How to complete your ML/TF risk assessment as a real estate agency
Your ML/TF risk assessment is the foundation of your AML/CTF program — without it, your client risk ratings have no documented basis. Here is how to complete one for a typical real estate agency.
Your ML/TF risk assessment is the single most important document in your AML/CTF program. Every other compliance decision — how you rate clients, what CDD you apply, when you escalate concerns — is supposed to flow from it. Without a documented risk assessment, you cannot properly defend any of those decisions.
Here is how to complete one for a typical real estate agency — and how to get it done quickly.
The fastest path: let the wizard do the structure
The AML Simple AML/CTF Program Generator builds your risk assessment as part of generating your full AML/CTF program. The wizard asks you about your customer types, the services you provide, how you deliver them, and where you operate — and structures the risk assessment section of your program around your answers.
The resulting document is consistent with AUSTRAC's Program Starter Kit structure, which includes a risk assessment template designed specifically for real estate agencies with 15 or fewer staff.
Three steps to get there:
- Sign up to AML Simple — around 2 minutes
- AUSTRAC Enrolment Cheat Sheet — around 5 minutes
- AML/CTF Program Generator — around 15 minutes, risk assessment included
Want to understand exactly what goes into a risk assessment before you build one? Here is the full picture.
What a risk assessment actually is
The risk assessment documents two things: (1) the money laundering, terrorism financing, and proliferation financing risks your agency faces, and (2) the controls you have in place to manage them.
AUSTRAC does not tell you what risks to find or how to score them. It expects you to think about your actual business and document your reasoning. A risk assessment that says "all risks are low" with no supporting analysis will not hold up to scrutiny.
The legal basis is clear: AML/CTF Act 2006, s 165 requires every reporting entity to identify, assess, and manage ML/TF risks. It is not optional, and it is not once-and-done — you must review it when circumstances change and at least every three years.
Source: AML/CTF Act 2006, s 165; AUSTRAC risk assessment reform guidance
The four risk categories AUSTRAC requires
Your risk assessment must cover four mandatory categories. Here is what each one means for a typical real estate agency.
1. Customers
Think about the types of clients your agency typically deals with:
- Non-resident buyers — overseas purchasers are a known higher-risk profile; they may be harder to verify, and funds can be harder to trace
- High-value purchasers — particularly those paying cash with no financing
- Companies and trusts — complex ownership structures can be used to obscure the true owner
- Politically Exposed Persons (PEPs) — foreign government officials and their associates
- Clients who are reluctant to provide ID — an immediate red flag
For each customer type, consider: how often do you deal with them, what is the inherent money laundering risk they present, and what controls do you have in place?
2. Services
The designated service for real estate is brokering purchases and sales. Consider the risk profile of your specific service mix:
- Residential sales — moderate base risk; large transaction values and competitive markets create opportunity for price manipulation
- Off-the-plan sales — higher risk; pre-settlement period can obscure fund origins
- Auctions — auction settings can create urgency pressure and limit CDD time (though delayed CDD provisions exist for this; see AML/CTF Act 2006, s 29)
- Commercial sales — can involve complex corporate structures and larger transaction values
- Luxury or high-value property — above-market-price transactions can be a red flag for value manipulation
3. Delivery channels
How you deliver your service affects your risk profile:
- In-person — lowest risk; you can physically inspect identity documents
- Remote (video call) — acceptable but higher risk than in-person; requires documented process
- Fully online, where the buyer never inspects the property — higher risk; no in-person contact, potential for identity fraud
Remote delivery requires additional controls in your program. AUSTRAC accepts video call verification, but you must document the process and record that you confirmed the client's identity on the call.
Source: AUSTRAC verification guidance
4. Geographic locations
Where you operate and where your clients and funds originate matters:
- High-risk jurisdictions — if you deal with buyers or funds from countries on the FATF grey or black list, the risk profile is elevated
- High-value markets — Sydney, Melbourne CBD, and other premium markets attract international buyers at scale
- Your own location — consider whether your area has characteristics associated with property money laundering (high cash usage, unusual transaction patterns, complex ownership structures being common)
Source: AUSTRAC risk insights for real estate
The methodology: inherent risk → controls → residual risk
AUSTRAC expects a structured methodology. For each risk factor you identify:
- Inherent risk — what is the risk before any controls are applied? Rate it (e.g. low / medium / high, or on a 1–4 scale)
- Controls — what do you actually have in place to manage this risk?
- Residual risk — what is the risk after controls are applied?
A simple example:
| Risk factor | Inherent risk | Controls | Residual risk |
|---|---|---|---|
| Non-resident buyers | High | Mandatory video call verification + source of funds request for offshore-funded purchases | Medium |
| Domestic individual buyers, in-person | Low | Standard initial CDD + DFAT screening | Low |
| Trust purchasers | High | Beneficial ownership identification + enhanced CDD for complex structures | Medium |
You do not need a PhD in risk management to complete this. You need to think carefully about your actual business, document your reasoning, and have senior management review and sign off on the result.
What must be documented
Your risk assessment must include:
- Identified risk factors with supporting rationale
- The four risk categories assessed (customers, services, channels, geography)
- Likelihood and impact rating for each risk factor
- Description of your controls
- Residual risk determinations
- The scoring methodology you used
- Senior management or governing body acknowledgment
- Date of assessment, version, and when you will review it next
Source: AUSTRAC risk assessment documentation requirements
When to update your risk assessment
You must review your risk assessment when:
- You start offering a new service
- You open in a new market or geographic area
- Relevant regulatory guidance changes
- Your customer mix changes materially
- AUSTRAC publishes new risk insights for your sector
At minimum, review it every 3 years — aligned with the independent evaluation cycle.
The entity-level vs client-level distinction
There are two types of risk assessment in the AML/CTF framework. They are distinct:
- Entity-level risk assessment — this section — documents the ML/TF risks facing your agency as a whole. It is part of your AML/CTF program.
- Client-level risk rating — applies your entity-level framework to individual clients during CDD to rate them as low, standard, or high risk.
Without the entity-level assessment, your client ratings have no documented basis. The entity assessment comes first.
Source: AUSTRAC guidance on customer risk ratings
For the full compliance picture, see the complete AUSTRAC Tranche 2 guide for real estate agencies.
This content is general information only and does not constitute legal or AML/CTF advice. For tailored advice, consult a licensed AML/CTF advisor. AML Simple is a compliance tool, not a law firm.