From DSCSA Deadlines to FDA Warning Letters: What Pharma Trading Partners Need to Do Now

This article recaps FDA DSCSA enforcement developments in the US pharmaceutical supply chain from 2023 to 2026, with a focus on the first publicly available DSCSA dispenser warning letter and the Sterling Distributors wholesaler case. It explains what went wrong, why Authorized Trading Partner checks and VRS readiness matter now as FDA waivers and exemptions continue to narrow, who is affected, when the remaining deadline applies, and how companies can strengthen DSCSA compliance. It also introduces Spherity CARO, a DSCSA master data hub for ATP verification, license checks, and audit-ready compliance workflows.

DSCSA Enforcement Recap: From Stabilization To Accountability

Over the last 2–3 years, FDA’s DSCSA enforcement posture has shifted from implementation support to targeted accountability.

The enhanced drug distribution security requirements went into effect on November 27, 2023, but FDA provided a one-year stabilization period through November 27, 2024 to give the pharmaceutical supply chain more time to implement, troubleshoot, and mature interoperable electronic systems.

FDA then introduced phased exemptions beyond the stabilization period. Manufacturers and repackagers had an exemption until May 27, 2025; wholesale distributors until August 27, 2025; dispensers with 26 or more full-time employees until November 27, 2025; and eligible small dispensers until November 27, 2026. In addition, individual companies could apply for Waivers, Exceptions, and Exemptions (WEEs) beyond those deadlines. 

FDA stated on its Waivers and Exemptions Beyond the Stabilization Period page that the exemptions were intended to support continued DSCSA implementation without disrupting patient access. For health systems, pharmacy chains, and other dispensers that received or relied on time-limited relief, the expiration of waivers and exemptions turns DSCSA from a planning topic into an operational readiness test.

The takeaway is simple: DSCSA was not postponed indefinitely. FDA gave the industry time to stabilize, then began narrowing relief by trading partner type while continuing inspections and enforcement activity.

What Does A DSCSA Warning Letter Signify? 

A DSCSA warning letter is a formal FDA enforcement action stating that the agency has identified significant violations of DSCSA-related requirements under the Federal Food, Drug, and Cosmetic Act (FD&C Act). In some cases, DSCSA warning letters might even follow FDA inspections where observations are first documented on Form FDA 483, giving companies an early signal that FDA has identified potential compliance gaps requiring corrective action.

For pharmaceutical trading partners, a warning letter signals that FDA expects prompt corrective action and supporting evidence. In recent DSCSA warning letters, FDA has focused on issues such as Authorized Trading Partner (ATP) status, product identifiers, transaction information, transaction statements, verification systems, suspect or illegitimate product procedures, licensing, and recordkeeping.

For the industry, the message is clear: DSCSA compliance is no longer a theoretical future requirement. It is already an inspection and enforcement topic.

Sterling Distributors: The Wholesaler Warning Letter That Raised The Stakes

The Sterling Distributors warning letter dated June 2025 is a clear example of FDA scrutiny of wholesale distributor DSCSA obligations, including licensure, product tracing, verification, and ATP controls.

FDA cited Sterling for several issues, including alleged wholesale distribution without appropriate state licensure, transactions with an unauthorized trading partner, failure to respond to regulator requests, gaps in suspect or illegitimate product investigations, incomplete transaction information and transaction statements, and inadequate verification systems and SOPs.

The key ATP lesson: FDA stated that Sterling could not demonstrate it had verified a direct trading partner’s licensure or reporting status. For wholesalers, ATP verification is not just an onboarding formality. It is a core DSCSA control tied to procurement, quality, serialization, investigations, and regulator response.

Pure Indulgence Aesthetics: FDA’s First DSCSA Warning Letter Targeting A Dispenser

The Pure Indulgence Aesthetics case is different from Sterling because it focused on dispenser obligations. FDA stated that Pure Indulgence operated as a “dispenser” under DSCSA because the statute includes persons authorized to dispense or administer human prescription drugs.

That distinction matters. Sterling shows FDA’s scrutiny of wholesale distributor obligations. Pure Indulgence shows that DSCSA enforcement can also reach downstream healthcare entities that dispense or administer covered prescription drugs.

FDA had issued an FDA 483 Form before eventually escalating to a warning letter in April 2026 that cited Pure Indulgence for being unable to demonstrate compliance with the requirement to conduct transactions only with ATPs. FDA also cited the firm for engaging in transactions involving products that lacked a required product identifier.

For pharmacies, health systems, clinics, med spas, physician practices, and other dispensing organizations, the message is direct: DSCSA risk does not stop at the warehouse door. If an organization handles covered prescription drugs, it may need to prove that products were sourced through ATPs and carried required identifiers.

Why does the first DSCSA dispenser warning letter matter?

The Pure Indulgence warning letter matters because it expands the practical enforcement conversation beyond manufacturers, repackagers, 3PLs, and wholesale distributors.

