COAs Are Not Component Verification. Five FDA Warning Letters Just Said So.

Five warning letters landed on FDA's compliance page in the same posting cycle. Five manufacturers. Five sets of CGMP violations. And across the cluster, a repeated finding that most quality teams have quietly accepted as adequate: the supplier certificate of analysis, treated as the endpoint of component verification.

The letters posted June 2, 2026 named Revlon Group Holdings LLC, Umendra Life Sciences Private Limited, Shantou Qiwei Industry Co. Ltd., Laboratorios Dr. Collado S.A., and Zydus Lifesciences Limited. The enforcement focus across that cluster was component control, specifically the talc and asbestos testing gap. FDA has scrutinized talc used in drug and cosmetic-adjacent products for asbestos contamination since its 2020 guidance update on testing methodology. This cluster signals that scrutiny has moved into active enforcement at scale.

What ties these five together is not just product category. It is the shared assumption that a supplier COA constitutes verification. A COA documents what the supplier claims about its material. It does not document what the manufacturer confirmed. Under CGMP requirements, your component specifications and your incoming testing results must stand on their own. A COA is one data point in that process, not the conclusion of it.

FDA inspectors are trained to pull that thread. They ask whether your specifications cover all relevant quality attributes for a given raw material, whether your methods are appropriate and suitable for the matrix, whether you can demonstrate the work behind your approved supplier status, and whether your testing results tie back to specifications that FDA would accept. When the answer to any of those questions is "we rely on the COA," that is the finding.

The talc and asbestos angle sharpens that picture. Testing for asbestos contamination in talc is not a simple compendial procedure. It requires specific analytical methodology, validated for the product matrix, with documented rationale for method selection. A COA that states asbestos is not detected is only as defensible as the method behind it. If the manufacturer cannot demonstrate that its approved methodology is appropriate, that the supplier's testing program was verified against a suitable method, and that the specification covers asbestos at a relevant detection threshold, then the COA is not evidence. It is a record of what someone else said.

FDA's enforcement pattern in this cluster makes that distinction explicit. The June 2026 warning letters did not find that these companies had no testing. They found that what passed for testing did not satisfy the standard of evidence a CGMP quality system requires. That is a harder gap to close than a missing procedure. It is a gap in understanding what component verification is supposed to demonstrate.

That same pattern runs through a parallel enforcement action from the same period. FDA issued a warning letter to Macau-Union Pharmaceutical Limited on May 29, 2026, and it follows a related logic. The violations involve finished-product release testing and microbiological testing under USP procedures. FDA found inadequacies in both the testing program and the underlying method justification. The letter also addresses sub-potency findings and carries import-alert consequences for the firm.

Release testing failures are rarely about missing data. They tend to involve method deficiencies, incomplete USP alignment, or documentation that looks complete but cannot withstand regulatory scrutiny. USP chapters governing microbial enumeration and specified organism testing require clear method suitability demonstration before results can be considered reliable. If your microbial method was transferred without suitability validation, or if your specification does not accurately reflect the compendial requirement, then a passing test result is not necessarily a clean result in FDA's view. The test happened. The evidence of adequacy did not.

The Macau-Union import-alert consequence is the operational cost of that gap. Import alerts and the detention without physical examination designation that accompanies them mean every future shipment from that facility is presumed non-compliant until the firm can demonstrate adequate corrective action. That is not a documentation problem. It is a quality system problem that FDA traced back through the release testing program and found unsupported at its foundation.

The inspection-readiness lesson running through both signals is the same one FDA keeps writing into warning letters: documentation that a test occurred is not the same as evidence that the test was adequate, method-appropriate, and tied to a specification that regulatory review would accept. COAs from qualified suppliers reduce your incoming testing burden. They do not eliminate the manufacturer's obligation to confirm that materials meet its own specifications. Release testing must be backed by validated, suitability-demonstrated methods that would survive a regulatory challenge, not just internal approval.

If your component verification package rests on COA review without confirmed specification alignment, that is the gap this June cluster is describing. If your USP method suitability documentation is incomplete for microbial or release methods, that is the gap the next enforcement cycle will find. These June 2026 actions are not outliers. They are a signal about where FDA expects to see documented, defensible evidence rather than documented activity.