Gem of a Fraud: A classic example of operational risk

Indian banking system is reeling under a series of reported frauds in the last few weeks. The mother of all is the USD 1.7 billion at PNB (Punjab National Bank) which is amongst the top public sector banks.
Modus Operandi: An Indian bank (A) issues an LOU (Letter of undertaking) at the request of a corporate to a bank in a different country (B), guaranteeing a loan that (B) gives to a third party who is overseas. The third party generally is the beneficiary or the importer. The importer sells the goods and repays the loan.  LOUs as corporate lending product is a common practice by banks in India. As it is a high risk lending, LOUs are generally issued against collateral. Regulatory compliance requires the LOU cannot be issued for more than 90 days.
There was a change of guard at the forex business desk of PNB and a fresh request for an LOU was tabled by the corporate in question that enjoyed LOU financing. The new officer asked for 100% cash margin (collateral). The corporate stated that earlier LOUs were issued without any margin. The new officer checked the past records and found no record of LOUs. That opened the Pandora Box. In effect LOUs issued were not recorded in the Bank's books. As I write investigations are currently in progress.
Operational risk: This can be defined as, any loss caused by inadequate or failed internal processes, people, systems, or by external events. Basel II, lists out 7 types of such risks. Internal fraud, external fraud, employment practices and workplace safety, clients, products and business practice, damage to physical assets, business disruption and system failures, execution, delivery and process management.
What went wrong at PNB?

There were many failures in internal controls. I have listed the major ones here.   

1. All the years there was the same officer at the LOU desk
The Bank did have a procedure that required an officer to be transferred every 2 to 3 years. It is not known why the person was not shifted.
2. Direct access of SWIFT system
SWIFT provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment. (www.swift.com)
The officer gained direct access to SWIFT terminal to send the fraudulent LOUs. These transactions were not recorded in the Bank’s books. It is surprising that having straight through processing of SWIFT messages from the core banking system, any messages directly sent was not tracked as exceptions. An extension to this was modifying LOU amount in SWIFT terminal after being approved in the core banking system.
3. Unreconciled Nostro Accounts:
Nostro account refers to an account that a bank holds in a foreign currency in another bank.
The loans guaranteed pass through PNBs Nostro account. However this control failed as the accounts were not reconciled on a regular basis.
4. LOU reconciliation not done:
Banks are subject to audit by central bank, internal audit and audit by external firms. Normally they look for reconciliations and check a few selected randomly for assurance that the transactions are genuine. This appears not to be the case.
5. Sharing of passwords:
It is reported that the prime accused in the Bank shared the SWIFT password with the corporate.
It is still not clear how the overseas banks (Overseas branches of Indian banks) routinely lent money against LOUs without once doing a due diligence. More surprising is that these banks are audited as well by the local controllers and firms. There are no reports of anyone raising exceptions to such transactions.
Perhaps this will go down as a classic example of operational risk leading to credit risk. Similar to what Nick Leeson did for Barings decades ago. One man bringing down an established bank. PNB was founded in 1894.