# Rule-Based Fraud Detection System for UPI Transactions

In digital banking and fintech platforms, companies face a continuous challenge of detecting fraudulent activities in real time while minimizing false positives. Fraudulent transactions can lead to financial losses, regulatory penalties, and erosion of customer trust.

Traditional manual reviews are:
- Time-consuming
- Error-prone
- Not scalable with high transaction volumes

Hence, organizations require a data-driven fraud detection framework that can:
- Identify suspicious behavior early
- Support fraud analysts with actionable insights
- Act as a first-line defense before advanced machine learning models are applied

This project addresses that exact business need.

## Analytical Justification

The project builds a rule-based fraud detection engine by integrating multiple operational data sources:
- Customer details
- Account information
- Transaction history
- Login activity
- Device usage

By consolidating these datasets into a master analytical table, the system enables cross-behavioral analysis that is commonly used by fraud and risk teams in real companies.

Rule-based logic is intentionally used because:
- It is transparent and explainable (important for audits and compliance)
- It is widely adopted as an initial screening layer in financial institutions
- It allows quick iteration based on changing fraud patterns

## Rule Justifications (Very Important)

### 1. Multiple Logins from Different Devices
**Justification:** Frequent logins from multiple devices within a short time frame may indicate account takeover or credential compromise.
**Business Impact:** Early detection prevents unauthorized access before financial transactions occur.

### 2. High-Value Transactions in Short Time Windows
**Justification:** Sudden high-value or repeated transactions can signal fraudulent fund extraction.
**Business Impact:** Reduces direct monetary loss and chargeback risk.

### 3. Transactions at Unusual Hours
**Justification:** Fraudulent activities often occur during off-peak hours to avoid immediate detection.
**Business Impact:** Improves monitoring efficiency during low-staffed time periods.

### 4. Frequent Device or Location Changes
**Justification:** Legitimate users typically exhibit stable device and location patterns. Rapid changes may indicate suspicious access behavior.
**Business Impact:** Helps identify synthetic identities or shared account misuse.

## Data Analytics Justification

This project demonstrates end-to-end data analytics skills relevant to corporate environments:
- SQL-based data extraction from relational databases
- Data validation and quality checks
- Data transformation and feature creation
- Behavioral pattern analysis
- Risk flag generation

Rather than focusing only on modeling, the project emphasizes decision-oriented analytics, which aligns closely with Data Analyst and Fraud Analyst roles.

## Business Value Delivered

The solution enables companies to:
- Prioritize high-risk transactions for manual review
- Reduce false positives through multi-rule evaluation
- Improve operational efficiency of fraud teams
- Create a scalable foundation for future machine learning models

## Strategic Relevance to the Company

This system can be deployed as:
- A real-time rule engine
- A batch risk scoring pipeline
- A pre-processing layer for ML-based fraud detection

It aligns with compliance requirements by offering explainable decision logic, making it suitable for regulated industries such as banking and fintech.



In [2]:
import pandas as pb 
import sqlalchemy 
from urllib.parse import quote_plus
from functools import reduce 



Now i am going to import the date from the my sql date base 

In [3]:
password= quote_plus("Yash@1234")
engine = sqlalchemy.create_engine(f"mysql+pymysql://root:{password}@localhost:3306/fintech_fraud_analytics_db")

# Data Cleaning and Validation

* Data cleaning is performed as a critical preprocessing step to improve data quality and ensure that subsequent fraud detection rules produce accurate and meaningful results.

In [4]:
Accounts = pb.read_sql_table(table_name = "accounts" , con = engine)
has_null = Accounts.isnull().any().any()

if (has_null == True):
    null_count = Accounts.isnull().sum().sum()
    print("Number of null values:", null_count)
else:
    print(f"The Accounts table don't have any null values")


The Accounts table don't have any null values


In [5]:
Customers = pb.read_sql_table(table_name = "customers" , con = engine)
has_null = Customers.isnull().any().any()
if (has_null == True):
    null_count = Customers.isnull().sum().sum()
    print("Number of null values:", null_count)
else:
    print(f"The Customers table don't have any null values")

The Customers table don't have any null values


In [6]:
Devices = pb.read_sql_table(table_name = "devices" , con = engine)
has_null = Devices.isnull().any().any()
if (has_null == True):
    null_count = Devices.isnull().sum().sum()
    print("Number of null values:", null_count)
else:
    print(f"The Devices table don't have any null values")

