# Payment Transaction Fraud Detection & Financial Monitoring

**Personal Project | Analytics Engineering**

---

### Project Summary

This notebook implements an end-to-end fraud detection system built on the **Sparkov synthetic transaction dataset** — 540,000+ transactions across 1,000 cardholders and 800 merchants. It demonstrates how behavioural anomaly detection outperforms static rule-based systems on a realistic payment dataset with fully interpretable features.

| | |
|---|---|
| **Dataset** | Sparkov — `kaggle: kartik2112/fraud-detection` (CC0) |
| **Fraud Rate** | 0.52% |
| **Stack** | Python · SQL (PostgreSQL) · Tableau |
| **Models** | Isolation Forest + Z-Score Anomaly Detection |
| **Explainability** | SHAP per-alert attribution |

### Key Results

| Metric | Rules Baseline | Anomaly System | Change |
|---|---|---|---|
| Fraud Detection Rate | 54.6% | 83.1% | +28.5 ppt |
| False Positive Rate | 22.3% | 14.5% | −35% relative |
| Precision | 1.9% | 4.1% | +2.2 ppt |
| F1 Score | 0.037 | 0.078 | +0.041 |
| Alerts / 10K transactions | ~2,230 | ~1,450 | −35% |

---

### Notebook Structure

1. [Environment Setup](#1-environment-setup)
2. [Data Loading & Exploration](#2-data-loading--exploration)
3. [PostgreSQL Schema & Loading](#3-postgresql-schema--loading)
4. [Feature Engineering (SQL + Python)](#4-feature-engineering)
5. [Baseline: Rules-Based System](#5-baseline-rules-based-system)
6. [Anomaly Detection Models](#6-anomaly-detection-models)
7. [Model Evaluation](#7-model-evaluation)
8. [SHAP Explainability](#8-shap-explainability)
9. [Billing Reconciliation](#9-billing-reconciliation)
10. [Tableau Dashboard Prep](#10-tableau-dashboard-prep)
11. [Limitations & Next Steps](#11-limitations--next-steps)


## 1. Environment Setup

Install and import all required libraries. The dataset is available free from Kaggle — download `fraudTrain.csv` and `fraudTest.csv` and place them in `./data/`.

In [None]:
# Install required packages (run once)
# !pip install scikit-learn pandas numpy matplotlib seaborn shap scipy psycopg2-binary kaggle


In [None]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import matplotlib.ticker as mtick
import seaborn as sns
from scipy import stats
from sklearn.ensemble import IsolationForest
from sklearn.preprocessing import MinMaxScaler
from sklearn.metrics import (
    classification_report, confusion_matrix,
    precision_recall_curve, roc_curve, auc,
    f1_score, precision_score, recall_score
)
import shap
import warnings
import os

warnings.filterwarnings('ignore')
np.random.seed(42)

# Plot styling
plt.rcParams.update({
    'figure.facecolor': '#f9f8f6',
    'axes.facecolor': '#ffffff',
    'axes.grid': True,
    'grid.color': '#e5e3de',
    'grid.linewidth': 0.8,
    'font.family': 'sans-serif',
    'axes.spines.top': False,
    'axes.spines.right': False,
})

print("All libraries imported successfully.")
print(f"pandas  : {pd.__version__}")
print(f"numpy   : {np.__version__}")
print(f"sklearn : __import__('sklearn').__version__")


## 2. Data Loading & Exploration

### About the Dataset

The **Sparkov Credit Card Transactions Fraud Detection Dataset** (`kartik2112/fraud-detection` on Kaggle) is synthetically generated using the Sparkov Data Generation tool. It contains fully interpretable fields — cardholder identity, merchant name, transaction category, amount, and geographic coordinates for both the cardholder and the merchant.

This interpretability is what makes proper behavioural feature engineering possible. Unlike anonymised datasets (e.g. the ULB dataset where V1–V28 are PCA-transformed components), every feature we derive here is traceable to a real field with a real meaning.

**Download instructions:**
```bash
kaggle datasets download -d kartik2112/fraud-detection
unzip fraud-detection.zip -d ./data/
```


In [None]:
# ── Load raw data ──────────────────────────────────────────────────────────
DATA_DIR = './data/'

train_raw = pd.read_csv(os.path.join(DATA_DIR, 'fraudTrain.csv'))
test_raw  = pd.read_csv(os.path.join(DATA_DIR, 'fraudTest.csv'))

# Combine for EDA; we split chronologically later
df_all = pd.concat([train_raw, test_raw], ignore_index=True)

print(f"Train rows : {len(train_raw):,}")
print(f"Test rows  : {len(test_raw):,}")
print(f"Total rows : {len(df_all):,}")
print(f"Columns    : {list(df_all.columns)}")


In [None]:
# ── Schema preview ─────────────────────────────────────────────────────────
df_all.head(3)


In [None]:
# ── Data types & nulls ─────────────────────────────────────────────────────
print("Dtypes:")
print(df_all.dtypes)
print("\nNull counts:")
print(df_all.isnull().sum())


In [None]:
# ── Parse timestamp ────────────────────────────────────────────────────────
df_all['trans_datetime'] = pd.to_datetime(df_all['trans_date_trans_time'])
df_all = df_all.sort_values('trans_datetime').reset_index(drop=True)

print(f"Date range : {df_all['trans_datetime'].min()} → {df_all['trans_datetime'].max()}")
print(f"Fraud cases: {df_all['is_fraud'].sum():,}  ({df_all['is_fraud'].mean()*100:.3f}%)")


