The ML/TF risk assessment is the foundation of your AML/CTF program. AUSTRAC requires you to assess four risk areas - your customers, your designated services, your delivery channels, and the countries you deal with - and document how each creates exposure to money laundering and terrorism financing. Your risk ratings then drive every policy and control in your program. For small agencies, AUSTRAC endorses an impact-only scoring approach. For medium-complexity agencies, use a likelihood x impact matrix. The assessment must be approved by a senior manager, kept current, and updated when your business or the risk environment changes.
What the Risk Assessment Must Cover: The Four Risk Areas
Under section 26C of the AML/CTF Act 2006 and the AML/CTF Rules 2025, your ML/TF risk assessment must identify, measure, and document your agency's exposure across four specific risk areas. These are not optional categories or best-practice suggestions - they are the legislated framework that AUSTRAC will assess your program against.
Customers
Who uses your services - the types of customers you deal with, their risk profiles, and the ML/TF risks they may present to your agency.
Designated Services
What you provide - the specific real estate services you offer that fall within the scope of the AML/CTF Act.
Delivery Channels
How you deliver your services - whether face-to-face, through online platforms, via third-party intermediaries, or through other channels.
Countries and Jurisdictions
Your geographic exposure - the countries and jurisdictions your customers, funds, or transactions are connected to.
Your risk assessment must cover not only the services you currently provide, but also any services you plan to offer in the near future. If your agency is expanding into buyer's agency, property management, or commercial sales, those planned services must be included in the risk assessment before the AML/CTF program is finalised.
The AML/CTF Rules 2025 also require agencies to consider proliferation financing risks - the risk that your services could be used to facilitate the financing of weapons of mass destruction. For most real estate agencies, this risk is low, but it must still be documented. In practice, this is primarily addressed through sanctions screening and country risk assessment.
AUSTRAC's Sources of Information
AUSTRAC expects your risk assessment to be informed by external intelligence, not based solely on your own assumptions about what risks exist in the real estate sector. Before you begin scoring risks, review the following AUSTRAC publications:
- AUSTRAC's ML/TF Risk Assessment Framework Quick Guide for Real Estate Professionals (January 2026) - a sector-specific guide that walks through the four risk areas with real estate examples and a pre-populated template for small agencies.
- AUSTRAC Risk Insights for Real Estate - published risk indicators and typologies specific to real estate transactions, including case studies of how property is used to launder proceeds of crime in Australia.
- AUSTRAC Money Laundering National Risk Assessment 2024 - the national-level risk assessment that identifies real estate as a high-risk sector for money laundering in Australia.
- AUSTRAC Reform Guidance - Step 2: Identify and Assess Your Risks - the general risk assessment methodology guidance applicable to all reporting entities, including real estate agencies.
You should also draw on your own internal data - your customer base, the types of transactions you handle, the geographic markets you operate in, and any suspicious activity or unusual transactions you have encountered. If your agency is newly regulated under Tranche 2, you may not have formal records, but you should still document what you know about your business from experience.
Identifying and Assessing Your Risks
For each of the four risk areas, you need to identify the specific risk factors that apply to your agency and assess how each factor creates exposure to money laundering or terrorism financing. The following cards set out the risk factors AUSTRAC expects real estate agencies to consider, drawn from AUSTRAC's published guidance and the AML/CTF Rules 2025.
Customer Risk Factors
Customer risk is typically the most significant risk area for real estate agencies. The types of customers you deal with, their ownership structures, their source of funds, and their geographic connections all influence the ML/TF risk your agency faces.
- Customers using complex ownership structures - trusts, companies, nominee arrangements High
- Customers who are politically exposed persons (PEPs) or associates of PEPs High
- Customers unwilling or unable to provide standard identification or source of funds information High
- Customers transacting through third parties or intermediaries without clear rationale High
- Customers from or connected to high-risk jurisdictions High
- Customers making large or unusual cash payments Medium
- First-time buyers or investors with no prior transaction history with your agency Medium
- Long-standing customers with established transaction history and consistent behaviour Low
- Customers purchasing owner-occupied residential property with standard mortgage finance Low
Service Risk Factors
Different real estate services carry different levels of ML/TF risk. High-value transactions, services involving complex structures, and services where the agent has limited visibility over the full transaction chain tend to present higher risk.
