How to Build an AML/CTF Program for Your Real Estate Agency
Your AML/CTF program is the single most important compliance document your agency will have. It's not a template you download and file away — it's a living set of policies and procedures that governs how your agency identifies customers, manages risk, reports suspicious activity, and trains staff.
Under the AML/CTF Act, every reporting entity must have a written AML/CTF program in place before it begins providing designated services. For real estate agents captured by Tranche 2, that means your program must be ready by 1 July 2026.
What is an AML/CTF program?
An AML/CTF program is a documented framework that sets out how your agency will meet its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. It must be tailored to your specific business — a generic template will not satisfy AUSTRAC.
The program has two mandatory parts: Part A (the core compliance procedures) and Part B (employee due diligence). Both are required. You cannot have one without the other.
Part A: Core compliance procedures
Part A is the operational heart of your program. It must cover the following areas:
1. Customer identification and verification (CDD)
Your program must set out exactly how you identify and verify customers. This includes procedures for individuals, companies, trusts, and other legal structures. It must specify what documents you accept, how you verify them (in person or electronically), and what you do when verification fails.
Remember: CDD applies to both buyers and sellers. Your program must address both.
2. Ongoing customer due diligence
CDD is not a one-time event. Your program must include procedures for ongoing monitoring of customer relationships. This means watching for changes in the customer's circumstances, unusual transaction patterns, or new information that changes the risk profile.
For real estate, ongoing CDD is most relevant when you have a continuing relationship with a customer — for example, a developer who lists multiple properties with your agency over time.
3. Enhanced and simplified due diligence
Your program must define when enhanced due diligence (EDD) is required — high-risk customers, PEPs, complex structures, high-risk jurisdictions — and what additional steps are taken. It must also define when simplified due diligence (SDD) is permitted and the conditions that must be met.
4. Suspicious matter reporting
Your program must include clear procedures for identifying, escalating, and reporting suspicious matters. This means defining what constitutes a “suspicion,” who staff should escalate to (typically the compliance officer), and how SMRs are filed with AUSTRAC.
Critically, your program must also address the tipping off offence — making it clear to all staff that they must never disclose the existence or contents of an SMR to anyone outside the reporting chain.
5. Record keeping
Your program must set out your record keeping procedures. All CDD records, transaction records, SMRs, training records, and compliance documents must be retained for a minimum of 7 years after the end of the relevant customer relationship or transaction.
Records must be stored in a way that allows retrieval within a reasonable timeframe if requested by AUSTRAC. Digital storage is acceptable provided it meets integrity and accessibility requirements.
6. Compliance officer
Your program must identify your AML/CTF compliance officer and describe their role and responsibilities. The compliance officer must be a senior person with sufficient authority to make decisions about the program and its implementation. They must be appointed within 28 days of providing designated services, and AUSTRAC must be notified within 14 days of the appointment.
Part B: Employee due diligence
Part B deals with the people inside your organisation. It's about making sure your own staff don't become the weak link in your compliance framework.
Staff screening
Before an employee is allowed to handle designated services or access customer data, you must conduct appropriate screening. This includes identity verification, criminal history checks (particularly relevant for anyone involved in compliance or financial handling), and checks against sanctions and PEP lists where appropriate.
Ongoing employee monitoring
Part B must also address ongoing monitoring of employees. This includes procedures for detecting unusual behaviour (e.g., an agent who consistently fails to collect CDD, or who has an unexplained lifestyle inconsistent with their income). It also includes procedures for handling internal reports of suspicious behaviour.
Training
While training sits across both Part A and Part B, it's particularly important in Part B. All staff must receive AML/CTF training before they begin handling designated services, and refresher training must be provided at least annually. Training must cover your agency's specific procedures, how to identify red flags, CDD requirements, reporting obligations, and the tipping off offence.
You must keep records of all training delivered, including the date, content covered, and attendees.
Who approves it?
Your AML/CTF program must be approved by a senior manager, board of directors, or equivalent governing body. For sole traders and small agencies, this is typically the principal. For larger agencies or franchise groups, it may be the board or a senior compliance committee.
The approval must be documented — include the name, title, and date of approval in the program itself. AUSTRAC will check for this.
How often to review
Your program must be reviewed and updated:
- At least annually — a scheduled review of the entire program
- Whenever there is a material change — new services, new customer types, new risks, legislative changes, or following an internal incident
- After a compliance assessment — if AUSTRAC identifies gaps, update your program to address them
- Independent review — your program must be independently reviewed within 3 years of being established, and every 3 years thereafter
Relationship to your risk assessment
Your AML/CTF program does not exist in isolation. It must be based on and respond to your ML/TF/PF risk assessment. The risk assessment identifies the risks; the program sets out how you manage them.
If your risk assessment identifies that you have a high volume of overseas buyers, your program must include enhanced due diligence procedures for those customers. If your risk assessment identifies that cash transactions are rare in your business, your program can reflect that — but must still have procedures for handling them when they occur.
The two documents should be read together, and updates to one should trigger a review of the other.
What makes a good program vs a bad one
A good program:
- Is tailored to your agency's size, services, and customer base
- Reflects your actual risk assessment
- Is written in clear language your staff can follow
- Includes step-by-step procedures, not just policies
- Has been approved by senior management with documented sign-off
- Is reviewed and updated regularly
A bad program:
- Is a generic template downloaded from the internet
- References services or structures your agency doesn't have
- Is copied from another agency without modification
- Has no connection to your risk assessment
- Shows no evidence of approval or review
- Sits in a drawer, never referenced by staff
Common mistakes
- Using a template without customisation: AUSTRAC explicitly states that your program must be tailored to your business. A generic document signals to the regulator that you haven't taken compliance seriously.
- Forgetting Part B: Many agencies focus entirely on CDD and reporting (Part A) and overlook employee due diligence (Part B). Both parts are mandatory.
- No risk assessment: Your program must be based on a documented risk assessment. Without it, the program has no foundation and AUSTRAC will flag it immediately.
- No training records: You can have the best program in the world, but if you can't prove your staff were trained on it, you're non-compliant.
- Set and forget: An AML/CTF program is not a one-time document. It must be reviewed and updated regularly. If your program hasn't been touched since it was written, that's a problem.
- No compliance officer: You must appoint a compliance officer and notify AUSTRAC. This is a separate obligation that many agencies overlook.
Need an AML/CTF program built for your agency?
Start with our free 60-second quiz to check if you're captured.