Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of the Application
	Claims 1-20 have been examined in this application.
	The filling date of this application number recited above is June 21, 2019. Domestic Benefit/National Stage priority has been claimed for 62/688,528, 62/688,529, 62/688546, and 62/688,532 in the Application Data Sheet, thus the examination will be undertaken in consideration of June 22, 2018, as the priority date for applicable claims.
The information disclosure statements (IDS) submitted on June 21, 2019 and November 21, 2019 and January 27, 2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The Claims are directed to an abstract idea, Methods of Organizing Human Activity. The claims do not include additional 
As per Claims 1, 8, and 15, the claims recite “authenticating an online user in a transaction without use of strong consumer authentication (SCA) comprising:
receive an authentication request message for a transaction involving a market regulated by a regulatory entity, the authentication request message includes authentication data and a transaction value;
extract the authentication data from the authentication request message;
generate, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data that includes a risk score for the transaction;
determine that a risk of fraud in the transaction satisfies a risk threshold established by the regulatory entity by evaluating the risk score relative to the risk threshold;
determine that the transaction value is below a transaction limit set by the regulatory entity, the transaction limit identifies a threshold transaction value below which strong consumer authentication may be avoided for transactions satisfying the risk threshold;
and transmit an authentication response message authenticating the transaction without strong consumer authentication having been performed on the transaction based on the determined risk of fraud satisfying the risk threshold and further based on the determined transaction amount being below the transaction limit.”
organized human activity by performing fundamental economic practices and/or commercial interactions. The method recited above is a process of authenticating a customer’s transaction by generating risk scores to determine fraudulent transactions. This recited process is to mitigate the risk of processing fraudulent transactions, wherein risk mitigation is a fundamental economic practice, a certain method of organized human activity. Additionally, this is an online transaction between a merchant and a consumer for purchases, wherein a sales activity is a commercial interaction, which is also a certain method of organized human activity. Therefore, the claims are directed to an abstract idea.
This judicial exception is not integrated into practical application. In particular, the claims recite an additional element of “authentication platform”, “memory device”, “processor”, “computing device”, and “non-transitory computer-readable storage media” to perform the method recited above by instructing the abstract idea to be performed “by” these generic computer components. These general computer components are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer system. The claims merely recite generic functions to be performed by these generic computer components, such as: receive data, extract data, compare data, and transmit data. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
Mere instructions to apply an exception using a generic computer system cannot provide an inventive concept. The claim is not patent eligible.
Regarding dependent claims, they are still directed to an abstract idea without significantly more.
Claims 2, 9, and 16 recite “further comprising: generate an enhanced authentication request message associated with the transaction, the enhanced authentication request message including data indicating that the transaction is not mandated for strong consumer authentication; and transmit the enhanced authentication request message to an access control server (ACS).”
Claims 3, 10, and 17 recite “further comprising: generate another enhanced authentication request message associated with another transaction, the other enhanced authentication request message including data indicating that the transaction is mandated for strong consumer authentication; and transmit the other enhanced authentication request message to an access control server, the indicated mandate causing the access control server to initiate SCA for the other transaction.”
Claims 5, 12, and 19 recite “wherein one or more of the first historical data and the second historical data include an approval rate and basis points of fraud.”
Claims 6, and 13 recite “wherein the RBA result data further include at least one reason code that indicates at least one factor that influenced the generated risk score.”
	These additional steps of each claims fail to remedy the deficiencies of their parent claim above because they are merely further limiting the rules used to conduct the previously recited abstract idea, and are therefore rejected for at least the same rationale as applied to their parent claim above.
Claims 4, 11, and 18 recite “further comprising: display a graphical user interface (GUI) dashboard for use by the regulatory entity to evaluate fraud in payment transactions within the market; display, via the GUI, first historical data indicating a level of fraud present in transactions not mandated to be authenticated with SCA based on satisfying the risk threshold and the transaction limit set by the regulatory entity; and display, via the GUI, second historical data indicating a level of fraud present in transactions mandated to be authenticated with SCA based on not satisfying one or more of the risk threshold and the transaction limit set by the regulatory entity.” Mere instructions to display information on a GUI does not improve computer functionality, see MPEP 2106.05(a)(I) example that the courts have indicated may not be sufficient to show an improvement in computer-functionality “viii. Arranging transactional information on a graphical user interface in a manner that assists traders in processing information more quickly, Trading Technologies v. IBG LLC, 921 F.3d 1084, 1093-94, 2019 USPQ2d 138290 (Fed. Cir. 2019)”, therefore the claims are rejected for at least the same rationale as applied to their parent claim above.
Claims 7, 14, and 20 recite “further comprising: display a graphical user interface (GUI) dashboard for use by the regulatory entity to alter configuration of the authentication platform for transactions occurring in the market, the GUI dashboard allowing a regulator to alter one or more of the risk threshold and the transaction limit; and reconfigure one or more of the risk threshold and the transaction limit based on input received from the regulator via the GUI.” The altering of the configuration of the authentication platform as recited in the claims are mere instructions to alter the information to be displayed on the GUI, which does not reconfigure the GUI itself but are rather updating the information that the user has inputted and make the GUI display an updated information. Mere instructions to display an updated information on a GUI does not improve computer functionality, therefore the claims are rejected for at least the same rationale as applied to their parent claim above.
	Claims 2-7, 9-14, and 16-20, when analyzed as a whole, considering the additional elements individually and/or as an ordered combination, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitations fail to establish that the claims are sufficient to integrate into a practical application and do not amount to significantly more than the judicial exception. Similarly to the independent claims, each claim recites using a generic computer component to perform the abstract idea as mentioned above. Therefore, prong 2 and step 2B analysis are similar to above and these claims are not eligible.
Therefore, Claims 1-20 are not drawn to eligible subject matter as they are directed to an abstract idea without significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 8-10, and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over SCHULTZ (U.S. 2008/0288299) in view of Dominguez (U.S. 2011/0196791).