The Devices table don't have any null values


In [7]:
LoginActivity = pb.read_sql_table(table_name = "login_activity" , con = engine)
has_null = LoginActivity.isnull().any().any()
if (has_null == True):
    null_count = LoginActivity.isnull().sum().sum()
    print("Number of null values:", null_count)
else:
    print(f"The Login Activity table don't have any null values")

The Login Activity table don't have any null values


In [8]:
Transactions = pb.read_sql_table(table_name = "transactions" , con = engine)
has_null = Transactions.isnull().any().any()
if (has_null == True):
    null_count = Transactions.isnull().sum().sum()
    print("Number of null values:", null_count)
else:
    print(f"The Transactions table don't have any null values")

The Transactions table don't have any null values


# Duplicate Record Validation

* The dataset is checked for duplicate records to ensure data integrity and prevent skewed analytical results.


In [9]:
has_duplicates = Accounts.duplicated().any()

if(has_duplicates == True):
    all_duplicate_sets = Accounts[Accounts.duplicated(keep=False)]
    print(all_duplicate_sets)
else:
    print(f"The Accounts table don't have any exact duplicate rows") 

The Accounts table don't have any exact duplicate rows


In [10]:
has_duplicates = Customers.duplicated().any()

if(has_duplicates == True):
    all_duplicate_sets = Customers[Customers.duplicated(keep=False)]
    print(all_duplicate_sets)
else:
    print(f"The Customers table don't have any exact duplicate rows") 

The Customers table don't have any exact duplicate rows


In [11]:
has_duplicates = Devices.duplicated().any()

if(has_duplicates == True):
    all_duplicate_sets = Devices[Devices.duplicated(keep=False)]
    print(all_duplicate_sets)
else:
    print(f"The Devices table don't have any exact duplicate rows") 

The Devices table don't have any exact duplicate rows


In [12]:
has_duplicates = LoginActivity.duplicated().any()

if(has_duplicates == True):
    all_duplicate_sets = LoginActivity[LoginActivity.duplicated(keep=False)]
    print(all_duplicate_sets)
else:
    print(f"The LoginActivity table don't have any exact duplicate rows") 

The LoginActivity table don't have any exact duplicate rows


In [13]:
has_duplicates = Transactions.duplicated().any()

if(has_duplicates == True):
    all_duplicate_sets = Transactions[Transactions.duplicated(keep=False)]
    print(all_duplicate_sets)
else:
    print(f"The Transactions table don't have any exact duplicate rows") 

The Transactions table don't have any exact duplicate rows


# Data Type Validation


* Data types of all columns are reviewed and validated to ensure consistency and compatibility with downstream analytical processes.


In [14]:
# df = pb.DataFrame(Transactions)
print(pb.DataFrame(Accounts).dtypes)
print(pb.DataFrame(Customers).dtypes)
print(pb.DataFrame(Devices).dtypes)
print(pb.DataFrame(LoginActivity).dtypes)
print(pb.DataFrame(Transactions).dtypes)





account_id                int64
customer_id               int64
account_type             object
account_open_date        object
status                   object
registered_device_ids    object
dtype: object
customer_id          int64
full_name           object
mobile               int64
email               object
signup_date         object
city                object
state               object
customer_segment    object
dtype: object
device_id        object
customer_id       int64
device_type      object
os_version       object
registered_at    object
last_used_at     object
is_active         int64
dtype: object
login_id            int64
customer_id         int64
device_id          object
login_timestamp    object
ip_address         object
city               object
state              object
success             int64
dtype: object
transaction_id         int64
account_id             int64
txn_timestamp         object
amount               float64
currency              object
txn_type       

# Date-Time Conversion

* Date-related columns are converted from object type to datetime format to enable accurate time-based analysis and fraud detection logic.


In [15]:
Accounts['account_open_date'] = pb.to_datetime(Accounts['account_open_date'])
Customers['signup_date'] = pb.to_datetime(Customers['signup_date'])
Devices['registered_at'] = pb.to_datetime(Devices['registered_at'])
Devices['last_used_at'] = pb.to_datetime(Devices['last_used_at'])
LoginActivity['login_timestamp'] = pb.to_datetime(LoginActivity['login_timestamp'])
Transactions['txn_timestamp'] = pb.to_datetime(Transactions['txn_timestamp'])






# Data Validation & Sanity Checks

In [16]:
Customers_df = pb.DataFrame({
    'customer_id': Customers['customer_id'],
    'signup_date': Customers['signup_date'],
    'flag_missing_signup_date': Customers['signup_date'].isnull().astype(int),
    'flag_future_signup_date': (Customers['signup_date'] == pb.Timestamp('2025-12-20')).astype(int)
})
Customers_df.to_csv('Customers.csv')

