What a completed AML/CTF program looks like for a 5-person real estate agency

Most real estate agents can picture the 1 July 2026 deadline.

Fewer can picture what they actually need to produce.

That gap matters. You can read every AUSTRAC guide published and still not know what "a completed AML/CTF program" looks like sitting on a desk. This post fills that gap -- using a fictional 5-person residential sales agency as a reference point.

What the law actually requires

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 requires every reporting entity to maintain an AML/CTF program -- a set of documented policies, procedures, systems, and controls to identify and manage money laundering, terrorism financing, and proliferation financing risk.

There is no prescribed format.

AUSTRAC published a free Program Starter Kit for real estate agencies with up to 15 personnel providing one designated service.

The kit includes three Word documents: a risk assessment, a process document, and a guide to completing them. Once you customise and approve those documents at senior management level, they become your AML/CTF program.

The three core sections

A completed program for a small residential sales agency covers three areas:

Risk assessment
Customer due diligence (CDD) procedures
Monitoring, reporting, and record keeping

Here is what each section contains -- illustrated using Parkside Property Co., a fictional five-person metro agency providing residential sales only.

1. Risk assessment

What it is: A documented analysis of ML/TF/PF risks specific to the business, across four mandatory categories: customers, services, delivery channels, and geography.

What a completed section looks like:

Customers: Parkside serves predominantly Australian-resident buyers and sellers purchasing mid-range residential property (A$400,000--A$1.2 million). A small proportion (around 10%) are Australian citizens living overseas or recent migrants. No current customers are identified as politically exposed persons (PEPs). Overall customer risk: low to medium.

Services: Parkside provides one designated service -- brokering the purchase and sale of residential real estate. No unfinanced transactions (cash purchases) have occurred in the previous 12 months. No above-market-price transactions identified. Service risk: low.

Delivery channels: Clients are generally met in person at appraisals or open homes. Remote-only arrangements account for around 5% of transactions. Delivery channel risk: low.

Geography: Parkside operates in metropolitan Melbourne. No current customers originate from FATF-listed high-risk jurisdictions. All funds flow through Australian bank accounts via standard settlement. Geographic risk: low.

Overall risk rating: Low.

Why the risk assessment drives everything else:

The risk rating determines how much verification your procedures require. Low-risk agencies can apply simplified CDD in appropriate circumstances. Agencies with higher-risk customer profiles or delivery channels need additional controls. The risk assessment needs to be documented before you can write accurate CDD procedures.

2. Customer due diligence procedures

What it is: Documented policies for who gets CDD, what information is collected, how identity is verified, and how higher-risk situations are managed.

What a completed section looks like:

Who: Every new customer (buyer or seller) before Parkside provides its designated service -- brokering a purchase or sale. CDD is completed before the service commences, not after.

What information is collected: For individuals: full name, date of birth, residential address, and government-issued photo ID. For companies: company name, ABN or ACN, registered address, and details of all beneficial owners (persons with 25% or more ownership or effective control of the company).

How verification happens: Parkside uses an electronic verification service through its compliance platform. Where electronic verification cannot be completed, certified copies of original documents are accepted. In-person verification is conducted where feasible.

Ongoing CDD: Client information is reviewed when a repeat transaction occurs, when circumstances change, or when a trigger event arises -- for example, unexplained urgency, a mismatch between the purchase price and the client's apparent financial profile, or requests to structure payments unusually.

High-risk customers: If a customer is identified as a foreign PEP or a transaction shows unexplained characteristics, the matter is escalated to the compliance officer before Parkside proceeds. Enhanced CDD applies in these circumstances: additional information on source of funds and the nature of the business relationship is collected.

Simplified CDD: Applies where the customer is a regulated Australian entity (for example, a licensed financial institution) with its own AML/CTF obligations. Parkside documents the basis for applying simplified CDD.

3. Monitoring, reporting, and record keeping

What it is: Documented procedures for detecting suspicious activity, lodging required reports with AUSTRAC, and storing records for the required period.

What a completed section looks like:

Transaction monitoring: The compliance officer reviews transactions flagged by Parkside's compliance platform -- including structuring patterns, anonymous payment attempts, or unusual settlement requests. All agents are trained to escalate concerns immediately and without tipping off the customer.

Suspicious matter reports (SMRs): Where Parkside suspects a transaction may involve money laundering or terrorism financing, an SMR is lodged with AUSTRAC. Terrorism-related SMRs are lodged within 24 hours. Other SMRs are lodged within 3 business days of forming a suspicion. The compliance officer is responsible for reviewing and lodging all SMRs. Tipping-off the customer about an SMR is prohibited by law.

Threshold transaction reports (TTRs): Cash transactions of A$10,000 or more must be reported to AUSTRAC within 10 business days. Parkside's policy prohibits accepting cash; the policy and its rationale are documented.

Record keeping: All AML/CTF records -- CDD documents, risk assessment, program documents, SMRs, TTRs, training records -- are retained for 7 years. Records are stored in Parkside's compliance platform with access controls in place.

What happens after the program is completed

A completed program is not a one-time document.

Parkside reviews its risk assessment annually, and whenever the business materially changes -- a new service, a new delivery channel, a high-risk customer segment that wasn't there before. The compliance officer monitors for updated AUSTRAC guidance. Staff training is refreshed annually.

The first independent evaluation of Parkside's program is due between 30 June 2029 and 31 December 2030 (the exact date is staggered by the last two digits of Parkside's AUSTRAC Account Number, which is assigned on enrolment).

Where to start with yours

AUSTRAC's Program Starter Kit is designed for agencies with up to 15 personnel providing one designated service.

You open the documents, answer the prompts, customise the defaults to reflect your business, and approve the finished version at principal or director level. That document set is your program.

AML Simple's program wizard covers the same sections with guided prompts and pre-populated examples -- so you're not staring at a blank template. Your answers generate a program document consistent with AUSTRAC's own Starter Kit structure.

You still make the judgment calls.

We just help you work through them systematically.

Source: Anti-Money Laundering and Counter-Terrorism Financing Act 2006; AUSTRAC Real Estate Program Starter Kit (2025). This post describes general AML/CTF obligations and does not constitute legal or compliance advice.