CBD Onboarding: Claims and Fulfillment

When underwriting cannabidiol (CBD) and hemp-derived product merchants, most acquirers and payment service providers (PSPs) verify tetrahydrocannabinol (THC) content, check certificates of analysis (COAs), and confirm operations in permitted jurisdictions. These product-level controls are necessary, but they miss a critical exposure that appears weeks or months after approval.

‍

A merchant may sell a compliant 0.3% THC tincture with legitimate third-party lab testing, but if their blog promises it "cures anxiety", their Instagram ad claims it "treats chronic pain", or their affiliate network promotes it as a "natural cancer treatment", the acquirer inherits regulatory risk from the Federal Trade Commission (FTC), the Food and Drug Administration (FDA), and state attorneys general.

‍

This guide provides a systematic approach for risk teams to verify claims compliance across all merchant touchpoints: product pages, content marketing, paid advertising, affiliate networks, influencer partnerships, and customer communications. We outline what to verify at onboarding, how to monitor for claim drift, and where claim violations most frequently occur.

‍

‍

‍

Understanding CBD Regulatory Risk

‍

‍

The Legal Framework

‍

The 2018 Farm Bill (Agriculture Improvement Act of 2018) legalized hemp-derived products containing less than 0.3% delta-9 THC on a dry-weight basis, removing hemp from the Controlled Substances Act. This federal legalization created a regulatory gap: hemp and hemp-derived CBD became legal to produce and sell, but the FDA retained authority over how these products are marketed.

As of January 2026, CBD remains in a regulatory gray area:

‍

What is legal:

• Producing and selling hemp-derived CBD products containing <0.3% THC
• Marketing CBD in topical products (cosmetics, lotions, creams) when compliant with FDA cosmetic regulations
• Selling CBD as an ingredient without health claims

‍

What remains prohibited or restricted:

• Marketing CBD as a dietary supplement (FDA has not established a regulatory pathway)
• Adding CBD to food products in interstate commerce (FDA position as of 2026)
• Making disease treatment claims without FDA approval
• Making structure/function claims without adequate substantiation
• Marketing unapproved CBD drug products (only Epidiolex is FDA-approved)

‍

The FDA has issued warning letters to CBD companies for violations including unsubstantiated health claims, selling unapproved new drugs, and marketing CBD-infused food products. The FTC enforces truth-in-advertising standards under Section 5 of the FTC Act, requiring that claims be truthful, not misleading, and substantiated by competent and reliable scientific evidence.

Critical distinction: The product itself may be legal, but the claims about what it does determine regulatory compliance.

‍

Scale of Enforcement

While CBD has achieved mainstream market penetration (available in pharmacies, grocery stores, and mass retailers), regulatory enforcement remains active and creates financial risk for acquirers processing these merchants.

‍

FDA enforcement data (2019-2023):

• FDA issued warning letters to over 60 CBD companies between 2019 and 2023 for making unsubstantiated health claims
• Common violations cited: claims to treat cancer, Alzheimer's disease, opioid addiction, pain, and pet anxiety without FDA approval
• Enforcement targets both large national brands and small e-commerce merchants
• Average time from warning letter to required response: 15 days

‍

FTC enforcement patterns:

• In 2020, the FTC sent warning letters to CBD marketers making unsubstantiated claims about treating coronavirus (COVID-19)
• In 2022, the FTC took action against companies claiming CBD treats conditions ranging from autism to cancer without adequate scientific evidence
• Enforcement focuses on claims that exploit consumer health concerns (pain, anxiety, sleep disorders, serious diseases)

‍

State-level enforcement:

• State attorneys general in California, Florida, New York, and Texas have issued civil investigative demands (CIDs) to CBD merchants for deceptive marketing
• California Proposition 65 requires warnings on CBD products that may expose consumers to certain chemicals
• New York Department of Health conducted CBD product testing in 2019, finding that multiple products contained significantly less CBD than claimed on labels.

‍

Payment network actions:

• While Visa and Mastercard permit CBD processing under specific conditions, high chargeback rates and regulatory investigations trigger account reviews
• CBD merchants face higher reserve requirements (10-20% vs. 0-5% for standard e-commerce) and extended payout delays (T+7 to T+14 vs. T+2)
• Merchants with FTC or FDA warning letters typically face immediate processing holds pending investigation

‍

‍

Why Claims Matter More Than Products

‍

In our evaluation of CBD merchant risk profiles, we observe that product compliance (THC content, lab testing, ingredient verification) is relatively straightforward to verify at onboarding. Claims compliance is more complex because:

‍

‍

1. Claims appear across multiple channels

• Product pages (easily reviewed)
• Blog posts and articles (often overlooked)
• Email marketing campaigns (not visible to reviewers)
• Social media posts (ephemeral, frequently changing)
• Paid advertisements (subject to platform policies and external review)
• Affiliate and influencer content (distributed across third-party properties)
• Customer reviews and testimonials (user-generated but merchant-controlled)

‍

‍

2. Claims evolve post-approval

• Merchants may have compliant product pages at onboarding but add non-compliant blog content 60 days later
• Marketing teams experiment with messaging, testing claims that drive conversion without considering regulatory compliance
• Seasonal campaigns introduce new claim language (e.g., "CBD for holiday stress", "CBD for New Year wellness resolutions")
• Competitive pressure leads merchants to match competitor claims without verifying substantiation

‍

‍

3. Merchants often don't understand the rules

• Many CBD merchants are small businesses without dedicated legal or compliance teams
• Distinction between permissible wellness claims and prohibited disease treatment claims is nuanced
• Merchants assume if competitors make certain claims, those claims must be legal
• Influencers and affiliates make claims without merchant oversight or approval

‍

‍

4. Regulatory definitions are technical and evolving

• "Structure/function claims" (describing effects on normal body functions) are permitted in some contexts but require substantiation
• "Disease claims" (preventing, treating, curing, or mitigating disease) require FDA approval
• The line between these categories is not always clear (Does "supports immune health" describe normal function or treat immunodeficiency?)

‍

‍

Example scenario:

A merchant applies for processing with a website selling CBD tinctures. Underwriting review finds:

• Product: 30ml bottle, 1000mg CBD, <0.3% THC (compliant)
• COA: Third-party lab report confirms CBD content and THC compliance (compliant)
• Product page: "Premium CBD oil, 1000mg per bottle, organic hemp extract" (compliant, factual description)
• Shipping: Geoblocking enabled for prohibited states (compliant)

‍

Application approved.

‍

60 days after approval, the merchant publishes a blog post titled "How CBD Cured My Anxiety: A Personal Story". The post includes:

• "CBD completely eliminated my panic attacks"
• "After two weeks of CBD, I was able to stop taking my prescription anti-anxiety medication"
• "CBD is a natural cure for anxiety and depression"
• "If you suffer from anxiety, CBD can help you like it helped me"

‍

The product is still compliant. The lab testing is still valid. The shipping restrictions are still enforced. But the merchant is now making disease treatment claims (treating anxiety and depression) without FDA approval and encouraging readers to discontinue prescription medications.

‍

If the FTC or FDA investigates this merchant, the acquirer faces:

• Potential association with deceptive marketing practices
• Reputational risk with card networks
• Increased chargeback exposure (customers who don't experience claimed benefits dispute charges)
• Possible requirement to terminate the merchant relationship

‍

This is why claims matter more than products for CBD risk assessment.

‍

‍

‍

Common CBD Claim Violations

Based on FDA warning letters and FTC enforcement actions, we categorize CBD claim violations into five types:

‍

‍

1. Disease Treatment Claims

‍

Definition: Claims that the product will diagnose, cure, mitigate, treat, or prevent a disease.

‍

Examples of violations:

• "CBD treats chronic pain"
• "CBD cures insomnia"
• "CBD can help with Alzheimer's disease"
• "CBD reduces symptoms of PTSD"
• "CBD is effective against cancer"
• "CBD prevents seizures" (unless for FDA-approved Epidiolex)

‍

Why it violates: Under the Federal Food, Drug, and Cosmetic Act, a product that makes disease claims is considered a drug and requires FDA approval. Only Epidiolex has FDA approval for specific seizure disorders.

‍

Compliant alternatives:

• "May promote a sense of calm" (wellness language, not disease treatment)
• "Supports relaxation" (structure/function claim if adequately substantiated)
• "Contains 25mg CBD per serving" (factual ingredient statement)

‍

‍

2. Unsubstantiated Efficacy Claims

‍

Definition: Claims about product effectiveness that are not supported by competent and reliable scientific evidence.

