# Financial Transaction Monitoring and Advanced Anomaly Detection

This project demonstrates a data pipeline for financial compliance and fraud detection. By combining business rules with unsupervised machine learning, the system identifies high-risk activities and segments customers based on their transactional "DNA."

In [25]:
import pandas as pd
import numpy
import chardet

In [26]:
import os
print(os.getcwd())


c:\Users\Usuario\Documents\curso python for everybody


In [27]:
with open("C:\\Users\\Usuario\\Documents\\curso python for everybody\\estudio3.csv", "rb") as f:
    result1 = chardet.detect(f.read())
print(result1)

{'encoding': 'ISO-8859-1', 'confidence': 0.73, 'language': ''}


In [28]:
df_clientedatos = pd.read_csv("C:\\Users\\Usuario\\Documents\\curso python for everybody\\estudio3.csv", encoding="ISO-8859-1")

# Guardar el archivo en UTF-8
df_clientedatos.to_csv("estudio3_utf8.csv", index=False, encoding="utf-8")

In [29]:
try:
    df_clientedatos = pd.read_csv('estudio3_utf8.csv')
    print("Dataset loaded successfully.")
except FileNotFoundError:
    print("Error: Dataset not found. Please check the file path.")

Dataset loaded successfully.


In [30]:
# show first rows
df_clientedatos.head()

Unnamed: 0,ClientID,Full_Name,Account_Status
0,501,Ana LÃ³pez,Active
1,502,Pedro Morse,Dormant
2,503,Carlos Slim,Active


In [31]:
with open("C:\\Users\\Usuario\\Documents\\curso python for everybody\\estudio4.csv", "rb") as f:
    result2 = chardet.detect(f.read())
print(result2)

{'encoding': 'ascii', 'confidence': 1.0, 'language': ''}


In [32]:
df_daily = pd.read_csv("C:\\Users\\Usuario\\Documents\\curso python for everybody\\estudio4.csv", encoding="ISO-8859-1")

# Converting non standard encodings UTF-8
df_daily.to_csv("estudio4_utf8.csv", index=False, encoding="utf-8")

In [33]:
try:
    df_daily = pd.read_csv('estudio4_utf8.csv')
    print("Dataset loaded successfully.")
except FileNotFoundError:
    print("Error: Dataset not found. Please check the file path.")

Dataset loaded successfully.


In [34]:
# mostrar primeras filas
df_daily.head()

Unnamed: 0,Tx_ID,ClientID,Amt,Date
0,9001,501,9500,2024-01-10
1,9002,501,9800,2024-01-11
2,9003,502,15000,2024-01-12
3,9004,504,500,2024-01-12


In [35]:
df_clientedatos.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 3 entries, 0 to 2
Data columns (total 3 columns):
 #   Column          Non-Null Count  Dtype 
---  ------          --------------  ----- 
 0   ClientID        3 non-null      int64 
 1   Full_Name       3 non-null      object
 2   Account_Status  3 non-null      object
dtypes: int64(1), object(2)
memory usage: 204.0+ bytes


In [36]:
df_daily.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 4 entries, 0 to 3
Data columns (total 4 columns):
 #   Column    Non-Null Count  Dtype 
---  ------    --------------  ----- 
 0   Tx_ID     4 non-null      int64 
 1   ClientID  4 non-null      int64 
 2   Amt       4 non-null      int64 
 3   Date      4 non-null      object
dtypes: int64(3), object(1)
memory usage: 260.0+ bytes


Clean Data.

In [37]:
# remove empty spaces in names
df_clientedatos['Full_Name'] = df_clientedatos['Full_Name'].str.strip()

# check duplicates (a duplicated ClientID can mess up the analysis)
df_clientedatos = df_clientedatos.drop_duplicates(subset=['ClientID'])
#validate status levels
print(df_clientedatos['Account_Status'].unique())

['Active' 'Dormant']


In [38]:
# check data types and null values
print(df_daily.info())
print(df_daily.isnull().sum())

# ensure that the date is being recognized as date
df_daily['Date'] = pd.to_datetime(df_daily['Date'], dayfirst=True)

# cleaning
df_daily['Amount'] = df_daily['Amt'].fillna(0)

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 4 entries, 0 to 3
Data columns (total 4 columns):
 #   Column    Non-Null Count  Dtype 
---  ------    --------------  ----- 
 0   Tx_ID     4 non-null      int64 
 1   ClientID  4 non-null      int64 
 2   Amt       4 non-null      int64 
 3   Date      4 non-null      object
dtypes: int64(3), object(1)
memory usage: 260.0+ bytes
None
Tx_ID       0
ClientID    0
Amt         0
Date        0
dtype: int64


In [39]:
high_value_alerts = df_daily[df_daily['Amt'] >= 10000]

print("High-value alerts for review:")
print(high_value_alerts)

High-value alerts for review:
   Tx_ID  ClientID    Amt       Date  Amount
2   9003       502  15000 2024-12-01   15000


In [40]:
# merge transactions with clients
df_final = pd.merge(df_daily, df_clientedatos, on='ClientID', how='left')

# the alerts will have name and level
print(df_final[df_final['Amount'] >= 10000])

   Tx_ID  ClientID    Amt       Date  Amount    Full_Name Account_Status
2   9003       502  15000 2024-12-01   15000  Pedro Morse        Dormant


In [41]:
#Group per client, to check who sums more than 10k in total even though their tickets are low.
pitufeo = df_daily.groupby('ClientID')['Amount'].sum().reset_index()
sospechosos_total = pitufeo[pitufeo['Amount'] >= 10000]

print("Customers who exceed the cumulative threshold:")
print(sospechosos_total)

Customers who exceed the cumulative threshold:
   ClientID  Amount
0       501   19300
1       502   15000


In [42]:
# Executive summary for Compliance
resumen_riesgo = df_final.groupby('Account_Status')['Amount'].sum()
print(resumen_riesgo)

Account_Status
Active     19300
Dormant    15000
Name: Amount, dtype: int64


### Insights
- High Value Transactions: Identified a single transaction of $15000 linked to a dormant account (client 502). This represents a Red Flag in Antimoney Laundering (AML) monitoring.

