COA fraud in 2025: why it’s suddenly everyone’s problem

In 2025, more operators are discovering an uncomfortable truth: a Certificate of Analysis (COA) can be the most “polished” document in your compliance binder—and still be wrong, manipulated, or outright counterfeit.

Retailers and distributors report familiar patterns:

• Edited PDFs where potency or contaminant results are altered after a legitimate lab report was issued
• Mismatched batch/lot IDs where the COA doesn’t actually correspond to the inventory received
• “Lab shopping” where the same product is repeatedly tested until a preferred result is produced, then used as “proof” for broader production
• Franken-COAs assembled by copying a header/letterhead from one report and combining it with results from another

At the same time, regulators are tightening testing expectations, and courts continue to support state authority to regulate intoxicating hemp-derived products (which often rely on COAs to justify legality at retail). That combination increases the risk that weak paperwork becomes not just a business nuisance, but a trigger for enforcement and a civil liability multiplier.

This article is informational only, not legal advice.

The regulatory baseline: what states already expect from a COA

While requirements vary by state, most regulated programs converge on a few core expectations:

• COAs must be produced by a state-licensed (or otherwise authorized) lab
• The COA must map clearly to a specific batch/lot and sample
• The COA must reflect required panels (e.g., potency, residual solvents, pesticides, microbiological contaminants, heavy metals, mycotoxins—depending on product type)
• Retailers must be able to produce COAs during inspections and demonstrate chain-of-custody/traceability

Examples of official regulatory references businesses routinely use:

• California Department of Cannabis Control (DCC) lab testing and compliance resources: https://cannabis.ca.gov/licensees/
• New York Office of Cannabis Management (OCM) lab testing and quality assurance resources: https://cannabis.ny.gov/
• Colorado Marijuana Enforcement Division (MED) rules and guidance: https://sbg.colorado.gov/marijuanaenforcement
• Oregon program resources (OLCC/OHA): https://www.oregon.gov/olcc/pages/cannabis.aspx
• Washington State Liquor and Cannabis Board (WSLCB) rules and guidance: https://lcb.wa.gov/
• Michigan Cannabis Regulatory Agency (CRA) rules and bulletins: https://www.michigan.gov/cra
• Massachusetts Cannabis Control Commission (CCC) regulations and guidance: https://masscannabiscontrol.com/

Even where a state doesn’t explicitly mandate “digital signatures,” most do require accurate records, truthful labeling, and traceability—which means a retailer that cannot validate COAs is exposed when something goes wrong.

Why COA fraud is spiking: the 2025 incentive stack

COA fraud rises when three forces align:

1) Price compression + inventory pressure

When margins are thin, the temptation grows to:

• Stretch a “passing” COA to cover adjacent lots
• Ignore red flags in paperwork to move product
• Accept “lab swaps” when a vendor promises a clean retest

2) Patchwork rules for intoxicating hemp

Many intoxicating hemp products are marketed nationally, but enforcement and legality are increasingly state-specific. As more states restrict certain cannabinoids, serving sizes, or total THC concepts, the COA becomes the primary defense a product brand uses to claim compliance.

If that COA is manipulated—or simply uses outdated methods—retailers can be left holding the bag.

3) The science bar is rising (AOAC CASP + reference materials)

Legitimate labs are increasingly expected to demonstrate:

• Method validity against recognized performance requirements
• Proficiency testing (PT) performance
• Use of appropriate reference materials

Two developments matter here:

• AOAC CASP (Cannabis Analytical Science Program) has published standard method performance requirements (SMPRs) and maintains programs around method evaluation and quality systems that labs use to demonstrate competence. Start here: https://www.aoac.org/science-programs/cannabis/
• NIST continues to develop and publish reference materials that strengthen comparability and defensibility of analytical results (helping distinguish robust labs from those operating on shaky calibration). NIST Cannabis reference material hub: https://www.nist.gov/programs-projects/cannabis-quality-assurance-program

The result: a widening gap between labs that can defend results technically—and documentation that’s easy to counterfeit.

The modern retailer control stack: move from “PDF trust” to verifiable evidence

If your intake process still relies on emailed PDFs, you’re operating in an environment that assumes good faith. 2025 doesn’t.

Below are practical, field-tested counter-fraud controls that do not require rewriting your entire compliance program.

