The professional reference for Queensland real estate agents A publication by Shaka.deal
Get Paid at Settlement

What Is Risk Assessment in Queensland Real Estate? Definition and Agent Guide

What Is Risk Assessment in Queensland Real Estate? Definition and Agent Guide

A risk assessment under Queensland’s AML/CTF obligations is a mandatory, written document in which a real estate agency identifies and evaluates the money laundering, terrorism financing, and proliferation financing (ML/TF/PF) risks posed by its clients, transactions, services, and operating environment. It is the foundational component of a compliant AML/CTF program — not an optional governance exercise, and not something that can be delegated to a generic template pulled from the internet. Every compliance obligation that follows from enrolment with AUSTRAC flows from this document. Get the risk assessment right, and the rest of the program becomes coherent. Get it wrong, and every other step is built on a flawed foundation.

How Risk Assessment Works in Queensland Real Estate AML/CTF Compliance

The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 passed Parliament on 29 November 2024. Tranche 2 of that Act comes into force on 1 July 2026 and will include professions such as solicitors, accountants, conveyancers, and real estate agents. From that date, any Queensland agent who brokers the sale, purchase, or transfer of real estate — whether acting for the buyer or the seller — becomes a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act), as amended.

As part of an AML/CTF program, a reporting entity must identify and assess its ML/TF risks, and then develop and maintain appropriate policies, procedures, systems, and controls to manage and mitigate those risks. The risk assessment is the first and most critical of those two obligations. It does not describe what you will do if a suspicious client walks through the door — it describes, in structured and documented form, the likelihood and impact of money laundering or terrorism financing occurring across everything your agency does.

Risk assessments are now explicitly the foundation of an AML/CTF program. They are not a “one and done” or “set and forget” exercise. AUSTRAC’s guidance requires agencies to structure their assessment around four primary risk categories: AUSTRAC’s position is that reporting entities must consider a wide range of risk factors, including customer types, geographic locations, products and services offered, and delivery channels.

Under each of those four categories, a Queensland agency must assess its specific circumstances. Customer risk requires consideration of who the agency actually deals with: factors include customers with cash-intensive businesses (which presents an opportunity to mix illicit physical cash with legal earnings), people who buy or sell for others (which can hide the buyer’s identity), customers connected to industries associated with higher ML/TF risks, remote buyers who haven’t personally inspected the property, and politically exposed persons (PEPs), because of their exposure to fraud, bribery, corruption, and links to high-risk jurisdictions.

Geographic risk is particularly relevant for Queensland agencies operating in markets that attract significant offshore investment — Brisbane’s inner-ring suburbs, the Gold Coast, and the Whitsundays are among the areas that routinely attract buyers from high-risk jurisdictions. A customer’s connection to high-risk jurisdictions — where customer funds originate from countries with poor AML/CTF regimes — is a recognised risk factor. Delivery channel risk matters because purely online or non-face-to-face service delivery tends to carry higher ML/TF risk than in-person engagement. An agency that frequently transacts with remote buyers it has never met in person faces a materially different risk profile from one operating purely in a local residential market.

The risk assessment requires agencies to decide how to respond to each risk based on its risk rating — low, medium, or high. High-rated risks will need additional controls to mitigate or manage them, which may include limiting the channels and services that high-risk customers can use, and increasing the monitoring of customer transactions and behaviours. The output of the risk assessment then directly determines how the agency’s customer due diligence (CDD) procedures work: low-risk clients may only require simplified due diligence, while high-risk clients or transactions may require enhanced due diligence (EDD).

An AML/CTF program must be documented and approved by a senior manager of the business. It must be kept up to date, including to reflect significant changes to the business and relevant ML/TF risk information released by AUSTRAC. It must also be independently evaluated at least once every three years.

Why Risk Assessment Matters for Queensland Agents

The scale of the problem the legislation is designed to address is not abstract. Between 2019 and 2024, the Australian Federal Police seized over A$1.1 billion in illegal assets — more than A$720 million of which was in real estate. In 2023 alone, the authorities reported confiscating A$229 million in allegedly laundered real estate, alongside bank accounts, cars, fine art, yachts, and other high-value luxury items. Queensland’s property markets — the Gold Coast in particular — have featured prominently in proceeds of crime investigations for over two decades.

AUSTRAC’s money laundering national risk assessment found the real estate sector poses a high money laundering risk in Australia. AUSTRAC has, in various public assessments, flagged domestic real estate as presenting a very high money laundering risk, reflecting factors such as high transaction values, complex ownership structures, and the potential for large sums of money to be invested or transferred through property transactions. Real estate as an asset class also draws a high volume of international investment, which AUSTRAC has noted can make it highly desirable as a means to transfer and store wealth.

