Compliance Checklist · Real Estate · 2026

AML/CTF Compliance Checklist for Real Estate Agencies 2026

Every AUSTRAC obligation your agency must meet before 1 July 2026, structured, actionable, and grounded in AUSTRAC's own guidance and Australia's reformed AML/CTF Act.

GateCrown Compliance
Updated March 2026
15 min read
35 checklist items
35
Checklist Items
7
Obligation Areas
Days to 1 July 2026
~$33M
Max Corporate Penalty (100,000 PU at $330)

Save or print this checklist to use internally with your compliance officer and team.

From 1 July 2026, AML/CTF obligations commence for real estate agents, buyer's agents, and property developers who broker the purchase, sale, or transfer of real estate, or who sell or transfer real estate they own without using an independent real estate agent. AUSTRAC expects all newly regulated entities to be enrolled, have a written program in place, have trained their staff, and be ready to conduct customer due diligence and report suspicious matters by 1 July 2026. The formal enrolment deadline is 29 July 2026, but this is the outer limit, not the preparation target.

This checklist covers every core obligation, structured in the order you should complete them, with deadlines and explanatory notes for each item.

Important Scope Note

AML/CTF obligations apply when you are brokering, planning, or executing the purchase, sale, or transfer of real estate. They also apply to property developers selling or transferring real estate they own, where no independent agent is involved. Property management (leasing, managing tenancies) is generally not a designated service. If your agency provides both designated and non-designated services, your program must clearly demarcate these activities.

01 Confirm Your Obligations

🔍
Step 1: Determine If You're Regulated
Complete before you do anything else
DO NOW
  • Confirm you provide a "designated service" Critical
    Use AUSTRAC's online tool at austrac.gov.au to verify your services are captured. Brokering, planning, or executing property sales/purchases/transfers are designated services. Leasing, property management, and purely advisory roles (without executing transactions) are generally not. Property developers who sell or transfer real estate they own, without using an independent agent, are also captured. General or hypothetical advice (e.g. discussing the pros and cons of property ownership), simple referrals to third parties, and short-term lease transactions are specifically excluded.
  • Identify all designated services your agency provides
    Include buyer's agent services, off-the-plan sales assistance, and auction management where your role involves planning, advancing, or executing the sale, purchase, or transfer of real estate. The key question is whether your involvement directly advances the transaction: for example, preparing contracts, conducting title searches, or taking steps to execute the transfer. General or hypothetical advice, simple referrals to third parties, and short-term lease transactions are specifically excluded. If one branch provides only non-designated services, your reporting group must still comply if any other entity in the group is regulated.
  • Assess whether the AUSTRAC starter kit applies to your agency
    You're eligible only if: 15 or fewer total personnel, mostly Australian resident clients, no regular high-risk customers, no overseas property brokering, no fully remote service delivery, not a property developer selling own stock, not mid-acquisition.

02 Enrol with AUSTRAC

📋
Step 2: AUSTRAC Enrolment
Opens 31 March 2026 · Obligations from 1 July · Enrolment deadline 29 July
BY 29 JUL
  • Enrol with AUSTRAC as a reporting entity Critical
    Enrolment opens 31 March 2026. AUSTRAC expects all newly regulated entities to be enrolled and fully operational by 1 July 2026. The formal enrolment deadline is 29 July 2026, but using that as your preparation target is not a compliant approach. Enrolment is free. You'll need your ABN, details of your designated services, and your compliance officer's details.
  • Consider electing a reporting group if you operate multiple regulated entities
    From 31 March 2026, the reformed AML/CTF Act introduces reporting groups, replacing the old business group concept. A reporting group allows related regulated entities to elect a lead entity that manages AML/CTF obligations on behalf of the group. This can consolidate reporting and reduce cost for franchises and multi-office networks, but requires a formal election and specific documentation.
  • Keep enrolment details current
    You must update AUSTRAC when your enrolment details change: new services, change of compliance officer, change of business structure. Failure to update is itself a compliance breach.