Digitally signed COAs: what to require, and how to verify

What a digital signature is (and isn’t)

A digital signature is not the same as a typed name or an image of a signature. In practice, it means the COA PDF is cryptographically signed (often via Adobe Approved Trust List / certificate-based signing), so:

• Any change after signing invalidates the signature
• The signer identity (or organizational certificate) can be verified
• The document’s integrity is provable

What to put in your vendor requirements

Require that COAs be issued as:

• Digitally signed PDFs (certificate-based)
• With signature metadata showing the lab entity and timestamp
• With an uneditable report ID and sample ID

How intake staff can verify in under 60 seconds

Train receiving/QC staff to:

1. Open the PDF in Adobe Acrobat (or a verification-capable viewer)
2. Confirm the signature is “Valid” and the document has not been modified
3. Click signature properties to confirm the certificate chain and organization
4. Record the COA report ID in your intake log

If a vendor says “we can’t digitally sign,” treat it as a maturity signal and increase scrutiny (portal verification + raw data requests).

Verifiable QR links: force the COA to live where it can’t be quietly edited

The easiest way to defeat PDF tampering is to stop treating the PDF as the “source of truth.”

Better pattern: QR code → lab portal → report view/download

Require that product packaging or case labels include a QR code that resolves to:

• The lab’s domain (not a URL shortener)
• A report page showing the same batch/lot, sample ID, client, date tested, and results
• A downloadable, digitally signed PDF copy

What to watch for (common fraud tells)

• QR resolves to a generic file-sharing link (Drive/Dropbox)
• QR resolves to a brand’s marketing site rather than the lab portal
• Report page lacks a stable report ID or shows “results pending” while PDF shows full results
• The COA “lab” domain is newly registered or mismatches the lab name

Hash checks and immutable logs: simple cryptographic integrity without heavy IT

If you want a lightweight integrity control, implement hashing.

Operational approach

• When a COA is received, generate a SHA-256 hash of the file
• Store the hash in an internal log (and ideally in a system with change tracking)
• If the COA is resent later, re-hash and compare

If the hash differs, the file changed. That doesn’t automatically prove fraud (labs do reissue corrected reports), but it triggers a required escalation: verify through the lab portal and request a reissued, digitally signed version.

Raw data links and “on-demand” instrument files: the fraud deterrent that works

The most effective fraud deterrent is requiring that vendors and labs can produce raw analytical data when asked.

What to request (practical, not punitive)

For potency and common contaminants, ask for:

• Chromatograms (PDF exports are okay as an initial step)
• Instrument sequence / batch run list showing sample order
• Calibration curve and QC checks (blanks, spikes, duplicates)
• Sample prep notes and chain-of-custody

Where possible, request native instrument files (vendor-dependent) or a secure raw-data package with metadata.

When to request raw data

Use a risk-based trigger, for example:

• New vendor onboarding
• Any COA with unusually high potency compared to category norms
• Any COA that conflicts with label math
• Any “retest” after an initial fail
• Any product category receiving heightened regulatory attention (e.g., inhalables, high-potency edibles)

Why this works

Counterfeiters can edit a PDF quickly. They typically cannot fabricate coherent raw data with QC and metadata that stands up to scrutiny.

AOAC CASP, PT performance, and NIST: how to use “quality signals” as fraud filters

Retail compliance teams rarely have time to judge analytical chemistry. But you can still use objective signals.

Require proficiency testing participation and results summaries

Include contractual requirements that the lab (or the vendor’s lab) can provide:

• Evidence of regular proficiency testing (PT) participation for relevant analytes/matrices
• A summary of recent PT performance (pass/fail or z-scores as applicable)

AOAC CASP is one place labs align around method performance expectations and competence frameworks. Resource: https://www.aoac.org/science-programs/cannabis/

Ask what methods are used—and whether they align with recognized performance requirements

Your goal is not to prescribe a method, but to prevent “black box” testing.

Minimum fields to collect:

• Method name/ID
• Instrument platform (e.g., HPLC-DAD, LC-MS/MS, GC-MS)
• LOD/LOQ for key analytes
• Measurement uncertainty (if available)

Prefer labs using appropriate reference materials

NIST’s cannabis-related quality assurance efforts are useful here because they push labs toward traceable, comparable measurement. Start with NIST’s QA program page: https://www.nist.gov/programs-projects/cannabis-quality-assurance-program

Retailer audit playbook (spot-check protocol) that actually fits real operations

Below is a short protocol designed for store managers, intake staff, and compliance leads. It is meant for routine use—no special equipment required.

Step 1: COA identity and traceability (2 minutes)

Confirm the COA includes and matches:

• Lab name and license/authorization identifier (where applicable)
• Report ID
• Sample ID
• Batch/lot ID that matches the package/case and your inventory record
• Collection date / received date / analysis date

Red flags:

• Missing sample ID
• Batch ID format doesn’t match what the lab typically issues
• COA date is after the product’s packaging/label print date (not always wrong, but triggers review)

Step 2: Label/COA congruence (5 minutes)

Spot-check:

• Product name and product type match (e.g., edible vs. concentrate)
• Serving size and servings per package
• The potency values on the label match the COA within allowable rounding/variance

The “mg-per-serving math” check

Do this calculation during intake:

• If the COA shows total mg per package, confirm: (mg per package) ÷ (servings per package) = mg per serving
• If the COA shows concentration (mg/g) for an edible, confirm net weight aligns

Fraud tell: a label that is mathematically inconsistent with the COA (common when a PDF was edited but the rest of the report wasn’t).

