Do I need to enrol with AUSTRAC even if my agency is small?

Yes. Enrolment is mandatory for all real estate businesses that conduct conveyancing as a designated service. There is no size exemption - the obligation applies regardless of transaction volume.

Does my existing privacy policy cover the ADM disclosure requirement?

Almost certainly not. From 10 December 2026, any use of automated tools that make or materially contribute to decisions about individuals requires a separate disclosure statement. A general privacy policy does not satisfy this obligation.

Is my PMS vendor responsible for our cyber controls?

No - it is shared responsibility. Your agency is accountable for how the property management software is configured, who has access, and whether offboarding is enforced. Vendor hardening does not equal your compliance.

What is a trust account audit cyber sweep?

A checklist being built into annual trust account reviews by some state regulators: confirming multi-factor authentication, access logs, staff offboarding controls, and payment verification procedures.

When does the Tranche 2 AML/CTF compliance programme need to be in place?

Reporting entities must have a compliant AML/CTF programme in place by 1 July 2026. The enrolment deadline is 29 July 2026.

Compliance Readiness 2026

Real Estate 2026 Compliance Readiness: What Australian Agencies Need to Know

Australian real estate agencies face a wave of converging obligations in 2026. Tranche 2 AML/CTF enrolment is already open - the enrolment deadline is 29 July 2026. Privacy Act reforms take effect 10 December 2026. And settlement scam threats are at record levels.

What is changing for real estate agencies in 2026?

Tranche 2 AML/CTF: Enrolment deadline 29 July 2026; compliant programme required by 1 July 2026.
Read the AML/CTF plain-English guide →
Privacy Act APP reforms: Effective 10 December 2026 - right to erasure, privacy impact assessments, enhanced breach reporting.
ADM disclosure: Automated decision-making statement required by 10 December 2026.
Trust account cyber controls: State regulators building cyber sweeps into annual trust account reviews.
Settlement scam risk: Property sector is the #1 target for business email compromise in Australia.

Why real estate agencies are particularly exposed

No other industry combines settlement money, personal data, trust accounts, AI-assisted appraisal tools, and third-party property management software (PMS) access in a single business. Each of these creates a distinct compliance surface: AML/CTF for the financial flows, Privacy Act and ADM disclosure for the data and automated tools, trust account cyber controls for the financial systems, and business email compromise controls for the settlement process. The convergence means a real estate agency cannot treat any one obligation in isolation - they interact, and a gap in one area can expose the agency on multiple fronts.

Real Estate Agencies

Common blind spots

Check your readiness

Use our free self-assessment tools to identify gaps before your next audit or regulator review.

Real Estate Compliance Quiz - general compliance readiness check
Real Estate AI & PII Compliance Quiz - AI tools and privacy obligations
Real estate compliance toolkit: /toolkit/real-estate

Written by Tim Jones, Founder & Principal Consultant, Nifty Computing

Published 22 April 2026 · Last reviewed 5 May 2026

Applies to: Australia (all states and territories)

Sources: AUSTRAC AML/CTF Act 2006, Privacy Act 1988 (Cth), OAIC APP guidance, State property laws

Need someone to own the fix?

A readiness score is only useful if someone turns it into working controls. Nifty acts as the agency's outsourced internal IT department - one point of call for CRM/PMS access, phones, mobiles, NBN, trust-account workstations, cyber controls and vendor coordination.

See how our ownership model works →

Not sure where to start?

Book a free walkthrough with Nifty Computing - we'll review your readiness score and map out the practical next steps.