All posts
aml-programhow-tocompliance

5 steps to building your agency's AML/CTF program

A practical framework for Australian real estate agency principals who need to build their AML/CTF program before the 1 July 2026 deadline.

By AML Simple Team

5 steps to building your agency's AML/CTF program

From 1 July 2026, every Australian real estate agency that brokers property sales must have an AML/CTF program in place. The good news: AUSTRAC has published a free Program Starter Kit designed specifically for small agencies. The less good news: most principals don't know where to start.

This post explains what the legislation actually requires — broken into five clear steps — so you have a practical framework to work from.

Important: This post describes what the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the Act) and AUSTRAC guidance require. It is not compliance advice and does not replace professional guidance specific to your agency's circumstances. Every agency's obligations may differ depending on their business structure, size, and the services they provide. If you need tailored advice, speak with a qualified AML/CTF compliance professional — or consider our Expert Advice service.

Before you start: enrol with AUSTRAC

Before building your program, your agency must enrol with AUSTRAC via AUSTRAC Online. Enrolment opens 31 March 2026. Your compliance officer must be notified to AUSTRAC by 29 July 2026. These are legal obligations, not optional steps.

Step 1: Conduct your ML/TF/PF risk assessment

What the Act requires: Sections 81 and 165 of the Act impose a legal obligation on every reporting entity to identify, assess, and manage their money laundering, terrorism financing, and proliferation financing (ML/TF/PF) risks. The risk assessment is the foundation of everything else — your policies and procedures must be calibrated to the risks you've identified.

AUSTRAC guidance requires the risk assessment to cover four categories:

  • Customers — who are your clients? Are any non-residents, high-net-worth individuals, or politically exposed persons (PEPs)?
  • Services and products — what designated services do you provide? Are any transactions unfinanced (cash) or above-market-price?
  • Delivery channels — do you meet clients in person, or do you deal with remote buyers sight-unseen?
  • Geographic locations — where do your clients and their funds originate? Are any from high-risk jurisdictions?

For each risk factor, you assess the likelihood and impact (a standard risk matrix), account for the controls you already have in place, and arrive at a residual risk level. The completed assessment must be signed off by senior management.

A concrete example: A small agency in suburban Perth selling residential property to mostly local buyers, all dealt with in-person, would typically assess as lower risk than an inner-city agency regularly handling interstate or overseas purchasers buying without inspection.

Using the Starter Kit: AUSTRAC's Program Starter Kit includes a pre-populated Risk Assessment document (Word format) designed for agencies with 15 or fewer personnel providing one designated service. If that describes your agency, customise it to your circumstances rather than starting from scratch. Larger agencies or those providing multiple designated services will need a more comprehensive assessment.

Step 2: Appoint a compliance officer

What the Act requires: Your AML/CTF program must appoint a fit-and-proper person at senior management level as your AML/CTF compliance officer. This person is responsible for implementing and managing the program on an ongoing basis. You must notify AUSTRAC of your compliance officer's details by 29 July 2026.

"Senior management level" means someone with authority to make decisions and allocate resources — not a junior administrator. In a small agency, this is often the principal.

A concrete example: In a five-person agency, the principal appoints herself as compliance officer. She documents the appointment in the program, notifies AUSTRAC before 29 July 2026, and takes on responsibility for reviewing CDD records, overseeing staff training, and ensuring SMRs are filed when required. The compliance officer doesn't need to be a compliance professional — but must understand the agency's obligations and have the authority to act on them.

Step 3: Build your policies, procedures, and controls

What the Act requires: Your program must establish documented policies, procedures, systems, and controls covering all areas of your AML/CTF obligations. This is the core of the program — the written framework your team follows.

The required components include:

Customer due diligence (CDD):

  • How you identify customers and verify their identity before providing a designated service
  • How you identify beneficial owners (anyone with 25% or more ownership or effective control of a company or trust)
  • How you assess each customer's risk level
  • When enhanced CDD is required (for example, foreign PEPs or high-risk jurisdictions)
  • Procedures for ongoing monitoring and keeping customer information up to date

Monitoring and reporting:

  • How you monitor transactions for suspicious activity
  • How to identify, escalate, and file a Suspicious Matter Report (SMR) — within 24 hours for terrorism financing suspicions, three business days for others
  • How to identify and report Threshold Transaction Reports (TTRs) for physical cash of A$10,000 or more

Record keeping:

  • All AML/CTF records must be retained for a minimum of seven years

Governance and other required components: The program must also address governance arrangements (senior management oversight of ML/TF/PF risk), employee due diligence (background checks for staff in AML-relevant roles), and change management (how the program is updated when your business or the regulations change). Refer to the AUSTRAC Program Starter Kit for the full list of required components.

