All posts
aml-programcompliancetranche-2getting-started

What must your AML/CTF program actually include? A guide for real estate agencies

Your AML/CTF program is the written document AUSTRAC will ask for if they audit your agency. Here is exactly what it must cover — and what the 2026 reforms changed about how it should be structured.

By AML Simple Team

Every regulated real estate agency must have a documented AML/CTF program before commencing obligations on 1 July 2026. If AUSTRAC conducts a compliance assessment of your agency, your program is the first thing they will ask for.

This post explains exactly what your program must include, what changed in the 2026 reforms, and how to get one in place quickly.

The fastest path: generate your program in 15 minutes

The AML Simple AML/CTF Program Generator asks you the right questions about your agency — your services, team size, geographic location, customer types, and delivery channels — and generates a program document consistent with AUSTRAC's own Program Starter Kit structure.

Three steps:

  1. Sign up to AML Simple — around 2 minutes. Enter your ABN, your profile is pre-filled.
  2. AUSTRAC Enrolment Cheat Sheet — around 5 minutes. Every enrolment field pre-filled.
  3. AML/CTF Program Generator — around 15 minutes. Your program document, ready for senior management sign-off.

The generator produces a program you understand and can defend — not a document you downloaded and signed without reading. That distinction matters when AUSTRAC asks you about it.

Want to know what goes into the program before you generate it? Here is the full breakdown.

What changed in 2026: no more Part A / Part B

Before the 2026 reforms, the AML/CTF Act prescribed a specific two-part structure (Part A and Part B) for AML/CTF programs. The 2026 reforms removed this structure.

Your program can now be organised however you want — there is no required format. What matters is the substance: your program must address all the required components, and it must be appropriate for your business's size and complexity.

This is good news for small agencies. A 15-person real estate agency does not need a 200-page document. A clear, well-organised program that covers the required components and reflects how your agency actually operates is what AUSTRAC is looking for.

Source: AML/CTF Act 2006, s 81; AUSTRAC program reform guidance

What your program must cover

1. ML/TF/PF risk assessment

This is the foundation of your program. It documents the money laundering, terrorism financing, and proliferation financing risks specific to your business across four categories: customers, services, delivery channels, and geographic locations.

Without a documented risk assessment, your CDD decisions have no documented basis. AUSTRAC expects to see your analysis, not just a conclusion.

For a detailed guide, read How to complete your ML/TF risk assessment as a real estate agency.

Source: AML/CTF Act 2006, s 165; AUSTRAC risk assessment guidance

2. Governance

Your program must describe how senior management and the governing body oversee AML/CTF compliance — who is responsible, how often compliance is reviewed, and how decisions are made and documented.

For small agencies, this is often a single line: "The principal reviews AML/CTF compliance monthly and is responsible for approving program updates." That is genuine governance. What it cannot be is silence — you must document it.

3. Compliance Officer

Your program must name the Compliance Officer — the person responsible for implementing and managing the program day to day. They must be at senior management level, with the authority to allocate resources and make compliance decisions.

Your Compliance Officer's details must be notified to AUSTRAC by 29 July 2026. Any subsequent change must be notified within 14 days.

4. Employee due diligence

Your program must describe your process for conducting background checks on staff who perform AML-relevant roles. This does not require elaborate vetting — for most small agencies, it means verifying identity, checking work history, and for compliance-sensitive roles, considering a National Police Check.

The program must say what you do and why that is appropriate for your agency's risk profile.

5. Staff training

Your program must describe your training approach: what training is provided, to whom, when (initial and ongoing), and how completion is recorded.

Training must happen before staff perform AML-relevant duties — and records must be retained for 7 years.

For the full training requirements, read AML/CTF staff training requirements for real estate agencies.

Source: AML/CTF Act 2006, s 26F(4)(e)

6. Customer due diligence procedures

This is one of the most detailed sections. Your program must describe:

  • What information to collect from individuals, companies, and trusts
  • How to verify identity — your chosen verification methods (in-person document inspection, video call, electronic verification)
  • Beneficial ownership — how you identify the real owners behind companies and trusts
  • Client risk rating — how you assess each client's risk (low/standard/high) and what drives Enhanced CDD
  • Ongoing CDD — how you update client information over time and when you re-screen

Your CDD procedures need to be specific enough that any staff member who reads them knows exactly what to do with a new buyer client on their first day.

Source: AML/CTF Act 2006, s 34; AUSTRAC CDD guidance

7. Sanctions and PEP screening

Your program must describe how you screen clients against the DFAT Consolidated Sanctions List and how you identify and manage Politically Exposed Persons (PEPs).

This includes: when screening happens (at onboarding and on an ongoing basis as the list updates), what tool you use, and how you handle a potential match — including the process for escalating confirmed matches to the Compliance Officer and considering a Suspicious Matter Report.

Source: DFAT Consolidated Sanctions List

8. Transaction monitoring

Your program must describe how you detect suspicious activity in transactions. This does not require automated software — for a small agency, a documented process for reviewing transactions against the red-flags list and escalating concerns to the Compliance Officer is sufficient.

The program should include your agency's specific red-flag indicators — the behaviours and transaction patterns that would trigger further scrutiny or an SMR assessment.

Source: AUSTRAC risk indicators for real estate

9. SMR and TTR procedures

Your program must describe:

  • How you identify activity that may warrant a Suspicious Matter Report
  • Your internal escalation process — who assesses the concern and makes the filing decision
  • The filing deadlines you must meet (24 hours for terrorism financing; 3 business days for money laundering)
  • The tipping-off rule — that disclosing an SMR to the subject is a criminal offence
  • Your Threshold Transaction Report process for cash transactions of $10,000 or more

10. Record keeping

Your program must describe what records you keep, how long you keep them (7 years minimum for all AML/CTF records), and where they are stored. Electronic records are acceptable — they must be accessible and retrievable on request.

Source: AML/CTF Act 2006, s 107

11. Change management

Your program must describe how you update it when risks or regulations change — who triggers the review, who approves changes, and how the updated version is dated and retained.

12. Independent review

Your program must be independently evaluated at regular intervals appropriate for your business's size and complexity. For most small agencies, this means at least every 3 years. The first evaluation deadline for Tranche 2 entities is staggered: 30 June 2029 to 31 December 2030, based on your AUSTRAC Account Number.

What "good" looks like

A well-constructed program for a small real estate agency with 5–10 staff and one designated service:

  • Is 15–30 pages — enough to be substantive, not so long it is unreadable
  • Is written in plain English that your staff can actually follow
  • Reflects your specific agency — your customer types, your geographic market, your delivery channel
  • Has been reviewed and signed off by senior management, with the date recorded
  • Is version-controlled — you know which version is current and can produce prior versions

It does not need to be perfect. It needs to be genuine — a real description of how your agency operates and manages AML/CTF risk.

AUSTRAC's Program Starter Kit provides the template structure. AML Simple generates the content. Senior management review and sign-off makes it yours.

For the full compliance picture, read the complete AUSTRAC Tranche 2 guide for real estate agencies.

This content is general information only and does not constitute legal or AML/CTF advice. For tailored advice, consult a licensed AML/CTF advisor. AML Simple is a compliance tool, not a law firm.

Want a personalised Tranche 2 readiness score for your agency? Take the free 5-minute Readiness Check → amlsimple.com/check

Back to all posts

We use cookies for advertising measurement. See our Privacy Policy.