Insurance Verification Best Practices Explained: Key Insights for Brokers

Insurance verification best practices have evolved well beyond a one-time check at contract start. For agencies managing commercial accounts where clients operate as general contractors, property managers, or any party that receives COIs from outside vendors, verification is an ongoing operational function with direct E&O implications.

IIABA 2025 found that 22% of agencies have no documented process for verifying incoming certificates from third-party vendors. Of agencies that do verify, 41% do not re-verify at renewal. Both gaps create the same outcome: a lapsed policy goes undetected, a claim occurs, and the certificate holder faces an uninsured loss that their broker failed to catch.

This guide covers the seven best practices that define a defensible, systematic verification process, with implementation guidance, E&O context, and the data behind each recommendation.

Key Takeaways

• IIABA 2025 found that 22% of agencies have no documented process for verifying incoming vendor certificates; 41% of those that do verify do not re-verify at renewal.
• Verifying only at contract inception and not at renewal is the single most common gap in commercial lines COI management.
• Maintaining a contract requirements database per certificate holder allows automated comparison when certificates arrive, reducing manual review time significantly.
• Every incoming certificate should include a carrier NAIC number verification using apps.naic.org; a carrier not in the database is a fraud indicator, not an administrative oversight.
• Documentation of each verification (date, method, verifier, discrepancies found) is the primary E&O defense when a claim arises from an uninsured contractor.
• Automated expiration tracking with alerts at 30, 15, and 7 days before policy expiration prevents coverage gaps from going unnoticed mid-contract.

Best Practice 1: Verify at Inception and at Every Renewal

Most agencies verify COIs once: at the start of a contract or project. That single verification becomes outdated the moment the contractor's policy changes. Carriers can cancel or non-renew mid-term. Premiums go unpaid. Coverage lapses.

A certificate issued at contract start that showed active coverage tells you nothing about coverage six months later. The contract is still running. The contractor is still on site. But the policy may no longer be in force.

The fix is straightforward but requires discipline: require re-verification at the contractor's policy anniversary date. If the contractor's policy runs January to January and the contract runs March to March, the certificate holder needs a new COI every January. Build this requirement into the contract language itself. A clause that states "Contractor shall provide an updated certificate of insurance within 10 days of each policy renewal" creates a contractual obligation rather than an administrative request.

At minimum, re-verify annually. For long-running projects or high-risk contractors (those in construction, transportation, or staffing), require certificates at each policy anniversary and whenever a policy changes mid-term.

Best Practice 2: Maintain a Contract Requirements Database

Certificate verification without a requirements database produces inconsistent results. Staff checking incoming certificates against memory or informal notes will miss requirements that differ by client, by contract, or by certificate holder.

A contract requirements database stores, for each certificate holder your clients work with, the specific insurance requirements that apply: required GL limits, auto limits, workers compensation requirements, umbrella/excess thresholds, required endorsements (AI, WOS, P&NC), and any special requirements specific to that holder or jurisdiction.

When a new COI arrives, staff compare the extracted certificate data against the stored requirements for that certificate holder. The comparison is explicit and documented, not informal.

This database can live in your AMS (as client account notes or a structured data field), in a spreadsheet that is updated with each new contract, or in a dedicated COI management platform. The format matters less than consistency: every certificate should be checked against a documented set of requirements, not ad hoc judgment.

For agencies with multiple clients who are GCs or property managers, each of those clients may have dozens of certificate holders with different requirements. A database is the only scalable way to manage this.

Best Practice 3: Verify Carrier Legitimacy for Every Incoming Certificate

Carrier verification is the step most agencies skip. It takes two minutes using NAIC's free carrier lookup at apps.naic.org, and it catches one of the most common fraud vectors: a certificate listing a carrier name that sounds legitimate but is not a licensed insurer.

For every incoming certificate, run the NAIC number printed on the form through the NAIC carrier lookup. Confirm:

• The carrier name matches what is on the certificate.
• The carrier is licensed in the state where the work will be performed.
• The carrier is authorized to write the line of business listed (GL, auto, WC, etc.).
• No significant administrative actions or financial impairment notices are listed.