‍

Examples of violations:

• "Clinically proven to reduce stress" (without clinical trials)
• "Scientifically shown to improve sleep quality" (without peer-reviewed research)
• "9 out of 10 users report pain relief" (without verified survey data)
• "Guaranteed to work in 7 days" (outcome guarantees without evidence)
• "As effective as prescription medications" (comparative claims without studies)

‍

Why it violates: FTC requires that advertising claims be substantiated. Health-related claims require a reasonable basis consisting of competent and reliable scientific evidence (typically randomized controlled trials for efficacy claims).

‍

Compliant alternatives:

• "Contains full-spectrum hemp extract with naturally occurring cannabinoids"
• "Many users report feeling more relaxed" (if truthful and based on actual feedback)
• "May support overall wellness" (qualified claim that doesn't promise specific outcomes)

‍

‍

3. Drug or Therapeutic Claims

‍

Definition: Claims that position the product as a pharmaceutical alternative or suggest medical supervision.

‍

Examples of violations:

• "Ask your doctor if CBD is right for you" (implies medical treatment)
• "Can be used to wean off prescription medications" (therapeutic intervention)
• "Dosage: Take 25mg three times daily for anxiety" (medical dosing instructions)
• "Recommended by healthcare professionals for pain management" (medical endorsement without verification)

‍

Why it violates: These claims imply the product is intended for medical use, making it an unapproved new drug under FDA jurisdiction.

‍

Compliant alternatives:

• "Consult your healthcare provider before use if you have medical conditions or take medications" (safety disclaimer, not medical positioning)
• "Suggested use: 1 dropper daily" (serving suggestion, not medical dosing)

‍

‍

4. Misleading Labeling and Concentration Claims

‍

Definition: Claims about CBD content or purity that are false or misleading.

‍

Examples of violations:

• Label states "1000mg CBD" but lab testing shows 500mg (false concentration claim)
• "100% pure CBD" when product contains carrier oils and other ingredients (misleading purity claim)
• "Pharmaceutical grade" without meeting pharmaceutical manufacturing standards
• "THC-free" when trace THC is present (even if <0.3%, claiming "zero THC" is misleading if any is detectable)

‍

Why it violates: Misbranding under the FD&C Act and deceptive advertising under FTC regulations.

‍

Compliant alternatives:

• Accurate labeling matching lab-verified content
• "Full-spectrum CBD with naturally occurring trace cannabinoids" (acknowledges other compounds)
• "Contains <0.3% THC as required by federal law" (accurate THC disclosure)

‍

‍

5. Pet Health Claims

‍

Definition: Claims that CBD treats animal diseases or conditions without veterinary drug approval.

‍

Examples of violations:

• "CBD treats arthritis in dogs"
• "Reduces anxiety in pets"
• "Veterinarian recommended for joint pain" (without verified endorsement)
• "Natural alternative to prescription pet medications"

‍

Why it violates: CBD for pets is regulated by FDA's Center for Veterinary Medicine. Disease claims require approval as an animal drug.

‍

Compliant alternatives:

• "Hemp extract supplement for pets" (ingredient description, not claim)
• "May support overall pet wellness" (qualified, non-specific)
• "Consult your veterinarian before use" (safety language)

‍

‍

‍

What We Verify: The Five-Layer Claims Audit

We structure CBD merchant claims review as a five-layer audit, starting with the most visible touchpoint (product pages) and extending to the least visible (customer email communications). Each layer presents distinct claim risks and requires different verification methods.

‍

‍

Layer 1: Product Page Claims

‍

What we review:

• Product titles and descriptions
• Ingredient lists and supplement facts panels
• Dosage instructions or serving suggestions
• FAQ sections on product pages
• Customer review sections and highlighted testimonials
• Product comparison charts
• Related product recommendations
• Health disclaimer presence and accuracy

‍

Common violations found:

‍

insert table here

‍

Product page audit checklist:

• [ ] Product title is descriptive, not therapeutic ("CBD Tincture" not "CBD Pain Relief")
• [ ] Ingredient list is accurate and complete
• [ ] CBD concentration matches lab testing (verify COA)
• [ ] THC content disclosure is accurate (<0.3% or "trace amounts")
• [ ] No disease treatment claims in description
• [ ] Serving suggestions are not medical dosing instructions
• [ ] Required disclaimer present: "These statements have not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure, or prevent any disease."
• [ ] Customer reviews are not selectively featured to make medical claims
• [ ] No comparative drug claims ("better than ibuprofen", "replaces prescription medications")
• [ ] Images do not imply medical use (no images of pills, prescription bottles, or medical settings)

‍

Red flags:

• Product pages cite "clinical studies" or "research" without providing sources
• "Doctor recommended" or "physician formulated" without verified medical professional involvement
• Before/after health outcome testimonials prominently featured
• Product categorized under "Medicine" or "Supplements" in site navigation when CBD dietary supplements are not FDA-approved

‍

‍

Layer 2: Content Marketing and Blogs

‍

This is where we find the majority of claim violations. Merchants maintain compliant product pages but publish blog content making prohibited claims to drive organic search traffic.

‍

What we review:

• Blog post titles and headlines
• Article body content (especially health condition guides)
• Author bios and medical credentials (if claims rely on expertise)
• Internal linking from blogs to product pages (establishing commercial intent)
• Meta descriptions and SEO titles
• Editorial disclaimers or medical review statements
• Citation of sources for health claims
• Comments sections (merchant responses to user questions)

‍

High-risk content types:

"How CBD Treats [Condition]" Articles

‍

Example blog post: "How CBD Treats Chronic Pain: The Complete Guide"

‍

Violation analysis:

• Title makes disease treatment claim ("treats chronic pain")
• Content typically includes: mechanisms of action, dosing recommendations, success stories, comparisons to pharmaceutical pain medications
• Commercial intent: internal links to CBD pain relief products
• Lack of substantiation: cites animal studies or preclinical research without human clinical trials

‍

This content positions CBD as a medical treatment without FDA approval.

‍

"CBD vs. [Medication]" Comparison Articles

‍

Example: "CBD vs. Xanax for Anxiety: Which Is Better?"

‍

Violation analysis:

• Directly compares unapproved CBD to FDA-approved prescription drugs
• Implies CBD is a therapeutic alternative
• May include unsubstantiated claims ("CBD has fewer side effects than Xanax")
• Risk: readers may discontinue prescription medications based on merchant advice

‍

"CBD Dosage for [Condition]" Guides

‍

Example: "CBD Dosage Guide for Anxiety: How Much Should You Take?"

‍

Violation analysis:

• Provides medical dosing advice for treating disease (anxiety)
• Typically includes weight-based dosing charts (implies pharmaceutical precision)
• Lacks medical supervision or individualized assessment
• Risk: readers self-medicate for conditions requiring professional care

‍

"Research Shows CBD..." Claim Articles

‍

Example: "5 Research-Backed Benefits of CBD"

‍

Violation analysis:

• Selectively cites preliminary research (often animal studies or in vitro studies) without context
• Presents ongoing research as established fact
• Fails to disclose that human clinical trials are limited or inconclusive
• Commercial bias: only highlights positive findings, ignores studies showing no effect

‍

Blog content audit checklist:

• [ ] No "treats", "cures", or "prevents disease" language in titles or body content
• [ ] Articles do not provide medical dosing advice for health conditions
• [ ] Research citations are accurate and not overstated (animal studies disclosed as such)
• [ ] Medical claims include disclaimer: "This content is for informational purposes only and is not medical advice"
• [ ] No encouragement to replace prescription medications with CBD
• [ ] Author credentials are accurately represented (not falsely claiming medical expertise)
• [ ] Articles link to product pages (establishes commercial intent, increasing regulatory scrutiny)
• [ ] Comments moderation prevents users from making prohibited claims without merchant disclaimer response

‍

Investigation method: We use automated content scraping to extract all blog URLs, then apply natural language processing (NLP) to flag prohibited claim keywords:

‍

Tier 1 red flags (immediate violation):

• "treats [disease]"
• "cures [condition]"
• "prevents [disease]"
• "CBD instead of [medication]"
• "stop taking [drug]"

‍

Tier 2 yellow flags (context-dependent):

• "research shows"
• "clinically proven"
• "doctor recommended"
• "studies indicate"
• "medical benefits"

‍

Tier 3 watch terms (review for context):

• "supports"
• "promotes"
• "may help"
• "wellness"
• "balance"

‍

Articles with Tier 1 flags are flagged for immediate review. Articles with multiple Tier 2 or Tier 3 flags undergo manual review to assess context and commercial intent.