Customers_df


Unnamed: 0,customer_id,signup_date,flag_missing_signup_date,flag_future_signup_date
0,1,2025-12-04,0,0
1,2,2025-11-26,0,0
2,3,2025-09-04,0,0
3,4,2025-11-11,0,0
4,5,2025-09-29,0,0
...,...,...,...,...
295,296,2025-10-21,0,0
296,297,2025-10-18,0,0
297,298,2025-09-19,0,0
298,299,2025-12-07,0,0


In [29]:
Accounts_df = pb.DataFrame({
    'account_id': Accounts['account_id'],
    'customer_id' : Accounts['customer_id'],
    'flag_account_open_before_signup': (Accounts['account_open_date'] < Customers['signup_date']).astype(int),
    'flag_future_account_open': (Accounts['account_open_date'] > pb.Timestamp('2026-1-2')).astype(int)
})

Accounts_df.to_csv('Accounts_df.csv')

Accounts_df.head()

Unnamed: 0,account_id,customer_id,flag_account_open_before_signup,flag_future_account_open
0,1001,1,0,0
1,1002,2,0,0
2,1003,3,0,0
3,1004,4,0,0
4,1005,5,0,0


In [30]:
Devices_df = pb.DataFrame({
    'device_id': Devices['device_id'],
    'customer_id': Devices['customer_id'],
    'flag_last_used_before_registered': (Devices['last_used_at'] < Devices['registered_at']).astype(int),
    'flag_future_device_registration': (Devices['registered_at'] > pb.Timestamp('2026-1-2')).astype(int),
    'flag_inactive_device' : Devices['is_active']
})
Devices_df.to_csv('Devices_df.csv')



Devices_df


Unnamed: 0,device_id,customer_id,flag_last_used_before_registered,flag_future_device_registration,flag_inactive_device
0,DEV-1-589,1,0,0,1
1,DEV-1-915,1,0,0,1
2,DEV-1-155,1,0,0,1
3,DEV-2-901,2,0,0,1
4,DEV-2-517,2,0,0,0
...,...,...,...,...,...
614,DEV-299-760,299,0,0,1
615,DEV-299-983,299,0,0,0
616,DEV-300-340,300,0,0,1
617,DEV-300-112,300,0,0,1


In [32]:
Devices_df1 = (
    Devices_df
    .groupby('customer_id')
    .agg({
        'flag_last_used_before_registered': 'sum',
        'flag_future_device_registration': 'sum',
        'flag_inactive_device': 'sum'
    })
    .reset_index()
)

# Devices_df1['account_flag'] = (
#     (Devices_df1['flag_last_used_before_registered'] >= 2) &
#     (Devices_df1['flag_future_device_registration'] >= 2) &
#     (Devices_df1['flag_inactive_device'] >= 3)
# ).astype(int)


device_freq = Devices.groupby('customer_id').size()
Devices_df1['Count_of_device_usaged'] = Devices_df1['customer_id'].map(device_freq)


Devices_df1.to_csv('Devices.csv')

Devices_df1


Unnamed: 0,customer_id,flag_last_used_before_registered,flag_future_device_registration,flag_inactive_device,Count_of_device_usaged
0,1,0,0,3,3
1,2,0,0,1,2
2,3,0,0,1,1
3,4,0,0,2,2
4,5,0,0,1,1
...,...,...,...,...,...
295,296,0,0,0,2
296,297,0,0,2,2
297,298,0,0,2,2
298,299,0,0,1,2


In [34]:
# Calculate flags step by step
login_activity_df = LoginActivity.copy()

# Sort by customer and time
login_activity_df = login_activity_df.sort_values(['customer_id', 'login_timestamp'])

# Calculate previous city for each customer
login_activity_df['previous_city'] = login_activity_df.groupby('customer_id')['city'].shift(1)

# Flag city changes
login_activity_df['city_changed'] = (
    (login_activity_df['city'] != login_activity_df['previous_city']) & 
    login_activity_df['previous_city'].notna()
).astype(int)

# Now group by customer
login_activity_df = login_activity_df.groupby('customer_id', as_index=False).agg(
    total_logins=('success', 'count'),
    total_failed_logins=('success', lambda x: (x == 0).sum()),  # Count failures
    city_changes=('city_changed', 'sum')
)

