Nifty Toolkit · RE-00

The AML/CTF Compliance Officer role - what you've actually signed up for.

If you've been nominated as your agency's AML/CTF Compliance Officer ahead of the 1 July 2026 Tranche 2 commencement, this is the briefing you should have been handed on day one. It covers the role's statutory obligations, training and record-keeping duties, your reporting line to AUSTRAC, and the personal and corporate penalties for getting it wrong.

← Back to the Real Estate toolkit

Who needs a Compliance Officer, and who can be one

Every reporting entity under the AML/CTF Act 2006 (Cth) must designate an AML/CTF Compliance Officer as part of its AML/CTF program. From 1 July 2026, that requirement extends to real estate agencies acting in any of the new Tranche 2 designated services - selling, buying or transferring real estate on behalf of a customer.

The Compliance Officer must be a fit-and-proper person at management level, with the seniority and the resources to actually direct the AML/CTF program. AUSTRAC's published view is that this is not a junior role you delegate to the newest hire - it is a substantive duty holder accountable to the board, partners or licensee.

Many small agencies make the principal or licensee-in-charge their Compliance Officer. That is acceptable provided the person has the time, training and authority to perform the duties; it does not work if the same person is also closing settlements and never sees a Suspicious Matter Report before it is filed.

What the role actually does, in plain English

Eight ongoing duties, all auditable.

01Own the AML/CTF Program
Adopt, review and update the agency's Part A (risk assessment) and Part B (customer due diligence procedures) at least annually, and whenever the business or its risk profile materially changes.
02Direct customer due diligence
Make the call on whether standard, simplified or enhanced CDD applies to each customer. Sign off on ongoing customer due diligence (OCDD) reviews and high-risk escalations.
03Triage and lodge SMRs and TTRs
Receive internal alerts, decide whether a Suspicious Matter Report or Threshold Transaction Report must be filed via AUSTRAC Online, and lodge it inside the statutory deadline.
04Oversee training
Ensure every staff member with a customer-facing role completes initial AML/CTF training, refreshes annually, and signs a training register that you keep.
05Maintain the records
Retain identification, transaction and risk-assessment records for 7 years from the end of the customer relationship or transaction.
06Arrange independent review
Procure and act on an independent review of the AML/CTF Program. Frequency is proportionate to risk - typically every 2 to 3 years for a small agency.
07Report internally
Report at least annually to the board, partners or licensee on AML/CTF program effectiveness, exceptions and remediation. Keep written copies of those reports.
08Liaise with AUSTRAC
Be the named contact for AUSTRAC correspondence, audits and enforceable undertakings. Respond to AUSTRAC notices within the time stated on the notice.

Your reporting line to AUSTRAC

AUSTRAC Online is the regulator's portal where you enrol the agency, lodge Suspicious Matter Reports, Threshold Transaction Reports and International Funds Transfer Instructions, and submit the annual Compliance Report. The Compliance Officer is the listed point of contact in the enrolment record.

Timeframes that matter - Suspicious Matter Reports: within 3 business days of forming the suspicion (24 hours if it relates to terrorism financing). Threshold Transaction Reports: within 10 business days. Annual Compliance Report: by 31 March each year, covering the prior calendar year.

If AUSTRAC issues a notice or commences an audit, do not improvise. Notify the principal and your legal or compliance adviser immediately, and respond inside the deadline on the notice. AUSTRAC's enforcement record shows that cooperation and timely response materially affect outcomes.

Training and record-keeping the officer personally signs off

Maintain a training register listing each staff member, the date of initial training, refresher dates and topics covered.
Retain copies of training materials used, so an auditor can verify content - not just attendance.
Keep customer identification records (the documents and verifications obtained at onboarding) for 7 years after the customer relationship ends.
Keep transaction records (the documents underlying each designated service) for 7 years after the transaction.
Keep risk-assessment records - the Part A document, every update, and the reasoning behind enhanced or simplified CDD decisions.
Keep copies of SMRs, TTRs, working papers and the decision rationale - including decisions not to file. The reasoning matters as much as the filing.

Personal liability - the part nobody told you

The AML/CTF Act 2006 (Cth) carries both civil and criminal liability. Civil penalty contraventions are heard in the Federal Court. AUSTRAC has used these aggressively against banks and is increasingly active against smaller reporting entities.

