
Strengthening Culture and Compliance in Times of Change: Insights from Regs & Eggs New York 2025

Written by Brian Olney | Nov 20, 2025 10:20:30 AM

Overview

On November 6, 2025, SteelEye hosted its third annual Regs & Eggs New York event, bringing together senior compliance and surveillance leaders from across the financial services industry for a morning of thought leadership, networking, and peer collaboration. This year’s edition focused on how firms can strengthen culture and compliance in a period defined by political change, fast-moving technology, and evolving regulatory expectations. 

The morning began with a keynote from Tom Hardin (“Tipper X”), whose personal insider trading story set a powerful human context for the discussions that followed. A panel of practitioners and technologists from RegLabs.ai, Citi, Octaura, and ICBC Standard Bank Group then explored the state of financial compliance in North America and how firms can respond to new threats and opportunities in market surveillance. This recap blog covers the key themes: 

  • Lessons from an Insider Trading Whistleblower – Tom Hardin (Tipper X) 

  • Adapting Compliance Programs to New Risks: Insights from Industry Leaders 

  • Evolving Enforcement Amid Political Change 

  • Behavioural Insights for Modern Surveillance 

  • The Complexities of Global Compliance Operations 

  • Build vs. Buy: Optimising Surveillance Technology 

  • AI in Compliance – Empowering Organisations with Tech 

  • Concluding Reflections: Proactive Compliance in a Changing World 

Lessons from an Insider Trading Whistleblower – Tom Hardin (Tipper X)

Tom Hardin opened the day with a candid and, at times, surprisingly sobering account of how an ambitious young hedge fund analyst became embroiled in an insider trading ring - and later turned into a key cooperating witness.

 

Culture, Pressure, and “Isolated Decision-Making” 

Hardin started his career as a tech-focused analyst at a small hedge fund. Around him, he saw peers openly trading on material non-public information (MNPI). Conferences and industry conversations were increasingly centred on “edge” that often looked suspiciously like MNPI. At the same time, performance expectations intensified. Performance reviews that had once been quarterly shifted to monthly, and the pressure to keep up mounted.

In that context, he was introduced to a particularly well-connected tech investor who began sharing highly sensitive information. Over time, the relationship moved from casual chats at conferences to regular calls where she tipped him off on upcoming events, one of which was the 2007 acquisition of Kronos. Hardin initially rationalised his actions: taking a sub-1% “flyer” position felt small, and he told himself that “everyone else is doing it” and that it might not even be that great of a tip.

He described this as “isolated decision-making” – deliberately structuring his trades just under internal thresholds so they wouldn’t raise questions or require conversations with supervisors or compliance departments. By acting alone, he removed the chance that someone could challenge his reasoning or stop him. In hindsight, he believes that if he’d been forced to discuss these trades with others, the misconduct might have been stopped before it was too late. 

 

Human Motivations and Lasting Consequences 

Hardin emphasised that his motivation wasn’t a quest for millions. Across four illegal trades, he made about $46,000 – an insignificant amount compared with the cost to his career and personal life. The real drivers were the psychological rewards: the rush of getting away with something, the feeling of being part of an elite circle that “had the inside scoop,” and the relentless pressure to perform. 

He drew parallels to everyday moral “micro-bends” that many people rationalise: driving a little over the speed limit, downloading music illegally, or using offshore gambling sites. Each small compromise makes the next one easier. Over time, those incremental steps led him from “just this once” to smuggling $15,000 in cash through an airport to pay for an inside tip. 

The turning point came in 2008, when FBI agents stopped him on a New York street on his way to drop off his dry cleaning. Terrified and without legal counsel, he agreed to cooperate. For nearly two years, he worked with the FBI, wearing a recording device and helping expose a wider web of illicit trading. While cooperation meant he avoided prison, the long-term consequences were severe. He remains a registered felon and still experiences bank account closures and other AML-related hurdles. His family suffered reputational and emotional fallout, including pressure on his wife at her workplace to resign. Even years later, he was unable to do everyday things like coaching his daughter’s soccer team. 

 

What Could Have Stopped It? 

