AML for Principals: Accountability, Risk & Readiness
We provide clarity on those obligations and how they translate into real-world operations.
Meet our Presenters
David Howell and Kylie Davis work through the operational readiness checklist and explain how Forms Live integrates with AML providers to centralise the compliance workflow.

David Howell
Founder & CEO, Forms Live

Kylie Davis
Founder & President, Proptech Association Australia
TL;DR
With the AML/CTF Tranche 2 deadline of 1 July 2026 fast approaching, this webinar focuses specifically on principals — the people who carry ultimate accountability for AML compliance within their agencies. This session addresses the obligations that sit above that: setting up your business, appointing a compliance officer, choosing an AML provider, and making sure your systems and workflows are ready before July.
Key Takeaways
The buck stops with principals
As a principal, you carry the legal accountability for AML compliance within your business. Fines for body corporates can reach $30 million; individuals and sole traders up to $6 million. AUSTRAC sees agents as partners in evidence gathering — not targets.
Enrol with AUSTRAC first
Before anything else, your business must be enrolled with AUSTRAC. This is your number one priority. Everything else — policies, provider selection, staff training — follows from there.
Appoint a compliance officer
For most small agencies, that will be the principal themselves. The compliance officer is responsible for overseeing risk assessments and handling any flagged clients. Define their authority clearly.
Connect your AML provider to Forms Live
Once you've chosen a provider, connect them via the Forms Live Connections tab. After that initial setup, the workflow is integrated — you initiate onboarding and risk assessments without leaving Forms Live.
Forms Live is your audit trail
Whether you use an integrated AML provider or Forms Live's own CDD forms, all records sit inside Forms Live. If AUSTRAC requests information on a transaction, you can locate and export the relevant forms directly.
Choosing a provider: what to look for
Prioritise security accreditation (ISO 27001), Australian data storage, and API quality. Match the model to your volume — per-transaction providers suit ad hoc agencies; subscription models suit higher-volume operations.
Full Transcript
AML Readiness for Principals: Obligations, Operations, and Integrations
Principal accountability and the legal stakes
What changes for principals under Tranche 2, and what the fines actually look like.
One of the biggest topics at the moment is AML Tranche 2 — it's introducing new compliance obligations for real estate from 1 July. What we're going to look at today is your obligations as a principal, because they are different to general agents. Where the compliance risk sits in your day-to-day operations, what reasonable steps look like in practice, and how to make the most of integrations. David, let's start by setting the scene. What's the fundamental shift in legal accountability for principals under this legislation?
For principals it's about setting up your business to be more structured around things like verification of identity — obligations that in the past would often have been shifted off to the conveyancing role. They're bringing that earlier into the transaction. And importantly, AUSTRAC thinks of real estate agents as partners in the process. This is less about policing your day-to-day, more about how they can minimise the threat of money laundering — and if something does happen, that you can provide them with a strong evidence trail.
The buck does stop with you as a principal, though. There's no getting out of that.
It does. The business is on the hook, and so are the agents who are doing the work. To get the big scary fines out of the way: a body corporate could face up to $30 million for choosing not to comply. Individuals, sole traders, and directors could be in the $6 million range. There are also criminal penalties — if there's a suspicious matter report (SMR) and you tip that person off, that's up to two years' imprisonment. It's highly, highly unlikely to happen for the vast majority of agents, but it's there.
Operational readiness: what to do before 1 July
The step-by-step checklist for principals, and what absolutely must happen before the deadline.
Our deadline is July 1st. What do principals have to have done before then in order to be ready?
Number one priority: make sure you are enrolled with AUSTRAC. Your business must be enrolled before you can do anything else. AUSTRAC will then help you with documentation around your responsibilities as a reporting entity.
After that, we're working off the easyAML operational readiness checklist — it's very practical, broken down into all the little things you need to do to get your business ready. The list looks long, but the bigger you are, the more you have to do. If you're a small operator — one to five people — you can absorb a lot of it within your own team.
The very first item on that checklist is: appoint a compliance officer and define their authority. For most small agencies, that's going to be the principal. Which means the buck stops with you — which is where it should be. If there's a risk assessment concern about a particular client, you as the compliance officer are the ones who go through that process.
1. Enrol with AUSTRAC (do this first)
2. Appoint a compliance officer and document their authority
3. Set AML policies and procedures for your business
4. Select and connect an AML provider
5. Train relevant staff
6. Update agency agreement admin fees to cover CDD costs
As a principal inside a real estate group, you've usually got scripts and dialogues for how you handle different scenarios. There's probably just a handful of new scripts you'll need — for explaining the verification process to vendors, for handling clients who push back, for the auction scenario.
Know your customer (KYC) and the CDD process
What customer due diligence actually involves, and a useful analogy for explaining it to your team and clients.
A lot of this comes down to specific questions and compliance steps. In the past, the conveyancer sorted a lot of this out. So in many ways, we're just bringing it earlier in the transaction.
Another way to think about CDD is that it's like a disclosure statement for the property — but for the person, for the customer. Here in South Australia you have a Form 1; in Victoria there's the Section 32. Think of it as analogous to that, except rather than it being about the property, it's about the customer.
The two main forms you'll use in Forms Live are the customer onboarding form and the initial risk assessment. The onboarding form gathers the information you need; the risk assessment is what you run against that information. In most cases, the outcome is straightforward — but there are provisions for what to do if a client comes back elevated.
And just to reinforce what we covered in the last webinar — for auctions, you only need to do the buyer check after the hammer comes down and you're dealing with one party. You don't have to run everyone in the room through the process.