# Create final flags
login_activity_df['flag_failed_login'] = (login_activity_df['total_failed_logins'] >= 1).astype(int)
login_activity_df['flag_multiple_failed_logins'] = (login_activity_df['total_failed_logins'] >= 3).astype(int)
login_activity_df['flag_login_location_change'] = (login_activity_df['city_changes'] > 0).astype(int)

login_activity_df.to_csv('login activity.csv')

login_activity_df

Unnamed: 0,customer_id,total_logins,total_failed_logins,city_changes,flag_failed_login,flag_multiple_failed_logins,flag_login_location_change
0,1,2,2,0,1,0,0
1,2,5,1,2,1,0,1
2,3,8,1,2,1,0,1
3,4,7,1,2,1,0,1
4,5,5,1,2,1,0,1
...,...,...,...,...,...,...,...
287,295,5,3,2,1,1,1
288,296,7,0,3,0,0,1
289,298,1,0,0,0,0,0
290,299,7,0,2,0,0,1


In [35]:
# 1. First create year_month column
Transactions['year_month'] = Transactions['txn_timestamp'].dt.strftime('%Y-%m')

# 2. Then create Frequency_of_transactions
Frequency_of_transactions = Transactions.groupby(['account_id', 'year_month']).size().reset_index(name='transaction_count')

# 3. Now add account_month to Frequency_of_transactions
# Frequency_of_transactions['account_month'] = Frequency_of_transactions['account_id'].astype(str) + '_' + Frequency_of_transactions['year_month']


Frequency_of_transactions.to_csv('Frequency of transactions.csv')

Frequency_of_transactions
# 

Unnamed: 0,account_id,year_month,transaction_count
0,1001,2025-09,1
1,1001,2025-11,2
2,1001,2025-12,1
3,1002,2025-09,1
4,1002,2025-10,3
...,...,...,...
796,1298,2025-12,2
797,1299,2025-09,1
798,1299,2025-11,1
799,1300,2025-10,1


In [36]:
Transactions['year'] = Transactions['txn_timestamp'].dt.strftime('%Y')

Frequency_of_transactions_year_wise = Transactions.groupby(['account_id', 'year']).size().reset_index(name='transaction_count_year_wise')

Frequency_of_transactions_year_wise.to_csv('Frequency of transactions year wise.csv')

Frequency_of_transactions_year_wise

Unnamed: 0,account_id,year,transaction_count_year_wise
0,1001,2025,4
1,1002,2025,4
2,1003,2025,2
3,1004,2025,3
4,1005,2025,5
...,...,...,...
292,1296,2025,3
293,1297,2025,4
294,1298,2025,4
295,1299,2025,2


## Merging all tables into a Master Table
Now we will merge all the created dataframes into a single master dataframe for analysis/modeling.

In [23]:
dataframe = [Customers_df,Accounts_df,login_activity_df,Devices_df1]
merged1_df = reduce(lambda left , right :pb.merge(left,right,on ="customer_id"),dataframe)
merged1_df

# merged1_df = pb.merge(Customers_df, Accounts_df,login_activity_df, on='Customer_id')


Unnamed: 0,customer_id,signup_date,flag_missing_signup_date,flag_future_signup_date,account_id,flag_account_open_before_signup,flag_future_account_open,total_logins,total_failed_logins,city_changes,flag_failed_login,flag_multiple_failed_logins,flag_login_location_change,flag_last_used_before_registered,flag_future_device_registration,flag_inactive_device,Count_of_device_usaged
0,1,2025-12-04,0,0,1001,0,0,2,2,0,1,0,0,0,0,3,3
1,2,2025-11-26,0,0,1002,0,0,5,1,2,1,0,1,0,0,1,2
2,3,2025-09-04,0,0,1003,0,0,8,1,2,1,0,1,0,0,1,1
3,4,2025-11-11,0,0,1004,0,0,7,1,2,1,0,1,0,0,2,2
4,5,2025-09-29,0,0,1005,0,0,5,1,2,1,0,1,0,0,1,1
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
287,295,2025-09-29,0,0,1295,0,0,5,3,2,1,1,1,0,0,1,2
288,296,2025-10-21,0,0,1296,0,0,7,0,3,0,0,1,0,0,0,2
289,298,2025-09-19,0,0,1298,0,0,1,0,0,0,0,0,0,0,2,2
290,299,2025-12-07,0,0,1299,0,0,7,0,2,0,0,1,0,0,1,2


In [24]:
final_merga = pb.merge(merged1_df,Frequency_of_transactions_year_wise,on="account_id")
final_merga