Many downstream healthcare organizations have historically viewed DSCSA as a supply chain or serialization issue. But FDA’s dispenser-focused enforcement shows that DSCSA also touches sourcing decisions, supplier controls, product identifier checks, transaction documentation, and dispensing records.

For dispensers, the question is not only “Did we buy from a familiar supplier?” The question is: Can we prove that the supplier was an authorized trading partner, that the product was properly identified, and that the records support the transaction?

That is why ATP verification, master data governance, and auditable compliance workflows are becoming critical for dispensers as well as wholesalers.

What Are Common Reasons for Receiving A DSCSA Warning Letter?

Recent FDA warning letters point to recurring DSCSA compliance weaknesses across the pharmaceutical supply chain. Common issues include:

• Failure to verify ATP status

• Transactions with unauthorized partners

• Missing or incomplete transaction information

• Inadequate product identifier verification

• Weak suspect or illegitimate product procedures

• Failure to respond to regulator requests

• Licensing gaps

• Product transactions involving packages without required DSCSA identifiers

In practice, many findings are not just isolated mistakes. They often reveal broader control failures: trading partner data is incomplete, license checks are manual, VRS workflows are disconnected from ATP status, and audit evidence is scattered across spreadsheets, emails, and portals.

Spherity has previously discussed similar themes in its DSCSA implementation blog, including ATP failures, product verification gaps, and suspect product investigation record issues. This is why DSCSA compliance increasingly requires automated, interoperable, and evidence-ready systems.

Why Should Dispensers and Wholesalers Act Now?

They need to act now because FDA’s phased relief is ending, and the remaining exemption window is narrow.

The broad exemption periods for manufacturers, repackagers, wholesale distributors, and large dispensers have already passed in sequence. The key remaining date is November 27, 2026 for eligible small dispensers.

But small dispensers should not treat that date as a reason to wait, and larger dispensers should not assume that WEE relief removes operational pressure. DSCSA readiness requires supplier verification, license checks, master data cleanup, VRS readiness, SOP alignment, exception handling, and audit evidence.

For large dispensers and wholesalers, the message is even more urgent: FDA warning letters show that DSCSA compliance is already being enforced through inspections, regulator requests, and review of operational records.

What Are the Penalties for Non-Compliance with DSCSA?

Failure to comply with DSCSA requirements can be treated as a prohibited act under the FD&C Act. FDA warning letters may also state that failure to promptly correct violations can result in legal action, including seizure and injunction, without further notice.

The business consequences can also be significant: disrupted product flows, delayed shipments, failed trading partner onboarding, friction with dropship partners and customers, reputational damage, additional inspections, and increased scrutiny from regulators and supply chain partners.

For regulated companies, DSCSA non-compliance is not only a quality or IT issue. It is a commercial continuity risk.

Several WEEs have already expired and with drugs worth millions on the road, manufacturers are feeling the increased scrutiny from wholesalers. The need for compliance ripples up and down the supply chain.

How Frequently Must Supplier Licenses Be Checked To Maintain ATP Status?

DSCSA requires trading partners to transact only with ATPs. A one-time supplier check is not enough when license status, location data, ownership, trading partner roles, and reporting information can change anytime throughout the year.

A sensible approach is to verify ATP status during onboarding, before high-risk transactions, when master data changes, when licenses are renewed, when an entity changes role or location, and when VRS, tracing, quality, or procurement exceptions arise.

A practical approach is to leverage automation that runs ATP checks on trigger or simply by default. Manual reviews may work for a small supplier base and with sufficient staff time and expertise, but they do not scale across a national pharmaceutical network with thousands of trading partner relationships, locations, licenses, and system records.

For a deeper look at why ATP checks are a foundational DSCSA requirement, read Spherity’s article.

Why Is VRS Important For DSCSA Compliance?

The Verification Router Service, or VRS, supports interoperable product identifier verification by routing verification requests and responses between pharmaceutical trading partners and manufacturer or repackager repositories.

VRS is especially important because DSCSA compliance depends on both product trust and trading partner trust. The product identifier helps verify the package. ATP credentials help verify whether the requester or responder is an authorized trading partner.

VRS should be seen as a practical compliance tool, not just a technical routing mechanism. When connected with ATP credentialing and reliable master data, VRS can support product verification while helping organizations ensure that verification requests and responses occur between trusted, authorized trading partners. This is the compliance gap Spherity CARO is designed to help close.

Read more on how to evaluate DSCSA ATP credential adoption here.

Use VRS now: Verification Should Be Part of Daily DSCSA Operations

VRS should not be treated as an emergency-only tool. Pharmacies, dispensers, and wholesalers can use it to verify product identifiers, investigate scan failures, and support faster decisions when product legitimacy is questioned. Drug Topics described VRS as a powerful tool when a barcode fails to scan correctly, allowing pharmacy staff to check product information with the manufacturer, and also emphasized documenting DSCSA processes and knowing how to access DSCSA data.

VRS helps answer: Is this product identifier valid? ATP credentialing helps answer: Is this trading partner authorized and trusted? Together, they create a trusted verification layer that connects product identity with trading partner authorization.

