All posts
aml-programtranche-2real-estateaustraccompliance-2026cddscreening

The 5 components of an AML/CTF program: plain English for real estate agents

Every real estate agent in scope for AUSTRAC Tranche 2 needs an AML/CTF program with five specific components. This post explains what each one is, what AUSTRAC expects to see, and how to build it without a compliance consultant.

By AML Simple Team

The 5 components of an AML/CTF program: plain English for real estate agents

Quick answer

An AML/CTF program for a real estate agency has five required components under AUSTRAC guidance: a risk assessment, CDD policies, staff training procedures, an independent review process, and ongoing monitoring and reporting obligations. Each must reflect your specific agency - generic templates are not compliant. AML Simple's Program Generator covers all five in around 15 minutes.

The fastest path to having all five in place: sign up at AML Simple and run through the AML/CTF Program Generator. The wizard asks the right questions about your agency and produces a program covering all five components, consistent with AUSTRAC's own Program Starter Kit structure. Around 15 minutes.

Want to understand what you are building first? Here is what each component involves.

General information only. This article describes regulatory requirements under the AML/CTF Act 2006 (as amended) and AUSTRAC guidance. It is not legal or compliance advice. For guidance specific to your agency, consult a qualified AML/CTF compliance professional. Information current as of June 2026 - confirm with AUSTRAC for binding guidance.


Why your program needs these five components

An AML/CTF program is not a policy document that sits in a drawer. It is the set of controls, procedures, and risk assessments that demonstrate your agency has thought systematically about money laundering and terrorism financing risk - and has measures in place to manage it.

Under the AML/CTF Act 2006, every reporting entity must develop, maintain, and comply with an AML/CTF program before providing a designated service. AUSTRAC's Real Estate Program Starter Kit structures that program around five core areas. Each addresses a different dimension of the compliance obligation.

AUSTRAC is explicit that generic or template-only programs are not sufficient. Every component must reflect your specific agency - your services, your clients, your risk profile.


Component 1: ML/TF risk assessment

What it is

The risk assessment is the foundation of your entire program. It is a structured analysis of the money laundering, terrorism financing, and proliferation financing risks that are specific to your agency.

"Risk" in this context means: given what your agency does, who your clients are, and how transactions flow through your business, what is the likelihood and potential impact of your agency being used to launder money or finance terrorism?

What AUSTRAC expects to see

  • An assessment of your agency's inherent risk (before controls) across the services you provide
  • A consideration of client types and the risk they represent
  • A consideration of geographic factors (e.g., high-value markets, cross-border buyers)
  • An assessment of delivery channels (in-person vs remote onboarding)
  • Your residual risk after controls are applied
  • Evidence that the assessment was done with reference to AUSTRAC guidance, not just hypothetically

What it is NOT

The risk assessment is not a form you fill in once and forget. It is a living analysis that should be reviewed when your business changes, when AUSTRAC updates guidance, or at least annually.

Common mistakes

The most common failure is writing a risk assessment that describes the real estate sector in general without addressing the specific agency. A five-person residential sales agency in suburban Melbourne has a different risk profile to a commercial agency handling high-value CBD transactions. AUSTRAC wants to see your risk, not industry risk.


Component 2: customer due diligence (CDD) policies and procedures

What it is

CDD is the process of knowing who your clients are, understanding the nature of their transactions, and assessing the risk they represent. Your program needs written policies and procedures covering how your agency conducts CDD.

What AUSTRAC expects to see

  • A clear policy on when CDD is required (before or at the time of providing a designated service)
  • The standard CDD process - what you collect and verify (name, date of birth, residential address, identity documents)
  • A process for enhanced CDD - when you go deeper (higher-risk clients, complex transactions, PEPs)
  • A process for ongoing monitoring - not just checking once at the start but reviewing client information as transactions progress
  • Procedures for when you cannot complete CDD - what happens when a client will not cooperate

Your procedures need to be practical. "Staff will conduct CDD" is not a procedure. "Staff will collect two forms of ID (primary and secondary) from each new client before the first inspection appointment and record this in the client file using the CDD checklist" is a procedure.

A note on source of funds

Source of funds - understanding where the money for a transaction is coming from - is part of CDD. Your procedures should address when and how staff collect source of funds information, what documentation is acceptable, and how to handle situations where the explanation is unsatisfactory. For a detailed explanation, see our post on source of funds in real estate AML.


Component 3: staff training procedures

What it is

AML/CTF training for staff who provide or are involved in providing designated services. Your program needs to document how training is delivered, who receives it, and how often.

What AUSTRAC expects to see

  • A policy on who must complete training (typically all staff involved in designated services)
  • What training covers (at minimum: what ML/TF looks like in real estate, red flags, how to escalate concerns, what to do if you suspect something)
  • How training is delivered (in-person, online, written materials - all acceptable)
  • Records of who completed training and when
  • A commitment to refresher training when obligations change or when awareness gaps are identified

What it does NOT need to be

Training does not need to be delivered by an external provider. In-house training that covers the key concepts is sufficient for most small agencies. A 30-minute walkthrough of your compliance procedures, followed by a signed confirmation from each staff member, satisfies the requirement.