As per Claims 1, 8, and 15, SCHULTZ discloses an authentication platform for authenticating an online user in a transaction without use of strong consumer authentication (SCA) (See Figure 2 as disclosed [0020] “In the example of FIG. 2, the online merchant engine 202 first follows the typical credit authorization flow by requesting and authenticating from an individual who is initiating an online transaction with the online merchant engine 202 certain information required to complete the transaction. Such information can be personal data of the individual, which may include but is not limited to, name, address, telephone number, e-mail address, credit card type, credit card number, security code, and expiration date” which the typical credit authorization does not require the individual to input secondary authentication, such as a password), the authentication platform comprising:
	a memory device; and at least one processor coupled to the memory device, the at least one processor programmed to (See [0036] and [0037] disclosing processors, memories, and non-transitory computer readable media to perform the process):
	receive an authentication request message for a transaction involving a market regulated by a regulatory entity, the authentication request message includes authentication data and a transaction value (See Figure 3 – step 302 as disclosed [0032] “In the example of FIG. 3, the flowchart 300 starts at block 302 where an online merchant engine or merchant acquiring engine accepts a request for a transaction initiated by an individual online with over a network” wherein a transaction typically includes an authentication data, such as personal data of the individual (e.g. name, address, credit card number, etc.) as disclosed in [0020], and transaction value would be required to be included as the process involves verifying the credit limit of the card to the transaction amount as disclosed in [0021] and [0034]);
	extract the authentication data from the authentication request message (See Figure 3 – step 304 as disclosed [0032] “The flowchart 300 continues to block 304 where the online merchant engine authenticates the information provided by the individual for the transaction”, wherein this process of authentication can be interpreted as “extracting” authentication data from the received transaction initiated by the individual to be used for authentication);
	generate, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data that includes a risk score for the transaction ([0022] “The numerical risk score may be computed by a risk management engine 203”);
	determine that a risk of fraud in the transaction satisfies a risk threshold established by the regulatory entity by evaluating the risk score relative to the risk threshold ([0022] “In the example of FIG. 2, the third-party identity validation engine 204 validates the identity of the individual when the fraud risk of the individual is deemed high (such as by a numerical risk score for the transaction being above a threshold)”);
	determine that the transaction value is below a transaction limit set by the regulatory entity, the transaction limit identifies a threshold transaction value below which strong consumer authentication may be avoided for transactions satisfying the risk threshold ([0021] “In one embodiment, the online merchant engine 202 may identify the risk of fraud by the individual by evaluating a set of business rules and limitations and determining if these rules are met. For non-limiting examples, such rules and limitations can include one or more of: whether the single transaction amount is over a preset limit (e.g., $500)” as further disclosed regarding the transaction limit in [0033] “In some embodiments, the individual is also allowed to set a daily purchase limit for each of the cards being monitored or a threshold of transaction count, transaction size, or periodic aggregate transaction value, beyond which threshold the identity validation described herein is invoked as if high risk for fraud exists”);
	and transmit an authentication response message authenticating the transaction without strong consumer authentication having been performed on the transaction based on the determined risk of fraud satisfying the risk threshold and further based on the determined transaction amount being below the transaction limit (See Figure 3 wherein if the risk for fraud does not exist, the transaction is approved, as disclosed [0032] “If the online merchant engine 202 or a risk management engine 203 (which may be provided by some third party, which may or may not be the same third party as provides the identity validation engine, and may or may not be separate from the online merchant engine) determines that the risk for fraud is low, the transaction is approved” and see also [0021] “Once the transaction is authorized based on typical credit authorization flow, the online merchant engine 202 may either immediately approve the transaction with the individual”. Although it may be obvious to one of ordinary skill in the art that approving the transaction can be interpreted as an authentication response message being transmitted, the Examiner provides additional prior art for the purpose of compact prosecution).
Additionally, Dominguez discloses:
receive an authentication request message for a transaction involving a market regulated by a regulatory entity, the authentication request message includes authentication data and a transaction value (See Figure 7 – steps 502, 504, and 506 as disclosed [0065] “The verification request message may contain information about the transaction and the payment account that the consumer wishes to use for the transaction. At stage 506, the verification request message is provided to a Directory Server that is typically part of the payment processing network” wherein information about the transaction includes a transaction value as disclosed [0029] “Typically, the merchant or the merchant's data processing system generates a transaction authorization request message that may include data obtained from the consumer's payment device as well as other data related to the transaction and the merchant (e.g., the transaction amount)”);
	extract the authentication data from the authentication request message (See Figure 7 – steps 508 and 510 as disclosed [0065] “The Directory Server then determines whether authentication data is available for the payment account, as shown at stage 508 … If such authentication data is available, then the Directory Server provides transaction data (and if applicable, other relevant information) to the Risk Management Engine (depicted as element 314 of FIG. 4 and element 702 of FIG. 5) which is requested to perform a fraud assessment for the payment account involved in the payment transaction (stage 510)”);
	generate, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data that includes a risk score for the transaction (See Figure 7 – step 512 as disclosed [0066] “The Risk Management Engine processes the data regarding the transaction and payment account to determine the risk of fraud associated with the transaction (stage 512)”, wherein the process includes providing a risk score as disclosed [0052] “In operation, the RME may provide either one comprehensive risk score for the transaction, or may provide risk scores for multiple transaction characteristics”);
	determine that a risk of fraud in the transaction satisfies a risk threshold established by the regulatory entity by evaluating the risk score relative to the risk threshold (See Figure 7 – step 516 as disclosed [0066] “The Risk Management Engine then applies its fraud assessment process (i.e., its decision tool, predictive model or rules) to the data for the payment or other transaction (stage 516). This may include evaluating if the account or transaction has a fraud likelihood (or probability) that exceeds a specified threshold, for example”, and see also [0045] “The fraud detection (e.g., a risk assessment) for a proposed, but not yet authorized, transaction may be expressed as a score, a value of a risk associated variable, an indicator corresponding to a fraud possibility above a specified threshold”);
	determine that the transaction value is below a transaction limit set by the regulatory entity, … ([0056] “Depending on the data processing operations implemented by the inventive Risk Management Engine, other features or functions of the fraud detection or transaction risk assessment methods implemented by the present invention may include: … 2) Limit checking--to determine if dollar amount limits for an account have been or may be exceeded by the proposed transaction”);
	and transmit an authentication response message authenticating the transaction … based on the determined risk of fraud satisfying the risk threshold and further based on the determined transaction amount being below the transaction limit (See Figure 7 – step 518 as disclosed [0066] “If the fraud assessment performed by the Risk Management Engine indicates an acceptable level of risk, then the Risk Management Engine notifies the Access Control Server (or, in an alternative embodiment, the Directory Server) that the payment account may be authenticated and the process continues as described with reference to FIGS. 3 and 4 (and as depicted at stage 518)”). 
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize fraud reduction system with a risk management engine receiving authentication request, performing authentication, and transmitting authentication response as in Dominguez in the system executing the method of SCHULTZ, wherein the system of SCHULTZ already includes various engines performing the authentication process, with the motivation of offering to [0022-0024] “reduce the use of data processing resources”, “protect an authentication/authorization system from attack”, “act as a “safety net” to assist payment processing networks”, and “make it easier and less disruptive to implement” as taught by Dominguez over that of SCHULTZ.