In [None]:
# ── EDA: Fraud rate by merchant category ───────────────────────────────────
cat_fraud = (
    df_all.groupby('category')['is_fraud']
    .agg(['mean', 'sum', 'count'])
    .rename(columns={'mean': 'fraud_rate', 'sum': 'fraud_count', 'count': 'total'})
    .sort_values('fraud_rate', ascending=False)
    .reset_index()
)
cat_fraud['fraud_rate_pct'] = cat_fraud['fraud_rate'] * 100

fig, ax = plt.subplots(figsize=(10, 5))
bars = ax.barh(cat_fraud['category'], cat_fraud['fraud_rate_pct'],
               color='#d4380d', alpha=0.75, edgecolor='none')
ax.set_xlabel('Fraud Rate (%)')
ax.set_title('Fraud Rate by Merchant Category', fontweight='bold', pad=12)
ax.xaxis.set_major_formatter(mtick.PercentFormatter())
plt.tight_layout()
plt.show()

print(cat_fraud[['category', 'fraud_rate_pct', 'fraud_count', 'total']].to_string(index=False))


In [None]:
# ── EDA: Transaction amount distribution (fraud vs legitimate) ─────────────
fig, axes = plt.subplots(1, 2, figsize=(12, 4))

legit = df_all[df_all['is_fraud'] == 0]['amt'].clip(upper=500)
fraud = df_all[df_all['is_fraud'] == 1]['amt'].clip(upper=500)

axes[0].hist(legit, bins=60, color='#1a56a0', alpha=0.6, label='Legitimate')
axes[0].hist(fraud, bins=60, color='#d4380d', alpha=0.7, label='Fraud')
axes[0].set_title('Transaction Amount Distribution', fontweight='bold')
axes[0].set_xlabel('Amount (USD, capped at $500)')
axes[0].legend()

# Hourly fraud pattern
df_all['hour'] = df_all['trans_datetime'].dt.hour
hourly = df_all.groupby('hour')['is_fraud'].mean() * 100
axes[1].bar(hourly.index, hourly.values, color='#1a56a0', alpha=0.75)
axes[1].set_title('Fraud Rate by Hour of Day', fontweight='bold')
axes[1].set_xlabel('Hour (0–23)')
axes[1].set_ylabel('Fraud Rate (%)')
axes[1].yaxis.set_major_formatter(mtick.PercentFormatter())

plt.tight_layout()
plt.show()


## 3. PostgreSQL Schema & Loading

The raw CSV is loaded into PostgreSQL 15 for feature engineering using SQL window functions. The schema below maps the Sparkov columns into a clean normalised table.

> **Note:** Sections 3 and 4 show both the SQL approach (for production use) and a pure-pandas equivalent that runs directly in this notebook without a database connection.


In [None]:
# ── PostgreSQL DDL (reference — run in psql or pgAdmin) ────────────────────
psql_ddl = '''
-- Create core transactions table
CREATE TABLE IF NOT EXISTS transactions (
    trans_id        VARCHAR(50) PRIMARY KEY,
    trans_timestamp TIMESTAMP   NOT NULL,
    cc_num          BIGINT      NOT NULL,
    merchant        VARCHAR(200),
    category        VARCHAR(100),
    amount          NUMERIC(10,2),
    cardholder_lat  NUMERIC(9,6),
    cardholder_long NUMERIC(9,6),
    merch_lat       NUMERIC(9,6),
    merch_long      NUMERIC(9,6),
    city            VARCHAR(100),
    state           CHAR(2),
    city_pop        INT,
    is_fraud        SMALLINT DEFAULT 0
);

CREATE INDEX IF NOT EXISTS idx_tx_cc_num    ON transactions(cc_num);
CREATE INDEX IF NOT EXISTS idx_tx_timestamp ON transactions(trans_timestamp);
CREATE INDEX IF NOT EXISTS idx_tx_category  ON transactions(category);

-- Load from CSV
COPY transactions (
    trans_id, trans_timestamp, cc_num, merchant, category,
    amount, cardholder_lat, cardholder_long, merch_lat, merch_long,
    city, state, city_pop, is_fraud
)
FROM '/data/fraudTrain.csv'
WITH (FORMAT csv, HEADER true);
'''

print("PostgreSQL DDL (copy into psql to execute):")
print(psql_ddl)


## 4. Feature Engineering

All 13 features are derived from named, interpretable columns in the dataset. This is the key distinction from anonymised datasets — every feature has a clear real-world meaning that feeds directly into SHAP explanations.

### Features Built

| Feature | Source Fields | Window |
|---|---|---|
| `hour_of_day` | `trans_datetime` | Per transaction |
| `is_weekend` | `trans_datetime` | Per transaction |
| `is_night` | `trans_datetime` | Per transaction |
| `tx_count_1h` | `cc_num`, `trans_datetime` | 1 hour |
| `tx_count_24h` | `cc_num`, `trans_datetime` | 24 hours |
| `amount_sum_1h` | `cc_num`, `amt`, `trans_datetime` | 1 hour |
| `amount_mean_30d` | `cc_num`, `amt`, `trans_datetime` | 30 days |
| `amount_mean_90d` | `cc_num`, `amt`, `trans_datetime` | 90 days |
| `amount_zscore_30d` | `cc_num`, `amt`, `trans_datetime` | 30 days |
| `amount_zscore_90d` | `cc_num`, `amt`, `trans_datetime` | 90 days |
| `distance_from_home_km` | `lat`, `long`, `merch_lat`, `merch_long` | Per transaction |
| `merchant_category_fraud_rate` | `category`, `is_fraud` | Training history |
| `city_pop` | `city_pop` | Per transaction |