Hardin closed his keynote by reflecting on what might have prevented his misconduct: 

  • Mentorship and open dialogue – He had no trusted senior voice to turn to when his instincts told him something was wrong. When he decided to confide in two friends in the hopes that they would talk him out of it, they instead decided to join in on the illicit activity. 

  • A respected, empowered compliance function – At the time, compliance was viewed as a box-ticking back office, not a strategic partner. Policies were thin and largely boiled down to the “Wall Street Journal Test,” where compliance teams would remind employees, “Don’t do anything that you wouldn’t want to see posted in tomorrow’s Wall Street Journal.” However, there was little real engagement with conduct risk, and not much else to deter him from engaging in such illicit behaviour.

  • Active supervision rather than “blissful ignorance” – When trades looked unusual, his manager preferred not to know the details as long as performance was good. Today, that attitude would likely be seen as a failure to supervise.


His key message to the room: it doesn’t take a criminal mastermind to break the rules. It takes pressure, isolation, and a culture that allows rationalisation to go unchallenged. The role of compliance is to interrupt that pattern – by surfacing conversations, encouraging escalation, and building systems that make it hard to act alone in the grey. 

Adapting Compliance Programs to New Risks: Insights from Industry Leaders 

With Hardin’s story as a backdrop, a diverse panel of leaders from RegLabs.ai, Citi, ICBC Standard Bank Group, and Octaura took the stage to discuss what all of this means for today’s market surveillance and compliance programs. 

 

Evolving Enforcement Amid Political Change 

The panel began with the larger regulatory context. With a new U.S. administration signalling a more deregulatory posture, it might be tempting for firms to relax.  

The consensus: that would be a serious mistake. 

A recent call from an SEC commissioner to “get back to basics” was interpreted not as a green light to lighten oversight, but as a reminder that fundamentals matter more than ever. Instead of relying on generic annual trainings and “click-through” exercises, firms should refocus on engaging, real-world case studies - stories like Hardin’s that bring conduct risk to life. 

Panellists also underscored that U.S. politics do not define global enforcement. International regulators remain highly active, and multinational firms cannot credibly say, “Things are in flux in the U.S., so we’re taking a more relaxed approach.” The message was clear: tone from Washington cannot be the ceiling for a firm’s standards. If anything, firms should use periods of uncertainty the way a sports team uses halftime - to reset, realign, and come out more focused. 

Hardin’s experience illustrated the danger of assuming “the industry is lax right now.” That perception helped him rationalise behaviour that later became a high-profile enforcement story. The lesson for today’s firms: stay the course on strong controls regardless of the political cycle.

 

Behavioural Insights for Modern Surveillance

Next, the panel turned to human behaviour - arguably the thread that tied the whole morning together. Traditionally, surveillance focused on rules and keywords: was something said that shouldn’t have been said? Increasingly, firms recognise they must also ask: what is the context and tone around what’s being said? 

Panellists highlighted examples such as messages showing repeated anger, frustration, or burnout, a sudden spike in urgency around performance or deal closures, or shifts to vague or euphemistic language around risk-taking. These signals can indicate individuals under pressure or drifting into moral grey zones. In Hardin’s case, his growing stress, secrecy, and rationalisation were all behavioural cues that something was off. Modern surveillance programs should be designed to pick up those early signals, not just explicit rule-breaking. 

The panel also acknowledged that employees today have more tools to circumvent controls: off-channel communications, encrypted apps, and even AI-based methods to obfuscate behaviour. That reality raises the bar for compliance teams: they must understand how people behave under pressure and embed that understanding into both training and monitoring. 

 

The Complexities of Global Compliance Operations 

For global institutions, the compliance challenge multiplies. Panellists described environments where a “single firm” is actually hundreds of entities across regions, each with its own legacy systems, local regulations, and inherited practices from acquisitions. This makes tasks like transaction reporting extremely complex and increases the risk of gaps or inconsistencies. 

A recurring issue is global alignment on locally emerging risks. For example, off-channel communications are a top-tier focus in the U.S., with significant enforcement actions. In some other markets, this has not yet reached the same level of urgency. Local teams may see a clear need to invest in new tools and controls, while global leadership views it as a regional issue. 