What Software Solutions Help Reduce DSCSA Warning Letter Risk? 

No software can guarantee that a company will never receive an FDA warning letter. But DSCSA compliance software can reduce risk by automating controls that are difficult to manage manually. Operating a compliance package also demonstrates to the regulator that the company is taking serious steps to protect the supply chain and patients.   

The most relevant capabilities include ATP verification, digital credentialing, license checks, VRS integration, trading partner master data management, audit logs, product verification support, and exception workflows.

Spherity’s DSCSA compliance software, CARO, is designed for this DSCSA operating reality. CARO helps companies authenticate direct and indirect ATPs, verify licenses, manage golden master data, and connect ATP credentials with VRS, tracing, ERP, and compliance systems. Read more about our DSCSA compliance software here.

Spherity’s DSCSA Compliance Software As A DSCSA Master Data Hub for ATP and VRS Readiness

Spherity CARO helps pharmaceutical companies move from manual DSCSA evidence collection to automated trust infrastructure.

It supports DSCSA compliance by helping organizations verify trading partner identity, monitor ATP credentials, check license status, maintain golden master data records, and integrate with VRS and tracing workflows.

This is especially relevant for DSCSA enforcement because many warning letter themes are, at their core, data and evidence problems:

1. Who was the trading partner?

2. Were they authorized?

3. Which license applied?

4. Which location was involved?

5. Was the product identifier verified?

6. Could the company retrieve the evidence?

Spherity CARO is built to help answer those questions with auditable, system-based proof.

What Makes Spherity’s DSCSA Software Solution Different From Manual Supplier Checks?

Manual supplier checks are reactive and difficult to scale. They often depend on spreadsheets, emails, static screenshots, or one-time onboarding files. They might introduce a single point of failure when there is only one staff member who knows how to perform all required checks.

Spherity CARO supports a more scalable model. It helps organizations maintain verified trading partner records, monitor credentials, manage license data, reduce duplicate or polluted master data, and support ATP-aware workflows across DSCSA systems. Automated workflows reduce the  maintenance effort of a compliance program and hand-overs between staff are easier to manage.

That distinction matters in an FDA inspection, PBM or trading partner dispute. The question is not simply whether a company has supplier data somewhere. The question is whether the company can prove that its trading partner controls worked when they were needed.

Besides, state boards are already using VRS technology for inspections. Using similar software for one’s compliance program is bound to give a leg up should any inspector ever come knocking. 

ATP Credentialing Strengthens VRS and Product Verification

ATP credentialing adds a trusted identity layer to DSCSA workflows. It helps trading partners confirm that the party requesting or responding to product verification is authorized under DSCSA.

This matters because VRS is not just about routing a product identifier request. It is about enabling trusted, auditable interaction between authorized supply chain entities.

Without reliable ATP data, VRS workflows can create operational friction, manual exceptions, and uncertainty around whether a requester or responder should be trusted. More about DSCSA ATP verification in pharma supply chains here.

What Should DSCSA Trading Partners Do Now?

Companies should use the latest FDA enforcement activity as a prompt to strengthen the controls most likely to be tested.

A practical DSCSA readiness checklist includes:

1. Verify direct and indirect trading partner ATP status.

2. Check license and location data against authoritative sources.

3. Clean up trading partner master data, including GLNs and addresses.

4. Confirm VRS workflows are connected to trusted identity and ATP credentials.

5. Test product identifier verification and exception workflows.

6. Review SOPs for DSCSA roles, responsibilities, and escalation paths.

7. Make audit evidence easily retrievable.

8. Use VRS tools as part of routine product verification and document how verification exceptions are handled.

The most resilient organizations will not treat DSCSA as a serialization-only requirement. They will treat it as a trust network challenge involving product identity, organizational identity, license status, master data, and interoperable verification. For a deeper look at how CARO supports these workflows, read Spherity’s article on CARO’s next chapter in DSCSA compliance as a service.

More About Spherity’s Role in DSCSA Compliance Automation

Spherity Inc. is a global pioneer in digital identity software, helping enterprises create secure identity integrations for organizations, machines, products, data, and algorithms. Leveraging self-sovereign identity and verifiable credentials, Spherity streamlines compliance with data protection and security regulations.

For DSCSA, Spherity offers CARO, a Drummond-certified ATP credentialing and master data solution. Spherity CARO automates identity and license verification, supports golden master data records, and integrates ATP credentials with VRS, tracing, ERP, and compliance systems.

Spherity’s ATP credentialing solution for the DSCSA compliance won the HDA Distribution Management Award for strengthening the security of the US pharmaceutical supply chain. As FDA enforcement moves from stabilization to accountability, Spherity helps manufacturers, repackagers, wholesalers, 3PLs, dispensers, and solution providers prove that they are authorized, connected, and trusted.

Prepare before the next inspection, trading partner request, or DSCSA deadline. Explore how our DSCSA compliance software enables automated ATP checks, license verification, VRS-ready credentials, and audit-ready DSCSA master data: https://www.spherity.com/caro