Tranche 2 for Real Estate: a 5-phase plan to hit 1 July 2026

The reality

From the second half of 2026, real estate businesses that provide designated services must enrol with AUSTRAC and comply with Australia’s AML/CTF regime. That means four non-negotiables:

• Develop and maintain an AML/CTF Program tailored to your business
• Conduct initial and ongoing customer due diligence (CDD)
• Report specified transactions and suspicious matters
• Make and keep records that evidence all of the above

If any of those aren’t designed, implemented, and testable, you will struggle in audits and supervisory reviews. Period.

Your time-boxed, 5-phase execution plan

This is the pragmatic way to sequence the work. Treat the dates as planning anchors and flex as AUSTRAC guidance drops.

Phase 1 -- Foundation & assessment (Sep–Dec 2025)

• Stand up program governance and get stakeholders aligned.
• Due diligence your current controls (e.g., any KYC you already run; third-party roles).
• Set risk appetite and document your RA methodology.
• Complete the ML/TF/PF risk assessment (RA).
• Start regulatory requirements mapping and begin Program drafting in parallel.

Phase 2 -- Framework build-out (Jan–Mar 2026)

• Continue AML/CTF Program drafting and target AUSTRAC enrolment preparation by 31 March 2026 (align timing with official guidance as it lands).
• Draft core policies and procedures: RA, KYC, OCDD/ECDD, screening, transaction monitoring and reporting, governance and reporting, training, record-keeping, independent review.
• Finalise screening protocols (PEPs, sanctions, adverse media).
• Define your customer risk rating methodology and outline transaction monitoring scenarios tied to the RA.
• Finish your role-based training module.

Phase 3 -- Technology integration (Apr–May 2026)

• Implement customer onboarding/KYC capture.
• Stand up screening (if separate from onboarding).
• Trial transaction-monitoring tooling and confirm data flows.
• Lock your management/Board reporting templates and KRIs.
• Build the data foundations: single customer view, data integration/quality, historical retention.
• Run UAT on the end-to-end flow.

Phase 4 -- Testing & training (June 2026)

• Test individual procedures and run full end-to-end scenarios.
• Validate regulatory requirements mapping and control effectiveness.
• Roll out role-specific training; deliver system training where new tech is in play.

Phase 5 -- Go-live & stabilisation (late June 2026)

• Phase your rollout by business unit if needed.
• Provide hypercare support and tighten anything that wobbles.
• Prepare to evidence compliance from Day 1 of obligations.

Why this phasing works: it pushes the RA and Program drafting early (where most projects stall), threads policy, tech, and training concurrently, and leaves June for genuine integrated testing...not hope.

The backbone: a focused ML/TF/PF risk assessment (Phase 1 detail)

Don’t outsource your brain. Own the RA and make it specific to your book of business.

Five steps to done:

Understand the business and appetite - clarify services, channels, customer profiles, geographies, threat environment, and what “within appetite” actually means.

Inherent risk assessment - identify risks across customer, product, channel, jurisdiction, industry, employee, location, and external threat typologies; leverage NRA/AUSTRAC intel.

Controls assessment - aggregate what exists, document it in a controls register, and assess design and operating effectiveness.

Residual risk assessment - apply controls to inherent risks; confirm residuals are within appetite (or document remediation).

Board/Senior Management - present the RA, and feed its outputs directly into Program drafting, training content, and your transaction monitoring rules mapping.

Deliverables you should have on the shelf by the end of Phase 1:

• Risk Appetite Statement (ML/TF/PF)
• RA methodology and model
• Completed RA with rationale
• Controls register with owners and frequencies
• A traceable map from risks → controls → policies/procedures → monitoring rules

Turn RA into an operating program (Phase 2 detail)

The RA isn’t a trophy; it’s the blueprint. Your Program and policies should read like an operating manual, not a legal essay.

Program & policy artefacts to complete:

• Framework: methodology for RA and emerging-risk reviews; customer RA; new products/channels assessment; training governance.
• Customer lifecycle: KYC capture, OCDD/ECDD triggers, beneficial ownership, reliance/outsourcing rules.
• Transactions: scenario library tied to identified risks; tuning/thresholds; alerts workflow; AUSTRAC reporting SOPs.
• Governance & reporting: committee/charter, escalations, KRI/KPI pack, Board reporting cadence.
• Independent review: scope, frequency, evidence requirements.
• Record-keeping: retention, retrieval times, audit trails.
• People: appoint your AMLCO; update JDs and employment agreements to enable screening; write role-specific SOPs.

Get the data and tooling right (Phase 3 detail)

You don’t need to boil the ocean, but you do need clean inputs and auditable outputs.

• Onboarding/KYC: capture data at source; minimise re-keying; ensure reliable verification and sanctions/PEP/adverse media checks.
• Screening: decide whether it’s embedded in onboarding or a separate engine; document match handling and false-positive reduction.
• Transaction monitoring: start with scenarios that directly map to your top residual risks; prove why thresholds are set as they are; version-control your rules.
• Data platform: create a single customer view; lock down data lineage; maintain historical states for “what did we know when?”.
• UAT: run end-to-end workflows that mirror real cases and document the results.

Training that actually changes behaviour (Phase 4)

Tick-box training won’t cut it. Split training by role and system:

• All staff: AML/CTF risk awareness grounded in your RA, real typologies, and red flags.
• Front-line/ops: how to capture KYC correctly, escalate, and record interactions.
• Analysts/compliance: alert triage, case management, reporting standards.
• Leaders/Board: accountability, governance, reporting literacy, and challenge.

What “ready on Day 1” looks like

If AUSTRAC (or your Board) asks for evidence, you can show - immediately:

• Approved AML/CTF Program linked clearly to your RA.
• Live KYC onboarding with screening and exception handling.
• Transaction-monitoring scenarios mapped to risks, with documented tuning decisions and case records.
• Completed and logged training by role, with assessments where appropriate.
• KRIs/KPIs in a management pack and a calendar for governance meetings.
• A record-keeping system that can retrieve any item within SLA.

Common traps to avoid

• Waiting for “perfect” guidance. Build now, then tune - AUSTRAC has flagged more guidance ahead, so design for iteration.
• Treating this as a document project. It’s an operating system. If policies don’t match how you work (and your tech/data), they’ll fail in testing.
• Under-specifying data. If you can’t join customers, accounts, properties, transactions, and alerts into a coherent story, you can’t defend decisions.
• Leaving training and testing to the end. Do that, and you’ll discover gaps when there’s no runway left.

How Lane Consulting & Advisory helps

Lane Consulting & Advisory (LCA) builds risk assessments and programs that actually run - no generic boilerplate, no junior hand-offs. We work shoulder-to-shoulder with your legal advisers to ensure your RA drives your Program, scenarios, training, and governance, and we plan the cadence to adjust as AUSTRAC guidance lands rather than panic in June 2026. If you want a principal-led team that has done this across highly regulated industries (incl. gaming) and is comfortable pairing with top-tier law firms, let’s talk.

This article is general information, not legal advice. Get specific advice for your context before acting.