In its Mutual Evaluation Report of Australia, the Financial Action Task Force (FATF) referred to the lack of oversight regulating real estate agents’ and lawyers’ compliance with anti-money laundering and counter-terrorism financing legislation, notwithstanding this being a high-risk area for money laundering. That gap in oversight is precisely what the Tranche 2 reforms are designed to close. The reforms bring Australia closer to international standards set by the Financial Action Task Force, addressing concerns that the property sector has become a blind spot in the national fight against financial crime.

For a Queensland agent, the risk assessment matters in practical terms because it is the document that, if AUSTRAC ever conducts a compliance review, demonstrates that the agency understood its specific risks and took a considered, documented approach to managing them. A generic risk assessment copied from a template and left unchanged is not evidence of compliance — it is evidence of the opposite. AUSTRAC can take enforcement action for non-compliance, which may result in civil penalty orders of up to $33 million for businesses and $6.6 million for individuals. Other regulatory actions include enforceable undertakings, infringement notices, and remedial directions. Additionally, written notices may be issued directing a business to appoint an external auditor to evaluate its management of money laundering, terrorism financing, and proliferation financing risks.

Failure to enrol with AUSTRAC by the prescribed date may result in penalties that include daily fines of up to $19,800 for businesses and $3,960 for individuals. These are not theoretical outcomes. AUSTRAC has a well-documented history of active enforcement in the financial services sector, and there is no reason to expect a softer approach to real estate.

What the Law Requires

The AML/CTF program must be written, ongoing, and regularly updated, outlining how the business identifies, mitigates, and manages the risks of its services being used for money laundering, terrorism financing, or proliferation financing. The program must be tailored to suit the nature, size, and complexity of the business, and should include a comprehensive risk assessment along with documented policies, procedures, systems, and controls.

When the Tranche 2 entities’ provisions commence on 1 July 2026, the AML/CTF Act will apply to approximately 70,000 additional businesses, bringing the total number of reporting entities to around 90,000. Real estate professionals are specifically captured. From 1 July 2026, real estate agents who broker property transactions and property developers who sell directly off-the-plan without engaging an independent agent will be deemed “reporting entities” under the national AML/CTF and proliferation financing regime.

A key factor in determining whether the services you provide are captured depends on the nature of the service, not just the profession of the provider. If you are providing a designated service, AML/CTF obligations will apply, regardless of whether you are a sole practitioner or a large firm. A principal running a ten-person agency in Cairns faces the same foundational obligations as a national franchise network — the difference is in the complexity and scale of what the risk assessment must cover, not whether one is required.

Under AUSTRAC’s requirements, you must review your risk assessment at least once every three years. Your review must be appropriate to the nature, size, and complexity of your business. A review will also be required where certain triggers occur — for example, where AUSTRAC communicates information that identifies or assesses risks associated with the reporting entity’s provision of its designated services, or where there is a significant change to any of the factors in the risk assessment. Where the change is within the entity’s control, the review must be completed prior to the change taking place. Where it is outside the entity’s control, the review must be completed as soon as practicable after the change.

Businesses must maintain records of all due diligence activities, transaction reports, and relevant correspondence for at least seven years. Customer due diligence records must be kept for at least seven years from the date the business relationship ends. These are not suggestions — they are legally mandated minimum periods, enforceable under the AML/CTF Act.

Common Mistakes to Avoid

The most prevalent error Queensland agencies will likely make is treating the risk assessment as a compliance form to be filed rather than a working analytical document. The most common mistake agencies make is treating the program as a box-ticking exercise rather than a working document. A program that sits in a drawer and is never updated provides little protection — legally or practically.

A related mistake is failing to tailor the assessment to the agency’s actual client base and transaction mix. AUSTRAC’s guidance makes clear that risk assessments must reflect the specific nature of the business. An agency that handles predominantly first-home buyer transactions in outer Brisbane suburbs faces a genuinely different risk profile from one specialising in off-the-plan sales to overseas investors on the Gold Coast. Both need a risk assessment — but they should not produce the same document.

Agencies that operate in multi-office or franchise structures should also be aware of their obligations within a reporting group. Where there are multiple members of a business group that provide designated services, a “lead entity” will need to be appointed to be responsible for assessing risk across the business group and at the level of each member, and developing an enterprise-wide AML/CTF program. This does not eliminate the need for an individual agency to understand its own risk exposure — it centralises some of the program administration but retains each entity’s underlying obligations.

Proliferation financing is another category that Queensland agents may overlook. The regulations now explicitly cover the concept of “proliferation financing,” referring to the financing of the development, sale, or use of weapons of mass destruction. While this risk is acknowledged to be lower in typical residential real estate transactions than money laundering risk, it must still be considered and documented in the risk assessment.

Finally, agencies must not rely on third parties to discharge their obligations without appropriate documentation. In some cases, an agency can rely on another reporting entity — such as a franchisor or conveyancer — to complete customer verification, but it must be covered by a written agreement, completed within 15 days of contract exchange (or settlement, whichever comes first), and the agency still carries ultimate responsibility.

