Case Study: A Brisbane Property Manager’s First AML/CTF Compliance Audit
The email arrived on a Tuesday afternoon in early January 2026. The subject line read: AML/CTF — Action Required by July 1. Marcus, the principal of a twelve-person residential sales and property management agency in Brisbane’s inner north, read it twice and then put it in a folder labelled “Compliance — 2026.” He had heard about Tranche 2. He knew it was coming. But the deadline had always felt abstract, and right now his rent roll was full, his settlement pipeline was strong, and three of his property managers were stretched thin across 380 properties.
By April, that folder was open every day.
This is the story of how Marcus’s agency went from initial awareness to first lodgement of a suspicious matter report (SMR) in under six months — the decisions that worked, the ones that needed fixing, and what the process revealed about an agency that thought it had solid foundations.
Note: All identifying details in this case study have been anonymised or composited. This account is drawn from common agency experiences during the 2026 Tranche 2 implementation period and is intended for practical guidance only.
Understanding What Had Actually Changed
Marcus’s first mistake was assuming that because his agency was primarily a property management operation, the AML/CTF obligations might not fully apply. Property managers, valuers, and mortgage brokers are not specifically listed by AUSTRAC as providers of the real-estate designated services that commence on 1 July 2026 — and AUSTRAC advises businesses to verify their status using its eligibility checker. That distinction mattered enormously for how the agency scoped its program.
What Marcus’s agency did provide, unambiguously, was sales services — and those were squarely inside the new regime. Businesses providing certain real estate services are required to comply with AML/CTF Tranche 2 requirements from 1 July 2026 where those services are deemed to be ‘designated services’ under the Act. Under Tranche 2, real estate agents and property developers are treated as “reporting entities” that provide services in relation to property transactions, meaning AML/CTF obligations apply to a wide range of property dealings where there is a transfer of ownership or control of real estate.
The legislative basis was clear. On 29 November 2024, Parliament passed the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024 (Cth), amending the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and making the most transformational changes since the Act commenced in 2006. The amendments are likely to result in approximately 90,000 new reporting entities. Marcus was running one of them.
Once the scope question was resolved — his agency’s sales division was in; his pure property management function needed careful verification — the team could start building. The stakes of getting it wrong were not theoretical. If obligations are not met under AML/CTF law, AUSTRAC can take steps to enforce compliance and apply significant penalties up to $6,600,000 for individuals and $33,000,000 for a body corporate.
Step One: The Initial Assessment
Marcus appointed himself as the agency’s AML/CTF Compliance Officer (AMLCO), a decision that made sense given the agency’s size. The AML/CTF compliance officer must be at management level and is required to ensure compliance with the provider’s AML/CTF obligations. For sole traders and small-to-medium enterprises, this will likely be the owner or principal of the business or someone in senior management.
His first structured task was a gap analysis — assessing what the agency already did versus what it would need to do. He pulled three months of file samples across both sales and property management and asked a simple question at each step: Do we know who this person actually is?
The answer was uncomfortable. The agency verified identity for some sales clients, inconsistently, using photocopied drivers’ licences that sat in a manila folder. It had no systematic process for beneficial ownership — if a buyer was purchasing through a company or family trust, the agency had no standard inquiry. It had no sanctions screening. It had no documented risk rating for any client, new or existing.
What it did have was a strong trust account framework under the Property Occupations Act 2014 (Qld), meticulous monthly reconciliations, and a clean audit history. Those foundations were not nothing — but they addressed state-level obligations, not the new federal regime. Real estate trust account regulations can feel manageable until one missed process turns into an audit issue or compliance breach. In 2026, agencies need to manage trust account regulations alongside new AUSTRAC AML/CTF obligations and increased public scrutiny from regulators.
The gap analysis produced a working list of eight areas requiring policy, process or technology. Marcus estimated it would take roughly ten weeks to build a compliant program from scratch — and he started in early February, five months before the July deadline.
Step Two: Risk Rating the Client Base
Before the agency could write a single policy, it needed a money laundering and terrorism financing (ML/TF) risk assessment. A risk assessment requires identifying and assessing money laundering, terrorism financing and proliferation financing risks. This wasn’t optional housekeeping — it was the analytical foundation on which every policy decision downstream would rest.
Marcus worked through four risk dimensions for the agency’s sales operations: customer risk, transaction risk, product and service risk, and delivery channel risk.
