ACORD 25 COI ExtractionThe Complete Guide for Risk Management (2026)

The ACORD 25 certificate was never designed to be a data record. It was designed to be a courtesy — a one-page summary an insurance agent hands a contractor to confirm coverage exists, with express language disclaiming any rights to the certificate holder. Yet on construction projects, in property management portfolios, and across supply chain vendor onboarding, this document gets treated as the authoritative source of insurance compliance. The gap between what an ACORD 25 is and what the industry needs it to be is the structural reason manual COI tracking fails at scale — and the starting point for understanding what extraction can and cannot solve.

Stop typing data by hand — let AI read it for you
Upload an image or PDF — structured spreadsheet data in 10 seconds
Try It Now
No sign-up · No credit card · Results in 10 seconds
ACORD 25 Certificate of Liability Insurance data extraction guide — form anatomy, ISO endorsement mapping, and compliance tracking workflow for risk management teams

Key Takeaways

  1. For every 500 ACORD 25 certificates your team transcribes into a spreadsheet, 75 to 100 fields contain errors — and nobody re-audits manual data entry, so the dashboard stays green until a claim is denied.
  2. The ACORD 25's own disclaimer says it "confers no rights upon the certificate holder." Its cancellation block guarantees zero days of notice. Certificate holder is not additional insured. Compliance teams verify against a document designed as an agent courtesy summary, never as a data record.
  3. Semantic AI extraction reads fields by meaning rather than pixel coordinates — define your column schema once, extract 200 certificates in 90 seconds, and turn data entry into auditable risk management.

What ACORD 25 Actually Is — and What It Is Not

The ACORD 25, formally titled "Certificate of Liability Insurance," is the most widely used insurance certificate form in the United States commercial market — roughly 90% of all certificates of insurance issued. ACORD (Association for Cooperative Operations Research and Development) is a non-profit standards body founded in 1970 by a consortium of insurance carriers to standardize what had been decades of proprietary, incompatible certificate formats. By 1988, the ACORD 25 became the universal standard for documenting liability coverage.

The form condenses an entire liability policy — 100+ pages across multiple carriers — onto a single sheet displaying general liability, automobile liability, workers' compensation, umbrella/excess liability, and sometimes specialty coverages, each with policy numbers, effective dates, expiration dates, and limits.

It also contains a legal disclaimer that, in its December 2025 revision, became even more explicit: "LIMITS SHOWN MAY HAVE BEEN REDUCED BY PAID CLAIMS" and "LIMITS SHOWN ARE INCLUSIVE OF AMOUNTS REQUESTED BY THE CERTIFICATE HOLDER AND MAY NOT REFLECT POLICY LIMIT AMOUNTS IN EXCESS OF THOSE REQUESTED." The certificate states it "confers no rights upon the certificate holder" and "does not amend, extend or alter the coverage." In plain English: information, not a contract. It tells you what the agent believes the policy says at the moment of issuance. It does not guarantee the policy hasn't changed.

Every compliance workflow that treats collecting ACORD 25 forms as equivalent to compliance has a blind spot embedded in the document's own legal language. For the broader COI ecosystem, see our complete guide to COI data extraction. If you are new to the concept, start with what COI data extraction is.

Every Block of the ACORD 25, Annotated

Understanding what extraction captures means understanding what each block communicates — not just which fields to type. The ACORD 25 has seven functional blocks, and missing the compliance significance of any one creates a gap no amount of data entry speed will fill.

Block 1: PRODUCER

The insurance agency or broker who issued the certificate — name, address, contact. Straightforward to extract. The compliance significance is indirect: the producer is your escalation path when coverage needs verification, and a missing phone number means no contact when a policy lapses.

Block 2: INSURED

The entity that purchased the policy — typically the subcontractor, vendor, or tenant whose coverage you are verifying. Must be the legal entity name exactly as on the policy. Many small contractors operate under DBAs while their policy is issued to a different legal entity. If the certificate name does not match the entity in your contract, a claim may not be covered. Extraction captures the printed name. Cross-referencing against your vendor database is a separate verification step.

Block 3: INSURER(S) AFFORDING COVERAGE

Up to six carriers (Insurer A–F), each with its NAIC number. Large contractors often split coverage across carriers — one for GL, another for auto, a third for workers' comp. The extraction challenge is mapping each carrier letter to the coverage type it underwrites further down the form. This relationship is spatial — carrier column aligns vertically with coverage rows — not explicit in text. Position-based tools that misread column alignment silently swap carriers between coverage types.

Block 4: COVERAGES — The Compliance Engine

Five coverage type rows, each with policy number, effective/expiration dates, and a limit grid. This is where 80% of compliance review time goes.

