What is a Business-Wide Risk Assessment? AML/CTF Guide for Real Estate Agencies Australia 2026
Of all the AML/CTF obligations landing on real estate agents from 1 July 2026, the business-wide risk assessment causes the most confusion. It's the document agencies are least familiar with — and the one everything else depends on. Get your BWRA right and your policies, your CDD and your training all flow from it. Get it wrong and the rest of your program rests on sand.
Here's what it is, why AUSTRAC requires it, and how a real estate agency actually completes one.
What the BWRA is
Under the reformed AML/CTF Act, every reporting entity must conduct a money laundering, terrorism financing and proliferation financing (ML/TF) risk assessment before it provides designated services. This is the document widely referred to as the business-wide risk assessment.
In plain terms, it answers one question: where is my agency most exposed to being used to launder money or finance crime? You identify the risks, assess how serious each is, and that assessment then drives the controls you put in your AML/CTF policies. Together, the risk assessment and the policies make up your AML/CTF program — the reforms replaced the old "Part A / Part B" structure with these two documents.
A key feature of the risk-based approach is proportionality. Your BWRA must be appropriate to the nature, size and complexity of your business. A two-person regional agency and a national franchise will produce very different documents — and both can be compliant.
Why AUSTRAC requires it
AUSTRAC's whole regime is risk-based. Rather than prescribing identical rules for every business, it asks each reporting entity to understand its own risks and respond proportionately. The BWRA is where that understanding is documented. Without it, you can't show why your controls are set the way they are — and "we used a template someone sent us" is precisely what AUSTRAC has warned against.
The risk factors a real estate agency should assess
The Act requires your risk assessment to have regard to a defined set of matters: the designated services you provide, the customers you provide them to, the methods and channels you deliver them through, the foreign jurisdictions you deal with, and the risk information AUSTRAC publishes (notably its National Risk Assessments for money laundering, terrorism financing and proliferation financing).
Translated into practical factors a property agency should work through, that means assessing:
- Customer type — individuals, companies, trusts, SMSFs; established locals versus first-time or unknown buyers.
- Beneficial ownership and control — how easily you can identify the real people behind a customer.
- Politically exposed persons (PEPs) — your likely exposure to senior public officials and their associates.
- Geographic risk — the locations of your customers, their funds, and the properties involved.
- Offshore and foreign-buyer risk — overseas purchasers, foreign-sourced funds and cross-border arrangements.
- Funding and payment methods — cash components, third-party payers, and unusual settlement structures.
- Trust and corporate structures — layered or opaque ownership with no clear commercial rationale.
- The designated services you provide — sales, buyer's-agent work, development sales; which parts of your business are actually in scope.
- Delivery channels — in-person versus remote/online onboarding, and the verification methods you use.
- Property and transaction characteristics — high-value, off-the-plan, rapid resale, or values out of step with the market.
- Proliferation financing — exposure to sanctions evasion linked to weapons-of-mass-destruction financing (often low for a typical agency, but it must be considered and documented).
- Your own controls and vulnerabilities — gaps in current processes, staff awareness, and oversight.
For each factor, you assess the likelihood and impact of the risk materialising, arrive at a risk rating, and then point to the control that manages it. That last link — risk to control — is what turns a risk assessment from a description into a working document.
Note that proliferation financing must be assessed across the board, even where your exposure is low. Recording that you considered it and why your exposure is limited is itself part of compliance.
How to complete one, step by step
- Scope your business. Map which of your services are designated services and therefore in scope.
- Gather risk information. Read AUSTRAC's National Risk Assessments and its real estate sector risk insights; pull in what you know about your own client base.
- Identify and rate each risk across the factors above.
- Link each risk to a control — the procedure, check or system that manages it. These controls become your AML/CTF policies.
- Have it approved by senior management and document that approval.
- Schedule review — at least every three years, and on any significant change.
Where Veriqua fits
Building a defensible risk assessment from a blank page is hard when you've never done one. Veriqua's BWRA module is designed to guide a real estate agency through each risk factor, draws on AUSTRAC's National Risk Assessments and sector risk insights, helps you rate likelihood and impact, and links each identified risk to a control — producing a documented, version-controlled risk assessment you can hand to a reviewer.
Importantly, the tool structures and accelerates the work; the risk judgements and approval remain yours. AUSTRAC expects reporting entities to own their risk assessment rather than adopt a generic one, and a guided process helps you do exactly that.
Frequently Asked Questions
What is a business-wide risk assessment under the AML/CTF Act?↓
How often must a real estate agency update its risk assessment?↓
What risk factors must a real estate agency assess in its BWRA?↓
Can a real estate agency use a template for its risk assessment?↓
Related articles
AML/CTF Compliance Checklist for Real Estate Agents
The full obligations map — enrolment, program, CDD, SMRs and training.
Customer Due Diligence for Property Transactions
Who you verify, what you collect, and when enhanced CDD applies.
SMR and TTR Guide for Real Estate Agents
When to report, the deadlines, and the tipping-off rule.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at February 2026. It reflects our understanding of the AML/CTF reforms, the AML/CTF Rules 2025 and AUSTRAC guidance as at that date, all of which may change. It is not legal, financial or compliance advice and must not be relied on as such. The risk factors above are a practical guide, not an exhaustive or prescribed statutory list; your risk assessment must reflect your own business. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.