Civil penalty exposure for an individual is up to 20,000 penalty units per contravention. At the current Commonwealth penalty unit value of $330 (set under s.4AA Crimes Act 1914 (Cth) from 1 July 2025), that is a maximum of approximately $6.6 million per contravention. Bodies corporate face up to 100,000 penalty units - approximately $33 million per contravention.

Criminal liability under s.142 of the AML/CTF Act - providing false or misleading information, or producing a false or misleading document, to AUSTRAC - carries up to 10 years' imprisonment, 10,000 penalty units, or both. This is the offence that catches Compliance Officers who sign off on filings they know are wrong.

Officers can also be personally liable as accessories under s.11.2 of the Criminal Code Act 1995 (Cth), where they aid, abet, counsel or procure a contravention by the reporting entity. In practice, this means: if you knew, or were wilfully blind to, the program failing and did nothing, you carry exposure independent of the agency.

Penalty unit value, maximum civil penalty units per contravention, and the s.142 imprisonment ceiling stated above are current as at 12 May 2026. The Commonwealth penalty unit is reviewed periodically under s.4AA of the Crimes Act 1914 (Cth) - confirm the current value against the Attorney-General's Department before quoting these figures externally.

What the agency itself is on the hook for

The reporting entity - your agency - carries the primary civil penalty risk. AUSTRAC will pursue the entity first and seek officer-level liability where there is evidence of personal culpability or accessorial conduct.

Beyond fines, AUSTRAC's enforcement toolkit includes enforceable undertakings (a public commitment to remediate, often coupled with an independent monitor), infringement notices (smaller administrative penalties), public warning notices, and ultimately deregistration or loss of designated-service authority.

Reputational damage is the under-rated cost. AUSTRAC's enforcement page publishes outcomes by entity name and is indexed by Google. For a real estate brand, that is harder to recover from than the fine itself - vendors and buyers see it before they call you.

What 'good' looks like - your first six months as Compliance Officer

A 90-second sanity check you can use to brief the principal.

Month 1

Complete external AML/CTF Compliance Officer training - any AUSTRAC-aligned course. Keep the certificate.
Read the agency's Part A risk assessment and Part B procedures cover to cover. If there isn't one yet, that is your first project - see the AML/CTF Program Drafting Wizard in this toolkit.
Confirm AUSTRAC Online enrolment lists your name as the Compliance Officer, with current contact details.

Months 2–3

Run initial AML/CTF training for every customer-facing staff member. Record names, dates, topics and the refresher schedule.
Audit the customer identification records for the last 90 days. Gaps go on a remediation log with target dates and an owner.
Decide and document the agency's tiered CDD approach - when does simplified, standard or enhanced due diligence apply, and on what evidence.

Months 4–6

Establish the monthly internal review cadence. Pick a fixed day, walk the checklist, sign the log.
Test the SMR workflow with a real or paper example. Confirm every customer-facing staff member knows how to escalate to you.
Diary the first annual Compliance Report (due 31 March) and the first scheduled independent review.
Brief the principal or partners with a short written status report - program adopted, training complete, SMR pathway tested, records retention working.

If you take one thing from this page

The Compliance Officer role is not optional, not delegable to the newest hire, and not 'just paperwork'. It carries personal civil-penalty exposure into the millions of dollars and criminal exposure up to 10 years. It is also entirely manageable when treated as a substantive role with time, training and authority - which is exactly what AUSTRAC expects, and exactly what your agency principal needs to give you. If you have just been told 'you're the Compliance Officer now' with no further conversation, send this page back upstairs and have that conversation today.

What to do next

Draft your AML/CTF Program →
Generate the Part A risk assessment and Part B procedures the Compliance Officer is required to own.
Read the full AML/CTF guide →
Six-minute plain-English walkthrough of Tranche 2: scope, the 12 setup steps, the per-customer workflow and a glossary.
Acronyms A–Z →
Every AUSTRAC, AML/CTF and FATF acronym you'll encounter, expanded in plain English.
Diary the deadlines →
Download the state-aware compliance calendar so AUSTRAC enrolment, the annual Compliance Report and trust audit dates land in your diary.

This briefing is general information only and is not legal advice. Penalty unit values and statutory references reflect Commonwealth law as at the page's last-reviewed date. Confirm current values and obligations against AUSTRAC guidance and your professional adviser before acting.