Customer risk was where the exercise became genuinely illuminating. The agency’s sales pipeline included a consistent cohort of overseas buyers — primarily from Southeast Asia — purchasing properties in the $600,000–$1,200,000 range. Some were buying through corporate structures. A handful had limited interaction with the agency directly, relying instead on intermediaries. Using third parties such as accountants, lawyers, and buyer’s agents can also hide the true identity of the buyer. That pattern elevated several buyer files to a higher inherent risk rating than Marcus had previously considered.
The agency also carried clients who were politically exposed persons (PEPs), though it had never formalised that category. Customers who operate a charitable trust and buy a luxury property, or who are a politically exposed person (PEP) or closely linked to one, are red flag indicators — and foreign PEPs must always be treated as high-risk customers.
Transaction risk mapped to the types of deals the agency handled. All-cash purchases — where a buyer needed no bank finance — drew the most attention. For non-financed purchases, the risk can be more significant. Criminals can avoid customer due diligence obligations and the regulated loan market if they can self-finance. Marcus had settled three all-cash sales in the previous twelve months. None had been subject to any enhanced scrutiny. They were now flagged for retrospective review.
Delivery channel risk captured how clients were onboarded. Delivery channel risk is how you onboard and provide services to customers. The risks are higher when you act remotely or through intermediaries. About 20 percent of the agency’s buyers in the past year had been introduced remotely — offshore enquiries, interstate buyers, and purchasers represented by a third-party agent in a conjunction arrangement.
By the end of the risk assessment process, the agency had segmented its client-facing work into three tiers: low-risk (local buyers, standard finance, face-to-face), medium-risk (domestic company or trust structures, interstate buyers using intermediaries), and high-risk (overseas buyers, all-cash purchases, PEPs, complex or opaque ownership structures). The level of information collected and verified to complete customer due diligence (CDD) will depend on the ML/TF risk profile of the customer. Enhanced CDD must be applied in high-risk scenarios. Simplified CDD may be applied in low-risk scenarios.
The completed risk assessment wasn’t a declaration that the agency was laundering money. It was evidence that the agency understood its exposure — and that it had a documented, defensible basis for the policies it would build next. That distinction matters when AUSTRAC comes asking.
Step Three: Building the AML/CTF Program
An AML/CTF program protects a business from criminal exploitation through money laundering, terrorism financing and proliferation financing. It helps fulfil obligations and contributes to a safer Australian financial system. It must include a risk assessment — identifying and assessing ML/TF risks — and AML/CTF policies: developing and maintaining appropriate policies, procedures, systems and controls to manage and mitigate those risks.
Marcus worked with a compliance consultant to build a two-part written program. Part A covered governance — the agency’s AML/CTF governance structure, risk assessment methodology, transaction monitoring approach, staff training requirements, and reporting obligations. Part B covered customer due diligence procedures — the specific steps staff would follow at client onboarding, what information was required at each risk tier, and how enhanced due diligence would be triggered and documented.
Several decisions during the build phase shaped the program’s practical design.
Customer Due Diligence Procedures
For standard sales clients, the agency adopted a digital identity verification process integrated into its existing CRM. New buyers and vendors would complete identity verification before the agency took any action on their behalf. The agency’s long-standing practice of accepting a scanned driver’s licence was replaced with DVS-connected verification that confirmed the document against the government’s Document Verification Service.
For medium-risk clients — companies and trusts — the agency built a beneficial ownership checklist requiring agents to identify and verify individuals with greater than 25 percent ownership interest. This was new territory for most of the sales team, who had never been asked to look behind a company name before.
For high-risk clients, the program required enhanced customer due diligence: source of funds documentation, enhanced identity checks, AMLCO sign-off before any listing or buyer engagement proceeded, and documented rationale. For businesses captured by AML/CTF reforms, they need to perform initial and ongoing customer due diligence and enhanced due diligence for any potential high-risk customers and implement AML controls as part of an ongoing risk-based program for compliance.
Record Keeping
The program codified record-keeping requirements. Comprehensive records of customer identification, transactions, and AML/CTF program activities must be maintained for a period of seven years. These records are subject to inspection by AUSTRAC. Every CDD file, every risk rating, every decision to proceed or decline — all of it required retention in a structured, searchable format. The agency’s existing property management software was adequate for transactional records; compliance-specific documentation moved to a dedicated folder structure within the agency’s cloud storage, access-controlled and time-stamped.
AUSTRAC Enrolment
Enrolment opens 31 March 2026 for newly regulated industries. Marcus enrolled within the first week the portal was available. It took approximately forty minutes. The AMLCO details, agency ABN, and designated services provided were all logged. The agency’s enrolment number became the reference point for all subsequent reporting. There was no good reason to delay this step — and several good reasons not to.