‍

‍

Layer 3: Paid Advertising Channels

‍

CBD advertising is restricted or prohibited on major platforms, creating compliance complexity. Merchants may attempt to circumvent platform policies or make prohibited claims in ads that evade platform moderation.

‍

Platform policies (as of January 2026):

‍

Google Ads

• Permitted: FDA-approved CBD pharmaceutical products (Epidiolex) in specific countries
• Permitted (limited): Topical hemp products (lotions, creams, cosmetics) without health claims in certain countries
• Prohibited: Ingestible CBD products (tinctures, capsules, edibles, beverages) in most markets
• Prohibited: All CBD health or therapeutic claims

‍

Risk: Merchants may attempt to advertise CBD by using euphemisms ("hemp extract", "cannabinoid supplement", "plant-based wellness") without explicitly stating "CBD". Google's policy enforcement is inconsistent; some ads are approved, others are rejected or suspended post-approval.

‍

Facebook and Instagram (Meta)

• Prohibited: All CBD product promotion (organic and paid)
• Prohibited: CBD-related content even without direct product sales (educational content, news, advocacy)
• Limited exception: Topical hemp seed oil products (not CBD) in some markets

‍

Enforcement: Meta uses automated content moderation to detect CBD references. Accounts promoting CBD products face:

• Ad disapproval
• Account restriction (unable to run any ads)
• Page or profile suspension (for repeat violations)

‍

Risk: Merchants running Instagram influencer campaigns may violate Meta policies if influencers tag the merchant or use branded hashtags. Meta attributes influencer content to the sponsoring merchant.

‍

TikTok

• Prohibited: All CBD content and advertising
• Prohibited: Hemp products with cannabinoid content
• Enforcement: Content removal, account bans, creator marketplace restrictions

‍

Risk: TikTok's younger demographic (50%+ of users under age 24) increases regulatory sensitivity. CBD merchants targeting this demographic via TikTok face heightened scrutiny from regulators concerned about youth marketing.

‍

Amazon

• Prohibited: CBD product listings (all forms: topicals, ingestibles, pet products)
• Permitted: Hemp seed oil products (derived from seeds, not flowers/leaves, with no cannabinoid content)

‍

Risk: Merchants may attempt to list CBD products by mislabeling them as hemp seed oil. Amazon conducts product testing sweeps and removes non-compliant listings. Repeat violations result in account suspension.

‍

Advertising audit checklist:

• [ ] Merchant discloses all active advertising channels (Google, Facebook, Instagram, TikTok, programmatic, native, affiliate)
• [ ] Ad creative samples reviewed for claim compliance (no disease treatment, no drug comparisons, no unsubstantiated efficacy claims)
• [ ] Landing pages for ads reviewed (ad may be compliant but landing page makes prohibited claims)
• [ ] Platform policy compliance verified (merchant not advertising on prohibited platforms)
• [ ] Ad account status checked (no prior disapprovals, suspensions, or policy strikes)
• [ ] Merchant has ad approval process requiring compliance review before launch

‍

Investigation method: We request merchant ad account access or screenshots of active campaigns, then:

1. Ad creative review: Extract all ad copy, headlines, descriptions, and images
2. NLP claim analysis: Flag prohibited keywords (same methodology as blog content review)
3. Landing page audit: Navigate destination URLs and review claim compliance
4. Platform policy check: Verify merchant is not running ads on prohibited platforms
5. Compliance documentation: Request merchant ad compliance guidelines and training materials

‍

Red flags:

• Merchant refuses to disclose ad channels or provide account access
• Active campaigns on platforms that prohibit CBD (Facebook, TikTok)
• Ad creative includes Tier 1 prohibited claims ("CBD treats anxiety", "CBD cures pain")
• Landing pages make disease treatment claims even if ads are vague
• Multiple ad account suspensions or policy violations in merchant's history

‍

‍

Layer 4: Affiliate and Influencer Content

‍

Affiliates and influencers create distributed compliance risk: claims appear on third-party properties outside the merchant's direct control, but regulatory agencies may attribute those claims to the merchant.

‍

FTC position: Merchants are responsible for monitoring and correcting affiliate and influencer claims, especially when:

• The merchant provides talking points or promotional materials to affiliates
• The merchant compensates affiliates based on sales (establishing financial relationship and control)
• The merchant features or amplifies influencer content (reposting on official channels)
• The merchant fails to take corrective action when notified of prohibited claims

‍

Common affiliate claim violations:

‍

Influencer Personal Testimonials

Example Instagram post: "This CBD oil CURED my anxiety! I used to have panic attacks daily, but after 2 weeks of @CBDBrand, I'm panic-free. Use code SARAH20 for 20% off! #anxietyrelief #CBDcures #mentalhealth"

‍

Violation analysis:

• Disease claim: "cured my anxiety"
• Treatment claim: addressed specific medical condition (panic attacks)
• Implied endorsement: influencer's experience suggests product will work for followers
• Commercial relationship: affiliate code establishes merchant compensation

‍

If the merchant compensates this influencer and does not require correction, the merchant may be liable for the prohibited claim.

‍

Affiliate Blog "Review" Posts

Affiliates operate CBD review sites that rank and compare products, earning commissions on clicks and sales. These sites frequently make prohibited claims:

Example: "Top 5 CBD Oils for Pain Relief: Our 2026 Rankings"

‍

Content includes:

• Comparison table rating products by "pain relief effectiveness"
• "Clinical research shows CBD is effective for chronic pain" (unsubstantiated)
• Dosing recommendations for pain management
• Direct affiliate links to merchant sites

‍

Violation: The affiliate site makes disease treatment claims ("pain relief") and positions CBD as a therapeutic product. If the merchant provides affiliate materials or compensates the affiliate, the merchant shares liability.

‍

YouTube and Video Content

Influencers create long-form video content (product reviews, "day in my life with CBD", condition-specific testimonials) that often includes prohibited claims.

Example: "How I Quit My Anxiety Medication with CBD | My CBD Journey"

‍

Video content includes:

• Personal story of using CBD to replace prescription anti-anxiety medication
• Dosing advice for anxiety
• Before/after mental health descriptions
• Affiliate link in video description

‍

Risk: YouTube content is long-lived and searchable, creating enduring claim exposure. Videos may accumulate millions of views, amplifying prohibited claims.

‍

Affiliate and influencer audit checklist:

• [ ] Merchant has written affiliate agreements prohibiting medical claims
• [ ] Affiliate onboarding materials include FTC and FDA compliance guidelines
• [ ] Merchant monitors affiliate content (spot-check 10-20% of affiliates monthly)
• [ ] Merchant has takedown process for non-compliant affiliate content (24-48 hour response time)
• [ ] Influencer contracts include claim compliance requirements and require merchant pre-approval of content
• [ ] Merchant does not provide talking points or promotional materials that suggest medical uses
• [ ] Merchant discloses all active affiliate partnerships (affiliate networks, individual influencers, referral programs)

‍

Investigation method:

1. Affiliate network audit: Request list of all affiliates and affiliate URLs
2. Content sampling: Review top 20 affiliates by volume (80/20 rule: 20% of affiliates drive 80% of sales)
3. Claim detection: Apply same NLP methodology to affiliate content as used for merchant blog content
4. Social media monitoring: Search merchant brand name and product names on Instagram, TikTok, YouTube; filter for affiliate links or discount codes
5. Compliance infrastructure review: Request affiliate agreement templates, compliance training materials, and evidence of affiliate monitoring

‍

Red flags:

• Merchant has no written affiliate agreements or compliance policies
• Merchant cannot provide list of active affiliates
• Top affiliates consistently make prohibited claims without merchant intervention
• Merchant provides affiliates with claim-heavy promotional materials ("CBD for Pain Relief - Affiliate Marketing Kit")
• Merchant features influencer content making prohibited claims on official brand channels (reposting Instagram posts about "CBD curing" conditions)

‍

‍

Layer 5: Customer Communications

‍

Customer-facing communications (emails, SMS, chatbots, customer service responses) can introduce claim liability, especially when personalized advice crosses into medical recommendations.

‍

What we review:

• Email marketing campaign content (newsletters, promotional emails, abandoned cart recovery)
• Automated email series (welcome sequences, post-purchase follow-ups)
• Customer service scripts and FAQ responses
• Live chat and chatbot messaging
• SMS marketing content
• Packaging inserts and included materials (if merchant provides samples)

‍

Common violations:

‍

Personalized "Recommendations"

Example customer service response:

"Thank you for contacting us! Based on your question about managing sleep issues, we recommend our 1500mg CBD tincture. Most customers with insomnia take 50mg one hour before bed and report significant improvement in sleep quality within a week. Let us know if you need a stronger dose!"