Non-admitted carriers and risk retention groups require additional verification. Non-admitted carriers are not subject to the same state regulatory oversight as admitted carriers, and a claim against a non-admitted carrier may not be covered by the state guarantee fund if the carrier becomes insolvent. If a non-admitted carrier appears on a certificate, confirm that the coverage type is appropriate for non-admitted placement and that the carrier is on your state's list of approved surplus lines carriers.

A carrier NAIC number that returns no result at apps.naic.org is not an administrative gap. It is a fraud indicator. Do not accept the certificate without direct clarification from the issuing agency.

Best Practice 4: Require Certificates from the Issuing Agency, Not the Contractor

Contractors should not be allowed to self-produce, alter, or transmit their own certificates. The ACORD 25 form is issued by the insured's agent or broker, not by the insured. When a contractor sends a COI directly without it coming from their agent's office, the chain of custody is broken.

The operational fix: require all certificates to be sent directly from the contractor's agent or via a carrier portal. In the contract language, specify that certificates must be issued and transmitted by the contractor's licensed insurance agent or broker. The contractor should not be the source of the document.

For high-volume certificate holder clients, platforms like Certificial allow agents to push certificates directly to certificate holders via a verified electronic feed. The certificate holder receives a document with a verified issuing agency, not a PDF attachment forwarded by the contractor.

This single requirement eliminates a significant portion of self-issued and altered certificate fraud. Contractors who present fraudulent certificates typically cannot replicate the process through a legitimate agency.

Best Practice 5: Use Consistent Verification Documentation

Documentation is the most undervalued element of a COI verification program. Agencies that verify certificates but do not document what they checked, when they checked it, and what they found have no defensible record if a claim arises.

Every COI verification should produce a written record that includes:

• Certificate date: the date of the certificate being verified.
• Verification date: the date verification was performed.
• Verifier name: which staff member performed the verification.
• Verification method: visual check, NAIC lookup, direct call to issuing agency, or automated platform.
• Findings: all fields verified and their status (passed, failed, discrepancy noted).
• Discrepancies and resolution: if a discrepancy was found, what it was and how it was resolved.

This documentation belongs in the client's account file in your AMS, linked to the specific certificate. If an E&O claim arises from a coverage gap, the audit trail demonstrates that your agency followed a documented process. Absence of documentation in an E&O dispute is treated as absence of verification.

The documentation requirement is not onerous if it is systematized. A COI management platform generates this record automatically for every certificate processed. Manual verification can use a standardized form or template that staff complete for each certificate. The format does not matter; the consistency does.

Best Practice 6: Automate Expiration Tracking

Manual tracking of certificate expiration dates fails at scale. An agency managing 300 certificates across 50 accounts with staggered renewal dates cannot rely on calendar reminders or spreadsheet flags to catch every expiration. Gaps happen.

Automated expiration tracking sends alerts at defined intervals before a certificate expires: 30 days, 15 days, and 7 days before the policy expiration date are standard. At each alert, the system notifies the relevant staff member and, in some platforms, automatically contacts the contractor's agent to request a renewal certificate.

The 30-day alert is the most operationally important. It gives enough lead time to request a renewal certificate, receive it, verify it, and follow up on discrepancies before the policy expires. A 7-day alert alone often produces a scramble.

IIABA 2025 data shows that 41% of agencies that verify COIs at inception do not re-verify at renewal. Automated expiration tracking directly addresses this gap by making re-verification the default, not the exception.

For accounts where continuous coverage is contractually required (a GC who must maintain coverage throughout a multi-year public works project), a lapsed certificate is a contract breach. Automated alerts give the agency the ability to catch and resolve that breach before it becomes a claim.

Best Practice 7: Write a Verification Policy

Process variation is the root cause of most verification failures in commercial lines agencies. One staff member verifies thoroughly. Another does a quick visual check. A third forwards the certificate to the client without verifying at all. Without a written policy, all three approaches are equally valid.