- Brokering sales of high-value properties where purchase prices significantly exceed market norms High
- Transactions involving cash components or non-standard payment methods High
- Off-market or private treaty sales with limited price transparency High
- Transactions involving property flipping - rapid buy and resell within short timeframes Medium
- Commercial property sales involving complex lease structures Medium
- Acting for both buyer and seller in the same transaction Medium
- Transactions where the stated purpose does not align with the property type or customer profile High
- Standard residential sales at market value with conventional mortgage financing Low
Delivery Channel Risk Factors
How you deliver your services affects your ability to verify customer identity, observe transaction behaviour, and detect suspicious activity. Non-face-to-face channels and those involving intermediaries generally present higher risk.
- Transactions conducted entirely remotely without face-to-face contact High
- Services delivered through third-party intermediaries such as migration agents or overseas representatives High
- Online platforms where customer identity verification is limited Medium
- Instructions received from persons other than the verified customer Medium
- Face-to-face service delivery with in-person identity verification Low
Country and Jurisdiction Risk Factors
Geographic risk relates to the countries your customers, their funds, or their beneficial owners are connected to. AUSTRAC expects you to consider both the source of funds and the nationality or residence of the parties involved.
- Customers or funds originating from countries identified by FATF as high-risk or under increased monitoring High
- Customers or funds connected to countries with known deficiencies in AML/CTF frameworks High
- Transactions involving funds routed through multiple jurisdictions without clear commercial rationale High
- Customers connected to jurisdictions subject to Australian sanctions High
- All parties and funds are domestic with no international connections Low
- Funds originating from countries with robust, FATF-compliant AML/CTF frameworks Low
How to Score Your Risks: Inherent Risk Methodology
Once you have identified the risk factors relevant to your agency, you need to score them. AUSTRAC's guidance distinguishes between two types of risk, and understanding the difference is essential for getting the methodology right.
The baseline level of ML/TF risk before any controls, policies, or procedures are applied.
This is the risk that exists simply because of what your agency does, who it deals with, how it delivers services, and where its customers and funds are connected to.
Newly regulated agencies should focus on inherent risk first. This is the starting point for your risk assessment.
The level of ML/TF risk that remains after your AML/CTF controls are in place and operating effectively.
Residual risk can only be assessed once you have designed, implemented, and tested your controls. For newly regulated agencies, this will come later.
Over time, your program reviews should assess whether controls are reducing inherent risk to an acceptable residual level.
Scoring Approach
AUSTRAC does not mandate a single scoring methodology. The approach should be proportionate to the size and complexity of your agency:
- Small, low-complexity agencies (single office, residential sales, domestic customers) - AUSTRAC endorses an impact-only approach. Rate each risk factor as low, medium, or high impact based on the potential consequences if the risk materialised.
- Medium-complexity agencies (multiple offices, commercial and residential, some international buyers) - use a likelihood x impact matrix. Assess both how likely the risk is to occur and what the impact would be if it did.
- Larger or higher-complexity agencies (high-value markets, significant international buyer base, complex structures) - consider a more granular scoring model with additional risk dimensions, and engage specialist compliance support.
Likelihood x Impact Risk Matrix
For small agencies using impact-only scoring, use the right column only (treat likelihood as implicit).
Worked example: A suburban residential agency in Melbourne with predominantly domestic buyers would likely rate customer risk as low to medium (mostly owner-occupiers with standard financing), service risk as low (standard residential sales at market value), delivery channel risk as low (face-to-face), and country risk as low (minimal international exposure). A luxury agency in Sydney's eastern suburbs with significant international buyers, trust structures, and high-value properties would rate most risk areas as medium to high.
AUSTRAC's guidance uses the word "evaluate" to describe this step. Evaluate means more than just assigning a number. It means documenting the rationale behind each rating - why you scored a risk as medium rather than high, what factors you considered, and what evidence you relied on. This documented rationale is what AUSTRAC reviews when assessing your program. A risk matrix without explanation is incomplete.
From Risk Assessment to AML/CTF Policies
The risk assessment is not an end in itself. Its purpose is to drive the design of your AML/CTF policies and procedures. Every control in your program should be traceable back to a risk identified in your assessment. If you have identified a risk but have no corresponding policy or control, your program has a gap. If you have a policy that does not correspond to any identified risk, it may be unnecessary or your risk assessment may be incomplete.
In practice, this means your risk ratings directly determine the level of customer due diligence you apply, the monitoring intensity you assign, and the escalation thresholds you set. For example:
- Cash transactions rated as high risk - your program should include specific procedures for handling cash payments, including enhanced due diligence triggers, threshold transaction reporting, and escalation protocols.
- Foreign buyers rated as medium to high risk - your program should require enhanced identity verification, source of funds documentation, and country-specific screening for customers from or connected to higher-risk jurisdictions.
