How to Verify Subcontractor Insurance: 3-Layer System (2026)

Published: March 17, 2026
Last update: March 17, 2026
Author: Don Halliwell

A certificate of insurance landed on your desk yesterday. The subcontractor's name matches, the policy dates look current, and the limits seem adequate. You filed it away, checked a box, and moved on with your day.

Six months later, that same subcontractor causes a jobsite accident. You pull the COI expecting protection, only to discover the policy was cancelled two weeks after that certificate was issued. Or the additional insured endorsement you assumed existed was never actually added. Or the exclusion buried on page 47 of the policy specifically carves out the exact type of work they performed for you.

This scenario plays out constantly across construction, manufacturing, property management, and every industry that relies on subcontractors. The problem isn't that companies skip insurance verification entirely. What most people call verification is actually document collection with a cursory glance.

A genuine system for verifying subcontractor insurance requires three distinct layers: understanding what a COI actually proves, gathering evidence beyond that certificate, and creating clear protocols for handling exceptions. Without all three working together, you're managing paperwork rather than managing risk.

Why "reviewing COIs" isn't verification

Here's an uncomfortable truth that insurance professionals rarely say out loud: a certificate of insurance is essentially a snapshot that can become outdated the moment it's printed. The standard ACORD 25 form includes explicit language stating it's issued as a matter of information only and confers no rights upon the certificate holder.

That disclaimer isn't legal boilerplate to ignore. It means the document you're relying on to protect your company carries no contractual weight whatsoever. The policy could be cancelled tomorrow, the limits reduced, or the coverage scope narrowed, and you'd have no legal claim based on what that certificate showed.

Most COI reviews amount to checking four things: Is the named insured correct? Are the policy dates current? Do the limits meet our minimums? Is our company listed as additional insured? If those boxes check out, the certificate gets filed and forgotten.

This approach misses critical gaps. It doesn't confirm whether the additional insured status actually exists in the policy or just appears on a certificate someone requested. It doesn't reveal exclusions that might gut coverage for your specific project. It doesn't account for policies structured with aggregate limits that could be exhausted by other claims before yours ever surfaces.

The certificate also tells you nothing about the insurer's financial stability, whether claims are being paid, or if the subcontractor has a history of coverage lapses. You're making substantial risk decisions based on a single-page summary that explicitly disclaims its own reliability.

Real verification means treating the COI as a starting point for investigation rather than the finish line. The certificate tells you what coverage allegedly exists. Your job is to confirm that coverage actually protects you in the ways that matter.

Layer 2: Evidence (what you can prove—endorsements, schedules, policy language)

Moving beyond the certificate requires gathering documentation that carries actual legal weight. This evidence layer transforms assumptions into confirmed facts.

Endorsement verification

When a COI shows your company as additional insured, request the actual endorsement form. Generic additional insured status means nothing without knowing which ISO form or carrier-specific endorsement applies. The CG 20 10 form from 2004 provides different coverage than the 2013 version. Some endorsements limit coverage to ongoing operations only, leaving you exposed for completed operations claims that surface years later.

Ask for the specific endorsement number and edition date. Compare what you receive against your contract requirements. If your agreement specifies additional insured coverage for both ongoing and completed operations, a blanket additional insured endorsement tied only to written contracts might not deliver what you need.

Policy schedule review

The declarations page of the actual policy reveals information no certificate can show. You'll see whether coverage is written on an occurrence or claims-made basis, the specific retroactive dates for claims-made policies, and whether aggregate limits apply per project or across all the insured's work.

For subcontractors performing specialized work, the declarations page also shows classification codes. A contractor classified for general carpentry might face coverage disputes if they're actually performing structural framing that carries different risk characteristics.

Exclusion analysis

Every commercial general liability policy contains exclusions. Standard ISO forms exclude pollution, professional services, and various other exposures. Manuscript policies written by specific carriers often add exclusions tailored to the insured's operations or claims history.

Request a copy of the exclusion schedule or, ideally, the complete policy form. Look specifically for exclusions related to the subcontractor's work for you. A roofing contractor's policy might exclude water damage claims. An electrical contractor might have exclusions for fire-related losses. These carve-outs could eliminate coverage precisely when you need it most.

Insurer verification

Confirm the insurance carrier's AM Best rating and verify they're admitted in your state. Non-admitted carriers operating through surplus lines arrangements may have different claims handling processes and regulatory oversight. For significant subcontract values, a carrier rated below A- should trigger additional scrutiny.

Layer 3: Exceptions (how to approve, condition, and memorialize)

No verification system works without a clear process for handling situations that don't meet your standard requirements. Rigid policies that allow no deviation create two problems: they are ignored when business pressures demand flexibility, and they force all-or-nothing decisions that don't align with real-world risk gradients.

Conditional approvals

Some coverage gaps warrant approval with conditions rather than outright rejection. A subcontractor with limits slightly below your threshold might be acceptable for a smaller scope of work. Missing completed operations coverage could be approved if the subcontractor's work will be immediately covered by other components, reducing long-tail exposure.

Document conditional approvals with specificity. Note the exact deviation being approved, the business justification, any risk mitigation measures being implemented, and the duration of the approval. A blanket statement that coverage was deemed acceptable provides no protection when someone later questions the decision.

Indemnification reinforcement

When insurance gaps can't be closed, contractual indemnification becomes your backup protection. Ensure your subcontract agreements include indemnification language that survives insurance deficiencies. The subcontractor's obligation to defend and hold you harmless shouldn't depend on whether their insurance actually responds.