A written COI verification policy defines:

• Who verifies: which role or staff member is responsible for verifying incoming certificates.
• When they verify: at inception, at renewal, and for any mid-term policy change.
• What they verify: the specific checklist of fields and checks required for every certificate (using the seven-step process outlined in a companion guide).
• How they document it: the required documentation format and where it is stored.
• What happens when a discrepancy is found: the escalation path, who makes the decision to accept or reject, and how the contractor is notified.

Agencies that have a written verification policy and follow it consistently have materially lower E&O exposure than those that handle verification ad hoc. The policy is also a training document for new staff and a reference for experienced staff who handle a verification situation they haven't seen before.

The policy does not need to be long. A one-page document that answers the five questions above, approved by agency leadership and stored in the operations manual, is sufficient. The discipline is in following it on every certificate, not in the length of the document.

Insurance Verification Best Practices Reference Table

Frequently Asked Questions About Insurance Verification Best Practices

How often should a certificate of insurance be verified?

Verify at contract inception and at every policy renewal. At minimum, verify annually. For accounts in high-risk industries (construction, transportation, staffing) or for clients with long-running projects, build renewal certificate requirements into the contract and verify each time a new certificate is provided. IIABA 2025 data shows 41% of agencies that verify at inception do not re-verify at renewal, which leaves mid-contract policy lapses undetected.

What is the most important element of an insurance verification process?

Documentation. Agencies that verify but do not document have no defensible record when an E&O claim arises. Every verification should produce a written record of what was checked, when it was checked, who checked it, and what the findings were. Without that record, a thorough verification is indistinguishable from no verification in a dispute. Store the documentation in the client's account file in your AMS, linked to the specific certificate.

Should certificate holders allow contractors to self-issue or modify their own COIs?

No. The ACORD 25 certificate of insurance is issued by the insured's agent or broker, not by the insured. When a contractor produces or transmits their own certificate without going through their agent, the integrity of the document is compromised. Contracts should specify that certificates must be issued and transmitted directly by the contractor's licensed agent or broker, or via a carrier-connected portal. Self-issued certificates are one of the most common sources of altered and fraudulent COIs.

How should agencies document their COI verification process?

Each verification should record: the certificate date, the date of verification, the name of the staff member who verified, the method used (visual check, NAIC lookup, direct carrier call, or automated platform), the result of each check, and any discrepancies found along with how they were resolved. Store this record in the client's AMS account file. For agencies processing high volumes, a COI management platform that generates this audit trail automatically is more reliable than manual documentation. The standard is consistency: every certificate gets the same documentation, not just the ones that have issues.

What is the E&O risk of accepting an unverified certificate of insurance?

It is significant. If a client accepts a contractor with a lapsed or inadequate policy based on an unverified COI, and that contractor causes a loss, the client faces an uninsured claim. If the client then alleges that their broker failed to verify the certificate adequately, the agency faces an E&O claim. Defense costs for commercial E&O claims average $25,000 to $50,000 even when the agency prevails. Settlements in cases where the agency had no documentation of verification can reach six figures. A written verification process with documented records is the primary E&O mitigation for this exposure.

How do automation tools improve insurance verification best practices?

Automation addresses three specific gaps in manual verification processes. First, it applies a consistent process to every certificate, eliminating variation in how different staff members verify. Second, it generates automatic audit trails for every certificate processed, removing the dependency on staff remembering to document. Third, it tracks expiration dates across the entire certificate portfolio and sends alerts before policies lapse, addressing the 41% of agencies that IIABA 2025 found do not re-verify at renewal. The time savings (from approximately 12 minutes per certificate manually to under 2 minutes with automation) are real, but the consistency and documentation benefits are the primary E&O argument for automation adoption.

BrokerageAudit's COI Manager automates certificate verification, tracks expirations, and maintains a complete verification audit trail for every account. See how it works →

Written by Javier Sanz, Founder of BrokerageAudit. Last updated April 2026.