DATA PIPELINE CASE STUDY

Automated Transaction Monitoring Pipeline

Platform: Databricks Built with: SQL, PySpark, n8n Focus: KPI Monitoring, Risk Triggers, Automated Alerting

Project Overview

A cloud-based pipeline that processes 6.3 million mobile money transactions in Databricks, computes daily and weekly business KPIs, evaluates four explainable risk triggers using auditable business rules, and delivers automated reports and alerts to Telegram on a cron schedule. Built to demonstrate cloud scale data processing without requiring anyone to open a dashboard.

The dataset is PaySim, a synthetic mobile money dataset built from real aggregated transaction logs for fraud detection research. It has 6.3M transactions across 31 simulated days, five transaction types, and ground-truth fraud labels.

Note on Defensibility: This pipeline runs on a batch schedule, not streaming — a production equivalent would use Kafka and Databricks Structured Streaming, and the architecture here is designed to be compatible with that upgrade path. PaySim is synthetic, not live data: some patterns in the results below (like a single-day 100% fraud spike) are dataset artifacts, not real-world events, and are labeled as such rather than filtered out.

Pipeline Architecture

Four stages, moving from raw data to a delivered alert:

Risk Triggers

Four explainable, rule-based triggers, evaluated daily and written to an alert_flags table. Results below are the actual validated outputs against PaySim:

Trigger Condition Result
Transaction spike Account exceeds 3× its own 30-day average transaction count in 24 hours 0 rows — PaySim's max daily count per account is 2, making the threshold mathematically unreachable. Kept and documented as a dataset finding, not removed.
Transfer → cash-out chain Same day transfer followed by a cash-out from the same account, in the top 5% of daily amounts 29 same day chains found; 1 exceeds ~$518K. Implemented as an explicit SQL rule, not a trained model, so it stays fully auditable.
Fraud rate breach Daily fraud rate exceeds 1% Fires on 11 of 31 days. Day 31 shows a 100% fraud rate across 274 transactions — a simulation artifact, kept and labeled rather than filtered.
Volume collapse Daily volume drops more than 40% vs. the same day the prior week Fires on ~10 of 31 days, reflecting genuine volume tapering in the dataset's second half.

The transfer → cash-out chain trigger, implemented in SQL:

-- Trigger: Transfer followed by same day cash-out from the same account, -- where the amount sits in the top 5% of daily transaction amounts SELECT t1.account_id, t1.transaction_date, t1.amount AS transfer_amount, t2.amount AS cashout_amount FROM transactions t1 JOIN transactions t2 ON t1.account_id = t2.account_id AND t1.transaction_date = t2.transaction_date AND t1.type = 'TRANSFER' AND t2.type = 'CASH_OUT' WHERE t1.amount >= ( SELECT PERCENTILE_CONT(0.95) WITHIN GROUP (ORDER BY amount) FROM transactions WHERE transaction_date = t1.transaction_date );
Transaction monitoring pipeline: PaySim data through PySpark ingestion, Databricks SQL modeling and triggers, to n8n and Telegram

PaySim data → ingestion → star schema → risk triggers → n8n → Telegram alerts

Automated Workflows

Three cron-triggered n8n workflows query the Databricks SQL endpoint and deliver formatted messages to Telegram:

Key Design Decisions

Known Limitations