1. Why the Principal Is Personally Liable
Under the AML/CTF Act, the "reporting entity" is the business itself. But AUSTRAC does not simply fine the company and move on. The principal - the Licensee in Charge - is held responsible for ensuring the agency meets its obligations. This is personal liability, not just corporate liability.
You cannot delegate this responsibility away entirely. Even if you appoint a Compliance Officer, even if you hire an external consultant, even if you use software to automate your processes - the buck stops with you.
The logic is straightforward: the principal holds the licence, controls the business, and has the authority to implement compliance systems. AUSTRAC expects the person with that authority to exercise it.
The penalty reality
Penalties under the AML/CTF Act reach up to $33 million for companies and $6.6 million for individuals. For the most serious offences - such as failing to report a suspicious matter - criminal prosecution and imprisonment are on the table. These are not theoretical numbers. AUSTRAC has enforced penalties against reporting entities in other sectors, and has indicated it will take the same approach with Tranche 2 entities.
2. The 5 Things Only a Principal Can Do
These responsibilities sit with the principal and cannot be delegated. You can seek advice, you can use tools, but the final accountability is yours.
Sign off on the AML/CTF program
The AML/CTF program is the foundation document that governs how your agency handles compliance. The principal must approve it, and it must be reviewed and re-approved at least annually.
Appoint the AML/CTF Compliance Officer
The principal must formally appoint a Compliance Officer. This can be the principal themselves (common in smaller agencies) or a senior staff member with appropriate authority and training.
Approve the ML/TF risk assessment
Your agency must conduct a money laundering and terrorism financing risk assessment. The principal must review and approve the findings, ensuring the assessment reflects your actual business operations.
Ensure adequate training for all staff
Every person in your agency who provides or is involved in designated services must receive AML/CTF training. The principal is responsible for making sure this happens - and that training is kept up to date.
Report to AUSTRAC when required
While day-to-day reporting may be handled by the Compliance Officer, the principal retains ultimate responsibility for ensuring reports (including Suspicious Matter Reports) are filed correctly and on time.
3. What You Can Delegate (and to Whom)
While the five responsibilities above stay with you, there is plenty of operational work that can and should be delegated. The key is to delegate to the right people with the right training.
| Task | Can Be Delegated To |
|---|---|
| Day-to-day CDD collection | Agents |
| Identity verification checks | Agents or admin staff |
| Sanctions and PEP screening | Compliance Officer or software |
| Record keeping and filing | Admin staff or software |
| Suspicious matter identification | All staff (trained) |
| Suspicious matter reporting | Compliance Officer only |
Delegation does not mean abdication
Delegating a task means assigning someone to perform it - not removing yourself from accountability. You must still ensure the person you delegate to is trained, has the resources they need, and is performing the task correctly. If a delegated task is not done properly, AUSTRAC will look to the principal, not the staff member.
4. The Compliance Officer Role
Who should it be?
There is no single answer. It depends on the size and structure of your agency:
- The principal themselves - Common in small agencies with fewer than five agents. Practical and cost-effective, but you must ensure you have the time and knowledge to do the job properly.
- A senior agent - Must have sufficient authority within the agency and receive dedicated AML/CTF training. Cannot be someone junior who lacks the standing to challenge non-compliance.
- An external appointment - Some agencies may choose to appoint an external compliance consultant. This can work, but the principal must still oversee their performance.
What the Compliance Officer does
- Manages the AML/CTF program on a day-to-day basis
- Ensures CDD is completed for every transaction
- Conducts ongoing training for all staff
- Files reports with AUSTRAC (SMRs, TTRs, IFTIs)
- Monitors for suspicious activity across the agency
- Maintains records and audit trails
Appointing a Compliance Officer does not remove the principal's ultimate liability
This is the single most important point in this guide. A Compliance Officer manages the program. The principal is accountable for the program. If the Compliance Officer fails to file a Suspicious Matter Report, AUSTRAC will hold the principal responsible for not having adequate oversight.
5. What AUSTRAC Expects From You
Before July 1, 2026
Enrol with AUSTRAC (opens March 31)
Registration is mandatory. The AUSTRAC Online enrolment portal opens on March 31, 2026. If you are providing designated services on July 1, you must be enrolled by July 29.
Develop your AML/CTF program
Your program must document how your agency will identify, mitigate, and manage ML/TF risks. It must be tailored to your business - a generic template will not satisfy AUSTRAC. The real estate program starter kit provides a starting point.
Conduct an ML/TF risk assessment
Assess the money laundering and terrorism financing risks specific to your agency, your clients, your location, and the types of transactions you handle.
Appoint a Compliance Officer
Formally appoint your AML/CTF Compliance Officer and document the appointment. Ensure they have the authority and resources to do the job.
Train your team
All staff involved in designated services must receive AML/CTF training before July 1. Training must cover CDD procedures, suspicious matter identification, and reporting obligations.
