Your AML program is a document. That's the problem.

47 days to 1 July 2026, and a lot of agencies have the same thing: a PDF.

A written AML/CTF program. Might even have been reviewed by a lawyer. Might quote AUSTRAC's Program Starter Kit.

The problem isn't the document. The problem is that AUSTRAC's obligations don't start when you file the document. They start when a client walks in on 1 July and wants to buy a property.

At that point, the document either works or it doesn't.

What "works" actually means

An AML/CTF program under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 is not a policy submission. It's a set of systems, procedures, and controls that must be operational — not just documented.

AUSTRAC's own Program Starter Kit for small real estate agencies describes six areas a functioning program covers. Not six chapters. Six things that need to be running.

Here's what each one looks like in practice, and where most agencies fall short.

1. Governance and oversight

On paper: a statement that the principal is responsible for AML compliance.

In practice: someone who can actually make compliance decisions on the day a problem comes up.

Your program needs to name an AML/CTF Compliance Officer — a real person, not a role — who is at senior management level and has been notified to AUSTRAC. The notification deadline under the AML/CTF Transitional Rules 2026 is 29 July 2026. If you haven't appointed a compliance officer yet, that's the first gap.

AML Simple's onboarding walks you through the appointment step and generates your AUSTRAC notification record. If you'd prefer to do it manually, the AUSTRAC Online portal handles the notification directly.

2. Customer onboarding and KYC

On paper: a procedure describing what documents you'll collect and how you'll verify them.

In practice: a workflow your staff can actually run, for every client, before you provide any service.

Initial customer due diligence (CDD) applies to all customers before you broker a sale or purchase. That means identity verification (name, date of birth, address, plus document verification) and a risk rating for every person.

Common gaps here:

The procedure describes what to collect but not how to verify it.
Risk rating is mentioned but there's no decision tree for what counts as low, medium, or high.
The process works for individuals but has nothing for companies, trusts, or beneficial ownership.

Beneficial ownership is a known failure point. Under the Act, AML/CTF programs are required to include procedures for identifying who ultimately controls or benefits from a transaction — anyone holding 25% or more of an entity, or exercising effective control. A company buying through a trust through a SMSF is exactly the kind of structure your program needs to handle.

AML Simple's CDD workflow covers individual verification, company searches, trust and SMSF structures, and risk rating in one guided sequence. If you're building it manually, AUSTRAC's Starter Kit includes template CDD procedures you can adapt.

3. Ongoing CDD

On paper: a statement that customer information will be updated periodically.

In practice: a system that flags when reviews are due and keeps records of when they happened.

Ongoing CDD means monitoring existing client relationships throughout the transaction — not just at onboarding. If a client's circumstances change, your risk rating should change too.

Most small agencies don't have a system for this. The document says it will happen. There's no process to make it happen.

4. Monitoring and investigation

On paper: a statement that you'll monitor transactions for suspicious activity.

In practice: staff who know what patterns to look for and what to do when they spot them.

Monitoring doesn't mean installing software that scans transactions. For most small real estate agencies, it means trained staff who recognise when something doesn't add up.

Cash, unusual payment structures, purchases that don't match apparent income, urgency to settle without explanation. These are the kinds of patterns your staff need to be watching for on every transaction.

Your program needs to describe how staff escalate concerns — to whom, by when, and what happens next.

5. Suspicious matter reporting

On paper: a section explaining that SMRs must be filed within 3 business days (or 24 hours for terrorism financing).

In practice: someone who knows how to write one.

Suspicious Matter Reports go to AUSTRAC via AUSTRAC Online. They require a factual narrative describing the suspicious activity, the individuals involved, and why the matter is considered suspicious.

This is the part most agencies haven't practised. Filing an SMR under time pressure, on a real client, is very different from reading the policy.

AML Simple has an AI-assisted SMR drafting tool that structures the narrative and prompts for the required information. If you're doing it manually, AUSTRAC's guide to filing SMRs is publicly available and worth reading before you need it.

6. Training and awareness

On paper: a statement that staff will receive AML/CTF training before performing AML-relevant duties.

In practice: actual training, completed, with records showing who did it and when.

Under the Act, training must happen before staff perform any AML-relevant function. That includes reception staff who handle client details, agents who collect ID, and property managers if they're also involved in sales.

Training doesn't need to be expensive. AUSTRAC publishes free training resources and the Starter Kit includes training guidance.

What it does need to be is documented. Date, staff member, content covered. That record needs to be kept for at least 7 years.

The pattern in under-prepared programs

A written program describes what the agency intends to do. An operational program has the workflows, records, and trained staff to actually do it.

The gap between them is usually not knowledge. Most principals who've read the guidance understand the obligations at a conceptual level.

The gap is process. The document says "verify identity" — but there's no Docusign link, no verification service, no agreed workflow for what happens when a client is overseas. The document says "monitor transactions" — but there are no training records showing staff know what to look for.

With 47 days to go, the question isn't whether your document is correct. The question is whether your agency can actually run the process on 1 July.

The fastest way to close the gap

AML Simple is a workflow tool, not a document generator.

Sign up at app.amlsimple.com — around 2 minutes. The program wizard builds your AML/CTF program using AUSTRAC's Starter Kit structure and generates the underlying procedures in a format your staff can follow. CDD, screening, SMR filing, and record-keeping are all built into the same dashboard.

If you already have a written program and want to check whether it's operational, the six areas above are a reasonable self-audit. Work through each one and ask: is there a working process behind this section, or just a description of one?

AML Simple is a compliance workflow tool. It helps you implement your AML/CTF obligations, but does not provide legal advice. If you need advice about your specific circumstances, consult a qualified AML compliance professional.