Independent review of your AML program: what real estate agencies need to know

You have built your AML/CTF program. Your risk assessment is documented, your procedures are written, your staff have been trained. Are you done?

Not quite. Under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), your program must also be independently reviewed at regular intervals. For many small agencies, this requirement comes as a surprise — and raises immediate questions about cost, who can do it, and how often it needs to happen.

This post answers those questions. AML Simple keeps a record of each review your program has undergone — so when AUSTRAC asks, you have the audit trail ready.

What the law requires

Part A of your AML/CTF program — the part that covers your overall governance framework — must include provisions for an independent review of your program. This is set out in the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (Cth), Chapter 8.

The review must assess whether:

Your program is adequate — that it covers the obligations the law requires
Your program is effective — that it is actually working in practice, not just on paper
The findings are reported to senior management and used to update the program where needed

AUSTRAC does not prescribe a fixed review interval, but the standard expectation — consistent with the AUSTRAC Program Starter Kit — is that agencies review their program at least every two years, or sooner when there is a significant change in the business (new services, new staff, new client types, a major transaction that raised flags).

What "independent" actually means

"Independent" does not mean external. It means the reviewer must not be reviewing their own work.

In practice, for a small agency:

The principal cannot review a program they wrote themselves — that is not independent
A senior employee who was not involved in writing the program can conduct the review, provided they have the knowledge to assess it meaningfully
An external AML consultant or law firm can conduct the review — this is the most defensible option for small agencies with limited in-house expertise
A peer agency — in some franchise or network structures — can review each other's programs under a shared arrangement

If you are a sole-principal agency or a 2–3 person team, independent review almost certainly means going external. The cost varies, but for a small agency with a straightforward program, a desktop review by a qualified consultant typically runs A$500–A$2,000.

For a practical breakdown of what building and maintaining your program costs overall, see our post on AML compliance costs for small agencies.

What the reviewer is looking at

A well-conducted independent review will typically cover:

Program completeness — Does your program include all the required elements? A Part A program must cover risk assessment, transaction monitoring, staff training, compliance officer appointment, and the independent review mechanism itself. Our post on what to include in your AML/CTF program covers the full list.

Risk assessment currency — Is your risk assessment still accurate? If your client mix has changed, if you have started working with more overseas buyers, or if AUSTRAC has issued new guidance, your risk assessment may need updating.

Procedure effectiveness — Are your written procedures being followed in practice? A reviewer will often ask to see a sample of completed CDD files to check that the procedure on paper matches what actually happened in a transaction.

Training records — Have all staff completed training? Are records of completion being kept?

Compliance officer awareness — Does the person holding the compliance officer role understand their responsibilities? See our guide to the AML/CTF compliance officer role for what AUSTRAC expects of that person.

Incident log — Has the agency recorded any suspicious matters, threshold transactions, or internal escalations? Have those been handled correctly?

What happens after the review

The reviewer produces a report. That report must be provided to your senior management — which in a small agency typically means the principal.

Any findings of inadequacy or ineffectiveness must be acted on. If your training records are incomplete, fix them. If your risk assessment is out of date, update it. If a CDD procedure was not being followed, retrain staff and document the remediation.

AUSTRAC expects to see a closed loop: review → findings → remediation → updated program. If you are audited, you want to be able to show that cycle has occurred.

How AML Simple supports your review cycle

AML Simple is a compliance tool — it does not conduct independent reviews, and we do not provide AML/CTF advice. What it does do is make the review process significantly easier by keeping everything in one place.

Your reviewer gets access to:

Your current program document, version-controlled with change history
Your risk assessment, with the rationale recorded at the time it was completed
Your training log — who completed what, and when
Your CDD records, searchable by client and transaction
Your compliance officer designation and any changes over time

When a reviewer asks "show me your last 20 CDD files," you can export them in minutes. When AUSTRAC asks "has your program been reviewed?", you can show the review date, the findings, and the remediation steps — all logged in the system.

If you have not started your program yet, sign up free and the program wizard will build the structure your reviewer will later assess — including the independent review clause your Part A program is required to contain.

The two-year clock

If you are starting your program now — as many agencies are, ahead of the July 2026 deadline — your first independent review should be scheduled for no later than mid-2028. Put it in your calendar now. It is easy to defer, and easy to forget.

AUSTRAC's enforcement posture under Tranche 2 is not focused on large penalties for first-time technical breaches by small agencies that are trying to comply. But agencies that cannot demonstrate they have maintained their program — including through review — are in a different category.

Do the work. Keep the records. Review it on schedule. That is the baseline AUSTRAC expects.

This content is general information only and does not constitute legal or AML/CTF advice. AML Simple is a compliance workflow tool, not a law firm or AML/CTF advisory service. For advice specific to your agency, speak with a qualified AML/CTF professional.