How to Build a COI Compliance Workflow for General Contractors

One uninsured subcontractor incident can cost a general contractor anywhere from $50,000 to $500,000 - and that range doesn't include the knock-on effects: project delays while liability gets sorted, mechanics liens filed by injured parties, OSHA recordable incidents on your EMR, and subrogation claims from the owner's insurance carrier coming back at you two years later.

The frustrating part is that most of these exposures are completely preventable. The subcontractor had insurance - they just let a policy lapse mid-project, or their certificate listed the wrong entity as additional insured, or their umbrella policy didn't follow form over their GL. None of that shows up unless someone actually reads the COI carefully. And when you're running 40 active subcontractors on a $12M commercial build, "carefully reading each COI" is not a scalable process.

This guide walks through the architecture of a COI compliance workflow that actually works - one that catches deficiencies before work starts, tracks renewals automatically, and gives you a documented audit trail in case things ever go sideways on a claim.

The 5 Components of a COI Compliance Workflow

A COI compliance workflow isn't just a checklist - it's a system with defined trigger points, verification steps, storage rules, alert logic, and escalation paths. Here's how those five components work together.

1. Collection Trigger - Contract Execution

The collection trigger defines when you request a COI. The answer should always be the same: at contract execution, before any work or mobilization begins. Not when the subcontractor shows up on site. Not after they've started demo. At contract execution.

This sounds obvious, but it breaks down constantly in practice. A PM signs a subcontract on a Friday, the sub shows up Monday morning, and the PM emails for the COI Tuesday. At that point you already have an uninsured worker on your site. Build the COI collection trigger directly into your subcontract execution process - the sub cannot be marked "cleared to mobilize" until their COI is on file and verified.

If you're using a project management platform like Procore, this means creating a custom field or a compliance flag on the subcontractor record that must be resolved before the first schedule of values can be approved. Connecting your COI workflow to payment approval is the single most effective forcing function you can use.

2. Verification Checklist

Collection is not verification. Receiving a PDF does not mean the coverage is adequate. Your verification checklist needs to confirm:

• General Liability: per-occurrence minimum met (typically $1M), aggregate minimum met (typically $2M)
• Auto Liability: minimum limit confirmed, and coverage type is "Any Auto" - not just scheduled vehicles
• Umbrella/Excess: minimum aggregate confirmed, and the policy explicitly follows form over the underlying GL and auto
• Workers Compensation: statutory limits for the state where work is performed, employer's liability minimum met (typically $1M/$1M/$1M)
• Additional Insured: your entity is named as additional insured - either by endorsement number or via blanket AI language that covers your project
• Certificate Holder: the certificate holder field exactly matches your company's legal entity name and address
• Waiver of Subrogation: confirmed on GL, auto, and WC lines
• Policy effective and expiration dates: all policies active, no gaps, expiration is after project completion

Every one of these items is binary - pass or fail. A COI that passes 7 out of 8 criteria is a non-compliant COI.

3. Storage and Indexing

Once verified, a COI needs to be stored in a way that makes it retrievable in three different contexts: by subcontractor name, by project, and by expiration date. All three retrieval paths get used - you'll look up by sub when onboarding them on a new project, by project when preparing for an owner audit, and by expiration when running renewal reports.

File naming conventions matter here. A scheme like SUB-ACME-PLUMBING_PROJECT-1234_EXP-2026-12-31.pdf makes bulk sorting by expiration trivial and ties each document to both the sub and the project. Resist the urge to let subs name their own files - you'll end up with a folder full of certificate.pdf and ACORD_final_FINAL_v2.pdf.

4. Renewal Tracking and Alerts

A COI that was valid at project kickoff can become non-compliant mid-project if a policy renews and the sub doesn't send you the updated certificate. This happens constantly with annual policies on multi-year projects, but it also happens on shorter projects if the sub's GL renews in October and your project runs September through December.