Unnamed: 0,customer_id,signup_date,flag_missing_signup_date,flag_future_signup_date,account_id,flag_account_open_before_signup,flag_future_account_open,total_logins,total_failed_logins,city_changes,flag_failed_login,flag_multiple_failed_logins,flag_login_location_change,flag_last_used_before_registered,flag_future_device_registration,flag_inactive_device,Count_of_device_usaged,year,transaction_count_year_wise
0,1,2025-12-04,0,0,1001,0,0,2,2,0,1,0,0,0,0,3,3,2025,4
1,2,2025-11-26,0,0,1002,0,0,5,1,2,1,0,1,0,0,1,2,2025,4
2,3,2025-09-04,0,0,1003,0,0,8,1,2,1,0,1,0,0,1,1,2025,2
3,4,2025-11-11,0,0,1004,0,0,7,1,2,1,0,1,0,0,2,2,2025,3
4,5,2025-09-29,0,0,1005,0,0,5,1,2,1,0,1,0,0,1,1,2025,5
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
284,295,2025-09-29,0,0,1295,0,0,5,3,2,1,1,1,0,0,1,2,2025,2
285,296,2025-10-21,0,0,1296,0,0,7,0,3,0,0,1,0,0,0,2,2025,3
286,298,2025-09-19,0,0,1298,0,0,1,0,0,0,0,0,0,0,2,2,2025,4
287,299,2025-12-07,0,0,1299,0,0,7,0,2,0,0,1,0,0,1,2,2025,2


In [25]:
# final_merga.drop(columns=['signup_date'])
# final_merga = final_merga.drop(columns=['year'])
# final_merga = final_merga.drop(columns=['account_id'])
# final_merga = final_merga.drop(columns=['total_failed_logins'])
# final_merga = final_merga.drop(columns=['flag_failed_login'])


In [None]:


final_merga.to_csv('final_merga.csv')

final_merga

### Rule-Based Customer Risk Profiling

This section implements the core risk segmentation logic. We filter the master dataset (`final_merga`) to identify customers who exhibit specific patterns indicative of fraud or account compromise.

**Flagging Criteria:**
A customer is flagged if they meet **ANY** of the following conditions:
1.  **High Frequency Access:** Exactly 7 total logins (potential automated script probing).
2.  **Repeated Auth Failures:** Exactly 3 failed login attempts (possible brute force).
3.  **Device Hopping:** Usage of exactly 3 different devices (account sharing or hijacking).
4.  **Transaction Velocity:** Exactly 7 transactions in a year (unusual for typical patterns in this context).
5.  **Composite "Doormat" Indicator:** A specific combination of dormant but compromised attributes:
    *   Low legitimate activity (1 total login)
    *   Future signup date anomaly (data integrity issue)
    *   Presence of failed logins, multiple failure flags, location changes, and inactive devices.

**Output:**
*   `flagged_ids`: List of Customer IDs marked for manual review.
*   `non_flagged_ids`: List of safe Customer IDs.



In [None]:
# Get flagged customer IDs (meeting ANY condition)
flagged_ids = final_merga[
    (final_merga['total_logins'] == 7) |
    (final_merga['total_failed_logins'] == 3) |
    (final_merga['Count_of_device_usaged'] == 3) |
    (final_merga['transaction_count_year_wise'] == 7) |
    (
        (final_merga['total_logins'] == 1) &  # Check if this column name is correct
        (final_merga['flag_future_signup_date'] == 1) &
        (final_merga['flag_failed_login'] == 1) &
        (final_merga['flag_multiple_failed_logins'] == 1) &
        (final_merga['flag_login_location_change'] == 1) &
        (final_merga['flag_inactive_device'] == 3)
    )
]['customer_id'].tolist()

# Get non-flagged IDs
all_ids = final_merga['customer_id'].tolist()
non_flagged_ids = [id for id in all_ids if id not in flagged_ids]



print(f"Flagged customers ({len(flagged_ids)}): {flagged_ids[:5]}...")
print(f"Non-flagged customers ({len(non_flagged_ids)}): {non_flagged_ids[:5]}...")

Flagged customers (121): [1, 4, 7, 11, 12]...
Non-flagged customers (168): [2, 3, 5, 6, 8]...


In [39]:
flagged_df = pb.DataFrame({
    'customer_id': flagged_ids,
    'customer_risk_status': 'Flagged'
})

non_flagged_df = pb.DataFrame({
    'customer_id': non_flagged_ids,
    'customer_risk_status': 'Non-Flagged'
})


In [41]:
customer_risk_summary = pb.concat(
    [flagged_df, non_flagged_df],
    ignore_index=True
)


In [42]:
customer_risk_summary.to_csv(
    'customer_risk_summary.csv',
    index=False
)