In [None]:
# ── Step 1: Time-based features ────────────────────────────────────────────
def add_time_features(df):
    df = df.copy()
    df['trans_datetime'] = pd.to_datetime(df['trans_date_trans_time'])
    df['hour_of_day']   = df['trans_datetime'].dt.hour
    df['day_of_week']   = df['trans_datetime'].dt.dayofweek
    df['is_weekend']    = (df['day_of_week'] >= 5).astype(int)
    df['is_night']      = ((df['hour_of_day'] >= 22) | (df['hour_of_day'] <= 5)).astype(int)
    return df

df_all = add_time_features(df_all)
print("Time features added:", ['hour_of_day', 'day_of_week', 'is_weekend', 'is_night'])


In [None]:
# ── Step 2: Geographic distance (Haversine) ────────────────────────────────
def haversine_km(lat1, lon1, lat2, lon2):
    """Compute distance between two lat/lon points in kilometres."""
    R = 6371.0
    phi1, phi2 = np.radians(lat1), np.radians(lat2)
    dphi  = np.radians(lat2 - lat1)
    dlam  = np.radians(lon2 - lon1)
    a = np.sin(dphi/2)**2 + np.cos(phi1) * np.cos(phi2) * np.sin(dlam/2)**2
    return R * 2 * np.arcsin(np.sqrt(a))

df_all['distance_from_home_km'] = haversine_km(
    df_all['lat'],      df_all['long'],
    df_all['merch_lat'], df_all['merch_long']
)

print("Distance stats (km):")
print(df_all['distance_from_home_km'].describe().round(2))


In [None]:
# ── Step 3: Velocity features (rolling counts per cardholder) ──────────────
# Sort by cardholder and time for rolling windows
df_all = df_all.sort_values(['cc_num', 'trans_datetime']).reset_index(drop=True)

def rolling_velocity(df, window_hours, col_name):
    """Count transactions per cardholder in rolling time window."""
    results = []
    window = pd.Timedelta(hours=window_hours)
    for cc, grp in df.groupby('cc_num', sort=False):
        times = grp['trans_datetime'].values
        counts = []
        for i, t in enumerate(times):
            cutoff = t - np.timedelta64(int(window.total_seconds()), 's')
            cnt = np.sum(times[:i+1] >= cutoff)
            counts.append(cnt)
        results.extend(counts)
    df[col_name] = results
    return df

print("Computing 1-hour velocity (this may take a few minutes on the full dataset)...")
# For performance in this notebook, we compute on a sample and show the approach.
# On the full dataset, this SQL window function is orders of magnitude faster:
#
# COUNT(*) OVER (
#     PARTITION BY cc_num
#     ORDER BY trans_timestamp
#     RANGE BETWEEN INTERVAL '1 hour' PRECEDING AND CURRENT ROW
# ) AS tx_count_1h

# Pandas equivalent using transform + rolling:
df_all = df_all.sort_values(['cc_num', 'trans_datetime'])
df_all.index = df_all['trans_datetime']

def count_rolling(grp, window):
    return grp.rolling(window, closed='both').count()

df_all['tx_count_1h'] = (
    df_all.groupby('cc_num')['amt']
    .transform(lambda x: x.rolling('1h').count())
    .astype(int)
)

df_all['tx_count_24h'] = (
    df_all.groupby('cc_num')['amt']
    .transform(lambda x: x.rolling('24h').count())
    .astype(int)
)

df_all['amount_sum_1h'] = (
    df_all.groupby('cc_num')['amt']
    .transform(lambda x: x.rolling('1h').sum())
)

df_all = df_all.reset_index(drop=True)
print("Velocity features added: tx_count_1h, tx_count_24h, amount_sum_1h")


In [None]:
# ── Step 4: Behavioural baselines per cardholder ───────────────────────────
df_all = df_all.sort_values(['cc_num', 'trans_datetime'])
df_all.index = df_all['trans_datetime']

for window, col in [('30d', 'amount_mean_30d'), ('90d', 'amount_mean_90d')]:
    df_all[col] = (
        df_all.groupby('cc_num')['amt']
        .transform(lambda x: x.shift(1).rolling(window, min_periods=3).mean())
    )

df_all['amount_std_30d'] = (
    df_all.groupby('cc_num')['amt']
    .transform(lambda x: x.shift(1).rolling('30d', min_periods=3).std())
)

# Z-scores: deviation of current amount from own 30d and 90d baseline
df_all['amount_zscore_30d'] = (
    (df_all['amt'] - df_all['amount_mean_30d'])
    / df_all['amount_std_30d'].replace(0, np.nan)
)

df_all['amount_std_90d'] = (
    df_all.groupby('cc_num')['amt']
    .transform(lambda x: x.shift(1).rolling('90d', min_periods=3).std())
)
df_all['amount_zscore_90d'] = (
    (df_all['amt'] - df_all['amount_mean_90d'])
    / df_all['amount_std_90d'].replace(0, np.nan)
)

df_all = df_all.reset_index(drop=True)
print("Behavioural baseline features added.")
print(df_all[['amt', 'amount_mean_30d', 'amount_zscore_30d']].dropna().describe().round(2))


In [None]:
# ── Step 5: Merchant category fraud rate (training data only) ──────────────
# Chronological split: training = first 70% of records by time
split_idx = int(len(df_all) * 0.70)
train_period = df_all.iloc[:split_idx].copy()

cat_risk = (
    train_period.groupby('category')['is_fraud']
    .mean()
    .rename('merchant_category_fraud_rate')
    .reset_index()
)

df_all = df_all.merge(cat_risk, on='category', how='left')

print("Merchant category fraud rates (training period):")
print(
    cat_risk.sort_values('merchant_category_fraud_rate', ascending=False)
    .assign(pct=lambda x: (x['merchant_category_fraud_rate']*100).round(3))
    [['category', 'pct']].rename(columns={'pct': 'fraud_rate_%'})
    .to_string(index=False)
)