Step Four: Training Staff
Practitioners must ensure all staff receive appropriate AML/CTF training, covering both the requirements of the regime and the practice’s internal processes. For Marcus, this was the step he had underestimated most. Writing a program is one thing. Getting a team of twelve — including three property managers, five sales agents, a receptionist, and two administrative staff — to understand and apply it is another.
He ran two mandatory training sessions in April, both held in the agency’s boardroom on a Saturday morning. The sessions covered three areas: the legal framework and why the obligations existed; the agency’s specific policies and what staff were required to do; and how to identify red flags and escalate concerns to the AMLCO.
The red flag training was the most engaging part of both sessions. Staff who had spent years in property could name the patterns intuitively — they’d just never had a framework to act on them. The training gave language to instinct. It also gave staff permission to ask uncomfortable questions of clients, which several agents had previously avoided out of concern it would seem intrusive or damage the relationship.
Preparing personnel is critical to help meet AML/CTF obligations. Personnel due diligence and training ensure that people performing AML/CTF functions in a business have the right skills, knowledge and integrity to meet obligations and manage risk — and they must understand how to identify, manage and mitigate ML/TF risks.
Two things came out of the training sessions that Marcus had not anticipated.
First, one of the property managers flagged a landlord on the rent roll — a company entity whose beneficial ownership had never been confirmed — and asked how to handle re-verification of existing clients. It was a fair question. The program needed a transition procedure for existing clients who would be receiving designated services going forward. Marcus added it.
Second, an agent raised a scenario: what if a client asks why they’re being asked for source of funds information? The training had covered the tipping-off prohibition — SMRs submitted by a reporting entity are subject to the tipping-off prohibitions outlined in section 123 of the AML/CTF Act, which means a reporting entity must not disclose that a suspicious matter report has been communicated to AUSTRAC. But agents also needed confident, client-appropriate language that explained CDD requests without creating suspicion or alarm. They drafted a brief script: “As part of our compliance with Australian financial regulations, we’re required to collect and verify this information before proceeding. It’s the same process our solicitors and banks use.” Simple, accurate, non-alarming.
Step Five: The First Suspicious Matter Report
It came in May, three weeks before the July deadline.
One of the agency’s senior sales agents was working with a buyer who had originally been rated medium-risk — an individual purchasing through a discretionary family trust, with a local solicitor acting on his behalf. The property was a three-bedroom townhouse in Newmarket, listed at $895,000. The buyer had been introduced by another agency in a conjunction arrangement.
During the CDD process, several things accumulated that individually seemed explainable but in combination prompted escalation to Marcus. The buyer’s identity documents had been provided by the conjunction agent and had not been independently verified by Marcus’s agency. The source of funds for the deposit — $89,500, paid by bank transfer — came from an account held in a different name than the purchaser, with no documented explanation for the third-party payment. When the agent asked about this, the solicitor’s office said it was “handled” and requested they proceed to contract.
The buyer had little apparent interest in the physical property — no inspection had been requested, and the offer had been made at list price with no negotiation, after a single inspection by the conjunction agent.
Third parties being responsible for all transactions, costs and/or repayments associated with a property without a clear reason for being involved is a red flag indicator. The pattern also matched another indicator: a customer having funds or transaction activity that doesn’t match their financial standing, and refusing to identify the source of their wealth or providing unclear information.
Marcus reviewed the file the same afternoon. He did not contact the buyer’s solicitor to ask further questions — that risked a tipping-off issue. He documented every element of his reasoning in the agency’s compliance file: what had been observed, by whom, on what date, and why it met the threshold of reasonable suspicion.
A Suspicious Matter Report (SMR) is a report you must submit to AUSTRAC when you have reasonable grounds to suspect that a customer or transaction is linked to criminal activity. The clock starts when the suspicion is formed, not when the transaction occurs. Marcus had formed his suspicion on a Thursday afternoon. An SMR must be submitted within three business days of forming the suspicion in most cases. That meant the report needed to be in by the following Tuesday.
He lodged it on Monday morning, through AUSTRAC Online. The SMR included all six elements AUSTRAC requires: who was involved, what the transaction was, where it occurred, when each relevant event happened, why it was suspicious, and how the suspicious activity had manifested. Full visibility of suspicious activity requires that SMRs contain the six essential key elements — who, what, where, when, why and how.
The transaction did not proceed. The buyer withdrew before contracts were exchanged, citing a change in circumstances. Marcus received no further communication from AUSTRAC about the report — which is normal. SMRs alert authorities to potential money laundering, terrorism financing, proliferation financing and other crime. It’s vital that SMRs are accurate and timely to help combat crime and protect the community.