Your workflow needs automated alerts at 90 days, 60 days, and 30 days before expiration, sent to both your team and the subcontractor. The alert to your team should flag the work-stop consequence so there's internal urgency. The alert to the sub should be a simple, professional email explaining what they need to provide and by when.

If you're managing 50+ active subcontractors, this alert logic must be automated - there is no way to track this manually at scale without something falling through.

5. Non-Compliance Response - Work Stop Order Process

The most important component of a COI compliance workflow is one that most GCs skip: a defined, documented non-compliance response. If a sub's coverage lapses and you have no formal process, your superintendent makes a judgment call. Sometimes they stop the work. Sometimes they don't, because the sub is mid-pour and stopping now costs $80,000 in lost concrete.

Your policy needs to define: (a) who has authority to issue a work stop order for COI non-compliance, (b) what the process is for documenting the order, and (c) what conditions must be met before work can resume. This documentation protects you if a claim is ever filed during the non-compliant period - you can show exactly what you knew, when you knew it, and what you did about it.

What to Check on Every Subcontractor COI

Most compliance gaps that create real liability exposure aren't about coverage limits - they're about the fine print on the form. Here's a line-by-line breakdown of what to verify on each coverage type.

General Liability

Verify both the per-occurrence limit and the general aggregate limit. These are different numbers. A $1M per-occurrence policy with a $1M aggregate means the second claim of the year is uncovered. Standard commercial projects require $1M per-occurrence and $2M aggregate minimum. Higher-risk trades (demo, excavation, structural steel) often require $2M/$4M.

Also check the policy type: an occurrence-based policy covers incidents that happen during the policy period regardless of when the claim is filed. A claims-made policy only covers claims filed during the policy period. For subcontractors doing work with long-tail liability (waterproofing, roofing, structural), you want occurrence-based coverage. If they have claims-made, verify there's an extended reporting period (tail) in place.

Auto Liability

The description of covered autos matters significantly. "Any Auto" covers owned, non-owned, and hired vehicles. "Scheduled Autos" only covers specific listed vehicles. If your sub sends materials via a rented truck that isn't on their scheduled auto list and causes an accident, their scheduled auto policy won't respond. Require "Any Auto" coverage at minimum.

Umbrella / Excess Liability

An umbrella policy that doesn't follow form over all underlying policies is nearly worthless. Verify that the umbrella explicitly schedules the GL and auto policies as underlying coverage and that the umbrella aggregate is adequate for the scope of work. A $1M umbrella over a $1M GL gives you $2M total - fine for a painting sub, not fine for a structural steel contractor.

Workers Compensation

WC is statutory - every employee doing work on your site needs to be covered. Verify the policy covers the correct state (or all states if the sub operates across state lines). Also verify the employer's liability section - the "Bodily Injury by Accident" and "Bodily Injury by Disease" limits. These are separate from the WC statutory benefits and cover scenarios where an injured worker sues the employer in tort. Standard minimum is $1M per accident / $1M policy limit / $1M per employee.

Additional Insured and Waiver of Subrogation

This is where most compliance failures actually hide. A certificate can show your name in the description field but that does not make you an additional insured. You need either a specific endorsement (look for CG 20 10 and CG 20 37 for completed operations) or verified blanket additional insured language in the policy. Many subs have blanket AI endorsements that automatically extend AI status to anyone they're contractually obligated to name - verify this is in place.

Waiver of subrogation prevents the sub's insurer from coming after you after paying a claim to the sub. Require it on GL, auto, and WC lines. It's typically cheap to add and has enormous downstream value.

Common Compliance Gaps That Slip Through Manual Review

Even experienced reviewers miss these. Build them into your verification checklist as explicit checkboxes - don't rely on institutional knowledge.

Wrong Additional Insured Name

Your legal entity is "Meridian Construction Group LLC." The certificate lists "Meridian Construction" as additional insured. That is a non-compliant certificate. In a coverage dispute, the carrier will argue the endorsement doesn't apply because the named entity doesn't match. Require exact legal entity name match, including LLC, Inc., LP, or Corp designations.