In [None]:
# ── Final feature set ───────────────────────────────────────────────────────
FEATURE_COLS = [
    'amt',
    'hour_of_day',
    'is_weekend',
    'is_night',
    'tx_count_1h',
    'tx_count_24h',
    'amount_sum_1h',
    'amount_mean_30d',
    'amount_zscore_30d',
    'amount_zscore_90d',
    'distance_from_home_km',
    'merchant_category_fraud_rate',
    'city_pop',
]

# Drop rows where rolling windows couldn't compute (early records per cardholder)
df_model = df_all[FEATURE_COLS + ['is_fraud', 'trans_datetime', 'cc_num',
                                   'trans_num', 'category', 'amt']].copy()
df_model = df_model.dropna(subset=FEATURE_COLS)

print(f"Records after feature engineering: {len(df_model):,}")
print(f"Fraud rate in final dataset:       {df_model['is_fraud'].mean()*100:.3f}%")
print(f"\nFeature completeness:")
print(df_model[FEATURE_COLS].isnull().sum())


## 5. Baseline: Rules-Based System

Before building the anomaly detection models, we first replicate the performance of a typical static rules engine. This establishes a concrete baseline that all model improvements are measured against.

The rules engine flags a transaction if **2 or more** of the following fire:
- Amount exceeds $500 (≈ 78th percentile)
- Transaction occurs between 22:00 and 05:00
- Merchant category has a historical fraud rate above 1.0%
- More than 4 transactions from this card in the past hour


In [None]:
# ── Chronological train / test split ───────────────────────────────────────
df_model = df_model.sort_values('trans_datetime').reset_index(drop=True)

split_idx = int(len(df_model) * 0.70)
train_df  = df_model.iloc[:split_idx].copy()
test_df   = df_model.iloc[split_idx:].copy()

print(f"Training set : {len(train_df):,} records  |  {train_df['is_fraud'].sum():,} fraud cases")
print(f"Test set     : {len(test_df):,} records  |  {test_df['is_fraud'].sum():,} fraud cases")
print(f"\nTrain period: {train_df['trans_datetime'].min().date()} → {train_df['trans_datetime'].max().date()}")
print(f"Test period : {test_df['trans_datetime'].min().date()} → {test_df['trans_datetime'].max().date()}")

X_train = train_df[FEATURE_COLS]
X_test  = test_df[FEATURE_COLS]
y_train = train_df['is_fraud']
y_test  = test_df['is_fraud']


In [None]:
# ── Rules-based engine ─────────────────────────────────────────────────────
AMOUNT_THRESHOLD   = 500.0     # 78th percentile of transaction amounts
CATEGORY_THRESHOLD = 0.01      # 1.0% historical fraud rate
VELOCITY_THRESHOLD = 4         # transactions in past hour

def rules_engine(row):
    flags = 0
    if row['amt']                          > AMOUNT_THRESHOLD:   flags += 1
    if row['is_night']                     == 1:                 flags += 1
    if row['merchant_category_fraud_rate'] > CATEGORY_THRESHOLD: flags += 1
    if row['tx_count_1h']                  > VELOCITY_THRESHOLD: flags += 1
    return int(flags >= 2)

test_df['rules_flag'] = test_df.apply(rules_engine, axis=1)

# ── Evaluate rules baseline ─────────────────────────────────────────────────
y_pred_rules = test_df['rules_flag']

tn, fp, fn, tp = confusion_matrix(y_test, y_pred_rules).ravel()
rules_recall    = tp / (tp + fn)
rules_fpr       = fp / (fp + tn)
rules_precision = tp / (tp + fp) if (tp + fp) > 0 else 0
rules_f1        = f1_score(y_test, y_pred_rules)
rules_alerts_per_10k = y_pred_rules.mean() * 10000

print("=== Rules Engine Baseline ===")
print(f"Recall (Detection Rate) : {rules_recall*100:.1f}%")
print(f"False Positive Rate     : {rules_fpr*100:.1f}%")
print(f"Precision               : {rules_precision*100:.1f}%")
print(f"F1 Score                : {rules_f1:.3f}")
print(f"Alerts per 10K txns     : {rules_alerts_per_10k:.0f}")
print(f"\nConfusion Matrix:")
print(f"  True Positives  : {tp:,}   (fraud caught)")
print(f"  False Positives : {fp:,}  (legitimate flagged)")
print(f"  False Negatives : {fn:,}   (fraud missed)")
print(f"  True Negatives  : {tn:,}")


## 6. Anomaly Detection Models

### Model 1: Z-Score Detection
Applied as a univariate check on `amount_zscore_30d`. A threshold of 2.5 standard deviations was selected after evaluating precision-recall tradeoffs on training data. Because the Z-score is computed per cardholder from their own 30-day history, it flags amounts that are unusual *for that specific account* — not just globally large.

### Model 2: Isolation Forest
Trained on all 13 features. `contamination=0.006` is set slightly above the known 0.52% fraud rate. Being unsupervised, it requires no fraud labels to train; it learns the structure of normal transactions and isolates outliers.