Whether the suspicion was correct or not, the agency had done exactly what the law required.
The Post-Implementation Review
Marcus conducted a brief internal review in late June, before the July 1 deadline. The questions he asked of his own program were blunt: What worked? What was harder than expected? What would break under volume?
The CDD process for standard low-risk clients was working smoothly. Digital identity verification added less than five minutes to the onboarding workflow and had been accepted without complaint by clients. The medium-risk process — beneficial ownership for companies and trusts — was taking longer than anticipated because agents were sometimes uncertain about which documents to request and how to assess the responses. That pointed to a training gap, not a policy gap.
The high-risk process had only been triggered once. That was the SMR file. Having the AMLCO involved in every high-risk onboarding was manageable for one transaction but would create a bottleneck at volume. Marcus began drafting a delegation matrix that would allow a senior sales agent to handle enhanced CDD under defined conditions, with AMLCO review within 24 hours.
One area where the program had underperformed: the conjunction arrangement. The SMR file had come through a conjunction, and the initial CDD had been provided by the referring agency. Agencies can rely on another Tranche 2 entity, such as a lawyer or conveyancer, to complete client onboarding checks and share them. The reliance option reduces the need for agents to repeat identity verification checks while still meeting compliance obligations. But that reliance framework requires a documented agreement — a formal acknowledgement from the relying entity and the relied-upon entity. Marcus’s agency had no such agreement in place. The SMR had exposed the gap. The policy was updated before July 1.
What This Means for Queensland Agents
The experience described here is not unusual. Across Queensland, hundreds of agencies spent the first half of 2026 doing exactly what Marcus’s did: starting later than ideal, discovering that existing processes were less documented than assumed, and finding that training surfaced operational questions that no one had asked before.
Several things are worth carrying forward from this account.
Scope before you build. The first step is confirming whether you are a reporting entity and which of your activities constitute designated services. Impacted businesses must assess whether they are providing designated services, and if so, take action to enrol with AUSTRAC and implement an AML/CTF program. Getting this wrong early means building a program that either over-reaches or leaves genuine obligations unaddressed. Use AUSTRAC’s eligibility checker, and if you operate both sales and property management, assess each stream separately.
The risk assessment drives everything. Agencies that skip a genuine risk assessment and go straight to policy-writing produce documents that don’t reflect their actual business. A risk assessment must identify and assess money laundering, terrorism financing and proliferation financing risks, and the policies developed must be appropriate to manage and mitigate those risks. The risk assessment is also what AUSTRAC will examine first if they audit you — it’s the evidence that your program is genuinely risk-based, not a generic template.
Train for the conversation, not just the compliance. The agents in this case study already had good instincts about suspicious patterns. What they lacked was the permission structure and the vocabulary to act on them. Training that only explains the legislation without preparing staff for the client interaction creates agents who know what they should do but hesitate to do it. Conjunction arrangements, remote onboardings, all-cash transactions, opaque structures — these are the scenarios that need to be rehearsed in training, not just listed in policy.
The tipping-off prohibition is non-negotiable. Tipping off under section 123 of the AML/CTF Act is a criminal offence with a maximum of imprisonment for two years or 120 penalty units, or both. Every agent who might be involved in a suspicious transaction needs to understand this clearly. The right process — document internally, escalate to the AMLCO, submit the SMR — must be embedded before the situation arises, not improvised during it.
Lodging an SMR does not mean accusing your client. One of the most persistent hesitations agents express is that filing an SMR feels like an accusation. It isn’t. It is the reporting of a suspicion formed on reasonable grounds, submitted to AUSTRAC for assessment. On their own, one indicator may not suggest suspicious activity. If you’re unsure whether there are reasonable grounds for a suspicion, you should conduct further monitoring and examination, including applying enhanced customer due diligence measures. Reasonable grounds are an objective standard — what a reasonable person in your position, with your knowledge, would conclude from the available facts.
An independent evaluation is coming. AUSTRAC requires an independent evaluation of an AML/CTF program at least once every three years, with staggered first-evaluation deadlines under the Transitional Rules 2026. Building a program that is genuinely operational — not just documented — is the difference between a clean evaluation and a costly remediation. Start as you mean to go on.
The July 1, 2026 deadline is not a finish line. It is a baseline. For agencies like Marcus’s, the work of building a robust, living AML/CTF program — one that updates when the client base changes, when new services are offered, when staff turn over — has only just begun.