03 Build Your AML/CTF Program

📄
Step 3: Written AML/CTF Program
Must be approved before 1 July 2026
BY 1 JUL
  • Appoint a designated AML/CTF Compliance Officer Critical
    Must be documented in writing. For many real estate agencies, this role is commonly taken by the Licensee in Charge (LIC), but any suitably qualified person with appropriate seniority and authority can be appointed. The compliance officer oversees day-to-day implementation, staff training, and program maintenance. This appointment must be formalised. A verbal understanding is not sufficient.
  • Complete an ML/TF/PF Risk Assessment specific to your business Critical
    Must cover: the nature of your designated services, your customer types (individuals, companies, trusts, foreign nationals), transaction volumes and values, your delivery channels (in-person vs remote), and your geographic exposure. The risk assessment must be documented and reviewed regularly. A generic template that doesn't reflect your actual business is non-compliant.
  • Develop written AML/CTF policies and procedures Critical
    Must include: how you identify and verify customers (CDD), how you conduct enhanced due diligence for high-risk customers (EDD), how you monitor ongoing client relationships, your suspicious matter reporting procedure, your threshold transaction reporting procedure, and how you keep records.
  • Document your process for identifying Politically Exposed Persons (PEPs)
    PEPs are individuals who hold (or have held) prominent public roles: politicians, senior government officials, executives of state-owned entities, military officers. PEPs require specific AML/CTF handling and must be assessed on a case-by-case basis. Foreign PEPs trigger enhanced CDD obligations. Domestic PEPs and international organisation PEPs require additional controls where the customer is assessed as high ML/TF risk. Your program must document how you identify PEPs and what controls apply to each category.
  • Document procedures for non-individual customers (companies, trusts, SMSFs)
    Know Your Business (KYB) obligations apply. You must identify the entity, its beneficial owners (individuals who own or control 25%+ of the entity), and verify their identities. This is significantly more involved than individual CDD and cannot be handled with standard KYC forms.
  • Obtain senior management approval of the completed program
    Your AML/CTF program must be formally approved by senior management (for sole principals, by the principal practitioner) before it becomes operative. This approval must be documented with signature and date. The program cannot be "operative" if it's sitting in draft.
  • Include a sanctions screening procedure in your program
    You must not provide services to individuals or entities on Australian sanctions lists (DFAT) or UN sanctions lists. Your program must document how you screen customers against these lists before and during the transaction.

04 Customer Due Diligence (CDD)

🪪
Step 4: Know Your Customer Processes
Operative from 1 July 2026 for all transactions
FROM 1 JUL
  • Collect and verify identity of all buyers and sellers before providing designated services Critical
    For individuals: full name, date of birth, residential address. Verified against a reliable and independent source, either physical documents (passport, driver's licence) or an electronic verification platform (EVP). You cannot take the customer's word for it.
  • Implement electronic identity verification (EVP) platform or document-based process
    Electronic verification is faster, cheaper per check, and produces a better evidence trail. Providers like VerifiMe, APLYiD, or similar EVPs that access the Document Verification Service (DVS) are the most practical approach for high-volume agencies.
  • Apply Enhanced Due Diligence (EDD) for high-risk customers
    EDD must be applied in high-risk scenarios, including: transactions involving Foreign PEPs or their associates, customers with complex or opaque ownership structures, transactions involving unusually high values or unusual payment methods, and any customer or transaction flagged as elevated risk in your risk assessment. Overseas-resident customers are not automatically subject to EDD as a category, but their risk profile must be assessed. If the risk assessment rates them as higher risk, EDD applies. EDD includes source of wealth and source of funds checks.
  • Conduct ongoing CDD: monitor existing client relationships
    CDD is not a one-time check. You must monitor ongoing client relationships and update customer information when risk profiles change. For real estate, this typically means re-verifying customers at each new transaction, not assuming a previous check is still valid.
  • Document what to do if CDD cannot be completed
    If a customer refuses to provide identity documents, or if verification fails, your program must define what happens next, including whether this triggers a Suspicious Matter Report (SMR). As a general rule, you should not proceed with the designated service if CDD cannot be completed. Note that AUSTRAC's reform guidance does allow for delayed initial CDD in limited circumstances (for example, certain auction situations), where specific conditions are met. Your program should address whether and how this applies to your business model.
  • Obtain senior management approval before providing services to Foreign PEPs
    AUSTRAC requires explicit senior management sign-off before providing any designated service to a Foreign PEP. This approval must be documented. This is not optional even if the transaction appears routine.

