AML/CTF Program Template

Document control

Part A — general systems and controls

A1. Purpose and scope

This Program describes the general systems and controls that Acme Real Estate Agency Pty Ltd (the “Firm”) has implemented to identify, mitigate and manage the risk of money laundering and terrorism financing (ML/TF) arising from the designated services it provides. It is adopted under sections 81 and 82 of the AML/CTF Act 2006 and Chapter 4 of the AML/CTF Rules.

A2. ML/TF risk assessment

The Firm has conducted a written risk assessment of its exposure to ML/TF. The assessment considers, at minimum:

• Customer types— including individuals, Australian companies, foreign companies, trusts, partnerships, government bodies and high-risk customers (politically exposed persons, jurisdictions of concern).
• Designated services— assisting in the buying or selling of residential and commercial real estate.
• Delivery channels— in-person meetings, telephone, email, electronic identity verification platforms.
• Foreign jurisdictions— the jurisdictions of buyers and sources of funds, with particular attention to FATF high-risk and non-cooperative jurisdictions.

The risk assessment is documented in a separate schedule (Schedule 1) and is reviewed at least every 12 months and whenever there is a material change in business or in the regulatory environment.

Worked example output:Acme’s overall ML/TF risk is assessed as MEDIUM. The principal drivers are high-value transactions, recurring exposure to corporate and trust buyers, and the use of conveyancer-introduced clients whose source of funds is not always immediately apparent.

A3. Governance and oversight

The Firm’s senior management has approved this Program in writing and is responsible for its ongoing oversight. Senior management receives an AML/CTF report at least annually, covering risk-assessment changes, KYC workflow metrics, any reports lodged with AUSTRAC and the status of the independent review.

AML/CTF Compliance Officer: [Name, Title]. The Compliance Officer is a senior manager with authority to access all records of the Firm and to require any staff member to provide information relevant to compliance. The Compliance Officer is the primary point of contact with AUSTRAC.

A4. Employee due diligence

Before any employee is given access to the Firm’s AML/CTF systems or customer records, the Firm conducts an employee due diligence check that includes verifying the employee’s identity, qualifications (if relevant to the role), prior employment history for at least 5 years and a National Police Check. The result is retained in the employee’s personnel file for 7 years after the employee ceases employment.

A5. Training

All employees with any customer-facing role complete initial AML/CTF training within 30 days of commencement and an annual refresher. Training covers: the nature of ML/TF risk in real estate, the customer identification procedure in Part B, sanctions and PEP screening, suspicious matter indicators, the tipping-off offence and the internal escalation path. Training delivery, date and content are recorded for each employee.

A6. Independent review

The Firm commissions an independent review of Part A every two years (or earlier if there has been a material change). The reviewer must be independent of the AML/CTF Compliance Officer and the design of Part A. The review report is provided to senior management with a written response and an action plan for any findings.

A7. AUSTRAC feedback

The Firm subscribes to AUSTRAC’s industry alerts, monitors published typologies and incorporates relevant guidance into the next risk-assessment review. AUSTRAC feedback (including any compliance assessment or remedial direction) is reviewed by senior management within 30 days of receipt.

A8. Record-keeping (general)

All AML/CTF Program documents, risk-assessment outputs, training records, employee due diligence records, independent review reports and AUSTRAC correspondence are retained for 7 years from the date the document is superseded or the relevant relationship ends, whichever is later. Records are stored in a controlled-access cloud folder, encrypted at rest, with daily backups and a quarterly restoration test.

Part B — customer due diligence procedures

B1. When customer identification is required

The Firm carries out applicable customer identification procedures (ACIP) before providing a designated service to a customer, except where the AML/CTF Rules permit deferred verification. The Firm identifies and verifies the customer, any agent acting on the customer’s behalf and any beneficial owner.

B2. Individual customers

For an individual customer, the Firm collects and verifies:

• full name;
• date of birth;
• residential address.

Verification is achieved through a reliable and independent source: an Australian passport, driver licence or Medicare card combined with a recent utility bill or bank statement. The Firm may use an electronic verification service that meets the reliable-and-independent-source standard.