- Trust structures rated as high risk - your program should include procedures for identifying beneficial owners behind trust structures, obtaining trust deeds, and verifying the identity of trustees and beneficiaries.
- Digital or remote delivery channels rated as medium risk - your program should include specific procedures for verifying identity remotely, additional verification steps for non-face-to-face transactions, and enhanced monitoring of transactions initiated through online channels.
The link between risk assessment and policy must be explicit. AUSTRAC's good practice guidance notes that agencies should be able to demonstrate how each policy decision was informed by the risk assessment. A program that cannot trace its controls back to identified risks is a program that will not withstand regulatory scrutiny.
When Must You Update Your Risk Assessment?
The risk assessment is not a one-time document. Under the AML/CTF Rules 2025 and AUSTRAC's reform guidance, your risk assessment must be kept current and updated whenever there is a material change to your business, your risk environment, or the regulatory landscape.
AUSTRAC identifies the following triggers for updating your risk assessment:
- New designated services - you start providing a new type of real estate service that falls within the scope of the AML/CTF Act, such as expanding from residential sales into commercial property or buyer's agency.
- New customer types - you begin dealing with a customer segment you have not previously served, such as international investors, corporate buyers, or self-managed super fund trustees.
- New delivery channels - you introduce a new way of delivering services, such as launching an online platform, using a digital identity verification provider, or engaging overseas agents to refer buyers.
- New countries or jurisdictions - you begin dealing with customers, funds, or beneficial owners connected to countries you have not previously had exposure to.
- New AUSTRAC guidance - AUSTRAC publishes updated risk insights, sector-specific guidance, or typologies relevant to real estate that may change how you assess your risks.
- Compliance review findings - your internal compliance review or independent evaluation identifies gaps in your risk assessment, risks that were underrated, or new risks that were not previously captured.
- Suspicious activity or incidents - you identify suspicious transactions, file suspicious matter reports, or become aware of ML/TF activity in your market that suggests your risk profile has changed.
What AUSTRAC Considers Good and Poor Practice
AUSTRAC's Real Estate Program Starter Kit includes a pre-populated risk assessment template designed for small, low-complexity agencies. This template can be a useful starting point, but it must be reviewed, customised to reflect your specific business, and approved by a senior manager before it can be relied upon. AUSTRAC is explicit that the starter kit cannot be adopted without modification. If your agency has any complexity - multiple offices, international buyers, commercial properties, or trust structures - you will likely need a more detailed risk assessment than the starter kit provides.
The Risk Assessment Completion Checklist
- Identify all designated services your agency provides or plans to provide that fall within the scope of the AML/CTF Act.
- Document your customer base - the types of customers you deal with, their typical profiles, ownership structures, and geographic connections.
- Document your delivery channels - how you deliver services, including face-to-face, online, through intermediaries, and any remote or non-face-to-face arrangements.
- Identify and document the countries and jurisdictions your customers, funds, or beneficial owners are connected to.
- Review AUSTRAC's published risk insights, national risk assessments, and sector-specific guidance for real estate.
- For each of the four risk areas, identify the specific risk factors that apply to your agency and assess how each creates ML/TF exposure.
- Choose a scoring methodology proportionate to your agency's size and complexity - impact-only for small agencies, likelihood x impact for medium-complexity agencies.
- Score each identified risk and document the rationale behind every rating.
- Ensure each identified risk has a corresponding control, policy, or procedure in your AML/CTF program.
- Have the risk assessment reviewed and approved by a senior manager, with the approval dated and documented.
- Set a review schedule and document the triggers that will require an update to the risk assessment.
Need Your Risk Assessment Built Properly?
GateCrown builds ML/TF risk assessments for Australian real estate agencies that go beyond the AUSTRAC starter kit - specific to your agency's actual customer mix, transaction types, geographic exposure, and delivery channels, with the documented rationale AUSTRAC expects to see.
Talk to a Compliance Specialist →How Much Does AML/CTF Compliance Cost? →Complete cost breakdown of setup and ongoing compliance costs.
AUSTRAC Starter Kit vs Professional Compliance →Decide which path suits your agency.
AML/CTF Compliance Checklist 2026 →Every obligation your agency must meet, step by step.
Franchise Real Estate Networks →How multi-office and franchise agencies can streamline compliance.
Small Real Estate Agencies Guide →A practical guide for agencies with limited resources.
Staff Training Guide →What to train, who to train, and how to document it.
Independent Evaluation Guide →What the independent evaluation covers and the staggered 2029 deadline.
Customer Due Diligence Guide →Step-by-step CDD for every customer type.
The Complete AML/CTF Guide →GateCrown's comprehensive compliance guide.