‍

Violation analysis:

• Disease claim: treating insomnia
• Dosing advice: specific medical recommendation (50mg for sleep)
• Efficacy claim: "significant improvement" without substantiation
• Outcome expectation: "within a week"

‍

Compliant alternative:

"Thank you for your interest! Our 1500mg CBD tincture is one of our most popular products. Suggested use is 1-2 droppers daily. We recommend starting with a lower amount and adjusting as needed. For specific health concerns, please consult your healthcare provider. Let us know if you have other questions!"

‍

Promotional Email Campaigns

Example email subject line: "Say Goodbye to Anxiety with CBD - 30% Off This Week"

‍

Body content:

• "Millions suffer from anxiety and depression. CBD is a natural, side-effect-free treatment that works."
• "Clinical studies show CBD reduces anxiety symptoms by 40%."
• "Stop relying on prescription medications. Try CBD today."

‍

Violation: Disease treatment claims, unsubstantiated efficacy data, encouragement to discontinue medications.

‍

Post-Purchase Dosing Guides

Some merchants include dosing guides or "wellness journals" with purchased products, providing condition-specific dosing advice.

Example insert: "CBD Dosage Guide"

‍

Insert table here

‍

Violation: Medical dosing chart for treating specific diseases (anxiety, pain, insomnia) without FDA approval.

‍

Customer communication audit checklist:

• [ ] Email marketing templates reviewed for claim compliance (no disease treatment language)
• [ ] Customer service scripts prohibit medical advice or condition-specific recommendations
• [ ] Chatbot messaging does not provide dosing advice for health conditions
• [ ] Automated email sequences do not make therapeutic claims
• [ ] Packaging inserts reviewed (no dosing charts for medical conditions)
• [ ] Customer service team trained on FTC/FDA compliance (annual training documented)

‍

Investigation method:

1. Email archive review: Request access to email marketing platform; review last 90 days of campaigns
2. Customer service audit: Request scripts, training materials, and sample interactions (randomly select 20-30 customer service tickets)
3. Chatbot message review: Navigate merchant website, initiate chat, ask health-related questions to test bot responses
4. Packaging materials: Request samples of all included materials (inserts, dosing guides, brochures)

‍

Red flags:

• Customer service provides specific dosing advice for medical conditions
• Email campaigns consistently reference health conditions, pain relief, anxiety treatment
• Chatbot recommends products based on user-disclosed health issues
• Merchant includes dosing charts for conditions in product packaging
• No evidence of customer service compliance training

‍

‍

‍

Shipping and Jurisdiction Verification

CBD legality varies by state, and merchants selling nationally must implement controls to prevent sales in prohibited jurisdictions. We verify both policy documentation and technical enforcement.

‍

‍

State Restriction Overview (January 2026)

‍

Prohibited states (all CBD products):

• Idaho: All forms of CBD prohibited under state law
• Nebraska: CBD products remain controlled substances under state law

‍

Restricted states (specific product types or conditions):

• Iowa: Ingestible CBD restricted; topicals permitted
• South Dakota: CBD legality limited; restrictive state regulations
• New York: Ingestible CBD sales require licensed retail; online sales restricted for certain product types

‍

Highly regulated states (permitted with compliance requirements):

• California: Prop 65 warnings required; testing mandates; labeling requirements
• Colorado: Mandatory testing; labeling standards; serving size limits
• Connecticut: Testing requirements; product registration
• Massachusetts: Testing and labeling mandates
• Oregon: Testing, labeling, and serving size regulations

‍

Moderately regulated states (permitted, evolving frameworks):

• Texas: Legal, but local ordinances may restrict; monitoring required
• Florida: Legal; evolving regulatory framework
• Louisiana: Restrictions on sales channels (pharmacy-only for some products)
• North Carolina: Legal; labeling requirements

‍

State law changes: CBD regulations change frequently (quarterly or annually in many states). Merchants must monitor changes and update shipping restrictions accordingly.

‍

‍

Shipping Restriction Verification

‍

Policy documentation review:

• [ ] Shipping policy clearly lists states where shipping is prohibited or restricted
• [ ] Policy is prominently linked (footer, checkout, FAQ)
• [ ] Policy includes date last updated (should be recent; quarterly review recommended)
• [ ] Terms of Service acknowledge state-level restrictions
• [ ] Age verification policy stated (18+ or 21+ depending on state requirements)

‍

Technical controls verification:

• [ ] Geolocation blocking: Test checkout from prohibited state IP addresses (should be blocked)
• [ ] Address validation: Enter restricted state shipping addresses (should be rejected with clear error message)
• [ ] Zip code validation: Restricted zip codes flagged at checkout
• [ ] Real-time restriction updates: Merchant has process to update restrictions when state laws change

‍

Testing methodology:

‍

We use VPN services to simulate checkout from prohibited states:

1. Idaho IP address: Attempt to complete checkout for CBD tincture

• Expected: Order blocked with message: "We cannot ship CBD products to Idaho per state law"
• Red flag: Order proceeds to payment without restriction

2. New York address: Attempt to order ingestible CBD product

• Expected: Order blocked or warning displayed about NY restrictions
• Red flag: Order ships without verification of licensed retail status

3. Restricted zip code: Enter address in locality with CBD ban (some cities/counties prohibit CBD even in otherwise permissive states)

• Expected: Zip code flagged and order blocked
• Red flag: No zip-level restriction enforcement

‍

‍

Common shipping compliance failures:

‍

insert table here

‍

Investigation process:

1. Review shipping policy documentation
2. Conduct test transactions from 5-10 restricted jurisdictions (VPN simulation)
3. Verify address validation rejects prohibited addresses
4. Request merchant's process for monitoring state law changes (should be quarterly review at minimum)
5. Check customer service scripts for handling inquiries from restricted states

‍

‍

‍

Laboratory Testing and Transparency Standards

Third-party lab testing provides evidence of product claims (CBD concentration, THC compliance, contaminant absence) and demonstrates quality control. We evaluate both testing rigor and public accessibility.

‍

‍

Certificate of Analysis (COA) Requirements

‍

What a compliant COA includes:

• Laboratory name and accreditation (ISO/IEC 17025 or equivalent)
• Test date and batch/lot number
• Product identification (name, SKU, manufacturer)
• Cannabinoid profile (CBD, THC, CBG, CBN, etc.) with mg per serving and percentage
• Terpene profile (optional, but indicates full-spectrum vs. isolate)
• Contaminant testing:

• Heavy metals (lead, arsenic, cadmium, mercury)
• Pesticides (residual agricultural chemicals)
• Residual solvents (from extraction process)
• Microbials (bacteria, mold, yeast)

• Pass/fail indicators for each test category
• Lab signature or QR code for verification

‍

Red flags:

• COA is generic or undated (no batch specificity)
• COA is over 12 months old (not current)
• Laboratory is not ISO/IEC 17025 accredited
• COA shows "N/D" (not detected) for all contaminants without listing detection limits (suggests testing was not performed)
• CBD concentration on COA does not match label claim (e.g., label says 1000mg, COA shows 750mg)
• No COA available or merchant cannot produce upon request

‍

‍

Testing Frequency and Batch Tracking

‍

Best practice: Every production batch is tested before release.

Acceptable practice: Testing conducted on representative samples (e.g., test every 10th batch for consistent suppliers with historical compliance).

Red flag practice: Single COA used for all products or batches; infrequent testing (annual or less).

‍

Batch tracking verification:

• [ ] Products display batch or lot numbers on labels
• [ ] COA batch number matches product label batch number
• [ ] Merchant can provide COA for any batch currently in inventory
• [ ] Merchant has batch tracking system (can trace product from raw material to finished good)

‍

Investigation method:

1. Request COAs for all products sold by merchant
2. Verify batch numbers on COAs match product listings or labels
3. Check lab accreditation status (search lab name in ANSI National Accreditation Board database)
4. Confirm test dates are recent (within 6-12 months for active products)
5. Verify CBD concentrations match label claims (±10% variance is typical and acceptable; >20% variance suggests quality control issues)

‍

‍

Public Accessibility

Transparent merchants make COAs easily accessible to customers:

‍

Best practice:

• QR code on product label linking to batch-specific COA
• COA linked from product page (click to view PDF)
• Searchable COA database on website (enter batch number, retrieve COA)

‍

Acceptable practice:

• COA available upon request (email customer service)
• Generic COA accessible on website (not batch-specific, but demonstrates testing)

‍

Red flag:

• No COA provided or accessible
• Merchant claims testing but cannot produce documentation
• COA provided only after pushback or investigation

‍

‍

Contaminant Testing Standards

‍

Heavy metals (measured in parts per million, ppm):

• Lead: <0.5 ppm
• Arsenic: <0.2 ppm
• Cadmium: <0.2 ppm
• Mercury: <0.1 ppm

Pesticides: Must pass state-specific limits (California, Colorado, Oregon have strictest standards)

Microbials: Total yeast and mold <10,000 CFU/g; no E. coli or Salmonella

Residual solvents (if applicable): Must meet USP limits for Class 2 or Class 3 solvents

‍

Risk assessment:

• Products that fail heavy metal testing pose consumer health risk and create product liability exposure
• Pesticide contamination violates food safety standards and may trigger FDA enforcement
• Microbial contamination can cause acute illness, especially in immunocompromised consumers

‍

‍

‍

Refund Policies and Consumer Protection

CBD products generate higher dispute rates than general e-commerce (industry average 1.2-1.8% vs. 0.6-0.9% for standard retail). Clear, fair refund policies reduce dispute risk and demonstrate consumer protection commitment.

