AML/CTF Rules 2025: Customer Due Diligence for real estate sector

Disclaimer: The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Understanding AML/CTF Rules 2025 Part 6: Customer Due Diligence (CDD), and what it means for the real estate sector

From 1 July 2026, real estate agencies in Australia that handle property sales must follow new anti-money laundering (AML) laws. A big part of these laws is something called customer due diligence (CDD).

That’s just a formal way of saying: check who your customer really is, record the key details and understand why they are dealing with you.

Let's start by walking through three different scenarios in practice before deep diving into each section.

What does CDD look like for low, medium, and high-risk workflows?

Not all property transactions carry the same level of money laundering risk. A first-home buyer with a local bank loan looks very different to an overseas investor using complex company structures.

The AML/CTF Rules expect you to tailor your checks to the level of risk.

Here are three practical examples; low, medium, and high risk, to show how workflows change depending on the customer. To learn more about each step, simply click on the links to read the deep dives on that section.

Example scenario 1: Low-risk workflow

A local couple is buying their first home through your agency.

Steps:

• Collect and verify both buyers’ IDs (e.g. driver’s licences checked against an independent source).
• Record their residential addresses and dates of birth.
• Note the purpose of the transaction — owner-occupied property purchase.
• Risk-rate them as low: straightforward profile, Australian bank loan, no PEP/sanctions matches, no offshore links.
• Document the CDD outcome in line with your AML/CTF Program.

Example scenario 2: Medium-risk workflow

An Australian-based investor is buying their third residential property as a rental. Their parents in the UK are providing some of the funds for the purchase.

Steps:

Identify and verify the client (the investor)

• Collect and verify their full legal name, DOB, address, and ID against independent sources (e.g. driver’s licence, passport).
• Record that they are the purchaser and ultimate property owner.
• Conduct PEP and sanctions checks 

Identify and verify associated persons (the parents providing funds)

• Collect and verify their identity details (passport, overseas address.) Because the parents are contributing part of the purchase money, they are associated with the transaction.
• Conduct PEP and sanctions checks

Understand the nature and purpose

• Note the nature and purpose -  client is buying their third property as a rental investment. This makes the relationship ongoing (landlord income) rather than one-off.

Risk assessment

Indicators:

• Multiple properties = higher complexity.
• Offshore funding (from parents in the UK).

These raise the risk above a first-home buyer but do not necessarily make it high risk.

Decide on level of due diligence

• Apply standard CDD to the investor.
• Collect additional information on the parents’ contribution (e.g. evidence of their funds such as bank statements).
• EDD (source of wealth/funds checks) is not required unless further red flags arise (e.g. unexplained or high-risk origin of funds).

Ongoing monitoring

• Because the investor now has multiple properties, flag them for ongoing CDD monitoring
• Watch for changes in funding sources (e.g. new overseas accounts or third parties)

Example scenario 3: High-risk workflow

An Irish government minister engages your agency to buy a luxury estate in the Kimberly's, Sydney. They intend to pay through a foreign bank account held in the name of a family member.

Steps:

Identify and verify the client

• Collect and verify the minister’s full legal name, DOB, nationality, and residential address.
• Conduct PEP and sanctions checks - confirm their government position (as a foreign PEP)

Identify and verify the family member’s account ownership

• Since payment will come from the family member’s account, you must treat them as an associated person/beneficial owner.
• Verify their identity to the same standard (ID documents, reliable source checks).

Identify beneficial ownership and control

• Record who is providing funds and who will ultimately own the property.
  In this case: the PEP (buyer) + the family member (funds provider).

Enhanced Due Diligence (EDD) – mandatory

Because the client is a foreign PEP, EDD always applies.

You must:

• Establish Source of Wealth (SoW): how the minister accumulated their overall wealth (e.g. salary, business interests, assets).
• Establish Source of Funds (SoF): the exact origin of the money for this property purchase (the family member’s account — show how those funds were obtained).
• Obtain supporting evidence: bank statements, asset sale records, business income records, etc.

Risk assessment

• Record why this client is high risk:
  • Foreign PEP.
  • Funds provided by a third party.
  • Offshore funding.
• Escalate to senior manager approval before proceeding

Ongoing monitoring obligations

• Monitor transactions and behaviour throughout the engagement.
• If anything unusual arises (e.g. further unexplained third-party transfers), you may need to escalate further or lodge a Suspicious Matter Report (SMR).

Reporting obligations

• If you suspect the funds are illegitimate, you must lodge a Suspicious Matter Report (SMR) with AUSTRAC promptly.
• If cash of AUD $10,000+ is involved at any point, also lodge a Transaction Threshold Report (TTR)

Why do we need to check customers?

Property can be used to hide money from crime. Criminals may buy or sell houses to make funds look legitimate. By collecting and verifying key customer details at the start, you help stop this.

The AML/CTF rules build on what you already do - checking deposits, seller authority and now requiring you to record identities, assess risk, and complete checks within set timeframes.

What you need to collect and check at the start of the relationship (initial CDD)

You must collect different information depending on who the customer is. Let’s break it down.