05 Transaction Monitoring & Reporting

📊
Step 5: Monitoring and Reporting Obligations
Ongoing from 1 July 2026
ONGOING
Report Type Trigger Deadline Notes
Suspicious Matter Report (SMR) Any activity you suspect may relate to ML/TF/PF, regardless of amount 24hrs (terrorism) / 3 days (other) Do not tip off the customer that an SMR has been filed. "Tipping off" is an offence.
Threshold Transaction Report (TTR) Cash transactions of $10,000 AUD or more Within 10 business days Applies to physical cash. Electronic transfers don't trigger TTRs in the same way.
International Funds Transfer Instruction (IFTI) Sending or receiving funds internationally on behalf of a customer Within 10 business days Transitional arrangements apply. Check AUSTRAC for the latest IFTI timeline.
Annual AML/CTF Compliance Report Each calendar year, covering compliance activities for the prior year 1 Jan – 31 Mar each year Must be lodged whether or not AUSTRAC sends a reminder. Good record-keeping throughout the year is essential to complete this accurately.
  • Train all staff to recognise AML red flags Critical
    Red flag recognition is the frontline of your reporting obligations. If staff don't know what to look for, suspicious matters go unreported. See the red flags list below.
  • Establish an internal reporting pathway for suspicious matters
    Staff must know exactly who to report to internally, and on what timeline. The internal pathway (agent to compliance officer to AUSTRAC) must be documented in your program and trained into your team.
  • Never tip off customers about an SMR filing Critical
    Disclosing to a customer (or any third party) that you have filed or are considering filing an SMR is a criminal offence under the AML/CTF Act. Your staff must understand this absolutely.

Key AML Red Flags for Real Estate Agents

Unusual payment methods Requests to pay in cash, cryptocurrency, or through third parties with no apparent relationship to the buyer or seller.
Price mismatches Buying significantly above or below market value, or requests to under- or over-declare the price on contracts.
Funds from unexplained sources Large deposits or purchase funds that cannot be traced to a plausible income source for the buyer.
Reluctance to provide identification Unusual hesitation or repeated evasion around identity verification requirements.
Transactions involving multiple parties with unclear relationships Funds coming from someone other than the buyer, or contracts being signed by unclear third parties.
Rapid buy-sell cycles Purchasing and immediately re-selling property at a loss or negligible gain. This is a classic layering technique.
Complex ownership structures with no apparent purpose Multiple trusts, offshore companies, or nominee arrangements without clear commercial rationale.
Pressure to close quickly without documentation Urgency to settle with minimal paperwork or pressure to bypass standard CDD processes.

06 Record Keeping

🗃
Step 6: Records Obligations
7-year retention requirement
ONGOING
  • Retain all CDD records for at least 7 years Critical
    This includes identity documents or evidence of verification, risk ratings assigned to each customer, the basis for any EDD decisions, and the source of wealth/funds information collected for high-risk customers.
  • Retain all transaction records for 7 years
    Records of each designated service you provide, including transaction details, parties involved, and any associated reporting (SMRs, TTRs). Records must be retrievable. AUSTRAC can request them at any time.
  • Retain your AML/CTF program and all versions for 7 years
    Every version of your program, including superseded drafts, must be kept. AUSTRAC may want to see how your program evolved in response to regulatory changes or internal incidents.
  • Retain training records for all staff for 7 years
    Date of training, content covered, staff member name, and completion evidence. Without training records, you cannot demonstrate that staff were equipped to conduct compliant CDD.
  • Ensure records are stored securely and retrievable within a reasonable time
    Records don't need to be on paper. Digital storage is acceptable. But they must be secure (protected from unauthorised access), backed up, and capable of being retrieved promptly if AUSTRAC requests them.

07 Staff Training

🎓
Step 7: Training Requirements
Before 1 July 2026 and ongoing thereafter
BY 1 JUL
  • Train all personnel involved in providing designated services before 1 July 2026 Critical
    Training must cover: what ML/TF/PF is and why it matters, your agency's specific red flags, how to conduct CDD correctly, how to use the SMR reporting pathway, and what tipping off is and why it's illegal. Training must be tailored to each person's role and risk exposure. CDD conducted by untrained staff creates a serious compliance risk and may evidence inadequate governance and procedures in an AUSTRAC examination.
  • Train compliance officer to a higher standard than general staff
    Your compliance officer should have a deeper understanding of the AML/CTF Act, the reporting thresholds, EDD procedures, and program review requirements. Consider a specialist AML compliance course beyond the basic staff module.
  • Schedule and document ongoing refresher training Ongoing
    AML/CTF training is not a one-off obligation. AUSTRAC requires training to be provided on an ongoing basis, as often as necessary and tailored to role and risk. As regulations evolve and new staff join, training must be updated and documented. An annual refresher cycle is widely adopted as good practice. Document your chosen cadence in your program.
  • Train new staff before they conduct any CDD
    Any new agent or staff member who will be involved in customer due diligence must complete AML training before they conduct their first verification check. Keep a training register updated with hire dates and training completion dates.