Umbrella Doesn't Follow Form Over GL

The umbrella schedules only the auto policy as underlying. The GL is uncovered above $1M per-occurrence. This is surprisingly common and almost never caught in manual review because reviewers see "umbrella: $5M" and move on. Check the umbrella declarations page or require the sub's broker to confirm in writing that the umbrella follows form over all underlying policies.

Auto Policy Excludes Certain Vehicle Types

A commercial auto policy may exclude vehicles over a certain GVW, or exclude specific vehicle types like cranes or aerial lifts. If those exclusions apply to equipment the sub actually uses on your project, you have an uninsured exposure. This is most relevant for trades that use heavy equipment as part of their scope.

Certificate Issued But Endorsement Not Added

This is the single most common compliance fraud in the industry. A broker issues a certificate showing you as additional insured - but they never actually added the endorsement to the policy. The certificate is a summary document, not a policy document. It does not create coverage. At claim time the carrier reviews the actual policy, not the certificate, and if the endorsement isn't there, you're not covered.

The only way to catch this is to require a copy of the actual endorsement, or to work with subs whose brokers provide an ACORD certificate with the endorsement number clearly listed in the description of operations field.

Expiration During Active Project Phase

A sub's GL policy expires October 15. Your project has a 30-day punch list period running through November 30. Any warranty callback work done after October 15 is uninsured if the sub doesn't renew and provide an updated certificate. Your renewal tracking system needs to account for project close-out timelines, not just scheduled completion dates.

Automating the Workflow with an API

Manual COI verification is the bottleneck in every compliance workflow. A single reviewer can check maybe 15-20 COIs per day if they're being thorough. On a large commercial project with 60 subcontractors that each have annual renewals, you're looking at 60+ reviews at project start plus 60+ renewal reviews throughout the project - well over 100 individual reviews per project per year.

The solution is to parse the COI programmatically and compare extracted values against your project-specific requirements template. COI ParseAPI handles this by accepting a PDF upload and returning structured JSON with every coverage field extracted - including carrier names, policy numbers, coverage types, per-occurrence and aggregate limits, effective and expiration dates, named insured, certificate holder, and additional insured status.

A parsed response for a standard ACORD 25 looks like this:

{
  "form_type": "ACORD_25",
  "named_insured": {
    "name": "Apex Mechanical LLC",
    "address": "1200 Industrial Pkwy, Columbus OH 43215"
  },
  "certificate_holder": {
    "name": "Meridian Construction Group LLC",
    "address": "400 Commerce Blvd, Columbus OH 43215"
  },
  "coverages": {
    "general_liability": {
      "carrier": "Travelers Casualty and Surety",
      "policy_number": "GLO-9982341",
      "effective_date": "2026-01-01",
      "expiration_date": "2027-01-01",
      "per_occurrence": 1000000,
      "general_aggregate": 2000000,
      "products_completed_ops_aggregate": 2000000
    },
    "auto_liability": {
      "carrier": "Travelers Property Casualty",
      "policy_number": "BA-7723901",
      "effective_date": "2026-01-01",
      "expiration_date": "2027-01-01",
      "combined_single_limit": 1000000,
      "covered_autos": "ANY_AUTO"
    },
    "umbrella": {
      "carrier": "Travelers Excess and Surplus",
      "policy_number": "CUP-5519823",
      "effective_date": "2026-01-01",
      "expiration_date": "2027-01-01",
      "each_occurrence": 5000000,
      "aggregate": 5000000,
      "follows_form": true
    },
    "workers_compensation": {
      "carrier": "Ohio Bureau of Workers Compensation",
      "policy_number": "WC-4421198",
      "effective_date": "2026-01-01",
      "expiration_date": "2027-01-01",
      "statutory": true,
      "employers_liability_per_accident": 1000000,
      "employers_liability_policy_limit": 1000000,
      "employers_liability_per_employee": 1000000
    }
  },
  "additional_insured": true,
  "waiver_of_subrogation": true,
  "compliance_score": 98,
  "flags": []
}