‍

‍

Policy Elements to Verify

‍

Return window:

• 30 days (minimum acceptable for e-commerce)
• 60 days (best practice for CBD, allows customers to evaluate effectiveness)
• 90 days (premium brands, demonstrates product confidence)

‍

Condition requirements:

• Unopened products only (restrictive; may increase disputes)
• Opened products accepted within X days (customer-friendly; higher risk of use-and-return)
• Defective or mislabeled products accepted anytime (required for consumer protection)

‍

Refund method:

• Full refund to original payment method (best practice)
• Store credit only (acceptable if clearly disclosed before purchase)
• Restocking fees (typically 10-20%; should be disclosed pre-purchase)

‍

Shipping costs:

• Customer pays return shipping (standard practice)
• Merchant provides prepaid return label (premium service)
• Merchant covers return shipping for defective products (required in many states)

‍

Processing time:

• Refund issued within 5-10 business days of return receipt (best practice)
• Longer timelines (15-30 days) increase customer frustration and dispute likelihood

‍

‍

State-Specific Requirements

‍

California:

• Must honor refund policy as stated; cannot arbitrarily deny returns
• "No refunds" policies are legally questionable for defective products
• Consumer protection laws provide strong buyer rights

‍

New York:

• Full refund required if product does not conform to representations
• Cannot charge restocking fees on defective products

‍

Federal FTC standards:

• Refund policy must be clearly disclosed before purchase
• Cannot make false claims about product quality then refuse refunds
• Mail Order Rule requires timely processing (typically 30 days or stated timeframe)

‍

‍

Dispute Rate Analysis

We compare merchant dispute rates to CBD industry benchmarks:

Acceptable: <1.5% overall dispute rate Concerning: 1.5-2.5% dispute rate (warrants investigation) High-risk: >2.5% dispute rate (immediate review required)

‍

Common dispute reasons:

• "Product didn't work" (suggests over-promised efficacy)
• "Unrecognized charge" (descriptor mismatch)
• "Unauthorized subscription" (unclear subscription terms)
• "Product not as described" (quality issues, concentration discrepancies)
• "Merchant refuses refund" (policy not honored)

‍

Investigation triggers:

• Dispute rate exceeds 2.0% for two consecutive months
• Specific dispute reason (e.g., "didn't work") exceeds 30% of total disputes
• Customer service inquiries about refunds spike (suggests policy friction)

‍

‍

‍

Multi-Jurisdiction Compliance Matrix

We organize state CBD requirements into a compliance matrix covering product types, labeling, testing, and sales channel restrictions:

‍

insert table here

‍

Notes:

• "Last Updated" indicates when state regulations last changed; quarterly review recommended
• "Standard" labeling = ingredient list, net weight, manufacturer info, CBD content, THC disclosure
• "Restricted" = special conditions apply (licensing, sales channel limits, product type restrictions)

‍

‍

‍

What Good Looks Like: Compliant CBD Merchant Profile

Based on evaluation of hundreds of CBD merchant applications, we identify low-risk profile characteristics:

‍

‍

Product Compliance

‍

CBD source and content:

• Hemp-derived (not marijuana-derived)
• <0.3% delta-9 THC on dry-weight basis (confirmed by lab testing)
• CBD concentration matches label claims (within ±10%)
• Batch tracking implemented (every product traceable to source batch and COA)

‍

Product types (risk tiered):

• Lowest risk: Topicals (creams, lotions, balms, cosmetics)
• Low-moderate risk: Tinctures and oils (for sublingual use)
• Moderate risk: Capsules and soft gels
• Higher risk: Edibles (gummies, beverages, food products) due to FDA position on CBD in food
• Highest risk: Pet products (veterinary drug compliance questions)

‍

Laboratory testing:

• Third-party testing by ISO/IEC 17025 accredited lab
• Batch-specific COAs (not generic)
• Full panel testing (cannabinoid profile, heavy metals, pesticides, microbials, residual solvents)
• Testing frequency: every batch or representative sampling with documented methodology
• COAs publicly accessible (QR code, website database, provided upon request)

‍

‍

Marketing Compliance

‍

Product page language:

• Factual, non-therapeutic descriptions ("CBD oil, 1000mg per bottle, organic hemp extract")
• Accurate ingredient lists and supplement facts panels
• Serving suggestions, not medical dosing ("1-2 droppers daily")
• Required disclaimers prominently displayed:

• "These statements have not been evaluated by the Food and Drug Administration"
• "This product is not intended to diagnose, treat, cure, or prevent any disease"
• "Consult your healthcare provider before use if pregnant, nursing, or taking medications"

‍

Content marketing:

• Educational focus (explaining what CBD is, how it's made, sourcing practices)
• Avoids condition-specific guides ("CBD for anxiety", "CBD for pain")
• Research cited accurately (distinguishes animal studies from human trials, preclinical from clinical)
• Author credentials accurately represented (does not falsely claim medical expertise)
• Disclaimers on health-related content ("for informational purposes only, not medical advice")

‍

Advertising:

• Complies with platform policies (no CBD ads on prohibited platforms like Facebook, TikTok)
• Ad creative avoids prohibited claims (no "treats", "cures", drug comparisons)
• Landing pages maintain claim consistency (ads and destination pages both compliant)
• No history of ad account suspensions or policy violations

‍

Affiliate and influencer controls:

• Written affiliate agreements prohibit medical claims
• Compliance training provided to affiliates and influencers
• Active monitoring program (spot-check affiliate content monthly)
• Takedown process for non-compliant content (24-48 hour response)
• Does not provide claim-heavy marketing materials to affiliates

‍

‍

Operational Compliance

‍

Business structure and licensing:

• Properly registered business entity (LLC, Corporation) in state of operation
• Appropriate business licenses (general business license; industry-specific licenses where required)
• Beneficial ownership disclosed (no nominee directors or offshore opacity)
• No prior merchant account terminations for prohibited claims or high chargebacks

‍

Shipping and jurisdiction controls:

• Geoblocking or order rejection for prohibited states (Idaho, Nebraska)
• Address validation prevents shipping to restricted localities
• Shipping policy clearly lists exclusions (prominently linked, recently updated)
• Process for monitoring state law changes (quarterly review minimum; documented updates)
• Age verification at purchase (18+ or 21+ per state requirements)

‍

Supply chain transparency:

• Hemp sourcing disclosed (domestic U.S. preferred; if imported, country of origin stated)
• Manufacturer identified (merchant manufactures in-house OR names contract manufacturer)
• Supply chain documentation available (purchase orders, supplier agreements, hemp farm sourcing)
• Organic or quality certifications (if claimed) verified (USDA Organic, GMP, etc.)