Work with legal counsel to confirm your indemnification provisions are enforceable in the relevant jurisdiction. Anti-indemnity statutes in many states limit the amount of risk that can be contractually shifted, particularly for a party's own negligence.

Waiver documentation

If you're proceeding despite known coverage deficiencies, create a formal waiver that requires appropriate signature authority. The waiver should identify the specific gap, explain why standard requirements aren't being met, describe any alternative protections in place, and assign responsibility for the decision.

This documentation serves multiple purposes. It forces conscious decision-making rather than passive acceptance. It creates accountability for exceptions. And it provides a defense if the decision is later questioned, showing that risks were knowingly accepted through proper channels rather than overlooked.

Escalation paths (who signs off on what)

Clear authority levels prevent both unnecessary bottlenecks and inappropriate risk acceptance. Define thresholds based on exposure magnitude rather than treating all insurance decisions equally.

Tier-based authority

Project managers or field supervisors can typically approve subcontractors meeting all standard requirements without escalation. Their role is to confirm compliance, not to evaluate risk.

Deviations from defined parameters require approval from risk management or operations leadership. A subcontractor with limits 10% below the threshold, or missing a secondary coverage line, falls into this middle tier. Someone with a broader organizational perspective evaluates whether the specific gap matters for the specific engagement.

Significant gaps or unusual circumstances escalate to senior leadership or executive approval. Proceeding with a subcontractor who lacks required coverage entirely, or whose insurer shows financial instability, represents a business decision beyond routine risk management.

Documentation requirements by tier

Each tier should have corresponding documentation expectations. Standard approvals require only a checklist confirmation. Middle-tier approvals need written justification and condition documentation. Executive-level approvals warrant formal memos that outline the full risk picture and rationale.

This graduated approach keeps routine decisions moving efficiently while ensuring consequential exceptions receive appropriate attention. It also creates an audit trail demonstrating that your organization applies consistent standards rather than making ad hoc judgments.

Minimal documentation that prevents maximum chaos

Verification systems fail when documentation requirements become so burdensome that people work around them. The goal is to capture essential information without creating administrative barriers that undermine compliance.

What to retain

Keep the original COI plus any updated certificates received during the engagement. Store copies of endorsements confirming additional insured status and any other coverage features specifically required by your contract. Maintain records of any exception approvals, including the justification and authorizing signature.

Create a simple tracking log showing verification dates, who performed the review, and the outcome. This log becomes invaluable when questions arise months or years later about what was confirmed and when it was confirmed.

What you can skip

You don't need complete copies of the policy for every subcontractor. Request full policies only when specific concerns warrant deeper review. You don't need to retain every email exchange about routine certificate requests. Keep the final documentation, not the administrative back-and-forth.

Avoid creating elaborate spreadsheets tracking dozens of data points that no one actually uses to make decisions. Focus on the information that would matter if a claim arose: Was coverage confirmed? Were our requirements met? If not, who approved the exception and why?

Retention periods

Insurance documentation should be retained for the applicable statute of limitations plus a reasonable buffer. Construction defect claims can surface years after project completion. Product liability claims might arise a decade later. General liability policies typically have occurrence-based coverage that could respond to claims filed long after the policy period ends.

Consult with legal counsel about retention requirements for your specific industry and jurisdiction. When in doubt, err on the side of longer retention. Storage costs are minimal compared to the value of having documentation available when disputes arise.

FAQ

How often should we re-verify subcontractor insurance?

At a minimum, verify coverage annually and whenever you receive notice of policy changes. For long-term subcontractor relationships, request updated certificates 30 days before known policy expiration dates. For project-based work, verify at project start and again if the engagement extends beyond the original policy period.

What if a subcontractor refuses to provide copies of endorsements?

This refusal is itself useful information. Legitimate insurers and brokers routinely provide endorsement documentation to certificate holders with insurable interest. Resistance often indicates the coverage doesn't actually exist as represented. Consider whether you want to proceed with a subcontractor who is unwilling to verify their coverage claims.

Should we verify insurance for small subcontractors differently from large ones?

The verification process should be consistent, but your risk tolerance for exceptions might vary. A subcontractor performing a $5,000 scope of work presents different exposure than one handling a $500,000 engagement. Adjust your exception approval thresholds accordingly while maintaining the same verification standards.

How do we handle subcontractors with claims-made coverage instead of occurrence policies?

Claims-made coverage requires additional verification steps. Confirm the retroactive date predates any work performed for you. Understand what happens if the subcontractor changes carriers or lets coverage lapse. Consider requiring extended reporting period coverage for completed operations exposure.

What's the most common verification mistake you see?

Treating the COI as proof rather than a starting point. Companies diligently collect certificates, check the obvious fields, and file them away, believing they've verified coverage. They haven't. They've collected a document that explicitly disclaims its own reliability. Real verification requires the additional steps outlined in the evidence layer.

Building a three-layer verification system requires initial effort, but the alternative is to discover coverage gaps only when claims arise and protection matters most. The companies that handle subcontractor insurance well aren't doing anything magical. They're simply treating verification as a genuine process rather than a paperwork exercise.

If you're managing dozens or hundreds of subcontractor relationships, manual verification quickly becomes unsustainable. TrustLayer automates the collection, tracking, and verification of certificates and compliance documents, freeing your team to focus on actual risk decisions rather than administrative follow-up. Book a demo to see how modern certificate management works, and explore other TrustLayer articles for more guidance on building resilient compliance processes.