Step 3: Prohibited or restricted cannabinoids (state-by-state, but one universal control)

Because rules differ widely, set one universal intake control:

• The COA must list all cannabinoids your state requires to be reported
• Any cannabinoid that is restricted in your state must be explicitly reported (not “ND” without LOD/LOQ)

If the COA does not list the relevant analytes, it is not fit for retail reliance.

Step 4: Contaminant panels (category-dependent)

Confirm the COA includes the required panels for the product type and matrix. At a minimum, you should ensure:

• Panels are present (not just “Pass” with no numbers)
• Units and action limits are stated where required
• Results have realistic method detection limits

Fraud tell: “Pass” everywhere with identical fonts and alignment that look like a template, or missing units/LOQs.

Step 5: Verification step (portal or signature)

Require at least one of:

• Valid digital signature, or
• QR/URL that resolves to the lab portal report

If neither exists, escalate to raw data request or reject.

Step 6: Document and retain

Create a simple intake record:

• COA report ID
• File hash
• Verifier initials
• Portal link (if applicable)
• Notes on any discrepancies and resolution

This matters because if enforcement asks “how did you vet this,” you can show a repeatable control.

Contract clauses that reduce COA fraud risk (and shift incentives)

Your purchase agreements and vendor onboarding docs are your strongest levers. Consider adding clauses (review with counsel):

1) Authenticity and audit cooperation

• Vendor warrants COAs are authentic, unaltered, and issued by authorized labs.
• Vendor must provide lab portal verification and/or digitally signed COAs.
• Vendor must provide raw data artifacts upon request within a defined SLA.

2) Payment tied to authentic, method-valid COAs

• A portion of payment is contingent on receipt of COAs that meet defined criteria (IDs, panels, signature/portal verification).
• If COAs are invalidated, retailer may offset costs of recalls, disposal, regulatory responses, and re-testing.

3) PT performance and lab quality disclosures

• Vendor must disclose the testing lab(s) used.
• Vendor must provide evidence of PT participation relevant to product category.
• Vendor must notify retailer of lab changes or any lab enforcement actions impacting validity.

4) Retesting and dispute process

• Define when retesting is allowed, how samples are chosen, and who selects the lab.
• Prohibit “retest until pass” behavior by defining objective triggers and limiting retest attempts.

Enforcement and liability: why “paper compliance” is no longer enough

Even if a retailer did not alter a COA, stocking product based on weak or unverifiable documentation can create layered exposure:

• Regulatory enforcement for selling noncompliant product, recordkeeping deficiencies, or labeling violations
• Product liability claims if contaminants or mislabeling lead to consumer harm
• Consumer protection allegations (unfair/deceptive practices) if potency/contents are misrepresented
• Contract and indemnity disputes with suppliers when COAs are challenged

A defensible program is one that shows you used reasonable, repeatable controls to verify what you sold.

Implementation roadmap: adopt controls without overwhelming staff

If you need a phased approach:

Phase 1 (2–4 weeks): eliminate “PDF-only” risk

• Require COA portal links or digital signatures
• Train staff on signature verification and batch/label congruence
• Add intake logging + file hashing

Phase 2 (30–60 days): raise vendor accountability

• Add contract language tying payment to authentic COAs
• Require PT participation disclosure and lab identity disclosure
• Establish raw-data request SOP

Phase 3 (quarterly): audit and improve

• Run monthly spot checks across categories
• Track vendors with repeated discrepancies
• Review state bulletins for analyte list changes, action limits, and labeling updates

Key takeaways for 2025–2026

• COA fraud is not hypothetical; it’s a predictable outcome of margin pressure, patchwork rules, and rising testing sophistication.
• The fastest wins are digitally signed COAs and QR/portal verification.
• Add a meaningful deterrent by requiring raw data availability and documenting a consistent intake audit.
• Use quality signals like AOAC CASP-aligned expectations, PT participation, and NIST reference-material literacy to filter vendors and labs.

Next step: operationalize this into your compliance program

If you want help turning these controls into a repeatable SOP—aligned to your specific state rules, product categories, and inspection realities—use https://cannabisregulations.ai/ to track updates, standardize intake audits, and strengthen your cannabis compliance documentation across licensing, regulations, and dispensary rollout requirements.