‍

Customer protection:

• Clear, fair refund policy (30-60 day return window)
• Refund policy honored consistently (low "merchant refuses refund" dispute rates)
• Customer service trained on compliance (no medical advice, no dosing recommendations for conditions)
• Privacy policy addresses health information (if merchant collects health data via surveys or quizzes)

‍

‍

Risk Indicators (Scoring)

We assign risk scores based on observed profile elements:

‍

Low-risk (Score 1-3):

• Topical products only
• No health claims anywhere (product pages, blog, ads)
• ISO-accredited lab testing with public COAs
• Geoblocking enforced for prohibited states
• No affiliate program or tightly controlled influencer partnerships
• <1.0% dispute rate
• No FDA or FTC warning letters

‍

Medium-risk (Score 4-6):

• Ingestible products (tinctures, capsules)
• Qualified wellness claims ("may support", "promotes") with disclaimers
• Third-party testing with some gaps (not all batches, not fully public)
• Shipping restrictions in policy but technical controls not verified
• Affiliate program with compliance guidelines in place
• 1.0-1.8% dispute rate
• No enforcement history

‍

High-risk (Score 7-10):

• Edibles or pet products
• Disease treatment claims or drug comparisons
• No lab testing or non-accredited labs
• Ships to all states without restriction
• Uncontrolled affiliate network making prohibited claims
• 2.0% dispute rate
• Prior FDA warning letter or FTC investigation
• Prior MID termination

‍

Actions by risk tier:

• Low: Standard onboarding and monitoring
• Medium: Enhanced onboarding (additional documentation, compliance interview); quarterly monitoring
• High: Decline or require remediation before approval; if approved, monthly monitoring and elevated reserves

‍

‍

‍

Common Compliance Misses

Based on hundreds of CBD merchant reviews, we observe recurring compliance gaps:

‍

‍

1. Blog Content Violations (70% of Merchants)

‍

Issue: Merchants maintain compliant product pages but publish blog posts making prohibited claims to drive SEO traffic.

Example titles we frequently encounter:

• "How CBD Cures Anxiety: The Science Explained"
• "CBD Dosage Guide for Chronic Pain"
• "CBD vs. Prescription Medications: Which Is Safer?"
• "10 Diseases CBD Can Treat Naturally"

‍

Why it's missed: Underwriting teams review product catalogs and primary pages but don't systematically crawl blog content. Marketing teams publish content without compliance review, focusing on keywords that drive organic traffic (which are often condition-specific).

‍

Impact: Blog content is public, searchable, and archivable. FDA and FTC enforcement actions cite blog posts as evidence of prohibited claims. Customers who read condition-specific blogs have higher expectation of therapeutic effect, leading to disputes when results don't match claims.

‍

Detection method: Automated website crawling extracts all URLs under /blog/*, /news/*, /articles/*, /resources/*. NLP analysis flags prohibited claim keywords. Manual review of flagged articles determines severity and context.

‍

‍

2. Influencer Claim Amplification (55% of Merchants)

‍

Issue: Merchants partner with influencers who make prohibited claims, then amplify that content on official brand channels (reposting to Instagram, sharing on Facebook, embedding in email campaigns).

Example scenario:

• Influencer posts: "This CBD cured my insomnia! After years of sleeping pills, I'm finally medication-free thanks to @BrandName CBD. Use code SLEEP20!"
• Merchant reposts to official Instagram with caption: "We love hearing success stories like this! 💚 #CBDworks"

‍

Why it's missed: Merchants view influencer content as "authentic testimonials" rather than advertising. They don't apply claim compliance standards to user-generated or partner content.

‍

Regulatory reality: FTC holds merchants responsible for claims made by compensated endorsers. Reposting influencer content constitutes endorsement of the claims. "We love hearing success stories" reinforces the prohibited claim.

‍

Impact: Influencer content reaches large audiences (often larger than merchant's owned channels). Prohibited claims amplified by the merchant carry greater weight and regulatory exposure.

‍

Detection method: Social media monitoring searches for merchant brand mentions, product tags, and affiliate codes. Content with prohibited claims is flagged. We verify whether merchant engaged with or amplified the content (likes, comments, reposts, features in email campaigns).

‍

‍

3. Customer Service Medical Advice (40% of Merchants)

‍

Issue: Customer service representatives provide condition-specific dosing advice or recommend products based on customer health disclosures.

Example customer inquiry: "I have chronic back pain and trouble sleeping. Which of your products would you recommend and how much should I take?"

‍

Non-compliant response (common): "For pain and sleep, we recommend our 1500mg Full Spectrum Tincture. Most customers with similar issues take 50mg in the morning for pain and 75mg before bed for sleep. You should notice improvement within a week. Let us know if you need a stronger dose!"

‍

Violation: Disease treatment advice (back pain, insomnia), specific medical dosing, efficacy timeline, implied outcome.

‍

Compliant response: "Thank you for your interest! Many of our customers enjoy our 1500mg Full Spectrum Tincture for daily wellness. Suggested use is 1-2 droppers daily, and we recommend starting with a lower amount and adjusting based on your personal experience. For specific health concerns or dosing advice, please consult your healthcare provider. We're here to answer product questions anytime!"

‍

Why it's missed: Customer service training focuses on product knowledge and sales, not regulatory compliance. Representatives want to be helpful and provide specific answers. Merchants don't monitor customer service interactions for compliance.

‍

Impact: Customer service responses create written records of medical advice. Customers may rely on this advice for health decisions. If outcomes are poor (product doesn't relieve pain as suggested), customers dispute charges or file complaints citing merchant's medical recommendations.

‍

Detection method: Request sample customer service tickets (random selection of 20-30 from past 90 days). Review for medical advice, condition-specific dosing, efficacy promises. Check for compliance training documentation and scripts prohibiting medical recommendations.

‍

‍

4. Inadequate State Restriction Enforcement (35% of Merchants)

‍

Issue: Merchants list shipping restrictions in policy but don't enforce technically.

Example:

• Shipping policy states: "We do not ship CBD products to Idaho or Nebraska per state law"
• Testing reveals: Website accepts orders with Idaho shipping addresses; order proceeds to fulfillment

‍

Why it's missed: Merchants assume updating policy language is sufficient. They don't implement technical controls (geoblocking, address validation) to enforce restrictions. E-commerce platforms default to "ship anywhere" unless explicitly configured otherwise.

‍

Impact: A single shipment to a prohibited state creates legal exposure. State authorities monitor inbound CBD shipments; packages are intercepted, leading to investigations. Merchants face state AG enforcement, fines, and potential criminal liability. Acquirers face association with regulatory violations.

‍

Detection method: VPN testing from prohibited states. Enter restricted shipping addresses at checkout. Verify error messages and order blocking. Request merchant's technical enforcement documentation (geolocation rules, address validation configuration, quarterly restriction updates).

‍

‍

5. Outdated or Missing Lab Reports (30% of Merchants)

‍

Issue: COAs are generic (not batch-specific), outdated (>12 months old), or unavailable.

Example findings:

• Merchant lists 15 products but provides only 3 COAs
• COA is dated January 2024 (now 24+ months old)
• COA shows different product name or CBD concentration than current listing
• Merchant claims "all products tested" but cannot produce documentation

‍

Why it's missed: Small merchants may not understand testing requirements or frequency. Testing is expensive ($200-500 per sample); merchants reduce costs by infrequent testing. Products change (formulation updates, new suppliers) but COAs aren't updated.

‍

Impact: Outdated COAs don't prove current product quality. CBD concentration degrades over time; year-old testing may not reflect current potency. Missing COAs suggest no testing occurred; product quality and safety are unverified. Customers who request COAs and receive outdated or mismatched documentation lose trust and dispute charges.

‍

Detection method: Request COAs for all products. Verify batch numbers, test dates, and concentration matches. Check lab accreditation. For products without COAs, request testing documentation or immediate testing commitment (merchant pays for third-party testing within 30 days as condition of approval).

‍

‍

6. Subscription Disclosure Failures (25% of Merchants)

‍

Issue: Merchants offer "Subscribe & Save" programs with inadequate disclosure of recurring charges, leading to high "unauthorized subscription" disputes.

Common problems:

• Checkbox for "subscribe and save 20%" is pre-checked (requires customer to opt-out)
• Subscription terms not clearly disclosed before purchase ("$39.99/month recurring" not visible until post-purchase confirmation)
• Difficult cancellation process (requires phone call, email to non-responsive address, or multi-step website process)
• No reminder email before recurring charge

‍

Regulatory requirement: FTC's Negative Option Rule requires clear, conspicuous disclosure of subscription terms before purchase, simple cancellation mechanism, and reminder notices before recurring charges.

‍

Impact: Subscription disputes are treated harshly by card networks. High subscription dispute rates (>1.0% of subscription charges) trigger monitoring programs and potential MID termination. Customers who feel deceived by hidden subscriptions file complaints with FTC and state AGs.

‍

Detection method: Test subscription purchase flow. Verify disclosure clarity (terms visible before payment). Attempt cancellation via all stated methods (website, email, phone). Review customer disputes for "unauthorized subscription" as stated reason. Check for reminder email automation.

‍

‍

‍

Claim Drift: Post-Approval Monitoring

CBD merchants may be compliant at onboarding but introduce prohibited claims weeks or months later. We recommend monitoring during a critical 90-day window and ongoing surveillance thereafter.