What Queensland Agents Need to Know About Risk Assessment

Enrolment Comes First, But the Risk Assessment Drives Everything

If you provide a designated service with a geographical link to Australia, you must enrol with AUSTRAC. Enrolment opens 31 March 2026 for newly regulated industries and cannot be done earlier. Enrolment is the gateway — but it is the risk assessment that gives the rest of the program its structure. Queensland agencies within the real estate industry captured by the AML/CTF Act must ensure they conduct a comprehensive ML/TF risk assessment to identify, assess, mitigate, and manage ML/TF risk exposures. This is a critical first step in complying with the AML/CTF Act and AML/CTF Rules by 1 July 2026.

AUSTRAC has developed a Starter Program specifically for real estate agencies — a set of customisable documents including a program template, a risk assessment document, and a process document, with common real estate risk factors already identified. The Starter Kit is designed for agencies with 15 or fewer personnel providing only one designated service (brokering real estate). Agencies with more than 15 staff, multiple designated services, or complex business structures will need a more comprehensive program that goes beyond what the Starter Kit covers.

For larger Queensland agencies — particularly those with commercial and residential divisions, property management arms, or active involvement in off-the-plan project sales — the risk profile is substantially more complex. For larger real estate agencies and developers, this may mean dedicated compliance personnel or third-party support.

The Risk Assessment Must Reflect Your Actual Business

The risk assessment is a bespoke document. It cannot legitimately describe a fictional agency — it must describe yours. That means documenting the actual types of properties you sell, the types of buyers and sellers you work with, the jurisdictions those clients come from, and how you deliver your services (in-person, remote, through referrers, or through third-party platforms).

Tranche 2 also flags specific behavioural indicators that real estate agents will be expected to consider as part of a risk-based approach: remote buyers who have never personally inspected a property, customers purchasing on behalf of undisclosed third parties, and politically exposed persons that may require enhanced due diligence due to their potential exposure to fraud, bribery, or links to high-risk jurisdictions. Each of these factors needs to be addressed in the risk assessment in the context of your agency’s actual client base — not as a general acknowledgment, but as a specific risk rated for likelihood and impact.

At the heart of the amended regime is the increased importance of the money laundering and terrorism financing risk assessment, which must now also include proliferation financing risk. Reporting entities will be required to ensure that their AML/CTF program responds in a more bespoke manner to the ML/TF risks identified in their risk assessments. This represents a deliberate move away from prescriptive, one-size-fits-all compliance and toward genuine risk-based thinking. Regulators will be looking for evidence that an agency understood its own risk profile — not that it downloaded a document.

Who Is Responsible

Each reporting entity must appoint an AML/CTF compliance officer (AMLCO) responsible for overseeing risk assessments, policies, training, transaction monitoring, and AUSTRAC reporting, as well as ensuring AML/CTF policies are effectively implemented. AUSTRAC must be notified within 14 days of appointing an AML/CTF compliance officer. In practice, this is typically the principal licensee in a Queensland agency. For smaller businesses, this role is often fulfilled by a senior manager.

The compliance officer does not need to be the person who drafts the risk assessment, but they are accountable for its accuracy, its currency, and its integration into how the agency actually operates. Updates to AML/CTF policies must be documented in the AML/CTF program within 14 days after making the update. This means the updates must be recorded in writing, along with the dates that the changes were made.

What This Means for Queensland Agents

The risk assessment is not a bureaucratic formality that arrives with the Tranche 2 reforms and then sits in a compliance folder. It is a live document that reflects how your agency actually operates, who your clients are, and where your exposure to financial crime risk genuinely sits.

Real estate is one of the most common property types found by law enforcement in relation to proceeds of crime investigations. This shows its popularity as an asset and the ease with which illicit funds can be laundered or invested in this sector. Queensland’s major markets — particularly the Gold Coast, Brisbane’s inner suburbs, and coastal resort markets — carry higher inherent risk profiles than a regional residential agency with a stable local client base. Your risk assessment must reflect that honestly.

Every Queensland agent who brokers property transactions needs to act now. Steps new Tranche 2 reporting entities can take now to stay ahead of the curve include preparing their ML/TF risk assessment, either internally or by engaging an external qualified risk consultant, and identifying senior management personnel to take carriage of AML/CTF compliance, including board and staff training to raise awareness of the business’ imminent AML/CTF obligations.

The obligations are law. If you are caught under Tranche 2, you will be required to comply by 1 July 2026. This date is legislated, so understanding your obligations is essential to being adequately prepared. AUSTRAC’s guidance, including the Real Estate Sector Starter Program and the Risk Insights and Indicators of Suspicious Activity for the Real Estate Sector, is available at austrac.gov.au and is the appropriate starting point for any Queensland agency working through this process for the first time.

Powered by Shaka.deal

Split your conjunction commission on-chain. Instant. Irrevocable.

Queensland.estate is a publication by Shaka.deal — an on-chain payment routing tool that lets Queensland agents route commission splits to multiple wallets simultaneously at settlement. 1% fee.

Get Paid at Settlement →