08 Program Maintenance (Ongoing)

🔄
Step 8: Keep Your Program Current
Review triggers and annual obligations
ONGOING
  • Conduct periodic risk assessment reviews and update when triggered Ongoing
    Your risk landscape changes as your business evolves. New services, new client demographics, new payment methods, and AUSTRAC guidance changes all require risk assessment updates. Review should occur at scheduled intervals and whenever a material change triggers it. AUSTRAC's guidance also requires an independent program evaluation at least once every 3 years. Build this into your compliance calendar from year one.
  • Trigger a program review on any material business change
    Material changes include: new designated services, new business lines, significant change in client profile, acquisition of another agency, change in compliance officer, significant regulatory updates from AUSTRAC. Any of these requires a documented program review.
  • Monitor AUSTRAC updates and guidance releases
    Subscribe to AUSTRAC's email updates at austrac.gov.au. AUSTRAC continues to publish sector-specific guidance after 1 July 2026. Your compliance officer must review and act on new guidance as it's released.
  • Lodge your annual AML/CTF compliance report between 1 January and 31 March each year
    Reporting entities must submit an annual compliance report to AUSTRAC covering the previous calendar year. The filing window is 1 January to 31 March. This is a standing obligation, not discretionary, and without thorough record-keeping throughout the year, completing it accurately becomes very difficult.
What "Good" Looks Like to AUSTRAC

AUSTRAC's regulatory expectations for 2025-26 focus on genuine outcomes, not just paperwork. They want to see that your program reflects your actual risk profile, that your staff can demonstrate knowledge of their obligations, and that you're actively monitoring and reporting. A polished document that doesn't match how you actually operate will not satisfy a compliance examination.

Don't Work Through This Alone

GateCrown delivers a complete, done-for-you AML/CTF compliance installation for real estate agencies. Every item on this checklist handled, documented, and ready for 1 July 2026. Fixed fee. No surprises.

Get Your Compliance Package →

Frequently Asked Questions

Do I need to comply if I only manage rentals, not sales?

Generally, no. Property management (leasing, managing existing tenancies) is not a designated service under Tranche 2. AML/CTF obligations apply specifically to brokering the purchase, sale, or transfer of real estate. However, if your agency also handles sales, your program must clearly separate these activities.

I have 18 staff. Can I still use the AUSTRAC starter kit?

No. The starter kit's eligibility ceiling is 15 personnel. With 18 staff, you're outside the criteria and should not use the kit in its standard form. You can use it as a base to build from, but you'll need professional augmentation to address your full risk profile.

What if my overseas buyer doesn't want to provide identity documents?

As a general rule, you should not proceed with the designated service if CDD cannot be completed. You should also consider whether the refusal is itself a suspicious circumstance warranting an SMR. AUSTRAC's guidance does allow delayed initial CDD in limited circumstances, including certain auction scenarios, where specific conditions are met. Your program should document whether and how that exception applies to your business. Document your decision-making in all cases.

Can one compliance officer manage AML/CTF across multiple branches?

Yes. From 31 March 2026, the reformed AML/CTF Act introduces reporting groups, which allow related regulated entities to elect a lead entity whose compliance officer oversees the group's program. This replaces the older business group concept. It requires a formal election and specific documentation. Individual branches cannot simply share a compliance officer without establishing the reporting group structure.

What if AUSTRAC audits us and finds gaps in our program?

AUSTRAC may issue a written direction requiring you to fix the gap, commission an independent audit, or, in serious cases, take enforcement action. If gaps are found, your best position is a genuine, documented effort to comply, evidence of an ongoing review process, and prompt remediation. Courts ultimately determine whether any program meets the law's requirements, which is why precision in documentation matters from day one.

Further Reading

How Much Does AML/CTF Compliance Cost for Real Estate Agents? →Full cost breakdown: setup, ongoing, and by agency size.

AUSTRAC Starter Kit vs Professional Compliance Program →Decide which path suits your agency before you spend anything.

This article is for informational purposes only and does not constitute legal, financial, or professional advice. Content is based on publicly available AUSTRAC guidance, the AML/CTF Act 2006 (Cth), and the AML/CTF Rules 2025. GateCrown is not a law firm. You should seek independent legal advice before relying on this content for compliance purposes. Regulations and penalty unit values are subject to change.