‍

‍

The 90-Day Claim Drift Window

‍

Days 1-30 (Baseline establishment):

• Verify initial marketing claims match onboarding documentation
• Capture baseline blog content (number of posts, topics, claim language)
• Document advertising channels and claim types
• Establish dispute rate baseline
• Monitor customer service interactions (sample 10-15 tickets for claim language)

‍

Days 31-60 (Pattern detection):

• Detect new blog posts or website content (monitor via RSS feeds or site change detection)
• Review any new advertising campaigns (request updates or monitor via ad transparency tools)
• Compare product descriptions to baseline (detect claim escalation)
• Track dispute reasons (watch for "product didn't work" or "not as described" increases)

‍

Days 61-90 (Drift assessment):

• Conduct comprehensive website re-crawl (compare to baseline for new content making prohibited claims)
• Review influencer and affiliate content (search for brand mentions, check for new partnerships)
• Assess dispute rate trajectory (if increasing, investigate causes)
• Make disposition: continue standard monitoring, flag for enhanced review, or conduct investigation

‍

After 90 days:

• Quarterly website compliance audits (blog content, product pages, advertising)
• Monthly dispute rate monitoring (alert if exceeds 1.5% for two consecutive months)
• Semi-annual affiliate content sampling (review top 20 affiliates)
• Annual policy review (ensure state restrictions updated, lab testing current, disclaimers present)

‍

‍

Common Drift Patterns

‍

Blog proliferation:

• Month 1: 5 blog posts, all educational ("What is CBD?", "How is CBD made?")
• Month 2: 10 new posts, introducing condition topics ("CBD and Wellness", "Understanding Cannabinoids")
• Month 3: 15 new posts, explicit health claims ("CBD for Anxiety", "How CBD Relieves Pain", "CBD Dosage Guide for Insomnia")

Progression: Educational → Wellness-focused → Condition-specific → Prohibited claims

‍

Influencer ramp-up:

• Month 1: No influencer partnerships
• Month 2: Partnership with 5 micro-influencers; content is general ("I love this CBD brand")
• Month 3: Partnership expands to 20 influencers; content includes medical testimonials ("CBD cured my anxiety", "No more pain meds thanks to CBD")

Progression: No influencers → General endorsements → Medical testimonials without compliance controls

‍

Ad claim escalation:

• Month 1: Google Ads for hemp topicals; conservative claims ("Natural hemp lotion")
• Month 2: Expanded to native advertising; wellness claims ("Support your wellness journey with CBD")
• Month 3: Programmatic display ads; disease claims ("CBD for pain relief", "Anxiety treatment alternative")

Progression: Compliant ads → Wellness language → Prohibited therapeutic claims

‍

‍

Automated Drift Detection

We implement automated monitoring to detect claim drift without manual review:

‍

Website change detection:

• Daily crawl of merchant sitemap
• Flag new URLs (new blog posts, product pages, landing pages)
• NLP analysis of new content for prohibited keywords
• Alert if Tier 1 red flag terms detected ("treats", "cures", "prevents disease")

‍

Social media monitoring:

• Daily search for brand mentions on Instagram, TikTok, Facebook, Twitter
• Filter for posts with affiliate links or product tags
• Flag posts with medical claim keywords
• Alert if merchant engages with (likes, comments, reposts) flagged content

‍

Dispute pattern analysis:

• Daily dispute feed from processor
• Track dispute reasons and rates
• Alert if "product didn't work" disputes exceed 25% of total disputes (suggests efficacy over-promise)
• Alert if dispute rate exceeds 1.8% for 7 consecutive days

‍

Advertising surveillance:

• Monitor Facebook Ad Library for merchant ads (if merchant claims no Facebook ads but ads appear, indicates policy violation)
• Google Ads Transparency Center for keyword targeting and claim language
• Native ad platforms (Taboola, Outbrain) for display ad creative

‍

‍

‍

Investigation Protocol

When drift signals or compliance gaps are detected, we follow a structured investigation to determine violation severity and required remediation.

‍

‍

Step 1: Evidence Collection (Timeline: 1-2 business days)

‍

Automated collection:

• Website crawl with timestamp (archives current state for comparison)
• Screenshot capture of all flagged pages
• Export of blog post content (full text extraction for analysis)
• Social media content capture (influencer posts, merchant replies, reposts)
• Advertising creative download (Google Ads, Facebook ads if accessible)

‍

Manual collection:

• Purchase transaction (test order to receive packaging, inserts, post-purchase emails)
• Customer service interaction (submit inquiry to observe response quality and claim language)
• COA request (email merchant requesting lab reports for all products)
• Affiliate content sampling (visit top 10 affiliate URLs, document claims)

‍

‍

Step 2: Claim Categorization (Timeline: 2-3 business days)

Organize identified claims into violation tiers:

‍

Tier 1 - Severe (immediate enforcement risk):

• Explicit disease treatment claims ("CBD treats cancer", "cures anxiety")
• Drug comparison claims ("CBD works better than prescription medications")
• Medical dosing advice for conditions ("Take 50mg for chronic pain")
• Encouragement to discontinue prescription medications ("Stop taking your anxiety meds and try CBD")

‍

Tier 2 - Moderate (regulatory gray area, high risk):

• Unsubstantiated efficacy claims ("clinically proven to reduce stress" without studies)
• Structure/function claims without adequate substantiation ("supports immune health" without evidence)
• Therapeutic language that approaches disease claims ("helps with sleep issues", "provides pain relief")
• Customer testimonials making medical claims without prominent disclaimers

‍

Tier 3 - Low (best practices violations, lower risk):

• Missing disclaimers ("not FDA evaluated" absent from product pages)
• Vague wellness claims without context ("promotes wellness", "supports balance")
• Lab testing gaps (some products lack current COAs)
• Shipping restriction enforcement issues (technical controls not implemented)

‍

‍

Step 3: Merchant Outreach (Timeline: 5 business days)

‍

For Tier 1 violations:

• Immediate outreach via phone and email
• Provide specific claim examples and citation of relevant regulations (FD&C Act, FTC Act)
• Request immediate corrective action (claim removal within 24-48 hours)
• Require written remediation plan addressing all flagged content

‍

For Tier 2 violations:

• Email outreach with detailed findings report
• Request corrective action within 7 business days
• Require substantiation documentation (clinical studies, research citations) for any claims merchant wishes to maintain
• Request compliance plan (how merchant will prevent future violations)

‍

For Tier 3 violations:

• Email with best practices recommendations
• Request updates within 14 business days (less urgent timeline)
• Offer compliance resources (FDA guidance links, claim templates, industry best practices)

‍

‍

Step 4: Remediation Verification (Timeline: Varies by tier)

‍

Tier 1:

• Daily monitoring of merchant website for claim removal
• Re-crawl flagged pages to confirm prohibited content removed
• Verify social media posts edited or deleted
• Confirm influencer content corrected or disclaimers added
• If merchant non-responsive or refuses remediation within 48 hours: recommend account restriction (processing hold pending compliance)

‍

Tier 2:

• Weekly monitoring during remediation window
• Review substantiation documentation provided by merchant (evaluate quality of studies, applicability to product)
• Verify claim modifications (e.g., "clinically proven" changed to "preliminary research suggests")
• If merchant provides inadequate substantiation: require claim removal as alternative to account restriction

‍

Tier 3:

• Monitor at end of 14-day window
• Verify updates made (disclaimers added, lab reports uploaded, shipping controls implemented)
• If merchant non-compliant: escalate to enhanced monitoring tier (more frequent reviews, elevated reserves if risk warrants)

‍

‍

Step 5: Disposition and Ongoing Monitoring

‍

Merchant complies:

• Document remediation actions taken
• Elevate to enhanced monitoring tier (monthly website audits for 6 months)
• Re-assess after 90 days; if no new violations, return to standard monitoring

‍

Merchant refuses or slow to remediate:

• Escalate to risk committee for account review
• Options: processing restrictions (limits on volume or transaction count), elevated reserves (20-30% vs. standard 10%), suspension pending full compliance, termination

‍

Merchant has FDA/FTC enforcement action:

• Immediate processing hold
• Request merchant legal response to enforcement agency
• Require third-party compliance audit (merchant pays for external legal/regulatory review)
• Termination likely unless merchant demonstrates full remediation and regulatory resolution

‍

‍

‍

Implementation Roadmap

For acquirers and PSPs onboarding CBD merchants, we recommend this phased implementation:

‍

‍

Phase 1: Enhanced Underwriting (Month 1-2)

Objective: Upgrade initial merchant review to include claims assessment.