If your customer is an individual

Ask for:

• Full legal name and any other names used
• Date of birth
• Residential address

Check identity documents (e.g. driver’s licence, passport, government ID) against independent, reliable sources such as the government ID Match service.

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the person is not a PEP and is not on a sanctions list.

If your customer is a person (sole trader)

Ask for:

• Full legal name and any other names used
• Any business name they use
• Business number (ABN or ACN). If they don’t have one, another official ID number will do
• Business address
• What their business does (nature / purpose)

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the person / business is not a PEP and is not on a sanctions list.

If your customer is a company or partnership

 Ask for everything you’d ask a sole trader, plus:

• Company number (like ACN)
• Registered office address
• Proof the business exists (for example, a company register extract)
• How it is run and who has authority (constitution, partnership agreement, or similar)
• Full names of directors or people in charge
• Details of who owns or controls the business

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the business and all Directors / controllers are not PEPs and are not on a sanctions list.

If your customer is a trust or equivalent 

 Ask for everything you’d ask a company or partnership, plus:

• The name and type of trust (family trust, unit trust, etc.)
• Proof the trust exists (like a trust deed)
• How it is run and who can make decisions
• Names of trustees and people in charge
• Names of beneficiaries (or a description if it’s a large group, like “children of the settlor”)
• Details of who set it up or controls it

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the trust and all trustees / controllers and beneficiaries are not PEPs and are not on a sanctions list.

If your customer is a government body

 Ask for:

• Full name and any other names used
• The country or part of the country where it was set up E.g. The Independent Broad‑based Anti‑corruption Commission (IBAC) is established in Victoria, Australia. Not just "Australia".
• A unique number if they have one
• Main address
• Proof it exists
• Names of the person / people in charge
• What the business does (nature / purpose)

As specified in your AML Program and defined level of risk for this type of customer, you may also need to check the government body and all people in charge are not PEPs and are not on a sanctions list.

Establishing the identity of persons associated with the customer. I.e. Don’t stop at the first level

Sometimes the customer you see is not the one you’re really dealing with. For example:

• A company may be acting for another business
• Someone might be signing on behalf of the real customer

Example: A client comes to your agency to purchase a commercial property. The purchaser on the contract is an Australian company and one director attends to sign the paperwork. During CDD you find that the company is owned by another company registered in Singapore, which in turn is controlled by two individuals based in Hong Kong.

In short, treat any associated person like a mini-customer for KYC purposes, collecting the relevant information depending on their type. 

Beneficial owners: who really owns or controls the customer?

Finding the beneficial owner simply means working out who ultimately owns or controls the business, trust or governing body.

• If the customer is a listed company (like on the ASX), you don’t need to dig deeper – because their ownership is already public.
• If you can’t find out who owns a business after reasonable steps, you must:
  
  • Record what you tried
  • Collect and verify the CEO’s details instead

Knowing the nature and purpose of the business relationship or occasional transaction

This part is about understanding who your customer is, what they do and why they are engaging you - without going overboard on checks when the risk is low.

Low and medium risk customers

For most clients, you only need the basics:

• Confirm the customer’s identity (for individuals, verify their ID).
• Collect enough information to understand the purpose of the relationship or transaction based on their risk.
• Specify the customer’s risk using the KYC information you have.
• Make sure the customer doesn’t fall into a category that requires enhanced due diligence (EDD) - see below.

Example: A local couple buys their first home through your agency. They are salaried employees, paying with an Australian bank loan. You verify their IDs, note the purpose of the transaction (owner-occupied property purchase) and record their risk as low.

When enhanced due diligence (EDD) is required

You must dig deeper if there are higher risks. EDD applies if:

• The customer is rated high risk.
• You’ve lodged a suspicious matter report (SMR) but wish to continue to act.
• The customer (or their owner/representative) is a foreign PEP.
• The customer is linked to a high-risk country flagged by FATF.
• The service is provided through a nested arrangement (your service flows through another provider).
• The AML/CTF Rules specifically require it for that type of customer.
• The service or transaction looks unusual - for example:
  
  • No clear legal or business purpose.
  • Very complex or unusually large.
  • A strange or inconsistent transaction pattern.

For example: An overseas investor with no clear ties to Australia wants to buy a luxury apartment overlooking Sydney Harbour. Instead of purchasing directly, they set up two Australian companies and a discretionary trust to complete the transaction, and plan to fund it entirely in cash from an offshore account. Because the structure is large, complex and unusual for their profile, you must apply EDD.

Extra checks under EDD

In these cases, you must check:

• Where the customer’s wealth (Source of Wealth / SoW) comes from. i.e how the customer built their overall wealth (e.g. business ownership, investments, inheritance) and;
• Where the specific funds (Source of Funds / SoF) for the particular transaction or business relationship come from (e.g. salary, property sale, company profits).

You also need to keep this information up to date whenever you review or refresh the customer’s KYC for ongoing CDD.

When normal ID isn’t possible

Sometimes people can’t provide standard ID, like older adults without a driver’s licence or passport. You can still work with them if you:

• Take reasonable steps to confirm who they are
• Record what you did
• Manage the extra risk

Previous compliance in a foreign country

If your agency is part of an international group, you don’t always need to redo CDD in Australia.