The panel’s advice: 

  • Treat regional insights as an early warning system for the rest of the firm. 

  • Communicate clearly how local enforcement trends are likely to spread. 

  • Where possible, implement robust controls globally - even if only one region currently “requires” them. 

 

Internal silos and regional fragmentation echo Hardin’s concept of isolated decision-making, but on an institutional scale. If different parts of a firm are not talking to each other, it becomes easier for risks to go unnoticed. A global compliance strategy that shares data, themes, and lessons across borders is essential. 

 

Build vs. Buy: Optimising Surveillance Technology

The discussion then moved to surveillance technology and the familiar question: should firms build or buy? One analogy from the panel summed up the consensus: if you’re a skilled carpenter, building your own house might make sense. If not, you’d be better off hiring professionals. The same applies to surveillance systems. A small subset of firms with deep engineering expertise and budgets might successfully build bespoke solutions. Most others will, and probably should, rely on vendor platforms. However, buying does not equate to outsourcing responsibility. Panellists highlighted several key points: 

  • Vendor systems bring their own assumptions and constraints; they may not perfectly fit a firm’s risk profile or product mix.

  • Third-party risk management becomes critical: firms must regularly review and test their surveillance tools, challenge vendors on how quickly rules are updated, and document their oversight. 

  • True value comes from partnership – treating vendors as collaborators, not black boxes. 

     

In Hardin’s era, surveillance frameworks missed patterns like repeated 0.9% pre-event trades. Whether a system is built or bought, today’s firms need technology - and governance around that technology - capable of spotting similar behavioural anomalies and escalating them promptly. 

 

AI in Compliance – Empowering People with Tech 


Finally, the panel addressed AI, which is moving rapidly from buzzword to business reality. Many attendees related to the idea of “wishing we had leaned into AI earlier.” Still, most firms today use AI in relatively simple ways: drafting policies, summarising long documents, or handling basic queries. The bigger opportunity, though, remains in using AI to enhance surveillance and risk management, for example, by: 

  • Analysing communications at scale to detect subtle indicators of misconduct. 

  • Identifying complex patterns across trading, communications, and HR data. 

  • Prioritising alerts more intelligently so human reviewers focus on the highest-risk cases.

     

At the same time, the panel stressed that AI must augment, not replace, human judgment. Compliance teams remain accountable for decisions; regulators will expect clear explanations for why an alert was raised or an action taken. As bad actors begin to experiment with AI themselves, firms must adopt it thoughtfully - ensuring robust governance, testing, and transparency. 

Linking back to Hardin’s story, panellists noted that even the most advanced models cannot replace ethical culture. AI can tell you what looks odd, but only people can decide why it matters and what to do next. 

Concluding Reflections: Proactive Compliance in a Changing World 

This year’s Regs & Eggs made one thing abundantly clear: the future of financial compliance will not be defined by choosing between people and technology, but by combining the best of both. 

Tom Hardin’s journey illustrated how misconduct can emerge from everyday pressures, minor rationalisations, and a lack of meaningful oversight. The panel discussions then showed how today’s firms are grappling with that reality - navigating shifting political signals, integrating behavioural insight into surveillance, managing global complexity, choosing the right technology strategy, and harnessing AI responsibly. 

For compliance and surveillance leaders, the call to action is to build programs that are: 

  • Proactive – focused on early signals and emerging risks, not just post-event investigations. 

  • Behaviourally informed – designed with a deep understanding of human motivations and pressures.

  • Tech-enabled – leveraging data, automation, and AI, while keeping human judgment firmly in the loop. 

 

Ultimately, the goal is to ensure that no one in the organisation is left making high-stakes decisions in isolation, and that the firm is prepared for the next wave of regulatory, technological, and cultural change - wherever it comes from. 

As we close out this year’s Regs & Eggs New York, we hope the discussions offered valuable insights and practical takeaways - whether you joined us in person or are catching up through this recap. Our goal is always to bring the industry together for open, meaningful dialogue, and we’re grateful to everyone who contributed to the conversation. We thank all participants and speakers for their engagement, and we look forward to building on this momentum next year as we continue exploring how culture, technology, and compliance evolve in times of change. 