With this data in hand, your compliance rules engine can run automated checks against a project requirements template. For a $5M commercial office build you might define minimum requirements like this:

{
  "project_id": "PROJ-2024-0891",
  "project_name": "Lakeside Office Complex - Phase 2",
  "requirements": {
    "general_liability": {
      "per_occurrence_min": 1000000,
      "aggregate_min": 2000000
    },
    "auto_liability": {
      "combined_single_limit_min": 1000000,
      "required_covered_autos": "ANY_AUTO"
    },
    "umbrella": {
      "aggregate_min": 5000000,
      "follows_form_required": true
    },
    "workers_compensation": {
      "statutory_required": true,
      "employers_liability_min": 1000000
    },
    "additional_insured_required": true,
    "waiver_of_subrogation_required": true,
    "certificate_holder_exact_match": "Meridian Construction Group LLC"
  }
}

The comparison is then deterministic: parse the COI, validate each field against the requirements object, return pass/fail with specific deficiency reasons. A reviewer doesn't need to read the PDF at all - they review the flagged deficiencies and either approve or send back to the sub for correction.

This approach scales. You can run 200 COI verifications in the time it previously took to do 20, and the consistency of programmatic checks eliminates the human variability that lets deficiencies slip through.

Integrating with Procore and Other PM Tools

The final step is connecting your COI compliance workflow to the project management tools your team actually uses, so COI status is visible in context rather than buried in a separate compliance system.

Webhook-Based Ingestion

The most common integration pattern is a webhook that fires when a subcontractor uploads a new insurance certificate - whether through your vendor portal, an email processor, or a document management system. The webhook handler calls the parse API, runs compliance checks, and writes the result back to the subcontractor record in your PM tool.

In Procore, this means updating a custom field on the Company or Commitment record to reflect current COI status: COMPLIANT, NON_COMPLIANT, EXPIRING_SOON, or EXPIRED. Procore's API supports reading and writing custom fields via the REST API, so this integration is straightforward to build.

Document Storage and Audit Trail

Store the raw PDF, the parsed JSON response, and the compliance check result as a linked set of documents on the subcontractor record. When an owner's insurance auditor asks for proof that you verified subcontractor coverage on a project two years ago, you need to produce: (a) the original certificate, (b) evidence of when it was reviewed, (c) what the review found, and (d) any corrective action taken. A structured document set makes this trivial.

Status Flags and Dashboards

Build a project-level COI compliance dashboard that shows every subcontractor with current status and days until next expiration. This view should be accessible to your PM, superintendent, and project controller - not just your compliance coordinator. When COI status is visible to everyone, non-compliance gets escalated faster.

Color coding works well here: green for compliant, yellow for expiring within 60 days, red for expired or non-compliant. Anyone who glances at the dashboard can immediately see whether there's a problem that needs attention.

Putting It All Together

A COI compliance workflow that actually works has five non-negotiable components: a collection trigger tied to contract execution and payment approval, a thorough verification checklist that covers all seven coverage elements, indexed storage that supports three retrieval paths, automated renewal alerts at 90/60/30 days, and a documented non-compliance response process with defined escalation authority.

Manual execution of this workflow is possible for small GCs with fewer than 20 active subcontractors at a time. At larger scale, the only path to consistent compliance is automation - parsing COIs programmatically, running rules-based checks, and surfacing results in the tools your team uses every day.

The liability exposure from a single non-compliant subcontractor incident dwarfs the cost of building this workflow properly. And beyond the financial risk, having a documented, auditable COI compliance system is increasingly a competitive differentiator - owners doing due diligence on their GC selection look at this, bonding companies look at this, and your insurance carrier looks at this at renewal.

For a deeper look at the specific insurance requirements by trade and project type, see Construction Subcontractor COI Requirements and Certificate of Insurance Compliance Best Practices.