Your week-by-week AML preparation timeline: April to June 2026

You have from now until 1 July 2026 to prepare your agency for compliance. That sounds manageable - until you look at the list of things that need to happen: enrol with AUSTRAC, conduct a risk assessment, build your AML/CTF program, appoint a compliance officer, run employee due diligence, train your staff, and test your procedures.

Done in the wrong order, this gets messy. Done week by week, in sequence, it's a steady 13-week project you can fit around running your agency.

This post gives you the exact sequence, week by week, from 1 April to 30 June 2026.

---

The 13-week plan at a glance

---

Phase 1: Foundation (Weeks 1-4, April)

Week 1 (1-7 April) - Enrol with AUSTRAC

AUSTRAC enrolment opened on 31 March 2026. Your first action in April is to complete it.

Log in to AUSTRAC Connect and complete your enrolment as a newly regulated entity. Follow AUSTRAC's enrolment instructions for your entity type (sole trader, company, partnership, or trust). Have your ABN and business address ready. The process typically takes 20-30 minutes.

Do this first. Everything else builds on your enrolment being in place.

For a step-by-step walkthrough, see our post on how to enrol with AUSTRAC as a real estate agency.

Week 2 (8-14 April) - Download the Program Starter Kit and prepare for your risk assessment

AUSTRAC has published a free Program Starter Kit for real estate agencies. If your agency has 15 or fewer staff and provides one designated service (brokering property sales), this is your starting point.

Download the kit this week and read through the Risk Assessment template. You are not filling it in yet - just familiarising yourself with the four categories you will need to assess: customers, services, delivery channels, and geography. Understanding the structure before you start saves time in weeks 3 and 4.

Agencies with more than 15 staff or multiple designated services will need a more comprehensive risk assessment than the Starter Kit covers. If that applies to you, consider engaging a compliance professional for the assessment.

Week 3 (15-21 April) - Conduct your risk assessment: customers and services

The ML/TF/PF risk assessment is the foundation of your AML/CTF program. It documents the money laundering, terrorism financing, and proliferation financing risks specific to your agency. Without it, you cannot write a program that reflects your actual circumstances.

This week, work through the first two categories:

Customers: Who are your typical clients? Consider whether you regularly work with non-residents, overseas buyers, investors purchasing sight-unseen, or clients from high-risk jurisdictions. A suburban agency selling to local owner-occupiers will assess differently from one handling interstate or international investment purchases.

Services: What transaction types do you handle? Note any that carry higher risk - unfinanced (cash) purchases, above-market-price transactions, or complex ownership structures (trusts, companies).

For each risk factor, rate the likelihood and impact, and note any controls you already have in place.

Week 4 (22-28 April) - Complete your risk assessment and get sign-off

Complete the remaining two categories this week:

Delivery channels: Do you meet clients in person or deal with remote buyers who never inspect the property? Remote transactions carry additional risk factors your program must address.

Geographic locations: Where do your clients and their funds come from? Clients from FATF grey or black-listed jurisdictions require additional scrutiny.

Once all four categories are assessed, document your residual risk levels and review the completed assessment as senior management. Senior management acknowledgment of the completed risk assessment is required under the AML/CTF Act - record who reviewed it and when. The acknowledged assessment is the foundation of your AML/CTF program.

---

Phase 2: Program (Weeks 5-8, April-May)

Week 5 (29 April - 5 May) - Appoint your compliance officer

Your AML/CTF program must name a compliance officer at senior management level - someone with the authority to make decisions and allocate resources. In a small agency, this is usually the principal.

Choose your compliance officer this week and document the appointment. They do not need to be a compliance professional, but they must understand the agency's obligations and be able to act on them. You must notify AUSTRAC of their details by 29 July 2026 - appoint them now so they have time to get up to speed before 1 July.

See our post on understanding the AML/CTF compliance officer role for what the role involves.

Week 6 (6-12 May) - Build your CDD procedures

Your AML/CTF program must document exactly how you identify and verify clients. This week, write your customer due diligence (CDD) procedures.

Your procedure should cover what information to collect (full legal name, date of birth, residential address), which identity documents are acceptable (Australian driver's licence, passport, or other primary photographic ID), and how you verify identity. Acceptable verification methods include (but are not limited to):

• Inspecting the original document in person
• A live video call where the client holds their ID up to camera
• Electronic verification via DVS or an accredited provider
• Biometric verification comparing the client's appearance against their photo ID

Your procedure must also address beneficial ownership identification: for clients that are companies or trusts, you need to identify and verify anyone with 25% or more ownership or effective control. This is a mandatory CDD component.

Additionally, your CDD procedure must include sanctions and PEP screening: every client must be screened against the DFAT Consolidated List and checked for Politically Exposed Person (PEP) status at onboarding, with periodic re-screening throughout the relationship.

