Cyber Security for Real Estate Agents: AML/CTF Obligations and the BEC Risk in Property Transactions
From 1 July 2026, Australian real estate agents become regulated reporting entities under the AML/CTF regime for the first time. But the most immediate cyber threat to your agency — settlement fraud — has been active for years, and it doesn't wait for a compliance deadline.
Property transactions involve some of the largest single transfers of money that most Australians ever make. For a real estate agent sitting in the middle of those transactions — holding client identity documents, communicating with buyers, sellers, conveyancers, and lenders, and coordinating the chain of events that leads to settlement — that creates a very specific and well-understood cyber risk profile.
Business email compromise (BEC) in property transactions is not a theoretical threat. It is the most financially destructive form of cybercrime affecting the Australian real estate sector, and the mechanics are simple: an attacker compromises or spoofs an email account involved in the transaction, monitors the correspondence, and at the critical moment inserts fraudulent payment instructions that redirect funds to an account they control. By the time the substitution is discovered, the funds have moved on — often offshore. Recovery rates are low.
The same BEC pattern targets mortgage brokers and conveyancers across every property transaction — the attack works wherever large funds move between parties coordinating by email.
Now, layered on top of that existing threat, comes a significant regulatory shift. The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 brings real estate agents into AUSTRAC's regulatory framework for the first time, with full compliance required from 1 July 2026. Understanding both dimensions — the immediate fraud risk and the incoming compliance obligations — is essential for any agency operating in today's environment.
What the AML/CTF Reforms Actually Mean for Agents
The Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 passed Parliament on 29 November 2024 and received Royal Assent on 10 December 2024. It brings lawyers, accountants, real estate agents, and dealers in precious metals into Australia's AML/CTF framework — making Australia one of the last FATF member countries to regulate these sectors.
For real estate agents, the designated services that trigger obligations include brokering the sale, purchase, or transfer of residential, commercial, industrial, and rural property on behalf of buyers or sellers. From 31 March 2026, enrolment with AUSTRAC opens. From 1 July 2026, compliance is mandatory.
The core obligations for newly regulated agencies are:
- Enrol with AUSTRAC — from 31 March 2026; failure to enrol before providing designated services is a breach
- Develop and maintain an AML/CTF program — a written, risk-based program covering your agency's ML/TF risk assessment, policies, procedures, and controls; must be approved by a senior manager and independently reviewed every three years
- Conduct customer due diligence (CDD) — verify the identity of clients at the outset of a transaction; this means collecting and verifying identity documents, understanding the nature of the transaction, and assessing the source of funds where risk warrants it
- Report suspicious matters — file a Suspicious Matter Report (SMR) with AUSTRAC when you have reasonable grounds to suspect a transaction may involve money laundering or other criminal proceeds
- Keep records — retain identity verification records, transaction records, and due diligence documentation for a minimum of seven years
- Train your staff — all staff involved in designated services must understand the agency's AML/CTF obligations and their role in meeting them
The "reliance" option matters for smaller agencies. Where a conveyancer or solicitor involved in the same transaction has already completed identity verification for a client, agents can rely on that verification rather than duplicating the process — provided the reliance arrangement is documented. This reduces the administrative burden but does not remove your ultimate responsibility for compliance.
Critically, the AML/CTF obligations create a data security imperative that goes beyond the compliance checklist itself. To meet your CDD and record-keeping requirements, you will be collecting and retaining copies of passport pages, driver's licences, proof of address, and potentially beneficial ownership documentation for buyers and sellers. That data must be stored securely for seven years — and it is exactly the kind of data that attackers target.
Why Real Estate Is a Primary BEC Target
Business email compromise in real estate has a specific anatomy that sets it apart from generic phishing. The attacker does not need to rush — they can patiently monitor email threads for weeks, building a detailed understanding of the transaction, the parties involved, the expected settlement date, and the amounts at stake. When the moment is right, a single fraudulent email is enough.
The scenario most commonly seen in Australian property transactions is straightforward: the attacker compromises the email account of one party — the agent, the conveyancer, the buyer, or the seller — and uses access to monitor the transaction. As settlement approaches, they send an email appearing to come from a legitimate party (the agent, the solicitor, or the bank), advising that banking details have changed and requesting that funds be directed to a new account. The new account is controlled by the attacker.
What makes this particularly dangerous in real estate is the size of the amounts and the irreversibility of the transfers. A successful BEC attack on a single residential property transaction can divert hundreds of thousands of dollars. And unlike credit card fraud, where card networks have chargeback mechanisms, bank-to-bank transfers are extremely difficult to reverse once cleared — especially when the recipient account moves funds onward quickly.
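The signals that this BEC pattern leaves behind can be triaged mechanically before anyone acts on a message: a Reply-To that points somewhere other than the sender, a sender domain that is one or two characters away from a known party's domain, and payment-redirection wording. The Python below is an added example written for this article, not code from the original page or from any vendor; the known-domain register, the addresses and both messages are constructed, and the regular expressions are illustrative signals rather than a complete detection rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the legitimate email domains of the parties to
# the transaction, recorded when the engagement starts (agent, conveyancer, lender).
KNOWN_PARTY_DOMAINS = {
    "example-realty.com.au",
    "example-conveyancing.com.au",
    "example-bank.com.au",
}

# Wording that typically accompanies a payment-redirection request. A match is a
# signal that the message needs phone verification, not a verdict on its own.
PAYMENT_CHANGE_PATTERNS = [
    re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|payment|bsb)\b", re.I | re.S),
    re.compile(r"\b(trust|settlement) (account|funds)\b.{0,60}\b(instead|no longer)\b", re.I | re.S),
    re.compile(r"\bbsb\b\s*[:#-]?\s*\d{3}[- ]?\d{3}\b", re.I),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from a From or Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True when the domain is not a known party but is within two edits of one."""
    if not domain or domain in KNOWN_PARTY_DOMAINS:
        return False
    return any(edit_distance(domain, known) <= 2 for known in KNOWN_PARTY_DOMAINS)


def triage(raw_message: str) -> dict:
    """Return the BEC signals present in one plain-text email and a handling verdict."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_domain
    body = msg.get_payload() if not msg.is_multipart() else ""

    flags = []
    if reply_domain != from_domain:
        flags.append("reply_to_mismatch")      # a reply would go to a different mailbox
    if is_lookalike(from_domain):
        flags.append("lookalike_sender")       # e.g. a digit swapped into a known domain
    if is_lookalike(reply_domain):
        flags.append("lookalike_reply_to")
    if any(p.search(body) for p in PAYMENT_CHANGE_PATTERNS):
        flags.append("payment_change_language")

    # Any payment change needs a callback to a known number; header anomalies on
    # top of that mean the thread should be frozen and escalated to a principal.
    if "payment_change_language" in flags and len(flags) > 1:
        verdict = "hold_and_escalate"
    elif "payment_change_language" in flags:
        verdict = "verify_by_phone"
    elif flags:
        verdict = "review_headers"
    else:
        verdict = "low"
    return {"from_domain": from_domain, "reply_domain": reply_domain,
            "flags": flags, "verdict": verdict}


# Constructed sample messages; no real parties, domains or accounts.
SUSPICIOUS_EMAIL = """\
From: "Jane Lee (Example Conveyancing)" <jane.lee@examp1e-conveyancing.com.au>
Reply-To: jane.lee.settlements@mail-example.net
To: agent@example-realty.com.au
Subject: Settlement Friday - updated trust account details

Hi, please note our trust account details have changed for this settlement.
New BSB: 062-000 Account: 12345678. Please direct the deposit accordingly.
"""

BENIGN_EMAIL = """\
From: "Jane Lee" <jane.lee@example-conveyancing.com.au>
To: agent@example-realty.com.au
Subject: Contract exchanged

Hi, contracts were exchanged this morning. Cooling-off ends Tuesday.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw))
```

The constructed suspicious message trips all three signals (a swapped digit in the sender domain, a Reply-To on an unrelated domain, and new BSB details) and is held for escalation, while the benign contract-exchange note comes back clean. In practice the known-domain register would come from the agency's contact records, and the verdict would feed the callback procedure rather than replace it.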
The critical control is out-of-band verification. Any change to banking details or payment instructions — regardless of how legitimate the email looks, regardless of whether it contains correct details from earlier in the transaction — must be verified by calling the party directly on a previously known number. Not by replying to the email. Not by calling a number provided in the email. A phone call to a known number takes 60 seconds and prevents a six-figure loss.
Your Regulatory Obligations
| Regime | Obligation | What it means for agencies |
|---|---|---|
| AML/CTF Act — from 1 July 2026 | AML/CTF Program and AUSTRAC Enrolment | All agencies brokering property sales or purchases must enrol with AUSTRAC from 31 March 2026 and comply with a written, risk-based AML/CTF program from 1 July 2026. The program must include a risk assessment, CDD procedures, reporting processes, and staff training. |
| AML/CTF Act — Record-Keeping | 7-Year Retention of Identity and Transaction Records | Client identity verification records, transaction details, and due diligence documentation must be retained for a minimum of seven years and stored securely. This creates a long-term repository of sensitive personal information that must be actively protected. |
| Privacy Act 1988 (Cth) | APP 11 — Data Security | Agencies with annual turnover above $3M are fully covered by the Privacy Act. The 2024 amendments explicitly require both technical and organisational measures to protect personal information. AML/CTF compliance creates new categories of sensitive data that fall squarely within APP 11. |
| Privacy Act — NDB Scheme | Notifiable Data Breaches | A breach exposing client identity documents, financial information, or transaction data that is likely to cause serious harm must be reported to the OAIC and affected individuals as soon as practicable — and no later than 30 days after becoming aware of the breach. |
| AML/CTF Act — Privacy Interaction | Privacy Act Coverage for AML CDD Data | Notably, agencies below the $3M turnover threshold are still covered by the Privacy Act in respect of personal information collected to meet AML/CTF obligations — the small business exemption does not apply to AML-collected data. |
| Cyber Security Act 2024 (Cth) | Ransomware Payment Reporting | Agencies with turnover above $3M must report ransomware or extortion payments to the Australian Signals Directorate within 72 hours. Ransomware targeting agencies with large repositories of property transaction data is an active and growing threat. |
The Data Profile: What Your Agency Actually Holds
Before considering controls, it is worth mapping the data your agency collects and retains across a typical transaction lifecycle. Most agencies accumulate more sensitive data than they realise:
| Data Type | Why Held | Sensitivity |
|---|---|---|
| Identity documents (passport, driver's licence) | AML/CTF CDD, vendor/buyer verification | Very High — enables identity fraud |
| Bank account details | Deposit processing, settlement funds | Very High — BEC fraud risk |
| Financial information (proof of funds, loan approvals) | Pre-qualification, offer processing | High — financial profile data |
| Rental application data (income, employment, references) | Tenant screening | High — credit and employment data |
| Property access codes and key information | Inspection management | Medium — physical security risk |
| Beneficial ownership documentation | AML/CTF enhanced CDD | High — corporate structure data |
The AML/CTF reforms do not create this data problem — they make it larger. Agencies that already held identity documents for KYC-adjacent purposes will now be holding them under a formal seven-year retention obligation, with explicit regulatory consequences for inadequate security.
Baseline Controls for Real Estate Agencies
For most small-to-medium real estate agencies, the security baseline that addresses the combined risk profile — BEC fraud, data breach, and AML/CTF compliance — centres on a manageable set of practical controls:
- MFA on all email accounts — the single most important control for BEC prevention; an attacker who cannot access your email cannot monitor your transaction communications
- MFA on your property management software and CRM — these systems hold the bulk of client identity and transaction data; they must be protected with strong authentication
- Out-of-band verification procedure for payment instructions — a documented, mandatory policy requiring phone verification of any banking detail change before acting on it; this must apply to staff across the agency, not just principals
- Secure document collection portal — collecting identity documents and financial information through an encrypted portal rather than via email attachments; email is not an appropriate channel for AML CDD documents
- Encrypted storage for identity documents — the AML/CTF records you retain for seven years must be stored in encrypted form, whether in cloud storage or on local drives
- Documented data retention and deletion schedule — what you keep, how long you keep it, and when and how it is securely destroyed when no longer required
- Incident response plan — a documented process for responding to a suspected breach or BEC incident, including who to contact (AUSTRAC for suspicious matters, OAIC for notifiable data breaches, cyber insurer, police)
- Annual cyber security training for all staff — particularly for property managers and support staff who handle identity documents and communicate payment information to clients
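The out-of-band verification control, described earlier as calling the party on a previously known number and restated above as a documented, agency-wide procedure, is the one item on this list that can be enforced in the workflow rather than left to memory. The Python below is an added example of such an enforcement point, not the article's own procedure or any vendor's product; the contact register, party names, phone numbers and account details are constructed, and the "party" labels and ledger shape are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: contact numbers captured from the signed agency agreement or in
# person when the engagement began. Nothing received by email later is added here.
KNOWN_CONTACTS = {
    "vendor": "+61 2 5550 0101",
    "conveyancer": "+61 2 5550 0202",
}


class VerificationError(Exception):
    """Raised when a payment change is applied without a valid out-of-band check."""


@dataclass
class PaymentChangeRequest:
    party: str                      # the party the email claims to speak for
    new_bsb: str
    new_account: str
    numbers_in_email: tuple = ()    # every phone number mentioned in the requesting email
    verified: bool = False
    log: list = field(default_factory=list)


def digits(number: str) -> str:
    """Strip spaces and punctuation so formatting differences do not defeat the comparison."""
    return re.sub(r"\D", "", number)


def check_callback(req: PaymentChangeRequest, dialled: str, staff: str, confirmed: bool) -> str:
    """Decide whether a phone call counts as out-of-band verification, and record it.

    Returns "verified" on success; otherwise the reason the call does not count.
    A number that appeared in the requesting email is rejected even if it is
    also the number on file, because the email is the thing being verified.
    """
    on_file = KNOWN_CONTACTS.get(req.party)
    if on_file is None:
        reason = "no pre-existing number on file for this party; escalate to the principal"
    elif digits(dialled) in {digits(n) for n in req.numbers_in_email}:
        reason = "dialled number was supplied in the requesting email; not out-of-band"
    elif digits(dialled) != digits(on_file):
        reason = "dialled number does not match the number on file"
    elif not confirmed:
        reason = "party did not confirm the new details; treat the request as fraudulent"
    else:
        reason = "verified"
        req.verified = True
    # Every attempt is logged, successful or not, so the file shows who checked what.
    req.log.append({"at": datetime.now(timezone.utc).isoformat(), "staff": staff,
                    "dialled": dialled, "result": reason})
    return reason


def apply_payment_instructions(req: PaymentChangeRequest, ledger: dict) -> dict:
    """Write the new details into the settlement ledger only after a verified callback."""
    if not req.verified:
        raise VerificationError(f"{req.party}: payment instructions changed without a verified callback")
    ledger[req.party] = {"bsb": req.new_bsb, "account": req.new_account}
    return ledger


if __name__ == "__main__":
    req = PaymentChangeRequest(party="conveyancer", new_bsb="062-000", new_account="12345678",
                               numbers_in_email=("+61 2 5550 0999",))
    print(check_callback(req, "+61 2 5550 0999", "agent", confirmed=True))  # rejected: number from the email
    print(check_callback(req, "+61 2 5550 0202", "agent", confirmed=True))  # verified via the number on file
    print(apply_payment_instructions(req, {}))
```

The point of the design is that the ledger update has no path around `check_callback`: a number lifted from the requesting email is refused, a number that is not already on file is refused, and an unconfirmed call leaves the request unverified, so the change simply cannot be applied. The log of attempts doubles as the evidence trail an agency would want for an AML/CTF program review or an insurer's questions after an incident.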
Your AML/CTF program and your cyber security controls should be designed together. The CDD data you are required to collect and retain for seven years is the most sensitive data your agency holds. The security controls protecting that data directly satisfy part of your "adequate procedures, policies, systems and controls" obligation under the AML/CTF Act.
Preparing for 1 July 2026
The timeline for real estate agents is now quite short. AUSTRAC's enrolment portal opens on 31 March 2026, and mandatory compliance commences on 1 July 2026. Agencies that have not yet begun preparing are already behind.
The practical preparation steps most agencies need to work through are:
- Confirm whether your services are designated services — buyer's agents, seller's agents, and property developers who sell directly are captured; property management services involving only tenancy management are not currently designated services under the Act
- Conduct your ML/TF risk assessment — AUSTRAC has published guidance and a starter kit; the risk assessment must consider your client base, transaction types, geographic exposure, and delivery channels
- Draft your AML/CTF policies and CDD procedures — documented processes for identity verification at the start of a client relationship, ongoing monitoring, and suspicious matter reporting
- Appoint an AML/CTF compliance officer — a named senior manager responsible for your program
- Audit your data security controls against your new record-keeping obligations — seven-year retention of identity documents requires secure, accessible, and auditable storage
- Enrol with AUSTRAC by 31 March 2026
The cyber security assessment component — step five above — is where many agencies will find the most work to do. The gap between "we scan documents and save them to a shared drive" and "we retain identity verification records in encrypted, access-controlled storage with a documented destruction schedule" is significant, but it is bridgeable with the right tools and processes.
Assess Your Real Estate Agency's Cyber Security Readiness
Our Real Estate Agency Health Check covers the controls most relevant to your business — email security and BEC prevention, identity document handling, data retention practices, and AML/CTF readiness. Scored results, prioritised recommendations, and a written report you can use as evidence of due diligence.