After July 1, 2026
- Perform CDD on every transaction - Verify the identity of buyers and sellers before providing a designated service
- Screen against sanctions and PEP lists - Check every client against DFAT sanctions lists and politically exposed person databases
- Monitor for suspicious activity - Watch for red flags across all transactions
- File reports when required - Suspicious Matter Reports (SMRs) within 24 hours of forming a suspicion, Threshold Transaction Reports (TTRs) for cash transactions of $10,000 or more
- Keep records for 7 years - All CDD documentation, screening results, risk assessments, and reports must be retained for a minimum of 7 years
- Update your program annually - Review and update your AML/CTF program at least once every 12 months
6. Penalty Breakdown for Principals
The penalties under the AML/CTF Rules 2025 and the Act are structured to ensure that non-compliance is never the cheaper option. Here is what principals face:
| Offence | Penalty |
|---|---|
| Failing to enrol with AUSTRAC | Up to $33M (body corporate) |
| No AML/CTF program in place | Up to $33M (body corporate) |
| Failing to perform CDD | $330,000 per breach (infringement notice) |
| Failing to report a Suspicious Matter | Criminal offence - up to 2 years imprisonment |
| Inadequate record keeping | $330,000 per breach |
Imprisonment is on the table
Failing to file a Suspicious Matter Report is not just a fine - it is a criminal offence that can result in up to 2 years imprisonment. This applies to individuals, meaning the principal or Compliance Officer can face criminal prosecution. If you become aware of suspicious activity and do not report it to AUSTRAC, you are committing an offence. This is not a theoretical risk - AUSTRAC has referred matters for criminal prosecution in other sectors.
Each failure is treated as a separate breach. If your agency processes 20 transactions without performing CDD, that is 20 separate penalty events, each carrying its own fine.
7. Common Mistakes Principals Are Making
"I will wait until July to sort this out"
AUSTRAC enrolment opens on March 31 and the portal will be congested as thousands of new reporting entities attempt to register simultaneously. Your AML/CTF program, risk assessment, Compliance Officer appointment, and staff training all need to be in place before July 1 - not on July 1. Waiting until the last moment is a compliance failure waiting to happen.
"My receptionist can handle compliance"
The AML/CTF Compliance Officer must have the authority and training to fulfil the role. A receptionist or junior admin staff member does not have the standing to challenge a senior agent who is cutting corners on CDD, escalate concerns to the principal, or make decisions about suspicious matter reporting. The CO role requires seniority.
"We only do rentals, this does not apply"
Property management and residential leasing are not designated services under Tranche 2. But if your agency also handles sales - even occasionally - those transactions are captured. Check whether any part of your business involves the sale, purchase, or transfer of real estate. If it does, you must comply.
"I will just use paper forms"
AUSTRAC expects systematic, auditable processes. A photocopied driver's licence in a manila folder does not constitute a compliant CDD process. You need time-stamped records, sanctions screening results, risk assessments, and an audit trail that can be produced years later. Paper-based systems will struggle to meet these requirements.
"One of the big franchises will sort it for us"
If you are an independent agency, you must comply individually. Even if you are part of a franchise network, the obligation sits with each reporting entity - each individual agency. A franchise head office may provide guidance or tools, but the principal of each office is personally liable for their own compliance.
8. How AMLTranche Helps Principals
AMLTranche is built specifically for Australian real estate agencies facing Tranche 2 compliance. Here is what it does for principals:
- Generates your AML/CTF program in minutes - Tailored to your agency, not a generic template
- Automates CDD workflow for your agents - Guided step-by-step process for every transaction
- Handles sanctions and PEP screening - Automatic checks against the DFAT Consolidated List and PEP databases
- Identity verification built in - Electronic identity verification for individuals, companies, and trusts
- Audit-ready record keeping - Time-stamped, tamper-proof records retained for 7 years
- From $179/mo, no setup fees - Compliance should not break the bank
Get your agency AUSTRAC-ready in under an hour
AMLTranche handles your AML/CTF program, CDD workflows, sanctions screening, identity verification, and 7-year audit trails - built for Australian real estate.
Start Free → Book a Demo →Get a free compliance checklist for your business:
No spam. Unsubscribe anytime.
Frequently Asked Questions
Can a principal also be the Compliance Officer?
Yes. In small agencies, the principal commonly acts as both the Licensee in Charge and the AML/CTF Compliance Officer. There is no legal requirement for the roles to be held by different people. However, the principal must ensure they have the time and knowledge to fulfil both roles effectively. In larger agencies, appointing a dedicated Compliance Officer is strongly recommended.
What happens if I do not enrol by July 29?
Providing a designated service without being enrolled with AUSTRAC is a criminal offence under the AML/CTF Act. If you are providing real estate services on July 1, 2026, you must be enrolled by July 29, 2026 (within 28 days). Failure to enrol can result in penalties of up to $33 million for a body corporate. AUSTRAC enrolment opens on March 31, 2026, so there is no reason to delay.
Am I personally liable or is the company liable?
Both. The company (the reporting entity) is liable for civil penalties of up to $33 million per breach. The principal or Licensee in Charge is also personally liable, facing individual penalties of up to $6.6 million and potential criminal charges including imprisonment of up to 2 years for certain offences. Personal liability cannot be avoided by operating through a company structure.
Do I need a separate AML program for each office?
Not necessarily. If all offices operate under the same licence and provide the same services, a single AML/CTF program can cover multiple offices. However, the program must account for any differences in risk profiles between locations - for example, offices in high-value property markets may have different risk factors. Each office must implement the program consistently and all staff must be trained.
How often do I need to update my AML program?
You must review and update your AML/CTF program at least once every 12 months. You must also update it whenever there is a material change to your business operations, risk profile, or when AUSTRAC issues new guidance. The annual review should include reassessing your ML/TF risk assessment, checking that procedures remain adequate, and confirming that training is up to date.
Published: 5 March 2026. This article is for general information only and does not constitute legal advice. For advice specific to your circumstances, consult a qualified legal professional.