What a COI Proves and What It Does Not
A certificate of insurance (COI) is a one-page summary document issued by an insurer or broker that confirms the existence of an insurance policy. It typically shows the insured's name, the insurer's name, policy number, lines of coverage, limits per occurrence and in aggregate, policy period dates, and any additional insured endorsements. For Indian enterprises managing supply chains, construction projects, leased properties, and outsourced services, the COI is the standard mechanism by which a counterparty proves it carries the insurance the contract requires.
Understanding what a COI does and does not prove is the starting point for sound COI management. A COI proves that an insurance policy existed on the date the certificate was issued, with the limits and terms shown. It does not prove that the policy continues to be in force (it may have been cancelled after issuance), that the specific claim being contemplated will be covered (exclusions are not shown on the COI), that the limits are adequate for the actual loss that may occur, or that the additional insured endorsement on the COI is consistent with what is actually in the policy.
This gap between what the COI shows and what the policy actually provides is the central risk in COI management. An Indian construction company that accepts a COI from a subcontractor showing INR 5 crore in public liability coverage has not confirmed that the subcontractor's policy: (a) is still in force, (b) covers the specific work being performed at the specific site, (c) includes the contractor as an additional insured for ongoing operations and completed operations, or (d) has not been modified by an endorsement that reduces or removes coverage since the COI was issued. All of these deficiencies have materialised in Indian construction sector claims where the principal contractor relied on a COI that proved to be either stale, inaccurate, or incomplete.
IRDAI has not prescribed a mandatory standardised COI format for the Indian market (unlike, for example, the ACORD 25 certificate widely used in the US). Indian insurers issue COIs in varying formats, which creates both standardisation challenges for enterprise risk teams and the opportunity for material differences between COIs that appear superficially similar.
IRDAI's Framework and the Certificate of Insurance in Indian Practice
IRDAI's regulatory framework touches COI requirements in specific ways that Indian risk managers should understand.
For motor insurance, the Motor Vehicles Act 1988 mandates a certificate of insurance as a compulsory document that must be carried in the vehicle and produced on demand by traffic authorities. The format of the motor COI is prescribed under the Insurance Act rules, and IRDAI's circular on motor certificate format (most recently updated in 2019) specifies the minimum information to be contained. Motor COIs from third-party insurance policies are issued by IRDAI-regulated insurers and must comply with this format.
For marine cargo, IRDAI has prescribed the minimum information to appear on a marine certificate under the Marine Insurance Act 1963, specifically where an open cover or floating policy is in place. Marine certificates are the mechanism by which individual shipments are declared under the open cover, and they serve as proof of insurance for customs clearance under Central Board of Indirect Taxes and Customs (CBIC) import regulations.
For commercial liability and property COIs, IRDAI has not prescribed a mandatory format. Individual insurers use their own certificate templates. This means that two insurers may issue COIs for similar policies with very different information detail levels, requiring the recipient to request supplementary information (policy schedule, endorsement copies) to verify that the coverage shown on the COI matches contractual requirements.
The IRDAI's Insurance Brokers Regulations 2018 authorise registered insurance brokers to issue COIs on behalf of their insurer principals. In practice, the broker typically issues the COI as an agent of the insurer, and the insurer is bound by the certificate's representations to the extent they are consistent with the underlying policy. If there is a conflict between the COI and the policy wording, the policy wording prevails. Indian enterprises should therefore treat the COI as a starting point for verification, not as a final confirmation of coverage.
Common COI Deficiencies That Indian Risk Managers Encounter
Enterprise risk teams and procurement functions managing large vendor panels in India encounter a predictable set of COI deficiencies, most of which can be caught at the point of collection if the review process is systematic.
Wrong limits: The most common deficiency. The vendor's COI shows a public liability limit of INR 1 crore per occurrence, but the contract requires INR 5 crore. The vendor may have this coverage on a different policy or the limit may be a per-occurrence sublimit within a higher aggregate. Either way, accepting a COI with insufficient limits exposes the enterprise to uninsured gap risk if a claim arises from the vendor's work.
Missing additional insured endorsement: Most Indian contracts with vendors and contractors require the enterprise to be named as an additional insured on the vendor's liability policy, so that claims arising from the vendor's operations that are directed against the enterprise are covered by the vendor's insurer rather than the enterprise's own liability insurer. The COI may show 'additional insured as per endorsement' without attaching the endorsement. The risk manager must request and review the actual endorsement to confirm: (a) the enterprise is correctly named, (b) the additional insured status applies to the specific type of operations (ongoing operations and/or completed operations), and (c) there is no limitation in the endorsement that carves out the specific claim type being contemplated.
Expired policies: A COI showing a policy period of April 1, 2025 to March 31, 2026 accepted in April 2026 confirms coverage that has already expired. This sounds obvious but is surprisingly common in large organisations where procurement teams collect COIs at contract inception and file them without tracking renewal. A vendor that renews its insurance in April but does not automatically provide a fresh COI may leave the enterprise holding a stale document for months or years.
Wrong insured name: Vendor entities often have multiple legal entities in a group. A COI naming 'ABC Construction Pvt Ltd' does not cover work performed by 'ABC Construction Services Ltd', a related but legally distinct entity. If the contracting entity is not the same as the insured entity on the COI, coverage is not confirmed.
Wrong policy type: A vendor providing professional services under an IT outsourcing agreement needs professional indemnity cover. A COI showing only commercial general liability (public liability) confirms the wrong line of business. The PI cover, which responds to errors and omissions in professional services, is missing entirely.
Sublimits and aggregate exhaustion: A COI showing INR 10 crore in aggregate liability limit may not reveal that INR 8 crore of that aggregate has already been eroded by prior claims during the policy year. The aggregate limit shown is the policy maximum, not the remaining available limit. For high-frequency vendor panels (large construction projects with many subcontractors over a long project period), aggregate exhaustion is a real risk that a COI cannot reveal.
Setting COI Requirements by Vendor Tier
Not every vendor relationship carries the same risk exposure, and applying uniform COI requirements across the vendor panel is both administratively inefficient and commercially inappropriate. Tier-based COI requirements allow the enterprise to focus rigorous review on high-exposure relationships while applying lighter-touch processes to lower-risk vendors.
A practical three-tier approach for Indian enterprises:
Tier 1 (High Exposure): Contractors performing structural or mechanical work at the enterprise's facilities, vendors providing services with direct access to customer data, logistics providers handling high-value or hazardous goods, and any supplier whose failure could halt production or service delivery. Tier 1 vendors should provide: commercial general liability with minimum limits set at the contract value or INR 5 crore per occurrence (whichever is higher), employer/workmen's compensation cover for all workers deployed at the enterprise's sites, professional indemnity (for IT and professional services vendors) with limits reflecting the contract value, and the enterprise named as additional insured on both general liability and where applicable professional indemnity. COIs should be collected at contract inception and verified on annual renewal, with automated expiry alerts.
Tier 2 (Moderate Exposure): Vendors providing goods or non-critical services without site access, distributors and channel partners, standard office services vendors. Tier 2 vendors should provide commercial general liability and workmen's compensation at minimum statutory limits, with the enterprise named as certificate holder (not necessarily additional insured). COIs should be collected at contract inception and on annual renewal, with exception-based review rather than full annual verification.
Tier 3 (Low Exposure): Vendors of standard consumables, off-the-shelf software licences, and other low-exposure supply relationships where a single vendor failure does not create material liability for the enterprise. A self-declaration of insurance coverage at onboarding, with COI required only on request, is appropriate for Tier 3.
The tier classification should be reviewed when a vendor's scope changes materially (a Tier 2 vendor that begins performing on-site work should be reclassified to Tier 1) and annually as part of the broader vendor risk review process.
Automated COI Tracking Platforms
Manual COI tracking in a spreadsheet is adequate for a vendor panel of 20-30 entities. At 200-300 vendors, spreadsheet management creates systematic gaps: expiry tracking becomes unreliable, version control of documents fails, and the audit trail of who verified what and when disappears. Indian enterprises managing large vendor panels increasingly deploy dedicated COI tracking platforms.
The core functionality required in a COI tracking platform for Indian enterprises includes: document intake (ability to receive COIs by email, portal upload, or broker API feed), automated data extraction (optical character recognition to parse insurer name, policy number, limits, policy dates, and insured name from PDFs without manual keying), compliance scoring (comparison of extracted data against the contract's insurance requirement template, with automatic flagging of deficiencies), expiry management (automated alerts to the vendor, the procurement team, and the risk manager at 60, 30, and 7 days before policy expiry), and audit trail (full history of COI submissions, reviews, exceptions, and approvals for each vendor).
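The compliance-scoring and expiry-management functions described above, together with the deficiency types listed earlier, can be expressed as a small rule set. This is an added example, not code from any of the platforms named on this page; the `Requirement` and `Coi` schemas, the flag names, and the enterprise name "Example Enterprise Ltd" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CRORE = 10_000_000            # 1 crore = 10 million INR
ALERT_DAYS = (60, 30, 7)      # alert windows named in the text

@dataclass
class Requirement:            # hypothetical schema for the contract's insurance clause
    insured_name: str         # legal name of the contracting vendor entity
    line: str                 # e.g. "public_liability", "professional_indemnity"
    min_per_occurrence: int   # INR
    additional_insured: Optional[str] = None

@dataclass
class Coi:                    # hypothetical schema for fields extracted from a certificate
    insured_name: str
    line: str
    per_occurrence: int
    period_start: date
    period_end: date
    additional_insureds: tuple = ()

def norm(name: str) -> str:
    """Case- and whitespace-insensitive form of a legal entity name."""
    return " ".join(name.casefold().split())

def review(coi: Coi, req: Requirement, today: date) -> list:
    """Return deficiency flags; an empty list means the COI matches the template.
    Aggregate erosion and endorsement scope are not visible in COI fields and
    still need the policy schedule and endorsement copy."""
    flags = []
    if norm(coi.insured_name) != norm(req.insured_name):
        flags.append("wrong_insured_name")      # a related group entity is not the insured
    if coi.line != req.line:
        flags.append("wrong_policy_type")
    if coi.per_occurrence < req.min_per_occurrence:
        flags.append("limit_below_requirement")
    if req.additional_insured and norm(req.additional_insured) not in map(norm, coi.additional_insureds):
        flags.append("additional_insured_missing")
    if not coi.period_start <= today <= coi.period_end:
        flags.append("not_in_force")            # expired, or not yet incepted
    return flags

def alert_window(coi: Coi, today: date) -> Optional[int]:
    """Tightest alert window the policy has entered, so a missed daily run still fires."""
    days_left = (coi.period_end - today).days
    return min((d for d in ALERT_DAYS if 0 <= days_left <= d), default=None)

# Constructed sample: figures and entity names follow the page's own illustrations.
SAMPLE_REQ = Requirement("ABC Construction Services Ltd", "public_liability",
                         5 * CRORE, additional_insured="Example Enterprise Ltd")
SAMPLE_COI = Coi("ABC Construction Pvt Ltd", "public_liability", 1 * CRORE,
                 date(2025, 4, 1), date(2026, 3, 31))

if __name__ == "__main__":
    print(review(SAMPLE_COI, SAMPLE_REQ, date(2026, 4, 15)))
    print(alert_window(SAMPLE_COI, date(2026, 3, 1)))
```

An empty flag list is the condition under which the risk team would set the COI compliance flag; any flag routes the certificate to manual review with the policy schedule and endorsement copies.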
International platforms such as myCOI, Ebix, and Certificates.io are designed primarily for the US ACORD-standard COI format and have limited configurability for Indian insurance formats and IRDAI-specific requirements. Indian enterprises with international operations sometimes use these platforms for their foreign vendor panels while maintaining manual or Indian-software-based processes domestically.
For Indian-specific COI management, enterprise risk management platforms from vendors such as Riskpro, Safekey, and several ERP-integrated risk modules offer COI tracking capabilities designed around Indian policy formats and IRDAI regulatory requirements. The choice of platform should be driven by: volume of COIs managed annually, integration requirements with procurement ERP (SAP, Oracle, or homegrown), language of COIs (some platforms handle English-language COIs only, which is adequate for most Indian commercial insurance but not for motor policy certificates in regional languages), and the enterprise's appetite for cloud-based vs. on-premise deployment.
For large Indian construction companies managing 500-1000 subcontractor COIs per project, the integration between the COI platform and the project management system (to track which subcontractors are active on which sites at any given time) is particularly valuable. A subcontractor whose policy has lapsed should be automatically flagged to the site manager before the next day's work begins, not discovered after a claim arises.
Consequences of Accepting Deficient COIs
The consequences of accepting deficient COIs operate on two distinct channels: the uninsured gap risk at the time of a claim, and the contractual compliance risk that exists independently of any claim.
Uninsured gap at claim time: When a vendor's employee is injured at the enterprise's premises and the vendor's workmen's compensation policy has lapsed (because no one tracked the renewal), the enterprise faces two risks. First, the injured worker may seek compensation from the enterprise as the premises owner if the vendor cannot satisfy the claim. Second, if the enterprise's contract with the vendor requires the vendor to indemnify the enterprise for such claims and maintain adequate insurance, the absence of vendor insurance means the indemnity is worth only as much as the vendor's financial resources, which for small contractors may be minimal. The enterprise's own liability insurer may step in, but the claim will affect the enterprise's loss ratio and potentially its renewal premium. In the construction sector, where multi-party liability claims are common, the failure of a single subcontractor to maintain adequate insurance can convert a fully insured claim into a partially uninsured one.
Contractual compliance risk: Many construction contracts (particularly EPC contracts following FIDIC terms, which Indian infrastructure projects increasingly adopt) and IT outsourcing agreements explicitly require the vendor to maintain insurance as a contract condition. Breach of this condition may give the enterprise the right to terminate the contract for cause or to withhold payment. In practice, enterprises rarely exercise these rights but should be aware of them. More relevantly, if the enterprise itself has warranted to a project lender, a project owner, or an insurer that all subcontractors carry adequate insurance, accepting a deficient COI constitutes a breach of that warranty, potentially affecting the enterprise's own insurance or financing arrangements.
Regulatory exposure: For enterprises in regulated sectors (pharmaceuticals, food processing, healthcare), regulators may require that all contract manufacturers and service providers carry adequate insurance. The Central Drugs Standard Control Organisation (CDSCO) and the Food Safety and Standards Authority of India (FSSAI) have requirements or expectations around vendor insurance in certain segments. Accepting deficient COIs in these sectors can create compliance risk beyond the contractual dimension.
Integrating COI Management with Procurement and Legal
COI management works only when it is embedded in the procurement and contracting workflow, not operated as a standalone risk function that receives COIs after contracts are signed.
The procurement integration point is vendor onboarding. At the moment a new vendor is approved in the ERP system, the vendor's tier classification and corresponding COI requirements should be automatically triggered. The procurement system should not issue a purchase order to a Tier 1 vendor without a valid, compliant COI on file. Many Indian enterprises achieve this through a simple configuration in SAP MM or Oracle Procurement: a COI compliance flag as a mandatory field in the vendor master that blocks PO issuance until the flag is set by the risk team. This creates the process discipline without requiring procurement staff to understand insurance details themselves.
The legal integration point is contract drafting. The insurance requirements clause in vendor contracts must be specific enough to enable meaningful COI review. Clauses that say 'vendor shall maintain adequate insurance' are not reviewable because 'adequate' is undefined. Clauses that specify: line of business, minimum limit per occurrence and per annual aggregate, IRDAI-licensed insurer requirement, additional insured endorsement language, and obligation to provide 30 days' notice of cancellation or material modification, are reviewable. Legal should maintain a library of standard insurance requirement clauses by vendor tier, updated annually by the risk team based on current market availability and pricing. Requiring limits that are unavailable in the Indian market (or available only at prohibitive cost for small vendors) creates practical compliance problems.
The accounts payable integration point is payment release. For long-duration contracts (construction, IT maintenance), payment releases can be tied to COI validity: if the vendor's COI has expired and no renewal has been received, the next payment milestone is held until a compliant COI is on file. This is more commercially sensitive than blocking POs, and should be reserved for Tier 1 vendors where the insurance gap risk is material, but it provides a strong incentive for vendor compliance without requiring the enterprise to terminate or replace the vendor.
The insurance team integration point is renewal coordination. The risk manager should maintain a COI calendar that aligns with the enterprise's own policy renewals and with the known renewal dates of major vendors. A cluster of vendor policy expirations in March or April (common in India given the April-March financial year) should be flagged in January so that renewal COIs can be collected before the old policies expire, not after. The risk team should build a standard COI request template, pre-populated with the correct company name and address for the additional insured endorsement, that procurement can send to vendors with minimal customisation.