B3. Australian company customers

For an Australian company, the Firm collects:

• full name as registered by ASIC;
• ACN and (if registered) ABN;
• whether the company is registered as a proprietary or public company;
• registered office address;
• principal place of business;
• full name of every director (for proprietary companies);
• full name and address of every beneficial owner (see B5).

Verification is by reference to an ASIC company search and, where appropriate, the company’s certificate of registration.

B4. Trust customers

For a trust customer, the Firm collects:

• full name of the trust;
• the type of trust (discretionary, unit, etc.);
• country in which the trust is established;
• identifying information for the trustee(s), settlor (if not a sham), appointor (if any) and each beneficiary or, where beneficiaries are a class, a description of the class;
• identifying information for every beneficial owner of the trust (see B5).

Verification is by reference to a certified copy or extract of the trust deed (or, for a regulated trust, an authorised public source).

B5. Beneficial owners

A beneficial owner is an individual who ultimately owns or controls (directly or indirectly) 25% or more of the customer, or who otherwise exercises control. The Firm collects each beneficial owner’s full name and residential address and verifies the same in the same manner as an individual customer (B2). Where no individual meets the 25% threshold, the Firm identifies and verifies the senior managing official of the customer.

B6. Politically exposed persons (PEPs)

The Firm screens every customer, agent and beneficial owner against a recognised PEP list at onboarding and on any material change. Where a PEP match is confirmed the Firm applies enhanced customer due diligence (B8) and obtains senior management approval before continuing or commencing the business relationship.

B7. Sanctions screening

The Firm screens every customer, agent and beneficial owner against the DFAT Consolidated List at onboarding, on any material change and at least monthly for active customers. The Firm may also screen against the UN, OFAC and EU sanctions lists where relevant to the transaction. A positive match prevents the Firm from providing the designated service and triggers the SMR consideration in B11.

B8. Enhanced customer due diligence

The Firm applies enhanced customer due diligence to any customer rated HIGH in the risk assessment, any confirmed PEP, any customer connected to a high-risk jurisdiction and any customer in respect of whom the Firm has formed a suspicion (whether or not an SMR is lodged). Enhanced measures include collecting and verifying the source of funds, the source of wealth and the purpose of the transaction, and obtaining senior management approval.

B9. Ongoing customer due diligence

The Firm reviews customer information on a risk-based cadence: HIGH risk customers at least monthly, MEDIUM risk customers at least quarterly and LOW risk customers at least annually. Trigger events that force an immediate re-review include: a change in beneficial ownership; a change in jurisdiction; the customer becoming a PEP; the Firm forming a suspicion; and any AUSTRAC alert affecting the customer.

B10. Transaction monitoring

The Firm monitors transactions for unusual patterns that are inconsistent with the customer’s known profile. For Acme Real Estate, the principal red flags are: unexplained third-party funders; unusually large deposits from offshore accounts; deliberate use of cash; and reluctance to provide standard identification information.

B11. Suspicious matter reporting

If a member of staff forms a suspicion, the staff member escalates immediately to the AML/CTF Compliance Officer. The Compliance Officer reviews the matter, consults the senior managing director if needed and lodges a Suspicious Matter Report with AUSTRAC within 3 business days of the suspicion being formed (within 24 hours if the suspicion concerns terrorism financing). The Firm does not disclose the existence or contents of the SMR to the customer or any third party (tipping-off offence, AML/CTF Act s.123).

B12. Record-keeping (Part B)

Customer identification records, beneficial-owner verification records, screening results, enhanced due-diligence outputs and SMR-related records are retained for 7 years from the end of the customer relationship (or from the date of the report for SMR-related records). The storage location, encryption and access controls described in A8 apply.

Schedules

• Schedule 1— ML/TF risk assessment.
• Schedule 2— Designated services list.
• Schedule 3— Approved electronic verification provider(s).
• Schedule 4— Training register.
• Schedule 5— Independent review report log.
• Schedule 6— AUSTRAC reports log (SMR, TTR, IFTI, ACR).