Document which methods your agency will use, and write the step-by-step process for each scenario - in-person individual client, remote buyer, company or trust client.

For a full guide to CDD requirements, see customer due diligence for real estate: a plain-English guide.

Week 7 (13-19 May) - Complete your AML/CTF program

Build out the remaining sections of your program this week:

Monitoring and reporting: How will you identify suspicious activity? What is the internal escalation process for filing a Suspicious Matter Report (SMR)? Who in the agency can authorise an SMR? Note the SMR deadlines: 24 hours for terrorism financing suspicions, three business days for other suspicious matters. Also document your Threshold Transaction Report (TTR) procedure: TTRs are required for physical cash transactions of A$10,000 or more, filed within 10 business days.

Record keeping: All AML/CTF records must be retained for seven years. Document how and where you will store CDD records, screening results, training records, and program versions.

Governance: Who oversees AML/CTF compliance at senior management level? How will the program be updated when your business changes or regulations change?

Once all sections are complete, have senior management formally approve the program. Date and version it. This approved document is your AML/CTF program.

See our 5-step guide to building your AML/CTF program for a detailed walkthrough of each component.

Week 8 (20-26 May) - Employee due diligence

Before any staff member performs AML-relevant duties, you must conduct background checks appropriate to their role. This typically means verifying identity, conducting reference checks, and considering criminal history.

Work through your staff list this week. For each person in an AML-relevant role, document what you checked, what you found, and the date. Keep these records for seven years.

---

Phase 3: Training (Weeks 9-10, May-June)

Week 9 (27 May - 2 June) - Train your staff

Every person who performs AML-relevant duties must be trained before they carry out those duties. Deliver your initial training this week.

Training must cover:

• What the AML/CTF Act requires and why your agency now has obligations
• Your agency's specific CDD procedures - what to collect, how to verify, when to ask more questions
• How to identify suspicious activity and real estate-specific red flags
• How to escalate concerns to the compliance officer
• SMR and TTR procedures - including the tipping-off offence (it is a criminal offence to tell a client that an SMR has been filed or will be filed)
• Record-keeping requirements
• Consequences of non-compliance

A structured one-to-two hour session with documented attendance is sufficient for most small agencies. Keep a record of who attended and when - you will need this for your Annual Compliance Report.

Week 10 (3-9 June) - Test your CDD workflow end to end

Before obligations are live, walk through your entire CDD process as if you were handling a real client.

Check that you can: collect full legal name, date of birth, and residential address; verify identity using an acceptable method and record the outcome; screen the client against the DFAT Consolidated List; and store the complete record in your record-keeping system.

Do this for at least two scenarios - an in-person client and a remote buyer. Identify any gaps or points of friction now, while you still have time to fix them.

---

Phase 4: Ready (Weeks 11-13, June)

Week 11 (10-16 June) - Check your records setup and screening process

Confirm your record-keeping system can capture all required fields for each CDD record: document type, document number, issuing authority, expiry date, verification method, who verified it, and date of verification. If you are using a spreadsheet or manual system, test it with a sample record.

Confirm you can access the DFAT Consolidated List and run a client name through your screening process. If your current approach is manual (checking names against the PDF), consider whether software would make this more reliable and auditable.

Week 12 (17-23 June) - Review and brief your team

Run a final review of your completed program against the AUSTRAC Program Starter Kit checklist. Confirm every required component is present - risk assessment, governance, CDD procedures, monitoring and reporting, record keeping, training.

Brief your entire team on the final procedures. They should know: what they need to do from 1 July, who the compliance officer is, and who to contact if they have a question or spot something unusual.

Confirm your compliance officer is clear on their role and knows the reporting deadlines.

Week 13 (24-30 June) - Final readiness check

Final week before obligations commence. Check:

• Your AUSTRAC enrolment is complete and your business details are current
• Your compliance officer has been (or is ready to be) notified to AUSTRAC (deadline: 29 July 2026)
• All staff who perform AML-relevant duties have been trained and attendance recorded
• Your CDD workflow has been tested and any gaps resolved
• Your record-keeping system is ready to receive live CDD records from 1 July

From 1 July, CDD, ongoing monitoring, and reporting obligations are live. You will conduct CDD on every new client before providing your designated service, screen against the DFAT list, and file SMRs and TTRs when required.

---

---

Start now - not in June

Thirteen weeks feels like a long time. It is not. Agencies that leave the risk assessment until May and the program until June run out of time to train staff and test their procedures before 1 July. The sequence matters: the risk assessment feeds the program, the program feeds training, and training must happen before duties commence.

Start in week 1. By week 8, the hard work is done. Weeks 9-13 are for testing and refining - the part most agencies skip, and the part that makes the difference between a program that exists on paper and one your team can actually use.

---