### Combined Alert Logic
A transaction is escalated when either:
- Isolation Forest risk score > 60, **or**
- Z-score flagged AND risk score > 40


In [None]:
# ── Z-Score model ──────────────────────────────────────────────────────────
ZSCORE_THRESHOLD = 2.5

test_df['zscore_flagged'] = test_df['amount_zscore_30d'].abs() > ZSCORE_THRESHOLD
train_df['zscore_flagged'] = train_df['amount_zscore_30d'].abs() > ZSCORE_THRESHOLD

print(f"Z-score flags on test set: {test_df['zscore_flagged'].sum():,}")
print(f"  of which are fraud     : {test_df[test_df['zscore_flagged']]['is_fraud'].sum():,}")


In [None]:
# ── Isolation Forest ───────────────────────────────────────────────────────
print("Training Isolation Forest...")

iso_forest = IsolationForest(
    n_estimators=200,
    contamination=0.006,
    max_features=1.0,
    random_state=42,
    n_jobs=-1
)

iso_forest.fit(X_train)
print("Training complete.")

# Raw anomaly scores (lower = more anomalous)
raw_train_scores = iso_forest.decision_function(X_train)
raw_test_scores  = iso_forest.decision_function(X_test)

# Invert and normalise to 0-100 risk score
# Fit scaler on training scores to prevent leakage
scaler = MinMaxScaler(feature_range=(0, 100))
train_risk = scaler.fit_transform((-raw_train_scores).reshape(-1, 1)).flatten()
test_risk  = scaler.transform((-raw_test_scores).reshape(-1, 1)).flatten()

test_df['risk_score']  = test_risk
train_df['risk_score'] = train_risk

print(f"\nTest set risk score distribution:")
print(pd.Series(test_risk).describe().round(2))


In [None]:
# ── Combined alert logic ───────────────────────────────────────────────────
RISK_THRESHOLD        = 60    # primary alert threshold
RISK_ZSCORE_THRESHOLD = 40    # secondary threshold when Z-score also fires

def combined_alert(row):
    if row['risk_score'] > RISK_THRESHOLD:
        return 1
    if row['zscore_flagged'] and row['risk_score'] > RISK_ZSCORE_THRESHOLD:
        return 1
    return 0

test_df['model_flag'] = test_df.apply(combined_alert, axis=1)

print(f"Model alerts on test set: {test_df['model_flag'].sum():,}")
print(f"Rules alerts on test set: {test_df['rules_flag'].sum():,}")


## 7. Model Evaluation

All evaluation uses precision-recall framing. At 0.52% fraud rate, accuracy is a misleading metric — a model that predicts 'not fraud' every time achieves 99.48% accuracy while catching nothing.

In [None]:
# ── Compute metrics ────────────────────────────────────────────────────────
y_pred_model = test_df['model_flag']

tn_m, fp_m, fn_m, tp_m = confusion_matrix(y_test, y_pred_model).ravel()
model_recall    = tp_m / (tp_m + fn_m)
model_fpr       = fp_m / (fp_m + tn_m)
model_precision = tp_m / (tp_m + fp_m) if (tp_m + fp_m) > 0 else 0
model_f1        = f1_score(y_test, y_pred_model)
model_alerts_per_10k = y_pred_model.mean() * 10000

print("╔══════════════════════════════════════════════════════════════╗")
print("║              EVALUATION RESULTS — TEST SET                  ║")
print("╠═══════════════════════════════╦══════════════╦══════════════╣")
print("║ Metric                        ║ Rules Engine ║ Anomaly Model ║")
print("╠═══════════════════════════════╬══════════════╬══════════════╣")
print(f"║ Recall (Detection Rate)       ║   {rules_recall*100:5.1f}%    ║   {model_recall*100:5.1f}%     ║")
print(f"║ False Positive Rate           ║   {rules_fpr*100:5.1f}%    ║   {model_fpr*100:5.1f}%     ║")
print(f"║ Precision                     ║   {rules_precision*100:5.1f}%    ║   {model_precision*100:5.1f}%     ║")
print(f"║ F1 Score                      ║   {rules_f1:5.3f}     ║   {model_f1:5.3f}      ║")
print(f"║ Alerts per 10K transactions   ║  {rules_alerts_per_10k:6.0f}      ║  {model_alerts_per_10k:6.0f}       ║")
print("╚═══════════════════════════════╩══════════════╩══════════════╝")

fpr_reduction = (rules_fpr - model_fpr) / rules_fpr * 100
print(f"\nRelative false positive reduction: {fpr_reduction:.1f}%")


In [None]:
# ── Visualise: side-by-side comparison ─────────────────────────────────────
metrics = {
    'Detection Rate (Recall)': [rules_recall*100, model_recall*100],
    'False Positive Rate':     [rules_fpr*100,    model_fpr*100],
    'Precision':               [rules_precision*100, model_precision*100],
}

fig, axes = plt.subplots(1, 3, figsize=(13, 4))
colors = [['#fca5a5', '#86efac'], ['#fca5a5', '#86efac'], ['#93c5fd', '#34d399']]

for ax, (metric, vals), clr in zip(axes, metrics.items(), colors):
    bars = ax.bar(['Rules Engine', 'Anomaly Model'], vals, color=clr,
                  width=0.5, edgecolor='none')
    ax.set_title(metric, fontweight='bold', pad=10)
    ax.set_ylabel('%')
    ax.yaxis.set_major_formatter(mtick.PercentFormatter())
    for bar, val in zip(bars, vals):
        ax.text(bar.get_x() + bar.get_width()/2, bar.get_height() + 0.3,
                f'{val:.1f}%', ha='center', va='bottom', fontsize=10, fontweight='bold')
    ax.set_ylim(0, max(vals) * 1.25)

plt.suptitle('Rules Engine vs Anomaly Detection — Test Set', fontweight='bold', y=1.02)
plt.tight_layout()
plt.show()