‍

Actions:

• [ ] Add claims review to underwriting checklist (product pages, blog content, advertising)
• [ ] Train underwriters on CBD compliance basics (FD&C Act, FTC Act, FDA position on CBD)
• [ ] Implement NLP-based claim detection (automated scanning of merchant websites)
• [ ] Require COA submission for all products during application
• [ ] Test geoblocking and shipping restrictions during underwriting (VPN simulation)
• [ ] Verify affiliate and influencer compliance policies (request written agreements)

‍

Deliverables:

• Updated underwriting procedures document
• Claim detection tool integrated into workflow
• Underwriter training completion (100% of team)

‍

Timeline: 6-8 weeks for tool implementation and training

‍

‍

Phase 2: Ongoing Monitoring Infrastructure (Month 3-4)

Objective: Build continuous surveillance capabilities for claim drift.

‍

Actions:

• [ ] Deploy website change detection (daily crawls, new content flagging)
• [ ] Implement social media monitoring (brand mentions, influencer content)
• [ ] Configure dispute rate alerts (threshold-based notifications)
• [ ] Build merchant self-service compliance dashboard (merchants can access compliance status, flagged content, remediation requirements)
• [ ] Establish investigation workflow (case assignment, evidence collection, merchant outreach, remediation tracking)

‍

Deliverables:

• Automated monitoring platform live for all CBD merchants
• Investigation playbook and case management system
• Merchant-facing compliance portal

‍

Timeline: 8-10 weeks for platform development and testing

‍

‍

Phase 3: Proactive Compliance Program (Month 5-6)

Objective: Help merchants maintain compliance through education and resources.

‍

Actions:

• [ ] Create merchant compliance resource center (guides on permissible claims, state restrictions, lab testing requirements)
• [ ] Host quarterly compliance webinars for CBD merchant portfolio
• [ ] Provide claim template library (example product descriptions, blog topics, advertising copy that are compliant)
• [ ] Offer proactive compliance audits (merchant can request review before launching new content or campaigns)
• [ ] Build state law change notification system (automatic alerts when CBD regulations change in any jurisdiction)

‍

Deliverables:

• Merchant resource portal with guides, templates, training videos
• Quarterly webinar series scheduled
• Proactive audit service launched

‍

Timeline: 6-8 weeks for content development and portal build

‍

‍

Phase 4: Portfolio Optimization (Month 7+)

Objective: Continuously improve portfolio quality and reduce risk exposure.

‍

Actions:

• [ ] Segment portfolio by risk tier (low, medium, high based on compliance scoring)
• [ ] Implement differentiated pricing and reserves (lower rates/reserves for low-risk, higher for high-risk)
• [ ] Conduct annual portfolio review (identify persistently non-compliant merchants for termination)
• [ ] Benchmark portfolio metrics (dispute rates, claim violation rates, remediation success) against industry standards
• [ ] Refine underwriting criteria based on performance data (if certain merchant characteristics predict compliance issues, tighten underwriting)

‍

Deliverables:

• Risk-tiered portfolio with differentiated economics
• Annual portfolio review completed
• Underwriting criteria updated based on data

‍

Timeline: Ongoing

‍

‍

‍

Key Metrics to Track

‍

Claim compliance metrics:

‍

• Claim violation detection rate: % of merchants with at least one claim violation detected post-onboarding

• Industry benchmark: 40-60% of CBD merchants have some claim violation within first year
• Target: <30% through enhanced underwriting and merchant education

• Remediation success rate: % of merchants who successfully remediate claim violations within required timeframe

• Industry benchmark: 60-70% compliance rate
• Target: >85% through clear guidance and merchant support

• Repeat violation rate: % of merchants with claim violations in multiple review periods (indicating persistent non-compliance)

• Industry benchmark: 20-30% of merchants have repeat violations
• Target: <15%

‍

Operational metrics:

‍

• Dispute rate (CBD portfolio): Total disputes / total transactions for CBD merchants

• Industry benchmark: 1.2-1.8% for CBD
• Target: <1.5%

• "Product didn't work" dispute rate: Disputes citing lack of efficacy / total disputes

• Industry benchmark: 30-40% of CBD disputes
• Target: <25% (suggests claim over-promising reduced)

• State shipping violation rate: Shipments to prohibited states / total shipments

• Industry benchmark: 0.5-1.0% (mostly errors)
• Target: <0.1%

‍

Portfolio health metrics:

‍

• MID termination rate: CBD merchant terminations / total CBD merchant accounts

• Benchmark: 8-12% annual termination rate for CBD
• Target: <5%

• FDA/FTC enforcement exposure: Merchants with warning letters or investigations / total CBD merchants

• Benchmark: 1-2% of merchants face enforcement annually
• Target: <0.5%

‍

Efficiency metrics:

‍

• Average investigation time: Days from violation detection to disposition

• Target: <10 business days

• Underwriting review time: Days from application to approval/decline for CBD merchants

• Target: <5 business days (competitive "speed to yes" with enhanced review)

‍

‍

‍

Closing Question

‍

Do you review marketing claims or only the catalog?

If your onboarding process verifies product THC levels and lab reports but doesn't audit blog posts, advertising copy, email campaigns, influencer partnerships, and customer service interactions, you're evaluating half the risk profile.

‍

The product may be compliant. The merchant may have legitimate business intentions. But if their marketing promises disease treatment, their influencers claim medical miracles, or their customer service provides dosing advice for health conditions, regulatory enforcement will find the acquirer equally exposed.

‍

We recommend risk teams ask:

• Where else is this merchant making claims? (Beyond product pages: blogs, ads, emails, affiliates)
• How do they control third-party content? (Influencers, affiliates, user reviews)
• What happens when claims drift post-approval? (Monitoring systems, investigation protocols, remediation processes)
• Do they understand the rules, or are they guessing? (Compliance training, legal review, substantiation for claims)

‍

CBD risk is not static. It evolves as merchants test messaging, launch campaigns, and expand distribution. The question is not whether the merchant is compliant today, but whether they will remain compliant tomorrow.

‍

‍

‍

How Ballerine Supports CBD Claims Monitoring

We provide the infrastructure to make CBD compliance manageable, scalable, and proactive:

‍

Automated claim detection:

• Natural language processing scans merchant websites, blogs, social media, and advertising for prohibited claim types
• Tier-based flagging system (severe, moderate, low risk) prioritizes investigation resources
• Daily monitoring detects new content and claim drift within 24 hours of publication
• Pattern recognition identifies claim escalation trends (merchant moving from wellness language to disease claims over time)

‍

Multi-jurisdiction compliance tracking:

• Real-time monitoring of CBD regulations across all 50 states plus international markets
• Automatic alerts when state laws change affecting merchant shipping, labeling, or product requirements
• Jurisdiction-specific compliance checklists (California Prop 65, New York DFS labeling, etc.)
• Geoblocking verification testing (automated simulation of orders from prohibited states)

‍

Lab report validation:

• Automated COA collection and verification (batch number matching, test date currency, accreditation checks)
• THC concentration verification against federal 0.3% threshold
• Contaminant testing completeness review (heavy metals, pesticides, microbials, solvents)
• COA public accessibility verification (QR code functionality, website link validation)

‍

Affiliate and influencer surveillance:

• Social media monitoring for brand mentions, product tags, and affiliate links
• Influencer content claim analysis (detect medical testimonials and prohibited language)
• Merchant engagement tracking (flags when merchant amplifies non-compliant influencer content)
• Affiliate URL crawling and claim detection across distributed affiliate network

‍

Continuous website monitoring:

• Daily sitemap crawls detect new pages, blog posts, product listings, advertising campaigns
• Content change detection alerts to modifications of existing pages (product descriptions updated, disclaimers removed)
• Advertising channel verification (detect merchant ads on prohibited platforms like Facebook, TikTok)
• Customer review moderation alerts (flag user-generated content making medical claims)

‍

Case management and remediation workflow:

• Automated case creation when violations detected (evidence captured, merchant notified)
• Remediation tracking with deadlines and escalation (Tier 1: 48 hours, Tier 2: 7 days, Tier 3: 14 days)
• Merchant communication templates (violation notices, remediation guidance, compliance resources)
• Verification tools confirm remediation completed (re-crawl pages, validate claim removal)

‍

Merchant compliance portal:

• Self-service dashboard showing compliance status, flagged content, required actions
• Access to claim template library, compliance guides, and state law summaries
• Proactive audit request functionality (merchant can submit new content for pre-launch review)
• State law change notifications (automatic alerts for jurisdictions where merchant operates)

‍

This transforms CBD merchant underwriting from periodic manual reviews into continuous, automated compliance assurance. Risk teams can onboard CBD merchants with confidence, knowing both product quality and marketing claims are actively monitored across all channels.

‍

‍