Who Is Responsible for Tracking Certificates of Insurance?
Read any certificate of insurance free. Upload an ACORD 25 and let AI pull the data in seconds.
PDF, JPG, PNG, BMP, HEIC, TIFF
Upload your certificates of insurance
Drop files here or click to upload
Up to 50 files
Uploading...
Last updated July 2026.
Responsibility for tracking certificates of insurance falls on the party whose contract requires the coverage, which is almost always the business hiring the vendor rather than the vendor or its insurance agent. Inside that business the duty usually sits with risk management, property management, procurement or operations, depending on who signs the contract. The certificate holder carries the exposure if coverage lapses, regardless of who was supposed to be watching.
This question comes up most often after something has already gone wrong, when a claim lands and everyone discovers the vendor's policy expired in March. So it is worth answering carefully.
The short answer: whoever required the insurance
If your contract, lease or purchase order says a vendor must carry one million dollars in general liability and name you as an additional insured, you are the party who required it, and you are the party who has to know whether they still do. That obligation does not transfer to anyone else by default.
Three parties are commonly assumed to be tracking it, and none of them are:
- The vendor. They bought the policy and they know when it renews, but they have no duty to tell you when it lapses, and no incentive to.
- The insurance agent. They issued the certificate. A certificate of insurance is a snapshot on the day it was printed, and the agent is not obligated to notify you of a mid-term cancellation unless a specific endorsement says so.
- Your own insurance broker. They handle your coverage, not your vendors' compliance with your contracts.
The certificate itself says this out loud. The disclaimer on every ACORD 25 states the certificate confers no rights and does not amend the policy. It is evidence, not a promise, and the responsibility to re-check it is yours. Our guide to reading a certificate of insurance walks through what that boilerplate actually means.
Who tracks certificates of insurance inside a company?
The department varies with the size and shape of the business, and this table reflects how the duty typically lands in US organizations.
| Organization type | Usually owns COI tracking | Why it lands there |
|---|---|---|
| Large enterprise | Risk management | They write the insurance requirements, so enforcement follows the requirement. |
| Property management firm | Property manager or a compliance analyst | The management agreement typically requires the manager to verify vendor insurance before use. |
| General contractor | Project manager or contract administrator | Subcontractor coverage has to be verified before site access, which is a project-level gate. |
| Mid-market company | Procurement or finance | The COI gets collected alongside the W-9 during vendor onboarding. |
| Small business | Whoever signs the contract, often an owner or office manager | No dedicated function exists, so it lands on the person holding the pen. |
| HOA or nonprofit | Board member or community manager | Volunteer boards inherit it by default, usually without training. |
The pattern worth noticing: in large organizations the duty is assigned, and in everyone else it is inherited. Inherited duties are the ones that lapse.
Is the property manager responsible for tracking vendor COIs?
Usually yes, and by contract rather than by custom. Most property management agreements require the manager to verify that vendors carry insurance before they work on the property. An uninsured vendor on site is an exposure that flows to the owner and, in many states, to the manager who let them in. That is why property management is one of the few sectors where COI tracking is a named job function rather than something someone does between other tasks. Our COI tracking for property management page covers how that works across a portfolio.
Can you make the vendor responsible for tracking their own COI?
You can require vendors to maintain coverage and to provide updated certificates, and you should. Every well-drafted contract does. But contractual obligation is not the same as operational reality. A vendor that lets its policy lapse has already breached the contract, and you still have an uninsured vendor working for you, plus a claim, plus a lawsuit against a company that just demonstrated it does not carry insurance. The contract gives you a remedy. It does not give you coverage. Verification stays yours because the consequences stay yours.
Who is responsible when a certificate expires and nobody notices?
The business that required the coverage absorbs the exposure. If a vendor's policy lapsed and they cause a loss during the gap, there is no insurer to respond, so the claim lands on your own policy, your own deductible, and your loss history. That is the whole reason expiration tracking exists as a discipline. Our article on what happens when a vendor's insurance expires covers the sequence in detail.
Internally, the answer is less about blame and more about design. When a lapse gets discovered after the fact, the cause is almost always that the duty was never assigned to a named person, only assumed by a department. Insurance renewals happen on the vendor's calendar, not yours, so a process built on someone remembering is a process built to fail.
How do you actually assign the responsibility?
Three things make the difference between an owner and an assumption:
Name a person, not a department. "Risk management tracks COIs" is how lapses happen. A named owner with a named backup is how they do not.
Attach it to a gate, not a calendar. Tie verification to something that already has to happen: vendor setup in the accounting system, site access, or the first payment. A check that blocks a step gets done. A check that lives on a reminder does not. The vendor onboarding checklist shows where the COI check fits alongside the W-9.
Give the owner exceptions, not data entry. This is where most programs quietly break. If the named owner's job is opening PDFs and typing dates into a spreadsheet, the work expands with the vendor list until it stops getting done. Software that reads each certificate and checks it against your rules leaves the person with the only part that needs judgment: the flagged ones. It is the same principle behind any system that routes each exception to a named owner automatically instead of leaving a queue for someone to notice.
The practical summary
Responsibility follows the requirement. If you asked for the insurance, you own knowing whether it is still there, and neither the vendor nor the agent nor the certificate itself will tell you when it stops. Inside your organization, assign it to a named person, tie it to a gate that blocks work, and automate the reading and chasing so the owner spends their time on exceptions.
If you want to see what that looks like as a system rather than a policy, our COI tracking solution page lays out the four jobs it has to do, and what is COI tracking covers the fundamentals if you are new to the process.