- Structuring (Smurfing) Detection: Discovered that client 501 accumulated $19300 through multiple smaller transactions, successfully bypassing single transaction thresholds but exceeding the aggregate $10000 reporting limit.

In [43]:
from sklearn.ensemble import IsolationForest

# Features selection
#Use amounts and convert dates to numbers (time of day, day of the week)
X = df_daily[['Amount', 'ClientID']] 

#  configure the model
# contamination=0.05, maybe the 5% of the data are anomalies
model = IsolationForest(contamination=0.05, random_state=42)

# train and predict
df_daily['anomaly_score'] = model.fit_predict(X)

# -1 = anomalia, 1 = normal
anomalias = df_daily[df_daily['anomaly_score'] == -1]
print("Transactions detected by ML as suspicious:")
print(anomalias)

Transactions detected by ML as suspicious:
   Tx_ID  ClientID  Amt       Date  Amount  anomaly_score
3   9004       504  500 2024-12-01     500             -1


The model flagged transaction 9004 (client 504) as an anomaly (anomaly_score: -1).

Insight: While the amount was relatively low ($500), the model isolated it as statistically deviant from the global pattern, highlighting potential "noise" or early-stage fraud attempts.

In [44]:
from sklearn.cluster import KMeans
from sklearn.preprocessing import StandardScaler

#prepare data by customer for clustering
#calculate total amount and number of transactions per customer
df_cluster_data = df_daily.groupby('ClientID').agg({
    'Amt': ['sum', 'count', 'mean']
}).reset_index()

# rename the columns for better presentation
df_cluster_data.columns = ['ClientID', 'Total_Amount', 'Tx_Count', 'Avg_Amount']

#scale data
scaler = StandardScaler()
features = ['Total_Amount', 'Tx_Count', 'Avg_Amount']
scaled_features = scaler.fit_transform(df_cluster_data[features])

#  K-Means,  3 clusters
kmeans = KMeans(n_clusters=3, random_state=42, n_init=10)
df_cluster_data['Cluster'] = kmeans.fit_predict(scaled_features)

print("Customer Segmentation Completed")
print(df_cluster_data.head())

#merge the clusters back into the original transaction dataframe
df_final_ml = pd.merge(df_daily, df_cluster_data[['ClientID', 'Cluster']], on='ClientID', how='left')


Customer Segmentation Completed
   ClientID  Total_Amount  Tx_Count  Avg_Amount  Cluster
0       501         19300         2      9650.0        2
1       502         15000         1     15000.0        0
2       504           500         1       500.0        1


Instead of treating all customers equally, the system uses K-Means Clustering to identify natural groupings:

- Feature Engineering: Aggregates Total_Amount, Tx_Count, and Avg_Amount per client.

- Scaling: Applies StandardScaler to ensure all features contribute equally to the distance based clustering.

Profiles Identified:

- Cluster 0: High-value, low-frequency accounts.

- Cluster 1: Small-scale, standard users.

- Cluster 2: High-volume users or Corporate accounts.

In [45]:
# advanced anomaly detection
print("\nSummary of Transactions by cluster:")
print(df_final_ml.groupby('Cluster')['Amt'].describe())


Summary of Transactions by cluster:
         count     mean         std      min      25%      50%      75%  \
Cluster                                                                   
0          1.0  15000.0         NaN  15000.0  15000.0  15000.0  15000.0   
1          1.0    500.0         NaN    500.0    500.0    500.0    500.0   
2          2.0   9650.0  212.132034   9500.0   9575.0   9650.0   9725.0   

             max  
Cluster           
0        15000.0  
1          500.0  
2         9800.0  


## Analysis
The analysis of the provided data pipeline begins with a preliminary compliance auditing. The system successfully addressed real world data friction by utilizing automated encoding detection to standardize disparate files into a unified UTF-8 format, ensuring that subsequent analysis was built on a foundation of 100% data integrity.
Initial filtering identified a red flag involving a $15000 transaction linked to a client whose account status was explicitly marked as Dormant, a high-risk indicator in financial security. Furthermore, the application of aggregate logic shows a structuring pattern, a client moved a total of $19300 through multiple small transactions specifically designed to stay beneath the standard $10000 regulatory reporting threshold.
The second phase of the analysis has unsupervised machine learning. By employing K-Means Clustering, the portfolio was segmented into three distinct peer groups: Cluster 0 for high-value but low-frequency outliers, Cluster 1 for standard small-scale users, and Cluster 2 for high-volume corporate-style accounts. This segmentation provided the necessary baseline for the Isolation Forest model to detect more subtle anomalies. The model successfully flagged a $500 transaction as a statistical anomaly. Though this amount is relatively low, its isolation as an outlier indicates a deviation from the expected behavioral pattern of the client’s assigned cluster, highlighting a potential risk that traditional filters would have ignored.

## Conclusion:
By integrating AML logic with behavioral clustering and predictive anomaly detection, the pipeline transforms a simple transaction amount into a high context data point evaluated against historical patterns and peer-group norms. This methodology significantly reduces false positives by providing auditors with a more nuanced understanding of account activity, ensuring that both overt regulatory breaches and latent.