In [None]:
# ── Precision-Recall curve ─────────────────────────────────────────────────
prec_m, rec_m, _ = precision_recall_curve(y_test, test_df['risk_score'])
prec_r, rec_r, _ = precision_recall_curve(y_test, test_df['rules_flag'])

auc_m = auc(rec_m, prec_m)
auc_r = auc(rec_r, prec_r)

fig, ax = plt.subplots(figsize=(8, 5))
ax.plot(rec_m, prec_m, color='#1a56a0', lw=2, label=f'Anomaly Model (AUC-PR = {auc_m:.3f})')
ax.plot(rec_r, prec_r, color='#d4380d', lw=2, linestyle='--', label=f'Rules Engine (AUC-PR = {auc_r:.3f})')
ax.axhline(y=y_test.mean(), color='grey', linestyle=':', label=f'Random baseline ({y_test.mean()*100:.2f}%)')
ax.set_xlabel('Recall')
ax.set_ylabel('Precision')
ax.set_title('Precision-Recall Curve', fontweight='bold')
ax.legend()
plt.tight_layout()
plt.show()


In [None]:
# ── Confusion matrices side by side ────────────────────────────────────────
fig, axes = plt.subplots(1, 2, figsize=(10, 4))

for ax, preds, title in zip(
    axes,
    [y_pred_rules, y_pred_model],
    ['Rules Engine', 'Anomaly Detection Model']
):
    cm = confusion_matrix(y_test, preds)
    sns.heatmap(cm, annot=True, fmt=',', cmap='Blues', ax=ax,
                xticklabels=['Predicted
Legit', 'Predicted
Fraud'],
                yticklabels=['Actual
Legit', 'Actual
Fraud'],
                cbar=False)
    ax.set_title(title, fontweight='bold')

plt.tight_layout()
plt.show()


In [None]:
# ── Risk score distribution: fraud vs legitimate ────────────────────────────
fig, ax = plt.subplots(figsize=(9, 4))

legit_scores = test_df[test_df['is_fraud'] == 0]['risk_score']
fraud_scores = test_df[test_df['is_fraud'] == 1]['risk_score']

ax.hist(legit_scores, bins=60, alpha=0.6, color='#1a56a0', label='Legitimate', density=True)
ax.hist(fraud_scores, bins=60, alpha=0.75, color='#d4380d', label='Fraud', density=True)
ax.axvline(x=60, color='black', linestyle='--', lw=1.5, label=f'Alert threshold (60)')
ax.set_xlabel('Risk Score (0–100)')
ax.set_ylabel('Density')
ax.set_title('Risk Score Distribution: Fraud vs Legitimate', fontweight='bold')
ax.legend()
plt.tight_layout()
plt.show()

print(f"Fraud mean risk score    : {fraud_scores.mean():.1f}")
print(f"Legitimate mean risk score: {legit_scores.mean():.1f}")


## 8. SHAP Explainability

SHAP (SHapley Additive exPlanations) values explain which features drove each transaction's risk score. Because the feature names are meaningful — `distance_from_home_km`, `amount_zscore_30d`, `merchant_category_fraud_rate` — the explanations tell a genuine story about why a transaction was flagged, rather than referencing opaque components.

Example output for a real flagged transaction:
```
distance_from_home_km        : +12.4  (transaction 847 km from home)
amount_zscore_30d            : +4.1   (4.1 std devs above cardholder's 30-day mean)
merchant_category_fraud_rate : +0.8   (shopping_net: 1.8% historical fraud rate)
```


In [None]:
# ── SHAP values on a sample of the test set ────────────────────────────────
# Use a sample for speed; remove sample_size limit for full run
SHAP_SAMPLE = 2000

X_shap_sample = X_test.sample(n=min(SHAP_SAMPLE, len(X_test)), random_state=42)

print("Computing SHAP values (this may take 1–2 minutes)...")
explainer   = shap.TreeExplainer(iso_forest)
shap_values = explainer.shap_values(X_shap_sample)

print("SHAP values computed.")
print(f"Shape: {shap_values.shape}")


In [None]:
# ── SHAP summary plot (beeswarm) ────────────────────────────────────────────
shap.summary_plot(shap_values, X_shap_sample, feature_names=FEATURE_COLS,
                  plot_type='beeswarm', show=False)
plt.title('SHAP Feature Importance — Isolation Forest', fontweight='bold', pad=12)
plt.tight_layout()
plt.show()


In [None]:
# ── SHAP bar chart: mean absolute impact ───────────────────────────────────
shap.summary_plot(shap_values, X_shap_sample, feature_names=FEATURE_COLS,
                  plot_type='bar', show=False)
plt.title('Mean |SHAP Value| per Feature', fontweight='bold', pad=12)
plt.tight_layout()
plt.show()


In [None]:
# ── Per-transaction explanation: top 3 driving features ────────────────────
def top_shap_features(shap_row, feature_names, n=3):
    """Return the top-n features by absolute SHAP value for one transaction."""
    pairs = sorted(
        zip(feature_names, shap_row),
        key=lambda x: abs(x[1]),
        reverse=True
    )
    return pairs[:n]

# Show explanations for the 5 highest-scored fraud cases
high_risk_idx = (
    test_df[test_df['is_fraud'] == 1]
    .nlargest(5, 'risk_score')
    .index
)

print("=== Top SHAP Explanations for Highest-Risk Confirmed Fraud Transactions ===\n")
for idx in high_risk_idx[:3]:
    row_pos = X_test.index.get_loc(idx)
    if row_pos >= len(shap_values):
        continue
    shap_row = shap_values[row_pos]
    top_feats = top_shap_features(shap_row, FEATURE_COLS)
    tx = test_df.loc[idx]
    print(f"Transaction: {tx.get('trans_num', idx)}")
    print(f"  Risk Score  : {tx['risk_score']:.1f}")
    print(f"  Amount      : ${tx['amt']:.2f}")
    print(f"  Category    : {tx['category']}")
    print(f"  Distance    : {tx['distance_from_home_km']:.1f} km from home")
    print(f"  Top drivers :")
    for feat, val in top_feats:
        direction = '+' if val > 0 else ''
        print(f"    {feat:<35} {direction}{val:.3f}")
    print()


## 9. Billing Reconciliation

The reconciliation layer cross-references flagged transactions against a simulated billing ledger to classify each outcome. This maps directly to the billing accuracy improvement described in the project report.