Commercial General Liability. Up to five sub-limits: Each Occurrence, Damage to Rented Premises, Medical Expense, Personal & Advertising Injury, and General Aggregate. A checkbox marks Claims-Made vs Occurrence — a critical distinction. Occurrence policies cover incidents that happen during the policy period regardless of when the claim is filed; Claims-Made requires both incident and claim filing to occur within the policy period. If a subcontractor carries Claims-Made and switches carriers without tail coverage, prior-period claims may not be covered. The aggregate can apply Per Policy, Per Project, or Per Location. A GC requiring $2 million per-project aggregate must verify the "PROJECT" box is checked — otherwise claims from other projects may erode the aggregate below the required minimum.

Automobile Liability. Coverage type checkboxes — Any Auto, Owned Only, Scheduled, Hired, Non-Owned — are essential for construction sites where subs drive onto the property. Hired and non-owned auto coverage is frequently missing from cost-conscious contractors.

Umbrella / Excess Liability. Sits above primary limits. Often has different effective dates and carriers than underlying policies, creating a multi-dimensional mapping problem across the grid.

Workers' Compensation. Includes the exclusion checkbox: "ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED?" In residential construction and any trade where owners work on site, a "Yes" here means the owner has no WC coverage — a compliance flag as significant as any limit shortfall.

Other Coverages. Free-form field for specialty lines — professional liability, pollution, cyber. Requires variable content handling rather than fixed-position extraction.

For the ISO endorsement numbers that govern which form is attached — CG 20 10 vs CG 20 37, CG 20 01, CG 24 04 — see why manual additional insured verification on ACORD 25 creates blind spots.

Block 5: DESCRIPTION OF OPERATIONS

The most litigated block on the form. ACORD's Forms Instruction Guide says it is for identifying "operations, locations and vehicles." In practice, agents use it as a catch-all for additional insured language, waiver of subrogation, primary and non-contributory wording, and cancellation provisions — all of which properly belong in policy endorsements, not a free-text box. Agent associations have explicitly warned that entering coverage language here can create E&O liability for the agent and a false sense of security for the certificate holder. Language written into this block is not legally binding unless the corresponding endorsement actually exists on the policy.

For extraction, this block is unstructured text — often multi-paragraph, sometimes continuing onto an ACORD 101 Additional Remarks page. Semantically aware extraction captures the full text and flags keywords ("Additional Insured," "CG 20 10," "30 days notice"). It cannot verify whether endorsements exist on the policy.

Block 6: CERTIFICATE HOLDER

The entity receiving the certificate. Being listed as certificate holder means you get a copy. It does not grant any rights under the policy. This is the most misunderstood concept in COI compliance: certificate holder ≠ additional insured. The former gets notified (maybe). The latter can file a claim (if properly endorsed).

Block 7: CANCELLATION

Pre-printed text states notice will be delivered "in accordance with the policy provisions" — which in many policies means zero days for certificate holders. The block does not guarantee 30 days' notice. It does not guarantee any notice. It is a disclaimer disguised as a commitment. The expiration date is the most actionable compliance field on the entire form — a hard deadline after which coverage is unambiguously no longer in force. Automated renewal tracking built on extracted expiration dates is the only reliable hedge. For more on scaling this process, see the limits of batch ACORD 25 verification.

Key Fields and Their Compliance Significance

Not all fields carry equal weight. These five carry compliance implications disproportionate to their space on the form.

The Additional Insured Checkbox — and Why CG 20 10 ≠ CG 20 37

The "ADDL INSD" Y/N checkbox indicates some endorsement was attached — but not which form. CG 20 10 (Additional Insured — Ongoing Operations) covers only work in progress. Once the sub finishes and leaves site, coverage ends. CG 20 37 (Additional Insured — Completed Operations) extends coverage to post-completion defects. A sub who checks "Y" but only carries CG 20 10 leaves the GC exposed for completed operations claims. CG 20 01 provides primary and non-contributory status. CG 24 04 waives subrogation.

Extraction captures the checkbox. Determining which form is attached requires reading the Description block or attached ACORD 855. For the full breakdown of this blind spot, see the manual additional insured verification problem.

The Policy Limits Grid

Five sub-limits in a compact table where column labels vary: "EACH OCCURRENCE" vs "EACH OCC" vs "PER OCC." Position-based extraction that relies on column coordinates will misalign values when labels or widths shift between agencies. The compliance risk: a GC requires $2M per occurrence. Extraction misreads the aggregate value as the per-occurrence. Dashboard turns green. Six-figure coverage gap becomes invisible.

