2026 Compliance Readiness Assessment

    Is your agency ready for the 2026 compliance landscape?

    A 20-question diagnostic for Australian real estate agencies - sales, property management, and trust-account-holding offices in every state. See where you stand against the Privacy Act reforms, the AUSTRAC Tranche 2 regime commencing 1 July 2026, the OAIC's active 2026 enforcement focus on the property sector, and the cyber controls insurers and aggregators now expect. Each weak answer returns a specific fix you can hand to your IT or compliance lead.

    What's changing (and already changed) for Australian real estate agencies
    • 10 DEC 2026 - Automated Decision-Making (AI) disclosure rules take effect under the Privacy Act
    • 29 JUL 2026 - AUSTRAC Tranche 2 enrolment deadline - real estate enters the AML/CTF regime
    • 1 JUL 2026 - AML/CTF obligations commence for real estate (sales, purchase, transfer)
    • CURRENT - OAIC privacy compliance sweep underway - property sector named as a priority

    Property management and leasing are out of AUSTRAC Tranche 2 scope; sales, purchase, and transfer are in scope.

    Your privacy. Your individual answers stay on your device - we don't store them. When you finish, we save an anonymous record of your scores (industry, overall and per-category percentages, state, business type) so we can show how you compare to others in your industry. We also log anonymous counts for when a quiz is started, when a report is downloaded, and (if you later request it) when one is emailed - no identifying information is attached to any of these. We never capture your name, email, IP address, or any business identity.

    20 questions, 10 risk areas.

    Full quiz content - Real Estate Compliance Quiz 2026 - Privacy Act, AUSTRAC Tranche 2 | Nifty Computing

    This index lists every question, every answer option with its score, every tier band, every recommendation, and every regulatory source used by the real estate compliance readiness quiz.

    Tier scoring

    • Compliance Ready - score ≥ 85/100, review every 12 months. Your agency demonstrates strong compliance maturity across the Privacy Act, AML/CTF, and client-data handling. Maintain annual reviews and keep pace with emerging reforms. Recommended next review: 12 months.
    • Good - Minor Gaps - score ≥ 70/100, review every 12 months. Solid foundations with targeted gaps to address before the December 2026 ADM deadline and July 2026 AML/CTF enrolment. Work through the priority findings below. Recommended next review: 12 months.
    • Moderate Risk - Action Needed - score ≥ 50/100, review every 6 months. Several material gaps in your compliance practices. Given the active OAIC focus on real estate and the AML/CTF transition, prioritise the findings below over the next 1–3 months. Recommended next review: 6 months.
    • High Risk - Urgent Action - score ≥ 30/100, review every month. Significant exposure across multiple obligations. An OAIC or AUSTRAC finding is a material risk at this readiness level. Engage professional advice. Recommended next review: 1 month.
    • Critical - Immediate Intervention - score ≥ 0/100, review every month. Your agency has substantial non-compliance with Australian regulatory obligations. Engage qualified compliance advisers as soon as practicable. Recommended next review: 1 month.

    Categories assessed

    • POL - Privacy Policy
    • ADM - Automated Decisions
    • COL - Open Home Collection
    • TEN - Tenant Screening
    • SEC - Security & Breaches
    • VEN - Third-Party Vendors
    • MKT - Direct Marketing
    • TRN - Staff & Governance
    • AML - Anti-Money Laundering
    • CTF - Counter-Terrorism & Sanctions

    Questions

    1. Q1 (POL, weight 3): Does your agency have a written privacy policy published on your website?

      • Yes, and it's reviewed at least annually (score 5)
      • Yes, but we haven't reviewed it in over two years (score 2)
      • Yes, but I'm not sure what's in it (score 1)
      • No, or I don't know (score 0)

      If a weak option is selected: Publish an up-to-date privacy policy on your website. APP 1.3 requires it to be clearly expressed and kept current.

    2. Q2 (POL, weight 2): When was your privacy policy last reviewed or updated?

      • Within the last 12 months (score 5)
      • 1–2 years ago (score 3)
      • 2–5 years ago (score 1)
      • More than 5 years ago, or never (score 0)

      If a weak option is selected: Review your privacy policy annually at minimum - the Privacy Act and APPs have changed materially in the last 24 months.

    3. Q3 (POL, weight 3): Does your privacy policy specifically mention your use of AI or automated decision-making tools?

      • Yes, with clear detail on what tools do and don't do (score 5)
      • Briefly mentioned (score 2)
      • No mention (score 0)
      • Don't know (score 0)

      If a weak option is selected: From 10 December 2026, APP 1.7 requires transparency about automated decision-making. Your policy must name the ADM you use and what data feeds it.

    4. Q4 (POL, weight 2): Does your privacy policy itemise the types of personal information you collect from vendors, buyers and tenants?

      • Yes, clearly itemised by party type (score 5)
      • General description only (score 2)
      • No (score 0)

      If a weak option is selected: Itemise what you collect from each type of party. 'Information we collect' needs specificity, not generic language.

    5. Q5 (POL, weight 2): Is your privacy policy accessible at your office and open homes, not only online?

      • Yes, printed copies available on request (score 5)
      • Available digitally on request (score 3)
      • No in-person availability (score 1)
      • Don't know (score 0)

      If a weak option is selected: Have a printed privacy collection notice or short-form policy available at open homes. In-person collection is the OAIC's current sweep focus.

    6. Q6 (POL, weight 2): Does your privacy policy explain how individuals can access or correct their personal information?

      • Yes, with a clear documented process (score 5)
      • General statement only (score 2)
      • No (score 0)

      If a weak option is selected: APP 12 and APP 13 require you to explain the access and correction process. Name the contact, timeframes and any limits.

    7. Q7 (POL, weight 2): Does your privacy policy state how long you retain different categories of personal information?

      • Yes, with specific retention periods per data type (score 5)
      • General statement about keeping it 'as long as needed' (score 2)
      • No (score 0)

      If a weak option is selected: Specific retention periods are increasingly expected. 'As long as necessary' is no longer adequate for active sweeps or renters' rights reforms.

    8. Q8 (POL, weight 2): Does your privacy policy describe how to make a complaint, including referral to the OAIC?

      • Yes, with OAIC referral pathway (score 5)
      • Internal complaints process only (score 3)
      • No (score 0)

      If a weak option is selected: APP 1.4(g) requires your policy to describe the complaints process, including escalation to the OAIC.

    9. Q9 (ADM, weight 3): Have you identified which software tools in your business use AI or automated decision-making?

      • Yes - we have a documented inventory (score 5)
      • Partially identified (score 2)
      • No inventory exists (score 0)

      If a weak option is selected: Build an ADM inventory before December 2026. You can't disclose what you haven't mapped. Include CRM scoring, tenant apps, lead prioritisation and marketing tools.

    10. Q10 (ADM, weight 3): Do your CRM, tenant screening or marketing tools include any AI-driven scoring or prioritisation?

      • Yes, and we've documented it for disclosure (score 5)
      • Yes, but it's not documented (score 1)
      • No (score 5)
      • Not sure (score 0)

      If a weak option is selected: Most modern CRMs and screening tools include some AI-driven logic. Audit each tool and document what it does before drafting your ADM disclosure.

    11. Q11 (ADM, weight 3): From 10 December 2026, agencies must disclose use of automated decision-making in their privacy policy. Are you prepared?

      • Yes - our privacy policy is already updated (score 5)
      • In progress (score 3)
      • Haven't started yet (score 1)
      • Wasn't aware of this requirement (score 0)

      If a weak option is selected: Start drafting ADM disclosures now. The December 2026 deadline is hard - non-compliant privacy policies can attract $66,000 penalties on first offence.

    12. Q12 (ADM, weight 2): When AI influences a decision about a client (e.g. tenant scoring, lead ranking), is a human involved in the final call?

      • Always, with documented oversight (score 5)
      • Usually, but not documented (score 3)
      • Sometimes (score 1)
      • Fully automated in some cases (score 0)

      If a weak option is selected: Document human-in-the-loop oversight. 'A human approved this' only helps if you can prove it with an audit trail.

    13. Q13 (ADM, weight 2): Do you have a process for clients to request human review of an AI-influenced decision?

      • Yes, a documented process (score 5)
      • Informal process only (score 2)
      • No process (score 0)

      If a weak option is selected: Offer a clear pathway for clients and applicants to challenge AI-influenced decisions. This is expected under emerging ADM rules and helps avoid ACL misleading-conduct exposure.

    14. Q14 (ADM, weight 2): Have staff been trained on what constitutes automated decision-making under the Privacy Act?

      • Yes, within the last 12 months (score 5)
      • General awareness only (score 2)
      • No (score 0)

      If a weak option is selected: Run a short training session on ADM. Most staff don't realise their CRM's lead scoring or email marketing's predictive features meet the definition.

    15. Q15 (COL, weight 3): What personal information do you collect from open home attendees?

      • Name only, with option to provide more (score 5)
      • Name plus one contact method (phone or email) (score 4)
      • Name plus full contact details (score 3)
      • Extensive - including ID, budget, employment, timeline (score 1)
      • I don't know what's on our form (score 0)

      If a weak option is selected: Collect only what's reasonably necessary for the stated purpose. The OAIC's sweep targets overcollection at open homes.

    16. Q16 (COL, weight 2): At open homes, do you explain why you're collecting attendees' information?

      • Yes, verbally and in writing (score 5)
      • Verbally only (score 3)
      • Sometimes (score 1)
      • No (score 0)

      If a weak option is selected: APP 5 requires notification of purpose at or before collection. A printed notice on the sign-in sheet covers you.

    17. Q17 (COL, weight 2): Do you display a Privacy Collection Notice at every open home?

      • Yes, visible at every open home (score 5)
      • On request only (score 2)
      • No (score 0)

      If a weak option is selected: A visible Privacy Collection Notice at the sign-in point is the cleanest way to meet APP 5. Template versions are available from REBA/REIV.

    18. Q18 (COL, weight 2): Can attendees decline to provide some information and still inspect the property?

      • Yes, and this is clearly communicated (score 5)
      • Yes, but not communicated (score 3)
      • No - information is required to inspect (score 1)
      • Don't know (score 0)

      If a weak option is selected: APP 2 requires the option of anonymity or pseudonymity where practical. You generally can't require full ID to inspect a property.

    19. Q19 (COL, weight 2): How are open home attendee records stored?

      • Secure CRM with access controls and audit logs (score 5)
      • Standard cloud tool (shared drive, email attachments) (score 3)
      • Paper forms kept in the office (score 2)
      • Mix of methods, not standardised (score 1)
      • Don't know (score 0)

      If a weak option is selected: Centralise sign-in records in a secure CRM. Paper forms in a drawer and shared spreadsheets create APP 11 exposure.

    20. Q20 (COL, weight 2): How long do you retain open home attendee data?

      • Documented retention period - deleted after it expires (score 5)
      • Until inactive for 12 months, then deleted (score 4)
      • Indefinitely (score 1)
      • Don't know (score 0)

      If a weak option is selected: Set and enforce a retention period for open home data. Indefinite retention is inconsistent with APP 11.2.

    21. Q21 (TEN, weight 2): Have you reviewed your tenancy application form to ensure it only collects information necessary for the assessment?

      • Yes, within the last 12 months (score 5)
      • Yes, but more than 12 months ago (score 3)
      • No (score 1)
      • Not sure what's on our form (score 0)

      If a weak option is selected: Review your tenancy application annually. Overcollection on rental applications is a 2026 regulatory focus (AHURI / National Cabinet renters' reforms).

    22. Q22 (TEN, weight 3): Do you use a third-party tenant screening database such as TICA, NTD or Equifax?

      • Yes, with explicit consent and clear disclosure in the application (score 5)
      • Yes, without specific disclosure to applicants (score 1)
      • No (score 5)
      • Not sure (score 0)

      If a weak option is selected: If you use third-party screening databases, get explicit, informed consent. Burying consent in terms-and-conditions is unlikely to satisfy APP 3.

    23. Q23 (TEN, weight 1): Approximately how many fields does your tenancy application form contain?

      • Fewer than 20 (score 5)
      • 20–40 (score 3)
      • 40–60 (score 1)
      • More than 60, or don't know (score 0)

      If a weak option is selected: Sydney University research has flagged rental forms with 50+ fields as a privacy concern. Audit yours against 'what do we actually use to assess?' - and cut the rest.

    24. Q24 (TEN, weight 2): Does your application form ask for social media handles or lifestyle information?

      • No (score 5)
      • Only if directly relevant (e.g. smoker status for a no-smoking property) (score 3)
      • Yes, some lifestyle fields (score 1)
      • Yes, extensive lifestyle questions (score 0)

      If a weak option is selected: Lifestyle questions carry anti-discrimination risk as well as privacy risk. Remove anything you can't tie to a legitimate assessment criterion.

    25. Q25 (TEN, weight 2): How do you handle declined tenancy applications?

      • Secure destruction after required retention period (score 5)
      • Retained indefinitely but with restricted access (score 3)
      • Retained indefinitely on standard systems (score 1)
      • Mixed or not standardised (score 0)

      If a weak option is selected: Declined applications accumulate risk without business value. Set a retention period (6–12 months is common) and enforce deletion.

    26. Q26 (TEN, weight 2): If an applicant requests a copy of the information held about them, can you produce it?

      • Yes, within 30 days (score 5)
      • Yes, but it would take longer (score 3)
      • Not sure how to do this (score 0)

      If a weak option is selected: APP 12 gives individuals a right to access their personal information. You generally must respond within a reasonable time - 30 days is the operating standard.

    27. Q27 (TEN, weight 3): Do you obtain explicit consent to check third-party screening databases?

      • Yes, with a tick-box and plain-English explanation (score 5)
      • Yes, buried in the application terms (score 2)
      • No explicit consent (score 0)

      If a weak option is selected: Explicit, separate consent for database checks is best practice. Buried terms are increasingly unlikely to satisfy the 'informed consent' standard.

    28. Q28 (SEC, weight 3): Is multi-factor authentication enforced on every staff account across your business-critical systems (email, CRM, trust accounting, document storage)?

      • Yes - handled in-house, and we verify it (reports, logs, or checks) (score 20)
      • Yes - outsourced to our IT provider, verified (they send us reports) (score 20)
      • Yes - in-house, but not formally verified (score 15)
      • Yes - outsourced, but we assume rather than verify (score 15)
      • Partial or inconsistent across staff/devices (score 8)
      • No, or don't know (score 0)

      If a weak option is selected: MFA on every business-critical account is the baseline expectation under APP 11 - missing it is the single biggest breach vector in small business. If your IT provider handles it, ask for a quarterly MFA-coverage report naming any accounts still without MFA.

    29. Q29 (SEC, weight 3): Do you have a documented data breach response plan?

      • Yes, tested within the last 12 months (score 5)
      • Yes, but never tested (score 3)
      • Informal - it's in my head (score 1)
      • No (score 0)

      If a weak option is selected: A documented, tested breach response plan is essential. The Notifiable Data Breaches scheme requires notification within 30 days of becoming aware - speed matters.

    30. Q30 (SEC, weight 2): Do you know the OAIC notification timeframe if a serious data breach occurs?

      • Yes - as soon as practicable, no later than 30 days from awareness (score 5)
      • I have a vague awareness (score 2)
      • No (score 0)

      If a weak option is selected: Know the NDB timeframe cold. Under-notifying is a clear compliance failure; over-notifying internally is always safe.

    31. Q31 (SEC, weight 2): How do you dispose of paper documents containing personal information?

      • Secure shredding / confidential waste service (score 5)
      • Cross-cut shredder in the office (score 4)
      • Regular rubbish or recycling bins (score 0)
      • Don't know (score 0)

      If a weak option is selected: APP 11.2 requires you to destroy or de-identify information you no longer need. Paper in the recycling bin is a documented breach pathway.

    32. Q32 (SEC, weight 2): When staff leave, how quickly are their system access credentials revoked?

      • Same day, with a documented offboarding checklist (score 5)
      • Within a week (score 3)
      • When we get around to it (score 1)
      • Never formally revoked (score 0)

      If a weak option is selected: Same-day credential revocation is the standard. Stale accounts are a common source of post-employment data breaches.

    33. Q33 (SEC, weight 1): Do you have cyber insurance that specifically covers privacy breaches?

      • Yes, with specific privacy breach cover (score 5)
      • General business policy - not sure about privacy cover (score 2)
      • No (score 0)

      If a weak option is selected: Review your business insurance for explicit privacy breach cover. Many small-business policies exclude or sub-limit it.

    34. Q34 (SEC, weight 2): Are your backups tested against actual restoration on a regular schedule (at least annually)?

      • Yes - handled in-house, restore-tested, and evidence retained (score 20)
      • Yes - outsourced to our IT provider, restore-tested and verified by provider report (score 20)
      • Yes - in-house backups exist, but restore testing/evidence is informal (score 15)
      • Yes - outsourced to our IT provider, but we assume rather than verify (score 15)
      • Partial, incomplete, or not covering all critical systems (score 8)
      • No reliable backup and restore process, or don't know (score 0)

      If a weak option is selected: Backups you haven't restored from aren't backups. Test restoration at least annually; quarterly is safer. If your IT provider runs backups, ask for the dated restoration-test report - a provider that can't produce one is charging you for hope.

    35. Q35 (VEN, weight 2): Where does your CRM store client data?

      • Australia (score 5)
      • Australia with offshore failover (score 3)
      • Primarily offshore with documented APP 8 arrangements (score 2)
      • Don't know (score 0)

      If a weak option is selected: Know your data residency. APP 8 makes you accountable for personal information your overseas providers mishandle.

    36. Q36 (VEN, weight 2): Have you reviewed your CRM, trust accounting and marketing vendor contracts for privacy clauses?

      • Yes, all reviewed (score 5)
      • Some reviewed (score 3)
      • No (score 0)

      If a weak option is selected: Vendor contracts should include data breach notification SLAs, clear purpose limitation, and deletion commitments at contract end.

    37. Q37 (VEN, weight 2): Do any of your AI tools (listing copy generators, chatbots, lead scoring) process data outside Australia?

      • No - all data stays local (score 5)
      • Yes, with documented APP 8 compliance (score 4)
      • Yes, with no specific review (score 1)
      • Don't know (score 0)

      If a weak option is selected: Most generic AI tools (ChatGPT, Claude, Gemini) route data through US infrastructure. That's not automatically a breach, but it does require APP 8 consideration.

    38. Q38 (VEN, weight 2): Do your vendor contracts require them to notify you of data breaches within a specified timeframe?

      • Yes, with a specific SLA in writing (score 5)
      • Yes, but vague commitment (score 2)
      • No, or don't know (score 0)

      If a weak option is selected: If a vendor notifies you late, you miss your own OAIC deadline. Push for 24–48 hour notification SLAs in writing.

    39. Q39 (VEN, weight 1): Have you listed which of your tools are subject to US or EU jurisdiction?

      • Yes, we know the jurisdiction of each tool (score 5)
      • Partially (score 2)
      • No (score 0)

      If a weak option is selected: US jurisdiction means potential CLOUD Act exposure. EU jurisdiction means GDPR plus your APP obligations. You need to know which rules apply where.

    40. Q40 (VEN, weight 1): When you change vendors, do you have a process for data migration and secure deletion from the old system?

      • Yes, a documented process (score 5)
      • Informal (score 2)
      • No (score 0)

      If a weak option is selected: Get a certificate of destruction from the outgoing vendor. 'They said they'd delete it' isn't evidence you've met APP 11.2.

    41. Q41 (MKT, weight 3): Do all your marketing emails include a functional unsubscribe link?

      • Yes, always (score 5)
      • Usually (score 2)
      • Sometimes (score 1)
      • No, or not sure (score 0)

      If a weak option is selected: The Spam Act requires a functional unsubscribe on every commercial message. 'Usually' is a compliance failure.

    42. Q42 (MKT, weight 3): Do you obtain explicit consent before adding contacts to marketing lists?

      • Yes, explicit opt-in required (score 5)
      • Implied consent (existing clients) only (score 3)
      • Contacts added automatically from open homes or enquiries (score 1)
      • Don't know (score 0)

      If a weak option is selected: Auto-enrolment from enquiries is the most common Spam Act breach in agencies. Switch to explicit opt-in at the point of collection.

    43. Q43 (MKT, weight 3): Before outbound call campaigns, do you wash lists against the Do Not Call Register?

      • Yes, always (score 5)
      • Sometimes (score 2)
      • No (score 0)
      • N/A - we don't make outbound calls (score 5)

      If a weak option is selected: DNCR washing is mandatory for unsolicited telemarketing. Real estate is a known ACMA enforcement target.

    44. Q44 (MKT, weight 2): Do you maintain a suppression list of contacts who have opted out?

      • Yes, integrated across marketing tools (score 5)
      • Yes, but maintained manually (score 3)
      • No (score 0)

      If a weak option is selected: Opt-outs must stick across systems. Someone who unsubscribes from one list then gets added to another via a different tool is a reportable breach.

    45. Q45 (MKT, weight 2): How quickly are unsubscribe requests honoured?

      • Within 5 business days (Spam Act requirement) (score 5)
      • Within 30 days (score 3)
      • Eventually (score 1)
      • Not formally tracked (score 0)

      If a weak option is selected: The Spam Act mandates unsubscribe action within 5 business days. Tracking this needs to be automated, not manual.

    46. Q46 (MKT, weight 2): Do your SMS and direct mail campaigns meet the same consent standard as email?

      • Yes - consistent consent standard across all channels (score 5)
      • Email yes, other channels less consistent (score 2)
      • No consistent standard (score 0)
      • Don't know (score 0)

      If a weak option is selected: Consent rules apply across channels. SMS in particular is covered by the Spam Act - same rules as email, same penalty regime.

    47. Q47 (TRN, weight 2): When did your staff last receive formal privacy training?

      • Within the last 12 months (score 5)
      • 1–2 years ago (score 3)
      • More than 2 years ago (score 1)
      • Never, or don't know (score 0)

      If a weak option is selected: Annual privacy training is the industry standard. In property, where so much sensitive data flows through daily operations, it's the cheapest risk reduction available.

    48. Q48 (TRN, weight 2): Does your agency have a designated Privacy Officer?

      • Yes, named and formally trained in the role (score 5)
      • Yes, but informal (score 3)
      • No (score 0)

      If a weak option is selected: Appoint a named Privacy Officer. They don't need to be a specialist - they need to be the accountable point of contact for privacy questions and incidents.

    49. Q49 (TRN, weight 2): Do new staff receive privacy training as part of onboarding?

      • Yes, documented as part of induction (score 5)
      • Informal coverage during onboarding (score 2)
      • No (score 0)

      If a weak option is selected: Privacy training on day one prevents the 'I didn't know' incidents that cause most small-agency breaches.

    50. Q50 (TRN, weight 1): Do you maintain a register of privacy complaints or incidents, even minor ones?

      • Yes, actively maintained (score 5)
      • Yes, but informally (score 3)
      • No (score 0)

      If a weak option is selected: A simple privacy incident log - date, what happened, action taken - is invaluable if the OAIC ever comes knocking, and surfaces patterns worth fixing.

    51. Q51 (TRN, weight 2): Is your leadership team aware of the regulatory deadlines hitting in 2026 (Privacy Act ADM, AML/CTF Tranche 2)?

      • Yes, and actively preparing (score 5)
      • Aware, but no action yet (score 2)
      • Not aware (score 0)

      If a weak option is selected: Leadership awareness is the starting point. Without it, compliance projects get deprioritised until something goes wrong.

    52. Q52 (TRN, weight 2): Do you have a documented process for handling access and correction requests from clients or tenants?

      • Yes - documented, with timeframes (score 5)
      • Informal process (score 2)
      • No - we've never received one (score 1)
      • No process (score 0)

      If a weak option is selected: APP 12 and APP 13 requests will increase as public awareness of privacy rights grows. Have a named contact, a form, and a 30-day response target.

    53. Q53 (AML, weight 3): Have you determined whether your agency will be required to enrol with AUSTRAC by 29 July 2026 under the Tranche 2 reforms?

      • Yes - already enrolled with AUSTRAC (score 5)
      • Yes - confirmed we're required, implementation plan in place (score 4)
      • We think we need to enrol but haven't acted yet (score 2)
      • We haven't checked whether Tranche 2 applies to us (score 0)
      • Wasn't aware of the Tranche 2 reforms (score 0)

      If a weak option is selected: AUSTRAC enrolment for Tranche 2 entities opened 31 March 2026 with a hard deadline of 29 July 2026. This applies to real estate agents, buyer's agents, and property developers who provide designated services (sale, purchase or transfer of real estate). Property management and leasing are explicitly excluded.

    54. Q54 (AML, weight 3): Have you developed a documented AML/CTF program, including a money laundering and terrorism financing risk assessment?

      • Yes - complete, documented and approved by senior management (score 5)
      • In progress or partially drafted (score 2)
      • Haven't started (score 0)
      • Not sure what an AML/CTF program is (score 0)

      If a weak option is selected: A documented AML/CTF program including an ML/TF risk assessment, policies, procedures and controls is required from 1 July 2026. AUSTRAC is publishing a starter kit for small, low-complexity businesses - use it as a baseline rather than starting from scratch.

    55. Q55 (AML, weight 3): Do you have a documented Customer Due Diligence (CDD) process to verify the identity of buyers and sellers before providing designated services?

      • Yes - documented process, with staff trained (score 5)
      • Informal or inconsistent process (score 2)
      • No documented process (score 0)
      • Not aware CDD is required (score 0)

      If a weak option is selected: From 1 July 2026, you must complete initial CDD on the party you act for before providing designated services. For the counterparty, you have 28 days after contract exchange (or before settlement) under the 2026 amendments.

    56. Q56 (AML, weight 3): When your customer is a company, trust or partnership, do you identify the beneficial owners - the individuals who ultimately own or control the entity?

      • Yes - documented process, including chain-of-ownership checks (score 5)
      • Sometimes, when it seems relevant (score 1)
      • No - we only verify the entity itself (score 0)
      • Not aware this is required (score 0)

      If a weak option is selected: Beneficial ownership identification is a core CDD obligation. You must establish the identity of the individuals who ultimately own or control corporate and trust customers. This is where complex laundering structures hide - taking the obligation seriously is your defence.

    57. Q57 (AML, weight 3): How do you verify a customer's source of funds for significant real estate transactions, particularly where ML/TF risk appears elevated?

      • Documented process with supporting evidence collected (score 5)
      • We ask verbally and record the response (score 2)
      • We rely on the conveyancer or bank to verify (score 1)
      • We don't have a specific process (score 0)

      If a weak option is selected: Source of funds verification is required as part of enhanced CDD for high-risk customers. Relying on 'the bank will check' is insufficient under Tranche 2 - you are the reporting entity for the designated service you provide, and AUSTRAC expects your own documentation.

    58. Q58 (AML, weight 2): Have staff been trained to recognise red flags for potential money laundering (structuring, cash deposits, complex offshore ownership, reluctance to explain source of funds)?

      • Yes - documented training within the last 12 months (score 5)
      • General awareness only (score 2)
      • No formal training (score 0)

      If a weak option is selected: Staff training is mandatory under the AML/CTF Rules. Personnel must be trained to recognise ML indicators relevant to real estate - including structuring, unusual payment methods, reluctance to provide source of funds, and complex ownership structures. Document every training session.

    59. Q59 (CTF, weight 3): Do you screen customers against the DFAT Consolidated List for Targeted Financial Sanctions (TFS)?

      • Yes - every customer, documented process (score 5)
      • Yes - for high-risk customers only (score 3)
      • Ad hoc, without a formal process (score 1)
      • No, or not aware this is required (score 0)

      If a weak option is selected: TFS screening against the DFAT Consolidated List is mandatory before providing designated services. Sanctions listings change frequently - a one-time check at onboarding isn't enough. Use a reputable screening tool or AUSTRAC's guidance to build a repeatable process. Criminal penalties apply for dealing with sanctioned persons.

    60. Q60 (CTF, weight 3): Do you have a process to identify whether a customer (or their beneficial owner) is a Politically Exposed Person (PEP)?

      • Yes - documented process using a reputable PEP database (score 5)
      • We ask on our onboarding form but don't screen further (score 2)
      • No specific process (score 0)
      • Not aware PEP screening is required (score 0)

      If a weak option is selected: Foreign PEPs trigger mandatory enhanced CDD under the 2026 Rules. Domestic PEPs and international organisation PEPs require risk-based consideration. Include PEP self-declaration on onboarding forms plus database screening - self-declaration alone is insufficient.

    61. Q61 (CTF, weight 2): Are you aware of the FATF high-risk jurisdictions requiring enhanced CDD, and do you have a process to flag customers with links to those jurisdictions?

      • Yes - documented process, list reviewed regularly (score 5)
      • General awareness only (score 2)
      • No process (score 0)
      • Wasn't aware of FATF high-risk jurisdiction obligations (score 0)

      If a weak option is selected: FATF publishes lists of high-risk and increased-monitoring jurisdictions. Customers with significant ties to these jurisdictions (nationality, residence, business, or source of funds) require enhanced CDD. Subscribe to FATF updates and document how your process incorporates the current lists.

    62. Q62 (CTF, weight 3): Do you know the AML/CTF reporting timeframes - specifically the 24-hour deadline for terrorism financing suspicions?

      • Yes - 24 hours for terrorism financing, 3 business days for other suspicions (score 5)
      • Know there are deadlines but not the specifics (score 2)
      • No (score 0)

      If a weak option is selected: Terrorism financing SMRs must be lodged within 24 hours of forming a suspicion - actual hours, including weekends. Other suspicious matters have a 3 business day deadline. Late submission is a civil penalty offence.

    63. Q63 (CTF, weight 3): Do staff understand the 'tipping off' prohibition - not disclosing to a customer or third party that a Suspicious Matter Report has been or may be lodged?

      • Yes - documented in AML/CTF policies and staff trained (score 5)
      • General awareness (score 2)
      • No awareness (score 0)

      If a weak option is selected: Tipping off is a criminal offence under s123 of the AML/CTF Act. Staff must not tell a customer - or anyone other than AUSTRAC - that an SMR has been lodged or is being considered. This includes not changing customer-facing behaviour in ways that signal a report. This is a frequent enforcement target.

    64. Q64 (CTF, weight 3): Have you designated an AML/CTF Compliance Officer and established the required governance structure (governing body, senior manager, compliance officer)?

      • Yes - all three roles formally identified and documented (score 5)
      • Compliance officer appointed, other roles informal (score 3)
      • In progress (score 1)
      • No (score 0)
      • Not aware of the governance requirements (score 0)

      If a weak option is selected: The AML/CTF Rules require you to identify three governance roles: governing body (overall accountability), senior manager (approves the program), and AML/CTF compliance officer (day-to-day). In smaller businesses these may be the same person - but the roles must still be documented. Notify AUSTRAC of your compliance officer by 29 July 2026.

    Guidance

    Privacy Policy

    Your privacy policy is the document the OAIC will read first if anything goes wrong, and it's the explicit focus of the current compliance sweep. The bar has lifted - what worked in 2022 won't satisfy current scrutiny.

    • Audit your current policy against APP 1.4 (Within 30 days · Privacy Officer): Walk through every requirement: identity, kinds of information collected, how you collect and hold it, purposes, disclosure (including overseas), access and correction process, complaints process and OAIC referral, and now ADM disclosure.
    • Add automated decision-making disclosure (Before 10 Dec 2026 · Privacy Officer + IT lead): Map every tool that uses AI, scoring or rule-based logic to make or influence decisions about people. Disclose what they do, what data they use, and whether a human reviews the output. CRMs, lead scoring, tenant screening and marketing platforms typically all qualify.
    • Specify retention periods by data type (Within 60 days · Privacy Officer): 'As long as necessary' is no longer adequate. Set explicit periods: open home enquiries (12 months from last contact), declined applications (6 months), settled transactions (7 years for tax/AML), marketing contacts (until opt-out).
    • Make the policy accessible at the point of collection (Within 30 days · Office Manager): Print a short-form privacy collection notice for every open home and reception desk. Add a QR code linking to the full policy. The OAIC sweep is targeting in-person collection.

    Automated Decisions

    From 10 December 2026, APP 1.7 requires you to disclose AI and automated decision-making in your privacy policy. This is the most under-prepared area in Australian real estate right now.

    • Build an ADM inventory (Within 30 days · Privacy Officer + IT): List every tool that scores, ranks, prioritises, recommends, or auto-decides anything about clients. CRMs (lead scoring), marketing tools (audience targeting), tenant screening (application ranking), chatbots (intent classification), and AI writing tools all count.
    • Classify each tool by decision impact (Within 60 days · Privacy Officer): Three tiers: (1) makes a final decision with no human input, (2) materially influences a decision a human signs off on, (3) provides background information only. Tier 1 and 2 must be disclosed; tier 3 is best practice but not strictly required.
    • Document human-in-the-loop oversight (Within 90 days · Operations Manager): For every tier 2 tool, document who reviews the AI output, how often, what they're checking for, and how the review is recorded. 'A human approved this' only stands up if you can prove it with an audit trail.
    • Draft the ADM disclosure section (Before 10 Dec 2026 · Privacy Officer + legal review): Plain-English explanation of each tool, what data it uses, what decisions it makes or influences, and how clients can request human review. Get this drafted by October 2026 to leave room for legal review and rollout.

    Open Home Collection

    The OAIC's first-ever compliance sweep launched in January 2026 specifically targets in-person collection at real estate open homes. Overcollection and missing collection notices are the headline findings to expect.

    • Strip your sign-in form back to essentials (Within 30 days · Sales Manager): Name and one contact method should be the default. Anything beyond that needs a documented reason tied to a stated purpose. Asking for budget, employment, or timing at first inspection is hard to justify under APP 3.
    • Display a Privacy Collection Notice at every open home (Within 14 days · Office Manager): Printed A5 card next to the sign-in sheet covering: who you are, what you're collecting, why, who you'll share it with, how to access/correct, where to find your full policy. REIV/REIA have template versions.
    • Make optional fields visibly optional (Within 30 days · Sales Manager): Mark required fields clearly. Train agents that attendees can decline most fields and still inspect. APP 2 expects anonymity or pseudonymity 'where practical' - for an open home, that's most of the time.
    • Centralise sign-in records and set retention (Within 90 days · IT + Office Manager): Move from paper forms to a secure digital system (your CRM is fine if access is controlled). Set 12-month inactive-contact deletion. Audit who in the office can see open home data.

    Tenant Screening

    Tenant screening is in the regulatory crosshairs - University of Sydney/AHURI research published in January 2026 named opaque algorithmic screening as a priority issue, and National Cabinet's renters' reforms are tightening application standards.

    • Review your application form against actual decision criteria (Within 60 days · Property Management lead): For every field: what assessment criterion does this support? Cut anything you can't tie back. Forms with 50+ fields are now publicly flagged as a privacy concern. Aim for under 30 fields.
    • Get explicit, separate consent for database checks (Within 30 days · Property Management lead): TICA/NTD/Equifax checks need a tick-box consent with plain-English explanation of what's being checked and why - not buried in application terms. The 'informed consent' standard is rising.
    • Set retention and deletion for declined applications (Within 60 days · Property Management lead): 6–12 months from decline date is industry standard. Build automated deletion into your trust accounting / PM system. Indefinite retention of declined applications is regulatory risk with no business value.
    • Document an applicant access process (Within 30 days · Property Management lead): APP 12 access requests will increase as awareness grows. Have a written process: who handles it, how to verify identity, what to provide, what to redact, 30-day response target.

    Security & Breaches

    APP 11 requires reasonable steps to protect personal information. The Notifiable Data Breaches scheme requires fast notification when something goes wrong. Both standards have lifted with new $2.5M penalties for serious breaches.

    • Enable MFA on every business-critical account (Within 14 days · IT lead): Email, CRM, trust accounting, document storage, social accounts. No exceptions for senior staff. Use an authenticator app (not SMS) where possible. This is the single highest-impact security action - most small business breaches start with a compromised password.
    • Document a data breach response plan (Within 60 days · Privacy Officer + IT): One page is enough. Cover: who declares an incident, who decides on notification, the 30-day OAIC clock, the comms approach to affected individuals, evidence preservation, who calls the lawyer/insurer. Test it with a tabletop exercise quarterly.
    • Implement a same-day staff offboarding checklist (Within 30 days · Office Manager): When someone leaves, accounts are revoked the same day: email, CRM, trust accounting, MFA tokens, shared passwords, building access, mobile MDM. Stale accounts of departed staff are a common breach vector.
    • Test your backups by actually restoring from them (Within 90 days, then quarterly · IT lead): Pick a non-critical file and restore it. Time how long it takes. Verify integrity. Backups you've never tested are not backups. Quarterly cadence catches silent backup failures before they matter.

    Third-Party Vendors

    APP 8 makes you accountable for personal information that overseas vendors mishandle. With AI tools, marketing platforms, and CRMs increasingly routing data through US infrastructure, this is a growing exposure area.

    • Inventory your vendors by data sensitivity and jurisdiction (Within 60 days · Privacy Officer + IT): List every tool that touches personal information. For each: vendor name, data stored, data residency, jurisdiction (US/EU/AU), contract end date, last review date. CRMs, trust accounting, email marketing, document storage, AI tools, SMS, transcription, accounting.
    • Review contracts for breach-notification SLAs (Within 90 days · Operations + legal review): Push for 24–48 hour breach notification in writing. Without it, a vendor's slow notification eats into your own 30-day OAIC clock. Renegotiate at next renewal; for high-risk vendors, raise it sooner.
    • Document APP 8 compliance for offshore tools (Within 90 days · Privacy Officer): For each overseas vendor, document either (a) reasonable steps you've taken to ensure they handle data in line with the APPs, or (b) the customer consent that authorises the cross-border transfer. Vendor security pages and SOC 2 reports are useful evidence.
    • Get certificates of destruction at vendor change (Process from now on · Office Manager): When you switch a vendor, request written confirmation that all your data has been deleted from their systems. 'They said they would' isn't evidence of APP 11.2 compliance. Keep the certificates for 7 years.

    Direct Marketing

    The Spam Act and the Do Not Call Register are heavily enforced in real estate - ACMA prosecutes agencies regularly. Penalties scale with volume; the regulator does not need malice to act.

    • Audit consent for every list in every marketing tool (Within 60 days · Marketing lead): For each list: where did these contacts come from, what consent was given, when, how is it recorded? Auto-enrolment from open home sign-ins or enquiries is the most common Spam Act breach in agencies. Move to explicit opt-in at point of collection.
    • Make every marketing message unsubscribe-compliant (Within 30 days · Marketing lead): Functional unsubscribe link in every commercial email and SMS. Honour requests within 5 business days (not 30). Audit your templates - old ones often have broken or missing unsubscribe links.
    • Wash outbound call lists against the DNCR before every campaign (Process from now on · Marketing lead): Mandatory under the Do Not Call Register Act. Real estate is a known ACMA enforcement target. The DNCR provides a paid washing service; integrate it into your campaign workflow, not as an afterthought.
    • Centralise your suppression list across all marketing tools (Within 90 days · Marketing + IT): Someone who unsubscribes from your email list should not get added back via a different tool, a CSV import, or an enquiry form. Maintain one master suppression list and integrate it with every channel.
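
    The last two items above (an unsubscribe that must be honoured in every tool, and one master suppression list shared across channels) are the kind of thing that only works if it is enforced in code at import time. The following is an added example, not the quiz author's or any marketing vendor's code: a master suppression list keyed by normalised e-mail address and phone number, consulted before a batch of contacts is loaded into an e-mail or SMS tool. Contact identifiers are normalised so that a casing or formatting difference between tools cannot quietly re-enrol someone. All opt-out events and contacts are constructed for illustration; the assumption that phone numbers without a country code are Australian is marked in the code.

```python
"""Master suppression list applied before any import into a marketing channel.

Added example for this guidance, not the quiz author's or any vendor's code.
All contacts and opt-out events below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


def normalise_email(value: str) -> str:
    """Trim and lower-case so 'Jane.Smith@Example.com' matches 'jane.smith@example.com'."""
    return value.strip().lower()


def normalise_phone(value: str, country_code: str = "61") -> str:
    """Reduce an Australian number to bare international digits.

    '0412 345 678', '+61 412 345 678' and '61412345678' all become '61412345678'
    (assumption: numbers without a country code are Australian).
    """
    digits = re.sub(r"\D", "", value)
    if digits.startswith("0"):
        digits = country_code + digits[1:]
    return digits


# Which contact field an opt-out received on a given channel suppresses.
CHANNEL_FIELD = {"email": "email", "sms": "phone", "phone": "phone"}
NORMALISERS = {"email": normalise_email, "phone": normalise_phone}


@dataclass
class SuppressionList:
    """One list shared by every tool; entries are normalised identifiers."""
    suppressed: dict = field(default_factory=lambda: {"email": set(), "phone": set()})

    def add_opt_out(self, channel: str, identifier: str) -> None:
        """Record an unsubscribe/opt-out wherever it arrived (email tool, SMS STOP, call)."""
        fld = CHANNEL_FIELD[channel]  # KeyError on an unknown channel is deliberate
        self.suppressed[fld].add(NORMALISERS[fld](identifier))

    def is_suppressed(self, contact: dict, channel: str) -> bool:
        """True if this contact must not be loaded into `channel`."""
        fld = CHANNEL_FIELD[channel]
        value = contact.get(fld)
        return value is not None and NORMALISERS[fld](value) in self.suppressed[fld]

    def filter_import(self, contacts, channel: str):
        """Split a batch bound for `channel` into (allowed, blocked)."""
        allowed, blocked = [], []
        for contact in contacts:
            (blocked if self.is_suppressed(contact, channel) else allowed).append(contact)
        return allowed, blocked


# Constructed opt-out events captured by two different tools.
OPT_OUTS = [("email", "Jane.Smith@Example.com"), ("sms", "+61 412 345 678")]

# Constructed enquiry-form CSV batch about to be loaded into both tools.
IMPORT_BATCH = [
    {"name": "Jane Smith", "email": "jane.smith@example.com", "phone": "0400 000 001"},
    {"name": "Sam Lee", "email": "sam@example.com", "phone": "0412 345 678"},
    {"name": "Ana Ruiz", "email": "ana@example.com", "phone": "0400 000 002"},
]


def build_master_list(events=OPT_OUTS) -> SuppressionList:
    """Fold every channel's opt-out events into the single master list."""
    master = SuppressionList()
    for channel, identifier in events:
        master.add_opt_out(channel, identifier)
    return master


def blocked_names(channel: str) -> list:
    """Names in IMPORT_BATCH that must not be loaded into `channel`."""
    _, blocked = build_master_list().filter_import(IMPORT_BATCH, channel)
    return [c["name"] for c in blocked]


if __name__ == "__main__":
    for ch in ("email", "sms"):
        print(ch, "blocked:", blocked_names(ch))
```

    Run this (or its equivalent inside your CRM's import hook) on every batch, whether it comes from a CSV, an enquiry form or a sync from another tool. Note that suppression is per identifier: an e-mail unsubscribe blocks the e-mail address, an SMS STOP blocks the phone number, which is why Jane is blocked from the e-mail load and Sam from the SMS load.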

    Staff & Governance

    Compliance projects fail when there's no named owner and no recurring training. The OAIC and AUSTRAC both expect to see governance evidence - not just policies on paper but actual people held accountable.

    • Appoint a named Privacy Officer and (separately) AML/CTF Compliance Officer (Within 30 days · Director): In small agencies the same person can hold both roles, but they must be separately documented. Notify AUSTRAC of your AML/CTF Compliance Officer by 29 July 2026. The Privacy Officer is the named contact in your privacy policy.
    • Run annual privacy and AML/CTF training for all staff (Annually, first session within 90 days · Compliance Officer): Document attendance, content, date. Cover privacy basics, ADM, breach response, AML red flags, sanctions, tipping off. Use industry-body materials (REIV/REIA) plus AUSTRAC's free resources to keep it efficient.
    • Add privacy + AML training to staff onboarding (Within 60 days · HR + Office Manager): Day-one privacy training prevents the 'I didn't know' incidents that cause most small-agency breaches. 30 minutes is enough - recorded video plus an acknowledgement form.
    • Maintain a simple incident register (Process from now on · Privacy Officer): Date, what happened, action taken, lessons. Cover privacy, AML, security incidents - even minor ones. Invaluable evidence if a regulator asks. Surfaces patterns you'd otherwise miss.

    Anti-Money Laundering

    From 1 July 2026, real estate agents become AUSTRAC-regulated entities under Tranche 2. This is the biggest regulatory change to hit Australian real estate in a generation. Penalties run up to $33M for body corporates.

    • Confirm whether Tranche 2 applies, then enrol with AUSTRAC (Before 29 Jul 2026 · Director): If you broker, plan, or execute the sale/purchase/transfer of real estate, you're in scope. Property management and leasing are out of scope. Enrolment is via AUSTRAC Online - opens 31 March 2026, hard deadline 29 July 2026. Late enrolment attracts immediate AUSTRAC attention.
    • Develop a documented AML/CTF program with risk assessment (Before 1 Jul 2026 · AML/CTF Compliance Officer): Required components: ML/TF risk assessment for your business, written policies and procedures, customer due diligence process, transaction monitoring, staff training, independent review schedule. AUSTRAC has published a starter program kit for small businesses - use it as your baseline.
    • Build a Customer Due Diligence (CDD) workflow (Before 1 Jul 2026 · AML/CTF Compliance Officer): For the party you act for: complete initial CDD before providing the designated service. For the counterparty: complete within 28 days of contract exchange or before settlement. Document identity, beneficial owners (for non-individual customers), nature and purpose of the transaction, ML/TF risk rating.
    • Document a source-of-funds verification process for high-risk transactions (Before 1 Jul 2026 · AML/CTF Compliance Officer): For transactions where ML/TF risk is elevated (PEPs, complex ownership, FATF jurisdictions, unusual payment methods), collect evidence of source of funds and source of wealth. Bank statements, sale records, inheritance documents, employment evidence. Don't rely on the conveyancer or bank to do this - under Tranche 2, you are the reporting entity.

    Counter-Terrorism & Sanctions

    CTF and sanctions obligations carry the heaviest penalties in the AML/CTF regime - including criminal penalties for individuals. Tipping off and dealing with sanctioned persons can both result in imprisonment.

    • Build sanctions screening into customer onboarding (Before 1 Jul 2026 · AML/CTF Compliance Officer): Screen every customer (and every beneficial owner) against the DFAT Consolidated List for Targeted Financial Sanctions before providing designated services. Lists change frequently - use a screening tool that updates automatically. Re-screen periodically for ongoing relationships. Criminal penalties apply for dealing with sanctioned persons.
    • Add PEP screening to your CDD process (Before 1 Jul 2026 · AML/CTF Compliance Officer): Include a PEP self-declaration question on your onboarding form, then verify against a reputable PEP database. Self-declaration alone is insufficient. Foreign PEPs trigger mandatory enhanced CDD; domestic and international organisation PEPs require risk-based consideration.
    • Train every customer-facing staff member on tipping off (Before 1 Jul 2026, then annually · AML/CTF Compliance Officer): Tipping off is a criminal offence under s123 of the AML/CTF Act. Staff must not tell a customer - or anyone other than AUSTRAC - that an SMR has been lodged or considered. They must not visibly change customer-facing behaviour in ways that signal a report. Document this training specifically.
    • Lock the SMR timeframes into your incident process (Before 1 Jul 2026 · AML/CTF Compliance Officer): 24 hours for terrorism financing suspicions (actual hours, including weekends). 3 business days for all other suspicions (money laundering, fraud, tax evasion). Clock starts when the suspicion is formed, not when the transaction occurs. Late submission is a civil penalty offence - build the deadline into your compliance calendar with automated reminders.
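
    The two timeframes in the last item above (24 actual hours for terrorism financing, 3 business days for everything else, both counted from when the suspicion is formed) are easy to get wrong on a Friday afternoon, so they belong in code rather than in someone's head. The following is an added example for a compliance calendar, not the quiz author's or AUSTRAC's code. It assumes business days are Monday to Friday minus any public holidays you pass in, and that the 3-business-day count keeps the clock time at which the suspicion was formed; confirm the exact counting convention against the Act. The scenario dates are constructed.

```python
"""SMR deadline calculation for a compliance calendar.

Added example for this guidance, not the quiz author's or AUSTRAC's code.
Assumptions: business days are Mon-Fri minus the holidays you pass in, and the
3-business-day deadline keeps the clock time of the suspicion.
"""
from datetime import date, datetime, timedelta

TF_WINDOW = timedelta(hours=24)   # terrorism financing: actual hours, weekends included
OTHER_BUSINESS_DAYS = 3           # money laundering, fraud, tax evasion, etc.


def is_business_day(d: date, holidays=frozenset()) -> bool:
    """Monday to Friday, excluding any supplied public holidays."""
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: datetime, days: int, holidays=frozenset()) -> datetime:
    """Advance `days` business days from `start`, skipping weekends and holidays."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if is_business_day(current.date(), holidays):
            remaining -= 1
    return current


def smr_deadline(suspicion_formed: datetime, terrorism_financing: bool,
                 holidays=frozenset()) -> datetime:
    """Latest lodgement time for the SMR, measured from when the suspicion was formed."""
    if terrorism_financing:
        return suspicion_formed + TF_WINDOW          # the weekend does not pause this clock
    return add_business_days(suspicion_formed, OTHER_BUSINESS_DAYS, holidays)


def reminder_times(deadline: datetime,
                   lead_times=(timedelta(hours=12), timedelta(hours=2))) -> list:
    """Times at which the calendar should send automated reminders before the deadline."""
    return [deadline - lead for lead in lead_times]


def time_remaining(deadline: datetime, now: datetime) -> timedelta:
    """Negative once the deadline has passed."""
    return deadline - now


# Constructed scenario: suspicion formed late on a Friday afternoon (3 Jul 2026 is a Friday).
FRIDAY_SUSPICION = datetime(2026, 7, 3, 16, 30)

if __name__ == "__main__":
    tf = smr_deadline(FRIDAY_SUSPICION, terrorism_financing=True)
    other = smr_deadline(FRIDAY_SUSPICION, terrorism_financing=False)
    print("TF deadline:   ", tf)      # Saturday 4 Jul 2026 16:30
    print("Other deadline:", other)   # Wednesday 8 Jul 2026 16:30
    print("Reminders:     ", reminder_times(other))
```

    The contrast in the constructed scenario is the point: a terrorism financing suspicion formed at 16:30 on Friday is due at 16:30 on Saturday, while any other suspicion formed at the same moment is due the following Wednesday. Feed `reminder_times` into whatever calendar or ticketing system your compliance officer actually watches, and pass your state's public holidays into `holidays` so a long weekend is counted correctly.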

    Disclaimer

    General disclaimer

    This assessment is an indicative self-diagnostic tool and does not constitute legal, regulatory, or compliance advice. It reflects the regulatory landscape as of April 2026, including the Privacy and Other Legislation Amendment Act 2024 and the AML/CTF Amendment Act 2024 Tranche 2 reforms.

    AUSTRAC and AML/CTF advice

    The Anti-Money Laundering and Counter-Terrorism Financing obligations addressed in this assessment are complex, and their application varies by business size, services provided, and customer base. This tool is not a substitute for an AUSTRAC-specific compliance review by a qualified AML/CTF adviser, lawyer, or industry-body authorised provider.

    Privacy advice

    Privacy Act compliance involves factors specific to each agency's operations and systems. For a definitive privacy compliance review, consult a qualified privacy lawyer.