Common mistakes

The most common failure is treating training as a one-time event. Initial training before staff begin providing designated services is the minimum - ongoing training as your procedures evolve is expected.


Component 4: independent review procedures

What it is

An independent review is a periodic check that your AML/CTF program is operating effectively and that your compliance controls are working as intended. It is independent because it should not be done solely by the person responsible for compliance - there needs to be a separate perspective.

What AUSTRAC expects to see

  • A commitment to periodic independent review (at least annually for most agencies, more frequently if the risk level warrants it)
  • A process for who conducts the review (an external consultant, a senior manager who is not the compliance officer, or another person who can review objectively)
  • What the review covers (testing CDD processes, checking records, reviewing training completion, assessing whether the risk assessment is still current)
  • How findings are reported to senior management
  • A process for addressing findings

Practical guidance for small agencies

For a small agency, "independent review" does not necessarily mean hiring an external auditor. A review conducted by the principal (if they are not the day-to-day compliance officer) or by a trusted colleague who understands the obligations can satisfy the requirement. The key is independence - the reviewer should not be reviewing their own work.

If your agency does use an external reviewer, make sure the engagement is documented and the findings are recorded.


Component 5: ongoing monitoring and reporting obligations

What it is

This component covers the ongoing activities that keep your compliance program running after the initial setup. It includes monitoring transactions and client relationships over time, and meeting your reporting obligations to AUSTRAC.

What AUSTRAC expects to see

  • A process for ongoing monitoring of client relationships and transactions - not just checking in at the start
  • Procedures for identifying suspicious matters and escalating them
  • A clear process for lodging suspicious matter reports (SMRs) when required
  • Procedures for threshold transaction reports (TTRs) if applicable
  • Records of all reporting activity
  • Procedures for keeping your program and risk assessment up to date as your business and the regulatory environment change

The suspicious matter report (SMR) obligation

An SMR is a report to AUSTRAC that you have encountered a matter that gives rise to a suspicion of money laundering or terrorism financing. You must lodge an SMR as soon as practicable after forming a suspicion - this is not a discretionary judgment about whether to report. If you have a suspicion, the obligation to report follows.

Tipping off is prohibited. If you have lodged or are planning to lodge an SMR, you cannot tell the client. This is a legal requirement under the AML/CTF Act 2006.

Your program must document your SMR procedures so staff know exactly what to do if they encounter a suspicious matter.


How the components fit together

The five components are not independent silos. They work as a system:

  • The risk assessment tells you where your risks are highest
  • CDD procedures are calibrated to those risks - standard CDD for lower-risk, enhanced for higher-risk
  • Training ensures staff understand both the procedures and the reasoning behind them
  • Independent review checks that the procedures are being followed and still fit the risk profile
  • Ongoing monitoring ensures the whole system stays current and that suspicious matters are reported

A program that has all five components, genuinely reflects your agency, and is actually being followed is what AUSTRAC expects. Not a perfect document, but an honest and practical one.


Building all five components without a consultant

For most small residential sales agencies, the AUSTRAC Program Starter Kit provides the structural framework and AML Simple provides the fastest implementation path.

The AML/CTF Program Generator in AML Simple walks through each of the five components as a structured wizard. It asks the right questions about your agency's services, client types, risk factors, and existing controls. The output is a written program document that covers all five components, is specific to your agency, and is consistent with the structure AUSTRAC recommends.

The process takes around 15 minutes. After that, senior management review and sign-off is the final step before your program is in place.

Start your AML program at AML Simple

For the full picture of what your AML program needs to contain, read our complete AML program guide.

For the full picture of what Tranche 2 means for your agency, read our AUSTRAC Tranche 2 complete guide.


Frequently asked questions

Does my program need to cover all 5 components even if my agency is very small?

Yes. The five-component structure applies to all reporting entities regardless of size. What changes for small agencies is the depth and complexity of each component - a one-person operation has a simpler risk profile than a 50-person agency, and the program should reflect that. Proportionate, not absent.

Can I use a template program?

AUSTRAC explicitly states that generic template programs are not compliant. A template can give you a starting structure, but every section must be adapted to your specific agency. The AML Simple Program Generator produces a program customised to your agency's answers - it is not a static template.

How long should my program document be?

There is no mandated length. A well-structured program for a small residential agency is typically 5-15 pages. The goal is clarity and completeness, not volume. A 5-page document that accurately describes your agency's risk and controls is better than a 50-page document that is mostly irrelevant boilerplate.

Does the program need to be reviewed every year?

The Act requires that you maintain and comply with your program on an ongoing basis, which implies regular review. AUSTRAC guidance refers to periodic independent review - for most agencies, annually is appropriate. Review is also triggered when your business changes materially (new services, new markets) or when AUSTRAC updates its guidance.

What if my risk assessment identifies a high-risk area? Do I have to disclose that to AUSTRAC?

Your risk assessment is an internal document used to design your compliance controls. You do not automatically share it with AUSTRAC. However, AUSTRAC can request to review your program (including the risk assessment) as part of a compliance review, so it needs to be accurate and complete. Having identified a high-risk area and put controls in place to address it is exactly what AUSTRAC wants to see - it shows the system is working.

We use cookies for advertising measurement. See our Privacy Policy.