The Expiration Date

The most binary compliance field: after this date, coverage does not exist. The challenge is staleness, not readability. A COI issued in March reflects the policy period at that moment. If the sub changes carriers in May, the March COI becomes stale with no visible indicator. Extracted dates must be paired with a process that requests fresh certificates at appropriate intervals.

Workers' Comp Exclusion Checkbox

The "PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED?" checkbox is often skipped by reviewers focused on GL limits. In residential and light commercial construction where owners work on site, it is arguably more important than the GL per-occurrence limit. An excluded owner who gets injured has no coverage, and the financial exposure is direct medical costs plus potential liability claims against the GC.

Description of Operations Keywords

While not legally binding, keyword patterns signal issues warranting review: any CG or WC endorsement number, "Primary and Non-Contributory," "Waiver of Subrogation," "30 days written notice." NLP-based extraction that flags these and routes the certificate for human review creates a safety net that keyword-oblivious extraction misses entirely.

Manual vs AI Extraction: The Math That Makes the Decision

Industry association studies suggest manual insurance processing carries error rates of 15-20%. For every 100 certificates a coordinator transcribes into a spreadsheet, 15 to 20 contain at least one transcription error — a mistyped limit, a swapped date, a missing zero. At 500 certificates, the expected error count is 75 to 100 verifiably wrong data points. Certificial, a COI network platform, has documented that organizations on document-based tracking typically achieve 60-70% compliance rates, compared to approximately 90% after switching to automated verification with structured source data.

But the deeper problem is not error rate. It is error detection. Nobody re-audits manual transcriptions. The spreadsheet looks complete. The dashboard shows green. The gap is invisible until a claim is denied.

DimensionManual ExtractionAI Semantic Extraction
Speed per certificate15-45 minutes5-10 seconds
Error rate15-20% (industry association data)<1% extraction error; compliance interpretation still human
Multi-form handling (25/27/28)Different mental templates per formSame pipeline; form type auto-classified
Non-standard insurer formatsManual re-orientation per layoutSemantic recognition — zero per-agency configuration
Coverage limit grid alignmentProne to column-shift errors when abbreviations varyReads values by semantic label, not column position
Multi-page continuityManual correlation across pages — often missedMaintains document context across ACORD 25 + ACORD 101

What this table cannot show — because no tool solves it — is the verification gap between extracted data and ground truth. If a certificate says "$2,000,000" and the policy says "$1,000,000," extraction faithfully reports the printed value. The data is accurate relative to the document but wrong relative to the policy. Closing this gap requires either direct carrier verification or a network platform receiving structured data directly from insurers. For what batch verification handles, see our guide on batch ACORD 25 verification limits.

Stop typing data by hand — let AI read it for you
Upload an image or PDF — structured spreadsheet data in 10 seconds
Try It Now
No sign-up · No credit card · Results in 10 seconds

Step-by-Step ACORD 25 Extraction Workflow

Moving from a stack of COI PDFs to a compliance-ready spreadsheet follows a clear sequence. Each step addresses a failure mode from the manual workflow.

1

Collect and classify incoming certificates

Certificates arrive through email, portals, and sometimes fax. AI extraction systems can auto-classify by form structure — ACORD 25, 27, 28, or non-standard. A collection link — a shareable URL where subs and vendors upload directly to your processing queue — eliminates inbox management entirely.

2

Define your extraction schema

Specify the columns: Named Insured, Policy Number, Carrier, Each Occurrence Limit, General Aggregate, Effective Date, Expiration Date, Additional Insured, Waiver of Subrogation, Certificate Holder, Description of Operations. With semantic AI extraction — reading fields by meaning rather than position — you type these column names once and the AI locates each value across every certificate regardless of agency format.

3

Run batch extraction

Upload all classified certificates in a single batch. The extraction engine processes them concurrently, outputting one row per certificate in a unified Excel or CSV table. Batch-first design collapses 15 hours of data entry into approximately 90 seconds for 200 certificates.

4

Validate against requirements

Compare each row against project-specific or portfolio-wide requirements: Does GL per-occurrence meet the contract minimum? Is expiration at least 30 days out? Is Additional Insured marked Y? A rules engine can flag violations automatically, but ambiguous endorsement language in the Description block still requires human judgment.

5

Route deficiencies and track renewals

Flagged certificates with insufficient limits, missing endorsements, or expiring coverage trigger notification to the vendor. As renewal dates approach, pre-expiration requests go out automatically. This closes the loop manual tracking consistently leaves open: the gap between one-time review and ongoing compliance throughout the contract period.

Test the extraction workflow on an ACORD 25 certificate:

JPG/PNG/PDF AI Extraction

Files are processed securely and not stored.