	As per claims 2, 9, and 16, SCHULTZ discloses the authentication platform of Claim 1, the method of Claim 8, and the non-transitory computer-readable storage media of Claim 15, further comprising:
	generate an enhanced authentication request message associated with the transaction, the enhanced authentication request message including data indicating that the transaction is not mandated for strong consumer authentication (See Figure 3 – step 304 wherein if the individual is authenticated based on the provided information as low risk, then the transaction is approved, meaning additional validation (such as KBA questions in step 310) is not mandated, as disclosed [0032] “If the online merchant engine 202 or a risk management engine 203 (which may be provided by some third party, which may or may not be the same third party as provides the identity validation engine, and may or may not be separate from the online merchant engine) determines that the risk for fraud is low, the transaction is approved”).
	SCHULTZ fails to explicitly disclose, but Dominguez discloses:
	transmit the enhanced authentication request message to an access control server (ACS) ([0039] “After identifying the appropriate authentication service for the payment account or device being used for the transaction, directory server 220 forwards the VEReq message 254 to an access control server (ACS) 225 associated with the account or device issuer's authentication service”). 
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize transmitting authentication request message to an access control server as in Dominguez in the system executing the method of SCHULTZ, wherein the system of SCHULTZ includes a process of approving the transaction, with the motivation of offering to [0022-0024] “reduce the use of data processing resources”, “protect an authentication/authorization system from attack”, “act as a “safety net” to assist payment processing networks”, and “make it easier and less disruptive to implement” as taught by Dominguez over that of SCHULTZ.