That's right. And we'll make sure the provisions are in the agency agreements so principals can recoup the cost of the risk assessment through administrative fees. AUSTRAC has also made concessions in the auction space — you can start the process in parallel after the auction has completed, rather than having to do it with every potential buyer.
Choosing an AML provider: a framework for principals
With a flood of new AML providers entering the market, David outlines what to look for and how to match a provider to your agency size.
Principals already have what feels like hundreds of subscriptions coming off their credit card. How do you decide which AML provider to go with?
The first thing is security. Forms Live is ISO 27001 certified — an international accreditation for information security — and we require the same from anyone we work with. Data must be stored in Australia.
After that, look at capabilities and technology. A lot of providers entering the market are coming from New Zealand, where AML has been in place for some time — they're leveraging existing infrastructure. And make sure the APIs are clean and can integrate well into your workflow.
We've selected integrations that cover the full spectrum of agency size. For smaller or ad hoc agencies: APLYiD and AML Assured, both on a per-transaction model. For higher-volume operations: easyAML and AMLHUB, which are subscription-based. You don't have to pick one and lock in forever — match it to your current volume.
Manual forms vs. integrated providers
When it makes sense to use Forms Live's built-in CDD forms versus an integrated AML provider — and the risks of going fully manual.
What are some of the risks of trying to handle this with paper forms?
You might choose a mixture of both. For very low-risk onboarding, you could do it yourself using the Forms Live CDD forms. For anything that looks like it might be medium or high risk, the integration is valuable because it guides you through the process step by step and makes sure you don't miss anything.
If you're using an AML integration, it replaces the need to fill out the forms — it streamlines the onboarding and risk assessment through their system. Forms Live provides the forms for agencies that want to do it without a third-party subscription. But we do encourage using a provider, because efficiency is the main advantage — especially for the compliance officer who has to centrally manage everything.
One of the real risks of going manual is that you end up photocopying driver's licences and storing identity documents — and there's enormous pressure on agencies at the moment not to do that, because of the security risk.
That's the frustrating tension here. AUSTRAC does require you to store this information — which is why it's so important that you're storing it securely and in Australia. If you're using an integrated provider or Forms Live itself, it's all stored appropriately. If you're printing and filing passport copies, that's where your risk sits.
Connecting your AML provider to Forms Live
How the integration actually works in practice — the setup process and what it looks like in your day-to-day workflow.
If I've been diligent and signed up to an AML provider, and I'm also a Forms Live customer — how do I bring them together?
Very simply — through the Connections tab in Forms Live, which is the same place all our other integrations live. Once connected, you don't have to do anything else. It becomes part of the workflow: you initiate the onboarding and risk assessment, the VOI — all through Forms Live. The client's details are pre-populated from the form, and you just start the process.
The compliance officer would then jump into both systems to complete the risk assessment, but for the agent out in the field, the change to their day-to-day is minimal. It's part of the agency agreement process, part of signing up a vendor — and then out to market.
From the forms list, you can see AML status indicators alongside your signing status. A form can be in draft, out for signing, and have an AML check in progress — all visible at a glance. And importantly, you can start the AML process while a form is still in draft, or after finalising it. You don't have to wait.
The Forms Live app and mobile AML tracking
How the Forms Live mobile app surfaces AML and signing status for agents and principals on the go.
The Forms Live app has just been released, and it's all about managing the signing process on mobile — tracking who's signed, who it's waiting on, sending reminders, getting notifications when someone views or signs a form. The extension of that will be AML status: if you have an outstanding risk assessment in progress, you'll be able to see it progressing through your phone. So you can track your sales journey for a customer without having to jump in and out of systems.
Nobody wants 49 tabs open. The goal is to have it all running from one place as you go about your day.
Audit trails, data security, and non-tech clients
How Forms Live functions as your compliance record, and how to handle clients who aren't comfortable with digital processes.
As a principal, you need to be able to prove you've handled compliance if AUSTRAC ever asks. How is Forms Live making that audit trail easier?
Think of Forms Live as your audit trail by definition. All your onboarding forms and risk assessments sit inside Forms Live against the relevant property. If AUSTRAC reaches out and needs more information on a specific transaction, you find the property, pull the forms for that transaction, and send them through. It's all there.
Forms Live data is stored in Australia and doesn't leave. We have ISO 27001 accreditation. So whether you're using a third-party integration or our own CDD forms, the records are held securely.
What about clients who aren't comfortable with technology?
Absolutely, you can verify someone in person or with wet-ink forms if needed. And think about it logically — if you're physically in the room with someone, your risk level is already lower because you can see and identify them directly. The cases where digital VOI matters most are interstate buyers, overseas buyers, anyone you've never met in person.
Closing summary and next steps
A practical wrap-up for principals watching this webinar.
If you're a principal watching this and thinking you're not prepared — the first step is registering on the AUSTRAC website. The second is thinking about which AML provider you want to use, and checking which ones are integrated with Forms Live at formslive.com.au/aml. Download the operational readiness checklist. Try to keep things digital where you can — that's where you'll save the most time and have the clearest records if you ever get audited. And keep your eye open as new integrations come on board.
My personal view is it'll be a little interesting in those first few months, but once you get into a flow it'll become standard procedure. AUSTRAC will be working with the industry to minimise disruption, and we as technology providers are doing everything we can to make it as painless as possible. My focus is making sure you have the information you need so you can focus on what you do best — communicating with customers and selling property.
Your job isn't to capture criminals. It's simply to take the steps so that if anything does happen, there's an evidence trail. Report what needs to be reported, do your due diligence, and let AUSTRAC do what they will with it. That's where your job starts and ends.
Questions from the Live Session