Integrating Extraction Into Compliance Tracking Systems

Extraction outputs data. Compliance tracking systems consume data. The handoff between the two is where most automation stalls — not because either step fails, but because extracted fields don't match the fields the tracking system expects.

Construction platforms like Procore and CMiC have built-in insurance compliance modules. Property management systems like Yardi Voyager and MRI Software link COI data to tenant and vendor records. ERPs like Sage 300 and Viewpoint Vista route insurance compliance through accounting workflows. Each has its own field naming conventions and integration methods.

The integration layer involves three decisions. Field mapping: the column extraction labels "Each Occurrence Limit" may need to land in a field the compliance system calls "GL_Per_Occurrence_Limit." Define this mapping once. Coverage requirement rules: a roofing sub may require $2M/$4M GL; a cleaning vendor $1M/$2M. Rules are defined in the tracking system, not in extraction. Renewal trigger logic: automated alerts triggered by approaching expiration dates with configurable lead times — 60, 30, 14 days — prevent the most common compliance failure: an expired certificate nobody noticed. For scaling challenges, see batch ACORD 25 verification limits.

ACORD 25 vs ACORD 27 vs ACORD 28 vs ACORD 140

The ACORD 25 represents roughly 90% of all COIs, but it is not the only form crossing a risk manager's desk. Requesting the wrong form or missing coverage that belongs on a companion form leaves verifiable gaps.

FormOfficial NameCoversWho Requests ItKey Extraction Challenges
ACORD 25Certificate of Liability InsuranceGL, auto, workers' comp, umbrella, specialty liabilityGCs, property owners, any entity verifying contractor/vendor liabilityCoverage limit grid column alignment; Claims-Made vs Occurrence checkbox; Description block free-text parsing
ACORD 27Evidence of Property InsuranceBuilding coverage, business personal property, equipment breakdownCommercial landlords, lenders, mortgagees verifying tenant property coverageNarrative description blocks; coinsurance percentages; mortgagee/loss payee identification
ACORD 28Evidence of Commercial Property InsuranceCommercial property — more detailed than ACORD 27 with loss payee provisionsCommercial lenders requiring detailed property coverage evidenceDenser field set with additional interest provisions; COPE data fields
ACORD 140Property Section (application form)Building characteristics, construction type, occupancy, fire protection — for underwriting, not certificatesUnderwriters and agents submitting property applicationsNot a certificate form — used during quoting, not compliance tracking; multi-page; requires ACORD 125 attachment

A critical distinction: the ACORD 140 is an application form for submitting property risk data to carriers during underwriting. It documents what coverage was requested, not what was bound. Mistaking it for a certificate of coverage is a category error. For the broader COI landscape including non-standard certificates, see our complete guide to COI data extraction.

Industry-Specific COI Compliance Contexts

An ACORD 25 carries different compliance weight depending on the contractual relationships it sits within. The risks, error patterns, and extraction priorities shift with context.

Construction

Construction is the highest-volume consumer of ACORD 25 certificates. A mid-size GC with 45 subcontractors and three active projects processes roughly 180 certificate updates per year. At 200 subcontractors, manual review consumes a full-time role. The AIA A201-2017 General Conditions (§11.1) requires contractors to maintain specific insurance and provide certificates. Sub-tier contractors pass obligations down the chain, with each tier requiring certificates from the tier below.

The construction-specific risks center on audit premium recapture and uninsured claims. When a sub's COI is missing or expired, the GC's workers' comp and GL carriers reclassify payments to that sub as uninsured subcontracted cost and charge the GC's policy retroactively at the full manual rate — the Audit Noncompliance Charge can reach 200% of what the premium would have been. A December 2024 Marsh survey of over 230 global contractors found that 70% of US contractors experienced moderate or substantial cost increases from supply chain constraints — meaning margin buffers to absorb uninsured claims are thin. For practical extraction guidance, see how to extract ACORD 25 COI data to Excel.

Property Management

A commercial property manager overseeing 20 buildings with 15 tenants each tracks 300 COIs continuously, with staggered annual renewal dates. The dominant compliance gap is the 30-day notice of cancellation: landlords require it; insurers rarely provide it as a matter of policy provision; the certificate's cancellation block follows policy provisions — which often means zero days for a certificate holder. This gap is structural and cannot be fixed by better extraction.

What extraction fixes: expiration tracking. Three hundred certificates with staggered dates tracked manually guarantee lapses. Automated extraction pushes every expiration date into a sortable column, triggers alerts 60 days before expiry, and escalates when renewal certificates don't arrive. Compliance moves from reactive (discovering lapsed coverage after the fact) to proactive.