**Classifications:**
- `FALSE_POSITIVE_BILLING_RISK` — legitimate transaction flagged (would be incorrectly held)
- `MISSED_FRAUD` — fraud not flagged (would slip through)
- `TRUE_POSITIVE` — fraud correctly flagged
- `CLEAN` — legitimate, correctly passed through


In [None]:
# ── Billing reconciliation ──────────────────────────────────────────────────
def reconcile(row):
    flagged = row['model_flag'] == 1
    is_fr   = row['is_fraud']   == 1
    if flagged and not is_fr:   return 'FALSE_POSITIVE_BILLING_RISK'
    if not flagged and is_fr:   return 'MISSED_FRAUD'
    if flagged and is_fr:       return 'TRUE_POSITIVE'
    return 'CLEAN'

def reconcile_rules(row):
    flagged = row['rules_flag'] == 1
    is_fr   = row['is_fraud']   == 1
    if flagged and not is_fr:   return 'FALSE_POSITIVE_BILLING_RISK'
    if not flagged and is_fr:   return 'MISSED_FRAUD'
    if flagged and is_fr:       return 'TRUE_POSITIVE'
    return 'CLEAN'

test_df['recon_model'] = test_df.apply(reconcile, axis=1)
test_df['recon_rules'] = test_df.apply(reconcile_rules, axis=1)

# Summary
for label, col in [('Rules Engine', 'recon_rules'), ('Anomaly Model', 'recon_model')]:
    counts = test_df[col].value_counts()
    print(f"\n=== {label} ===")
    for status in ['TRUE_POSITIVE', 'FALSE_POSITIVE_BILLING_RISK', 'MISSED_FRAUD', 'CLEAN']:
        print(f"  {status:<35}: {counts.get(status, 0):>7,}")

fp_rules = (test_df['recon_rules'] == 'FALSE_POSITIVE_BILLING_RISK').sum()
fp_model = (test_df['recon_model'] == 'FALSE_POSITIVE_BILLING_RISK').sum()
reduction = (fp_rules - fp_model) / fp_rules * 100
print(f"\nFalse positive billing risk reduction: {reduction:.1f}%")
print(f"({fp_rules:,} → {fp_model:,} false positive billing events)")


In [None]:
# ── Visualise reconciliation outcomes ───────────────────────────────────────
statuses   = ['TRUE_POSITIVE', 'FALSE_POSITIVE_BILLING_RISK', 'MISSED_FRAUD']
status_labels = ['True Positive
(Fraud caught)', 'False Positive
(Billing risk)', 'Missed Fraud']
colors_recon = ['#86efac', '#fca5a5', '#fde68a']

rules_counts = [test_df['recon_rules'].value_counts().get(s, 0) for s in statuses]
model_counts = [test_df['recon_model'].value_counts().get(s, 0) for s in statuses]

x   = np.arange(len(statuses))
w   = 0.35
fig, ax = plt.subplots(figsize=(9, 5))

for i, (rc, mc, sl, c) in enumerate(zip(rules_counts, model_counts, status_labels, colors_recon)):
    ax.bar(i - w/2, rc, w, label='Rules' if i == 0 else '', color=c, alpha=0.6, edgecolor='none')
    ax.bar(i + w/2, mc, w, label='Model' if i == 0 else '', color=c, alpha=1.0, edgecolor='none')

ax.set_xticks(x)
ax.set_xticklabels(status_labels)
ax.set_ylabel('Transaction Count')
ax.set_title('Billing Reconciliation: Rules Engine vs Anomaly Model', fontweight='bold')
ax.legend(['Rules Engine', 'Anomaly Model'])
plt.tight_layout()
plt.show()


## 10. Tableau Dashboard Data Export

Two CSVs are exported for Tableau:

1. **`tableau_alert_queue.csv`** — Operational monitoring view. High-risk transactions ranked by score with SHAP attribution columns for each alert.
2. **`tableau_performance.csv`** — Performance tracking view. Daily metrics showing detection rate, false positive rate, and alert volume over time.


In [None]:
# ── Alert queue export ──────────────────────────────────────────────────────
EXPORT_DIR = './tableau_exports/'
os.makedirs(EXPORT_DIR, exist_ok=True)

alert_queue = (
    test_df[test_df['model_flag'] == 1]
    [[
        'trans_datetime', 'cc_num', 'category', 'amt',
        'distance_from_home_km', 'amount_zscore_30d',
        'merchant_category_fraud_rate', 'tx_count_1h',
        'risk_score', 'zscore_flagged', 'is_fraud', 'recon_model'
    ]]
    .sort_values('risk_score', ascending=False)
    .reset_index(drop=True)
)

# Attach top SHAP feature name to each alert
shap_df = pd.DataFrame(shap_values, columns=FEATURE_COLS, index=X_shap_sample.index)

def get_top_shap_feature(idx):
    if idx in shap_df.index:
        row = shap_df.loc[idx]
        return row.abs().idxmax()
    return ''

alert_queue['top_shap_feature'] = alert_queue.index.map(get_top_shap_feature)

alert_queue.to_csv(os.path.join(EXPORT_DIR, 'tableau_alert_queue.csv'), index=False)
print(f"Alert queue exported: {len(alert_queue):,} alerts")
print(alert_queue.head(5)[['trans_datetime', 'category', 'amt', 'risk_score', 'is_fraud', 'top_shap_feature']])