	As per claims 3, 10, and 17, SCHULTZ discloses the authentication platform of Claim 2, the method of Claim 9, the non-transitory computer-readable storage media of Claim 16, further comprising:
	generate another enhanced authentication request message associated with another transaction, the other enhanced authentication request message including data indicating that the transaction is mandated for strong consumer authentication (See Figure 3 – step 306 wherein if a risk for fraud exists, then additional validation is requested which then generates Knowledge Based Authentication (KBA) questions for the user, as disclosed [0032] “Otherwise, the flowchart 300 continues to block 306 where identity validation is requested to a third-party validation engine and some of the information of the individual, such as name, address, and telephone number, is provided to the validation engine”);
	and transmit the other enhanced authentication request message to a … server, the indicated mandate causing the access control server to initiate SCA for the other transaction (See Figure 3 – steps 308 and 310 as disclosed [0032] “The flowchart 300 continues to block 308 where a reverse lookup is performed at a credit reporting engine to obtain the individual's social security number and a set of KBA questions are generated based on the individual's credit history. The flowchart 300 continues to block 310 where the set of KBA questions are provided to the individual via the online merchant engine”). 
	SCHULTZ fails to explicitly disclose, but Dominguez discloses:
transmit the other enhanced authentication request message to an access control server, the indicated mandate causing the access control server to initiate SCA for the other transaction ([0067] However, if the fraud assessment performed by the Risk Management Engine indicates that the payment account or transaction is suspected of being fraudulent, then the Risk Management Engine may perform one or both of the following operations (as depicted at stage 518): [0069] “(b) informing the Access Control Server for the issuer of the payment account, which can then return an appropriate response to the present request (or to future requests) to authenticate the payment account in a transaction”).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize transmitting authentication request message to an access control server as in Dominguez in the system executing the method of SCHULTZ, wherein the system of SCHULTZ includes transmitting the data for additional validation, with the motivation of offering to [0070] “provide an “early warning” of a fraudulent transaction” as taught by Dominguez over that of SCHULTZ.

Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over SCHULTZ in view of Dominguez, in further view of Wright (U.S. 2018/0089665).

	As per claims 4, 11, and 18, SCHULTZ fails to explicitly disclose, but Wright discloses the authentication platform of Claim 1, the method of Claim 8, and the non-transitory computer-readable storage media of Claim 15, the processor is further configured to:
	display a graphical user interface (GUI) dashboard for use by the regulatory entity to evaluate fraud in payment transactions within the market (See Figure 5 as disclosed [0077] “FIG. 5 depicts another illustrative GUI 270, which is a second example of GUI 201, showing a transaction screen display including transaction risk indication elements 272 (also referred to as risk indicators or risk level indicators)”);
	display, via the GUI, first historical data indicating a level of fraud present in transactions not mandated to be authenticated with SCA based on satisfying the risk threshold and the transaction limit set by the regulatory entity; and display, via the GUI, second historical data indicating a level of fraud present in transactions mandated to be authenticated with SCA based on not satisfying one or more of the risk threshold and the transaction limit set by the regulatory entity (See Figure 5 which displays a transaction risk value (e.g. HIGH, MED) associated with each transaction, as disclosed [0077] “As described with respect to FIG. 3, this customer risk value is factored in with the card-based failure factors and a transaction risk value is determined, based on historical data across one or more systems 100 in the network”).
	Wherein as disclosed above in Claim 1, SCHULTZ discloses:
… first historical data indicating a level of fraud present in transactions not mandated to be authenticated with SCA based on satisfying the risk threshold and the transaction limit set by the regulatory entity; and … second historical data indicating a level of fraud present in transactions mandated to be authenticated with SCA based on not satisfying one or more of the risk threshold and the transaction limit set by the regulatory entity (Figure 3 (and the associated paragraphs as mentioned in Claim 1) discloses of determining the risk level for transactions, which a risk score is compared against a threshold and also verifies the transaction amount is not over the limit, and if the risk level is “LOW” or possibly “MED” then additional validation is not required, but if the risk level is “HIGH” then the additional validation process is required. Therefore, the determined risk level is an indication whether or not to mandate an additional authentication).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize GUI displaying risk levels associated with transactions as in Wright in the system executing the method of SCHULTZ, wherein the system of SCHULTZ, as explained above, includes a risk level determination for mandating additional authentication, with the motivation of offering to provide a process that is [0014] “relatively unobtrusive and occurs in a relatively short period of time and in person to avoid unnecessary delays” as taught by Wright over that of SCHULTZ.

Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over SCHULTZ in view of Dominguez, in further view of Wright and in further view of Manapat et al. (U.S. 10,867,303 B1)

	As per claims 5, 12, and 19, SCHULTZ fails to explicitly disclose, but Manapat discloses the authentication platform of Claim 4, the method of Claim 11, and the non-transitory computer-readable storage media of Claim 18, wherein one or more of the first historical data and the second historical data include an approval rate and basis points of fraud (See Figures 1A and 1B displaying a rate of authorized transactions, and see Figure 4I disclosing a basis point of fraud from the risk assessment (e.g. information was copied and pasted)). 
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize approval rate and basis point of fraud as in Manapat in the system executing the method of SCHULTZ with the motivation of offering to provide [Col 1 Lines 52-62] control for better user experience as taught by Manapat over that of SCHULTZ.

Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over SCHULTZ in view of Dominguez, in further view of Diev et al. (U.S. 2017/0228635).

	As per claims 6 and 13, SCHULTZ fails to explicitly disclose, but Diev discloses the authentication platform of Claim 1 and the method of Claim 8, wherein the RBA result data further include at least one reason code that indicates at least one factor that influenced the generated risk score ([0017] "the predetermined input variable categories of input variables comprise reason codes that identify the input variables that contributed to the computed set of attribution scores"). 
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize transmitting authentication request message to an access control server as in Diev in the system executing the method of SCHULTZ, wherein the system of SCHULTZ generates a risk score, with the motivation of offering to provide [0198] “an easier time explaining to the customer why the transaction was declined” as taught by Diev over that of SCHULTZ.

Claims 7, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over SCHULTZ in view of Dominguez, in further view of Manapat et al. (U.S. 10,867,303 B1) 

As per claims 7, 14, and 20, Manapat discloses the authentication platform of Claim 1, the method of Claim 8, and the non-transitory computer-readable storage media of Claim 15, further comprising:
	display a graphical user interface (GUI) dashboard for use by the regulatory entity to alter configuration of the authentication platform for transactions occurring in the market, the GUI dashboard allowing a regulator to alter one or more of the risk threshold and the transaction limit (See Figure 4A displaying a GUI for the user to create a new rule, and see also Figures 4F and 4G showing an example rule for altering the transaction limit, and also Figure 4H for altering the risk level threshold to “highest”);
	and reconfigure one or more of the risk threshold and the transaction limit based on input received from the regulator via the GUI (See Figure 4G including “Add and Enable” button to reconfigure the transaction limit). 
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize changing risk threshold and transaction limit through GUI as in Manapat in the system executing the method of SCHULTZ with the motivation of offering to provide [Col 1 Lines 52-62] control for better user experience as taught by Manapat over that of SCHULTZ.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/448,572, 16/448,596, and 16/488,822. Although the claims at issue are not identical, they are not patentably distinct from each other because they are all directed toward method and systems for risk-based authentication (RBA).
The instant application performs the RBA without a strong consumer authentication (SCA), compares the risk score to a threshold, and then transmits the results.
The ‘572 application performs the RBA and transmits the results to the ACS.
The ‘596 application performs the RBA and routes the results.
The ‘822 application determines if an Access Control Sever (ACS) is unavailable to process the transaction, then it performs the RBA and routes the results.
It would have been obvious to one of ordinary skilled in the art at the time of filing that a system performing RBA on behalf of the ACS would also be processed if ACS is unavailable to perform the transaction, and SCA would be performed later if RBA results as a high risk. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Roche et al. (U.S. 2011/0218879) discloses a method and corresponding system for supporting authentication processing of commercial transactions conducted over a communications network between consumers and merchants.
Sheets et al. (U.S. 9,390,445 B2) discloses of the invention providing strong user authentication on a consumer device without requiring the user to go through a formal registration process with the issuer or processing network.
Hey et al. (U.S. 2017/0046701) discloses systems and methods for use in monitoring authentication messaging associated with payment account transactions.
Gilbert et al. (U.S. 2015/0161608) discloses cardholder authentication method including receiving, at an authentication network, an authentication request involving an account.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY H JUNG whose telephone number is (571)270-5018.  The examiner can normally be reached on Mon - Fri 8:30 - 4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine M Behncke can be reached on 571-272-8103.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/H.H.J./           Examiner, Art Unit 3697                                                                                                                                                                                            
	
	/CHRISTINE M BEHNCKE/           Supervisory Patent Examiner, Art Unit 3697