Supply Chain / Vendor Management

Supply chain COI compliance differs from construction and property management in one critical way: the certificate requester often has no contractual leverage to enforce coverage requirements. A manufacturer onboarding a raw materials supplier who is one of only two qualified sources globally cannot threaten to terminate over a missing certificate. The compliance posture must be monitoring and risk quantification rather than strict enforcement.

PwC's 2025 compliance survey found that 77% of executives were negatively impacted by compliance complexity. For supply chain organizations, insurance compliance is one of dozens of dimensions tracked in separate systems by different teams. Centralizing COI data extraction into a spreadsheet cross-referenced against supplier master data creates a single source of truth for the insurance dimension. Without extraction, that data lives in individual PDFs in individual email inboxes.

FAQ

Does extracting data from an ACORD 25 verify that coverage actually exists?

No. Extraction reads what is printed — policy numbers, limits, dates, checkboxes. It does not verify the policy is still in force, that limits are current, or that referenced endorsements exist. The ACORD 25 itself disclaims it "confers no rights upon the certificate holder." Extraction gives you data from the certificate faster and more accurately than manual entry. Verification requires carrier contact, a network platform with direct insurer data, or periodic re-certification.

Can AI extraction handle non-standard insurer formats?

Yes, if the extraction is semantic rather than position-based. Semantic extraction reads fields by meaning — it identifies "$1,000,000" as a GL per-occurrence limit because of surrounding context, not pixel coordinates. Template-based OCR, which relies on fixed zonal positions, fails on non-standard formats because positions vary per insurer. Semantic extraction handles any layout without per-agency configuration, though accuracy on non-standard forms is typically lower than on standard ACORD layouts due to more variable field labels.

What fields should I extract from every ACORD 25?

At minimum: Named Insured, Policy Number, Carrier Name, GL Each Occurrence Limit, GL General Aggregate Limit, Policy Effective Date, Policy Expiration Date, Additional Insured (Y/N), Waiver of Subrogation (Y/N), Certificate Holder, and Description of Operations (full text). For auto coverage, add Combined Single Limit and coverage type checkboxes. For workers' comp, add the proprietor/partner/officer exclusion checkbox. These 15-20 fields cover the compliance checks that prevent the most common and expensive coverage gaps.

How long does it take to set up ACORD 25 extraction?

With a semantic AI extraction tool, setup is defining your column schema — the fields you want extracted — which takes minutes. There is no template creation, sample training, or per-agency configuration. The same schema applies to all certificates. The real implementation time goes into defining compliance rules: what minimum limits apply to which contractor types, what endorsement language is required, and renewal frequency.

Does the ACORD 25 cancellation block guarantee 30 days' notice?

No. The pre-printed text says notice will be delivered "in accordance with the policy provisions." Many standard ISO policies provide notice only to the first named insured. The cancellation block is the most widely misinterpreted section of the ACORD 25. The only reliable protection against policy cancellation is periodic re-verification — requesting fresh certificates at appropriate intervals.

What changed in the ACORD 25 (2025/12) revision?

The December 2025 revision added an updated logo, a 2025 copyright, a reformatted coverages grid keeping the same data fields, and — critically — revised disclaimer language. A new sentence reads: "LIMITS SHOWN ARE INCLUSIVE OF AMOUNTS REQUESTED BY THE CERTIFICATE HOLDER AND MAY NOT REFLECT POLICY LIMIT AMOUNTS IN EXCESS OF THOSE REQUESTED." This addresses the pattern where certificate holders requested specific limits and the certificate appeared to confirm those limits existed when the policy actually had higher limits but the certificate was reporting only the requested amount.

Making ACORD 25 Data Work for Risk Management

Every general contractor, property manager, and compliance coordinator reviewing ACORD 25 certificates makes real-time risk decisions: whether to let a subcontractor start work, approve a tenant's lease, or onboard a supplier. The quality of those decisions depends on the accuracy of the data in front of them. When that data was manually typed from a PDF into a spreadsheet by someone whose primary responsibility is not data entry, the foundation cracks before the first compliance check runs.

ACORD 25 extraction does not make risk decisions — it makes them possible. It removes transcription as a variable and puts extracted data into a format that can be compared against requirements, tracked over time, and escalated when gaps appear. The remaining work — verifying endorsements, interpreting policy language, making the judgment call on borderline certificates — is risk management. Extraction gives risk managers back the time to do it.

Try extraction on an ACORD 25 COI now. See whether the data you have been typing by hand lands in a spreadsheet in 10 seconds.

📮 contact email: [email protected]