These steps are not exhaustive — the specific scope of your obligations depends on your business circumstances.

A concrete example: A three-step CDD checklist pinned near the front desk: (1) collect name, date of birth, and residential address; (2) verify identity using a current driver's licence or passport (inspect in person, or via video call for remote buyers); (3) record the document type, number, issuer, and expiry date — plus who verified it and when. That's the skeleton of a CDD procedure.

Further reading: CDD is a topic that deserves its own post — see How to verify client identity for real estate AML/CTF compliance for a full walkthrough.

Step 4: Train your staff

What the Act requires: All staff who perform AML-relevant duties must receive AML/CTF risk awareness training before they start those duties. Training is not a one-off event — the Act requires ongoing training, at a minimum annually, to keep staff current as obligations evolve.

Training must cover:

  • What the AML/CTF Act requires and why
  • How to identify suspicious activity and real estate-specific red flags
  • How to escalate concerns internally to the compliance officer
  • CDD procedures — what to collect, how to verify, when to ask more questions
  • SMR and TTR procedures — including the tipping-off offence (it is a criminal offence to tell a client an SMR has been or will be filed)
  • Record-keeping requirements

Training records must be maintained for seven years.

A concrete example: A one-hour onboarding session for new agents covering the agency's AML/CTF program, followed by a 30-minute annual refresher. The compliance officer records attendance dates for each staff member in the program file.

Staff don't need to become compliance experts — they need to know enough to spot a red flag and escalate it rather than ignore it.

Step 5: Set up your ongoing compliance routines

What the Act requires: Having a program document is not the end point — the Act requires active, ongoing compliance. The key ongoing obligations are:

Customer due diligence and re-screening: Ongoing CDD is a live obligation from 1 July 2026. For each transaction, you must verify client identity before providing your designated service. You must also re-screen clients against updated sanctions lists and re-assess risk when circumstances change. This is the day-to-day compliance work that the program document enables.

Annual Compliance Report: Between 1 January and 31 March each year, your agency must lodge an Annual Compliance Report with AUSTRAC. The first report covers the period 1 July to 31 December 2026, and is due by 31 March 2027. The report summarises your compliance activities, training conducted, any program changes, and SMRs and TTRs filed.

Risk assessment reviews: Your risk assessment must be reviewed when your business changes (new services, new markets, new staff structures) or when regulatory requirements change. Best practice is an annual review at minimum.

Independent evaluation: The Act requires regular independent evaluation of your program. The first evaluation for newly regulated entities is due around 2030–2032. AUSTRAC guidance suggests the frequency depends on the size and complexity of your business.

Update your AUSTRAC enrolment: Any changes to your business details (compliance officer, addresses, services) must be notified to AUSTRAC within 14 days.

A concrete example: A compliance officer at a busy agency blocks one hour in the calendar each week to review new CDD records, check that nothing has been missed, and file any pending screening results. At the end of the financial year, she runs through the Annual Compliance Report checklist before March.

Putting it together: the AUSTRAC Program Starter Kit

AUSTRAC has made this significantly easier than it sounds. Their Program Starter Kit for real estate provides Word templates covering the risk assessment, program structure, and process documentation — pre-populated with common real estate scenarios. Once customised and approved by senior management, those materials become your AML/CTF program.

The Starter Kit is designed for agencies with 15 or fewer personnel providing one designated service. If that's your agency, start there. Larger or more complex agencies will need to go further.

Where AML Simple fits in

AML Simple guides you through each of these steps in a structured workflow — from risk assessment to compliance officer appointment, CDD procedures, staff training records, and ongoing monitoring. It's a compliance workflow tool, not a substitute for professional advice.

AML Simple guides you through each step — start free →

About this post: AML Simple is a compliance workflow tool, not a provider of legal or regulatory advice. This post describes requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and AUSTRAC guidance as a general educational resource. It does not constitute legal advice and is not a substitute for professional advice specific to your circumstances. AUSTRAC's guidance and legislation take precedence over any description in this post — always check primary sources. If you need advice tailored to your agency, speak with a qualified AML/CTF compliance professional or consider our Expert Advice service.

Back to all posts

We use cookies from LinkedIn and Facebook to measure our ad performance. Your account data is never shared with advertisers.