Lester, an employee of a financial institution, received a letter from a customer's attorney requesting information concerning the customer. What should Lester do?

When handling third‑party information requests, confidentiality and proper authorization come first. An attorney’s request for a customer's information should be treated through the institution’s formal channels, not handled directly by an employee in a casual way. The correct approach is to avoid confirming or denying whether any information exists or has been filed, and to escalate the request to compliance and legal, while also notifying the regulator as required by policy and law. This protects the customer's privacy and the institution from improper disclosure, ensures the request is reviewed for proper legal basis (such as a subpoena or court order), and ensures any disclosure is done only through the approved process. If a formal and lawful process is in place, compliance will guide what, when, and how information can be released. Reasons the other actions don’t fit: revealing that information exists or sharing documents without verification would breach confidentiality and data-protection rules; replying with the requested information directly bypasses the institution’s controls and could violate privacy and AML requirements.