 20 10 (ongoing operations) and CG 20 37 (completed operations). Many contracts require both. The certificate often just says "additional insured" in the description box, which tells you exactly nothing about which form was used or whether it was actually added.
Waiver of Subrogation. This prevents the vendor's insurance carrier from coming after your insurance carrier after paying a claim. Without it, you can end up in a circular fight where their carrier sues your carrier for reimbursement, even though you both technically had coverage.
Primary and Noncontributory. This makes the vendor's insurance the primary coverage, with your insurance not contributing until theirs is exhausted. Without this language, both policies share the loss pro-rata, which often means your premiums go up because of someone else's claim.
There are others — completed operations coverage, per-project aggregate, additional insured for owners and contractors — but those three are the workhorses. Most contracts require some combination, and the requirements vary by vendor type, project, and jurisdiction.
Why certificates lie about endorsements
The certificate of insurance is generated by the broker using a standard form (ACORD 25 for liability coverage, ACORD 28 for property). The description box at the bottom is freeform text where the broker types whatever the contract requires. There's nothing stopping anyone from typing "Owner is named as additional insured per CG 20 10 and CG 20 37; waiver of subrogation applies; coverage is primary and noncontributory" — even if none of those endorsements were actually added to the policy.
This isn't always fraud. Sometimes it's a mistake. The contract gets signed, the certificate gets generated, but the endorsement request never makes it to the carrier. The vendor's broker forgets to file it. The carrier denies the request because the policy doesn't allow it. The endorsement gets added but the form number is wrong. There are a lot of ways this fails, and most of them are invisible from the certificate.
The only way to verify is to look at the actual endorsement documents. And that's where most COI programs stop short.
What endorsement tracking should actually do
A serious COI program tracks endorsements at three levels:
Document collection. For each certificate, collect the actual endorsement forms. Not the certificate's description of the endorsements — the endorsements themselves. CG 20 10 04 13 is a document. It has a form number, an effective date, and specific language. You should have it in your file.
Form verification. Check that the right form was used. CG 20 10 ongoing operations is different from CG 20 10 11 85, which is a much broader version that hasn't been issued in decades but is sometimes referenced. CG 20 33 automatic AI is different from CG 20 38 named AI. The contract specifies which forms are required; the endorsements need to match.
Coverage scope verification. Even with the right form, the coverage scope matters. Some endorsements limit additional insured status to ongoing operations only. Some exclude certain types of claims. Some apply only when required by written contract. The endorsement language determines what's actually covered.
Most COI tracking software handles the first level passably and the other two badly or not at all. The platform extracts the certificate, flags missing endorsements based on what's listed in the description box, and calls it done. The actual endorsement documents are an afterthought.
How platforms differ on endorsements
When we compare COI tracking platforms, endorsement tracking is one of the fastest ways to separate serious tools from workflow shells.
The serious platforms — TrustLayer is the best example, with bcs and Veriforce in the same general tier — track endorsement documents as separate entities, allow per-form verification, and flag mismatches between contract requirements and actual coverage. They also handle the routine cases automatically: when a vendor's policy renews, the platform checks whether the new endorsements match the old ones and flags discrepancies.
The weaker platforms — myCOI and several legacy tools — treat endorsements as text fields. The "compliance check" verifies that certain words appear in the description box. If the description says "additional insured," the platform flags compliance as met, regardless of whether the endorsement actually exists.
Jones, in our research, falls in between. The platform does collect endorsement documents, but the verification depth varies by configuration. Their pricing model (square-foot for CRE) means smaller portfolios often don't get the deeper verification setup.
The contract drafting connection
A lot of endorsement problems start in contract drafting. The contract says "vendor will name owner as additional insured" — but doesn't specify which form, doesn't specify ongoing vs. completed operations, doesn't specify primary and noncontributory. The vendor's broker then provides whatever's cheapest, which is usually the narrowest form available. The certificate looks compliant, but the actual coverage is much narrower than intended.
If you're inheriting a COI program, one of the highest-leverage things you can do is review the contract templates your company uses. Are the endorsement requirements specific? Do they cite form numbers? Do they require coverage to apply to completed operations? If not, you're losing protection at the contract stage that no amount of COI tracking can recover.
What to do this quarter
Practical actions if you want to improve endorsement tracking:
- Audit your top 20 vendors. Pull the certificates and the underlying endorsement documents. Verify that the endorsements actually exist and match what the certificate claims.
- Review your contract templates. Are endorsement requirements specific enough? Add form numbers and scope language where missing.
- Confirm your platform's capability. Does your COI tracker actually collect and verify endorsement documents, or does it just check description-box text? If it's the latter, you have a gap.
- Build a quarterly endorsement audit. Sample a percentage of your active vendors each quarter and verify endorsements against the underlying policies. This catches drift over time.
The bigger picture
Certificates of insurance are a 50-year-old document type designed for a paper-based world. They're a snapshot, not a verification mechanism. The endorsements they reference are the actual instruments of coverage transfer. Treating the certificate as the source of truth — when actually the endorsements are — is the core mistake of most COI programs.
The platforms that do this well charge a premium and earn it. The ones that don't will tell you they handle endorsements, which is technically true in the same sense that a calendar handles birthdays. Yes, the date is on the calendar. No, that doesn't mean anything happened.
See how the major platforms compare on endorsement tracking in our vendor profiles.