International Vendor Compliance: When COIs Aren't COIs
Tracking compliance for international vendors is harder than for domestic ones. Different document standards, different coverage structures, different verification challenges.
If your vendor base extends outside the United States, you've probably noticed that COI tracking software was not designed with you in mind. The ACORD certificate format is a U.S. document. International insurance markets use different formats, different coverage structures, different language. Trying to force an international vendor's documentation into a U.S.-shaped COI tracker often produces the wrong result.
This isn't a small problem. For manufacturers with global supply chains, technology companies with international service providers, and any business with operations outside the U.S., a meaningful percentage of vendor compliance work involves non-U.S. documentation. And it's the part of the program most likely to be quietly broken.
Why international vendors break U.S. COI software
A few structural reasons:
No ACORD equivalent. The ACORD 25 form is a U.S. standard. There is no global equivalent. Different countries have different formats — the U.K. has its own brokers' letters, Continental Europe uses certificate templates that vary by country and broker, and many emerging markets have no standardized format at all. A platform that expects ACORD 25 input doesn't know what to do with a Lloyd's of London certificate.
Different coverage structures. "General liability" as a U.S. concept maps imperfectly to international equivalents. UK "public liability" covers similar ground but has different exclusions. Continental European "civil liability" follows different conventions. In Asia, coverage structures vary widely by country. Even when the dollar limits look similar, what's actually covered may be quite different.
Different limit conventions. A $1M U.S. general liability policy and a £750K UK public liability policy aren't equivalent — different currency, different scope, different coverage triggers. Translation between standards isn't mechanical.
Compulsory coverage variation. Some countries have national programs that replace U.S. coverage lines. National workers' compensation programs exist in many European countries; verifying "workers' comp" for a German vendor means confirming participation in the national scheme, not a private policy. Most platforms have no concept of this.
Broker verification gaps. U.S. COI tracking software relies heavily on broker networks for verification. Those networks are domestic. Verifying a Vietnamese vendor's insurance through a U.S.-focused broker network is impossible.
Common patterns of failure
The typical patterns we see when international vendors enter a U.S. COI program:
Pattern 1: Forced ACORD compliance. The platform requires an ACORD 25 input, so the international vendor's broker generates one, even though it's not the standard format in their country. The result is usually a translated approximation that doesn't accurately represent the actual coverage.
Pattern 2: Limit translation errors. The vendor has £2M of public liability. The platform records it as $2M of general liability. The currency translation is wrong, the coverage line is wrong, and the analysis based on this data is wrong.
Pattern 3: Missing compulsory coverage. The platform expects workers comp documentation. The vendor is in a country with national workers comp. The vendor either provides nothing (and is marked non-compliant) or provides irrelevant documentation (and is marked compliant for the wrong reason).
Pattern 4: No verification. The platform's broker network doesn't extend internationally, so the documents get accepted at face value with no verification. This is the area where COI fraud risk is highest, because nothing checks the documents against a source of truth.
What "good" looks like for international tracking
Platforms that handle international vendors well do a few things:
Multiple format support. The platform accepts non-ACORD documentation as a first-class input, not as a special case. UK brokers' letters, EU certificate templates, custom-format documents — all parseable and trackable.
Coverage mapping. The platform has a way to map international coverage lines to your contract requirements. UK public liability isn't general liability, but it can be mapped to the "general liability" requirement with appropriate annotation about scope differences.
Currency-aware limits. Limits are tracked in the policy's actual currency, with FX-aware comparison to your dollar-denominated requirements.
Compulsory coverage handling. The platform recognizes country-specific compulsory coverage (national workers comp, national health systems, mandated employer liability) and treats them appropriately rather than forcing private-market documentation.
Local verification capability. Some level of verification capability that extends beyond U.S. brokers — at minimum, document authenticity checking; ideally, broker outreach in the relevant country.
In our research, no platform handles international compliance perfectly. The category was built for U.S. needs and the international features are bolted on. That said, the gap between platforms is significant. Larger platforms (TrustLayer, larger enterprise tools) have more developed international handling than the smaller and legacy platforms. If you have meaningful international exposure, this is an area where the platform tier matters.
Practical realities for international compliance
A few practical observations from working with risk managers running international vendor programs:
Documentation is often less, not more. Many countries have less formalized documentation conventions than the U.S. A vendor in some markets may produce a one-page broker confirmation in lieu of a multi-page certificate. The expectation that you'll get an ACORD-equivalent document set is often unrealistic.
Local counsel matters. For high-stakes international vendor relationships (large contracts, sensitive operations), engaging local insurance counsel to verify coverage adequacy is often more reliable than software-based verification. The cost is real, but so is the protection.
Compliance requirements should be locally appropriate. Demanding U.S.-style coverage from a vendor in a market where it isn't standard creates friction without producing safety. Better to specify coverage outcomes (e.g., "vendor will maintain coverage adequate to indemnify Buyer for X scope of liability") and accept locally appropriate documentation.
Volume drives investment. If you have three international vendors, doing this manually is fine. If you have three hundred, you need a platform investment commensurate with the complexity.
A note on data sovereignty
Worth flagging: international vendor data may be subject to data sovereignty rules in the vendor's home country. EU vendors are protected by GDPR. Other jurisdictions have analogous frameworks. A U.S.-based COI tracking platform pulling vendor data into U.S. servers may have compliance obligations under those frameworks. This isn't usually a deal-breaker, but it's worth understanding before committing to a platform that might not have appropriate data handling for international jurisdictions.
Recommendations
If international vendors are part of your program:
- Inventory your international exposure. How many vendors, in which countries, with what kind of work? The answer drives the platform decision.
- Review your platform's international handling. Does it accept non-ACORD documents? Does it map coverage lines? Does it understand compulsory schemes?
- Audit international vendor compliance separately. Don't assume your dashboard's "compliant" rating is meaningful for international vendors — verify a sample manually.
- Engage local expertise where stakes are high. For your largest international vendors, local counsel verification is worth the cost.
- Consider region-specific approaches. For very large international programs, hybrid approaches (U.S. platform for U.S. vendors, regional approaches for major international markets) often work better than forcing one platform to handle everything.
The takeaway
International vendor compliance is the most under-discussed gap in U.S.-built COI software. Most platforms work well for domestic vendors and approximately for international ones. If your business depends on a global vendor base, the gap is worth taking seriously — both in platform selection and in process design.