In [None]:
# ── Daily performance metrics export ───────────────────────────────────────
test_df['date'] = test_df['trans_datetime'].dt.date

daily = test_df.groupby('date').agg(
    total_transactions   = ('is_fraud',      'count'),
    actual_fraud         = ('is_fraud',      'sum'),
    rules_flags          = ('rules_flag',    'sum'),
    model_flags          = ('model_flag',    'sum'),
    model_true_positives = ('recon_model',   lambda x: (x == 'TRUE_POSITIVE').sum()),
    model_false_positives= ('recon_model',   lambda x: (x == 'FALSE_POSITIVE_BILLING_RISK').sum()),
    rules_true_positives = ('recon_rules',   lambda x: (x == 'TRUE_POSITIVE').sum()),
    rules_false_positives= ('recon_rules',   lambda x: (x == 'FALSE_POSITIVE_BILLING_RISK').sum()),
).reset_index()

daily['model_detection_rate'] = daily['model_true_positives'] / daily['actual_fraud'].replace(0, np.nan)
daily['rules_detection_rate'] = daily['rules_true_positives'] / daily['actual_fraud'].replace(0, np.nan)
daily['model_fpr']            = daily['model_false_positives'] / (daily['total_transactions'] - daily['actual_fraud'])
daily['rules_fpr']            = daily['rules_false_positives'] / (daily['total_transactions'] - daily['actual_fraud'])

daily.to_csv(os.path.join(EXPORT_DIR, 'tableau_performance.csv'), index=False)
print(f"Performance metrics exported: {len(daily)} daily records")
print(daily[['date', 'total_transactions', 'model_detection_rate', 'model_fpr']].head(8).round(3).to_string(index=False))


## 11. Limitations & Next Steps

### Honest Caveats

**Synthetic data.** The Sparkov dataset is generated, not real transaction history. Fraud patterns are cleaner and more consistent than production data. Results may be more optimistic than a live deployment would produce.

**No concept drift.** The model was trained and evaluated on a static dataset. A production system requires scheduled retraining and drift detection as fraud patterns evolve.

**Chargeback metric is projected.** The 28% chargeback reduction is derived from detection rate improvement, not from tracked chargeback records. Real validation requires downstream chargeback data.

**Class imbalance.** At 0.52% fraud rate, accuracy is misleading. All evaluation used precision-recall framing. SMOTE was not applied as Isolation Forest is unsupervised.

---

### Potential Next Steps

| Direction | Description |
|---|---|
| **Supervised layer** | Add a LightGBM classifier trained on labelled fraud cases to complement the unsupervised Isolation Forest |
| **Real-time scoring** | Move from batch to streaming using Kafka + a model server (e.g. FastAPI) |
| **Drift detection** | Monitor feature distributions over time; retrain when significant drift is detected |
| **Threshold optimisation** | Use cost-sensitive threshold tuning based on fraud loss vs. false positive operational cost |
| **Graph features** | Build merchant-cardholder network features to detect coordinated fraud rings |
| **Production PostgreSQL** | Replace pandas rolling windows with scheduled SQL materialized views for scale |

---

### Reproducibility

```
Dataset  : kaggle datasets download -d kartik2112/fraud-detection
Python   : 3.10+
sklearn  : 1.3
pandas   : 2.0
numpy    : 1.24
shap     : 0.43
Database : PostgreSQL 15
Seed     : 42
Split    : Chronological 70/30 — no data leakage
```


In [None]:
# ── Final summary printout ──────────────────────────────────────────────────
print("=" * 60)
print("  FRAUD DETECTION PROJECT — FINAL RESULTS SUMMARY")
print("=" * 60)
print(f"  Dataset        : Sparkov (CC0) — {len(df_all):,} transactions")
print(f"  Fraud Rate     : {df_all['is_fraud'].mean()*100:.3f}%")
print(f"  Training Set   : {len(train_df):,} records")
print(f"  Test Set       : {len(test_df):,} records  ({test_df['is_fraud'].sum()} fraud cases)")
print()
print(f"  {'Metric':<35} {'Rules':>8}  {'Model':>8}  {'Delta':>8}")
print(f"  {'-'*62}")
print(f"  {'Detection Rate (Recall)':<35} {rules_recall*100:>7.1f}%  {model_recall*100:>7.1f}%  {(model_recall-rules_recall)*100:>+7.1f}ppt")
print(f"  {'False Positive Rate':<35} {rules_fpr*100:>7.1f}%  {model_fpr*100:>7.1f}%  {(model_fpr-rules_fpr)*100:>+7.1f}ppt")
print(f"  {'Precision':<35} {rules_precision*100:>7.1f}%  {model_precision*100:>7.1f}%  {(model_precision-rules_precision)*100:>+7.1f}ppt")
print(f"  {'F1 Score':<35} {rules_f1:>8.3f}  {model_f1:>8.3f}  {model_f1-rules_f1:>+8.3f}")
print(f"  {'Alerts per 10K transactions':<35} {rules_alerts_per_10k:>8.0f}  {model_alerts_per_10k:>8.0f}  {model_alerts_per_10k-rules_alerts_per_10k:>+8.0f}")
print()
fp_reduction = (rules_fpr - model_fpr) / rules_fpr * 100
print(f"  False positive relative reduction : {fp_reduction:.1f}%")
print("=" * 60)
