Introduction
As a real estate principal, you're likely hearing about AML/CTF programs everywhere but finding little practical guidance on actually building one. This guide breaks down exactly what goes into your program, gives you a working template you can adapt today, and shows you how to implement it without disrupting your operations.
What Tranche 2 Means for Principals
Come July 2026, your real estate agency becomes a "reporting entity" under Australia's AML/CTF Act. This means you need a written AML/CTF program that covers how you'll identify clients, monitor transactions, report suspicious matters, and keep records for seven years.
The good news: you don't need to build a bank-level system. Your program just needs to be appropriate for your agency's size, services and risk profile. A 10-person agency in suburban Brisbane needs something different from a 200-agent franchise network.
The Core Obligations (Real Estate & Conveyancers, Plain English)
KYC/KYB and CDD
Know Your Customer means verifying who your buyers and sellers actually are. Customer Due Diligence goes further - you need to understand beneficial ownership (who really owns that company buying the property), the purpose of the transaction, and source of funds.
Ongoing Monitoring & Red Flags
Watch for changes in client behaviour, unusual payment structures, or transactions that don't match what you know about the client. Example: a retail worker suddenly buying multiple investment properties with cash.
Reporting
Submit Suspicious Matter Reports (SMRs) when something doesn't add up. Threshold Transaction Reports (TTRs) for cash over $10,000. Timeline: SMRs within 3 business days of forming suspicion; TTRs within 10 business days.
Record-Keeping (7 Years)
Every CDD document, transaction record, suspicious matter decision, training log and program update. Store them so you can retrieve any record within hours if AUSTRAC asks.
AML/CTF Program
Your written procedures covering all the above, split into Part A (customer identification and risk assessment) and Part B (training, review and governance). Name your AML/CTF Compliance Officer. Schedule independent reviews every 3 years minimum.
Quick Wins You Can Action This Week
- Map your current client onboarding process - identify what ID you already collect and where the gaps are for beneficial ownership and source of funds verification
- Create a basic risk rating system: Low (local owner-occupiers), Medium (interstate investors, companies), High (foreign buyers, complex structures, PEPs)
- Draft a one-page "unusual transaction indicators" list specific to property: cash deposits over $50k, rapid buy-sell within 6 months, purchase price significantly above/below market value
- Set up a compliance folder structure in your cloud storage: /AML-Program, /Client-CDD, /Training-Records, /Reports-Filed, /Reviews-Audits
- Add a 15-minute AML segment to next week's team meeting covering: what suspicious activity looks like, who to report concerns to internally, no tipping off rules
Step-by-Step: Set Up CDD That Doesn't Slow Deals
Map your client types and services
List every service you provide (residential sales, commercial leasing, property management, buyer's agency) and typical client types for each. Property management might be 90% low-risk local landlords. Commercial sales might include more complex company structures requiring deeper checks.
Define ID + beneficial ownership checks
For individuals, collect driver's licence plus one secondary document. For companies, ASIC search plus identification of all shareholders over 25%. For trusts, trust deed plus trustee and beneficiary identification.
Set refresh triggers
Update CDD when: ownership structure changes, client becomes a PEP, adverse media appears, transaction pattern shifts dramatically, it's been 3 years since last review for high-risk clients.
Create a red-flag list your agents actually use
Client avoids providing financial information, uses multiple solicitors for simple transaction, requests unusual settlement arrangements, buyer never inspects property, payment comes from unrelated third party.
Log decisions + store securely
Every CDD file needs: date collected, who collected it, risk rating assigned, any concerns noted, next review date. Name files consistently like "2026-01-SMITH-John-CDD" for instant retrieval.
For Founders/Principals: Keep Cost & Risk Down
Choose a compliance model that fits your structure. Centralised works for single offices - one person handles all CDD and reporting. Hybrid suits multi-branch agencies - branches do initial ID collection, head office handles verification and monitoring. Decentralised gives each agent responsibility but requires extensive training and quality control.
Assign an AML/CTF accountable person who reports to the board quarterly. This person owns program updates, manages AUSTRAC relationship, oversees training, and makes final suspicious matter decisions. Budget 0.2-0.5 FTE for agencies under 50 people.
Budgeting tips: Digital ID verification ($5-15 per check), sanctions screening ($2-5 per search), online training platform ($50-100 per agent annually), independent review ($5,000-15,000 every three years), ongoing monitoring tools ($200-500 monthly). Start with essentials: program documentation, basic training, manual processes. Add automation as you scale.
For Licensed Conveyancers: VOI vs CDD (Don't Get Caught Out)
VOI confirms someone is who they claim to be. CDD confirms identity PLUS understands the business relationship, source of wealth, transaction purpose, and requires ongoing monitoring. Your existing VOI process becomes step one of five in full CDD.
Practical example: Clean VOI completed for buyer Jane Smith. But CDD reveals funds coming from offshore account in different name, purchase through complex trust structure, and buyer is politically exposed person's spouse. Each element increases risk and triggers enhanced monitoring requirements.
14-Day Action Plan (Printable)
Day 1-2
List all your services, map typical client journey from enquiry to settlement, identify where you currently collect information
Day 3-4
Draft basic CDD checklist (name, address, ID docs, source of funds question, beneficial owner if company) and five red flags relevant to your market
Day 5-6
Create folder structure for records, establish naming convention, test cloud storage access permissions for relevant staff
Day 7-8
Write Part A covering customer identification procedures and Part B covering staff training and program governance
Day 9-10
Run all-hands meeting explaining AML basics, suspicious matter escalation path, and consequence of non-compliance
Day 11-12
Research and trial digital ID verification services, sanctions screening tools, and select preferred providers
Day 13-14
Conduct retrieval test (can you find a specific client file in under 60 seconds?), schedule monthly review meetings for first quarter
FAQs (Real Estate & Conveyancers)
Q: Is VOI enough under Tranche 2?
No. VOI confirms identity only. CDD requires identity verification plus understanding beneficial ownership, transaction purpose, source of funds, and ongoing monitoring for changes or suspicious activity.
Q: When do I file a suspicious matter report?
File within three business days when you form a reasonable suspicion about identity fraud, money laundering, terrorism financing, or any transaction that doesn't make commercial sense given what you know about the client.
Q: What records must I keep for 7 years?
Your AML/CTF program documents, all customer identification records, transaction records, suspicious matter reports (filed or considered but not filed), training attendance logs, independent review reports, and any correspondence with AUSTRAC.
Q: How detailed does my program need to be?
Detailed enough that a new compliance officer could follow it step-by-step. Include specific procedures, not general statements. "Verify identity using 100-point check including one photo ID and one secondary document" not "conduct appropriate identity verification."
Q: Can we share one program across our franchise network?
You can share template procedures, but each reporting entity needs its own program reflecting its specific risks, clients and processes. A Sydney CBD commercial agency faces different risks than a regional Victorian residential office.
Conclusion
Building your AML/CTF program before July 2026 isn't about creating perfect documentation - it's about establishing practical procedures your team can actually follow. Start with the basics outlined here, test them with real transactions, and refine based on what works in your agency. Early preparation means you'll enter the Tranche 2 era confident and compliant, not scrambling to catch up while trying to run your business.
Additional Information
For more comprehensive information on Tranche 2 AML/CTF reforms and regulatory obligations, visit AUSTRAC's official website at: https://www.austrac.gov.au/about-us/amlctf-reform/new-amlctf-rules