You can rely on CDD already completed by your overseas office if:

That office was regulated under proper AML/CTF laws aligned with FATF standards.
The CDD was done correctly (or not required due to low risk).
You have immediate access to the KYC records and verification data.

Example: Your agency’s Singapore office verified an overseas investor buying property there last year under Singapore’s AML laws. The same client now wants to purchase a building in Melbourne through your Australian office. Because the Singapore CDD meets FATF standards and your Australian office can access the verification records, you can rely on the previous checks instead of repeating the process.

What if they're a PEP

PEPs are people with prominent public roles (politicians, judges, senior officials, heads of international organisations).

Because they may have access to public funds or influence, they carry higher ML/TF risk in property deals.

Initial CDD – when you first identify a PEP

If your customer (or their beneficial owner, or someone acting for them) is a PEP, you must go further than standard checks.

• Foreign PEPs – always high risk. You must establish their source of wealth and source of funds.
• Domestic or international organisation PEPs – you must establish source of wealth and funds if their ML/TF risk is assessed as high.
• Special case – if you serve a PEP through an overseas branch in their home country, you can treat them as a domestic PEP instead of foreign, but enhanced checks still apply if the risk is high.
  
  Example: A former finance minister from Malaysia buys an investment property in Brisbane through your agency. As a foreign PEP, you must collect and verify evidence of both their wealth (e.g. career earnings, business interests) and the source of funds used for the purchase.

Ongoing CDD – keeping PEP checks up to date

PEP status isn’t a one-off check; you must monitor them throughout the relationship.

• Foreign PEPs – always require ongoing reviews.
• Domestic PEPs – review only if the customer’s ML/TF risk is high.
• International organisation PEPs – review only if the customer’s ML/TF risk is high.
• Special case – if you’re dealing with a foreign PEP in their home country through your local branch, treat them as a domestic PEP.
  
  Example: Your agency manages several properties for an Australian state MP (a domestic PEP). If the MP begins funnelling rental payments through offshore companies, raising their ML/TF risk, you must escalate to enhanced monitoring and update their KYC records.

Providing services before completion of initial CDD (delayed verification)

Timing: can you start before checks are finished?

In most industries, CDD must be finished before services start. But for some low-risk cases, they can begin work and complete checks later - with strict conditions.

Real estate is treated differently. Because property deals move quickly and involve multiple parties, the law sets special rules (Division 9) with shorter deadlines and specific reliance arrangements.

When delayed CDD is allowed

• Seller’s agents can delay initial CDD for the buyer/transferee.
• Buyer’s agents can delay initial CDD for the seller/transferor.
• Professional service providers (e.g., lawyers or conveyancers) acting for the buyer/transferee can delay initial CDD for their client.

This only applies if the work is done through your Australian office.

Deadline: You must complete the missing ID checks within 15 days of contract exchange, or by settlement - whichever comes first.

What you must still do upfront

Even when relying on another party (see below) or delaying CDD, your agency is only considered compliant if:

• The service is real estate related (brokering or assisting with a sale, purchase, or transfer).
• The service is provided in Australia.
• You have completed basic ID steps:
  • If the customer is an individual, you’ve taken reasonable steps to check they are who they claim to be (e.g. collect and sight ID).
  • You’ve risk-rated the customer using the KYC information you already have.
  • You’ve collected the KYC information that matches their risk profile.

This means you can’t simply push all CDD onto someone else. You must at least confirm identity basics, assess risk, and collect enough information to understand the transaction.

How reliance works

To avoid duplication, you can enter into a written reliance arrangement with another reporting entity in the same deal (e.g. a lawyer, conveyancer or someone in your Reporting Group).

This arrangement must:

• Ensure the other party completes full verification (e.g. beneficial ownership) within 15 days.
• Give you access to the KYC records and verification data before settlement.
• Clearly document who is responsible for what, including record-keeping.

Important: Reliance doesn’t let you skip CDD altogether. You still need to know who your customer is, what the transaction is for, and why it makes sense.

Example: A real estate agency brokers a sale. It confirms the buyer’s identity, assesses ML/TF risk and collects basic KYC information. Under a formal reliance arrangement with the buyer’s lawyer, the lawyer completes verification of beneficial ownership within 15 days. The agency can rely on this verification as long as it obtains the KYC records before settlement. 

Ongoing customer due diligence

Ongoing CDD includes active monitoring of those customers who engage in repeat transactions with your agency.

In real estate it generally doesn't apply to one-off family home buyers, instead it applies more to investors, developers and high-net-worth individuals who buy and sell multiple properties.

Your obligation is to watch for unusual activity that could trigger a Suspicious Matter Report (SMR)

What to look for

Patterns that don’t fit: A customer who buys or sells multiple properties in a short period without a clear investment or personal reason.

Unusual behaviour: Sudden changes in how transactions are structured (e.g. moving from personal ownership to layered trusts or companies).

Inconsistent funding: Properties purchased with different sources of money each time, including unexplained offshore transfers.

Attempts to obscure ownership: Using nominees or complex arrangements across deals.