DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
	Claims 1-20 are currently pending and rejected.

Claim Rejection – 35 U.S.C. 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The rationale for this finding is explained below.  In the instant case, the claims are directed towards combining payment data and cyber fraud indicators to identify potential fraud.  Combining payment data and cyber fraud indicators to identify potential fraud falls under the grouping of “organizing human activity” in 2019 Revised Patent Subject Matter Eligibility Guidance, thus the claims include an abstract idea.  The claims do not include limitations that are “significantly more” than the abstract idea because the claims do not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment.  Note that the limitations, in the instant claims, are done by the generically recited computer device.  The limitations are merely instructions to implement the abstract idea on a computer and require no more than a generic computer to perform generic computer functions that are well-understood, routine and conventional activities previously known to the industry.  Therefore, claims 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.    
Step 1: The claims 1-20 are directed to a process, machine, manufacture, or composition matter.
In Alice Corp. Pty. Ltd. v. CLS Bank Intern., 134 S. Ct. 2347 (2014), the Supreme Court applied a two-step test for determining whether a claim recites patentable subject matter. First, we determine whether the claims at issue are directed to one or more patent-ineligible concepts, i.e., laws of nature, natural phenomenon, and abstract ideas. Id. at 2355 (citing Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1296–96 (2012)). If so, we then consider whether the elements of each claim, both individually and as an ordered combination, transform the nature of the claim into a patent-eligible application to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. 
Step 2A: The claims are directed to an abstract idea.
Prong One
The present claims recite a system and a method for combining payment data and cyber fraud indicators to identify potential fraud.  The claimed concept comprises maintaining a list of known fraud characteristics and fraud indicators, receiving a payment instruction from a client, and comparing the payment instruction to the list of known known fraud characteristics and fraud indicators to identify one or more cyber fraud indictors associate with the payment instruction, attaching the one or more cyber fraud indictors to the payment instruction to generate a risk score, and applying payment decision to the payment instruction.  Examiner points out that analyzing user’s activity prior to payment against a list of known fraud characteristics and generating a payment decision based on the risk score is managing personal behavior and/or interactions between people.  The performance of the claimed steps using generic computer components (i.e. a memory and a computer processor) does not preclude the claimed steps from being performed by human mind.  The recitation of computer components amounts to mere form of insignificant extra-solution.
Prong Two
The recited computer elements merely perform the functions of receiving instruction, identifying fraud indictor by comparing to a list, combining the cyber fraud indicator to payment instruction and generate a risk score.  Claim 1 for example, recites merely a memory and a computer coupled to the memory as additional elements.  The memory is claimed to store a list of known fraud characteristics and cyber fraud indicators (i.e. “receiving, processing, and storing data”).  Independent claim 11 recites similar limitations.  The computer processor is claimed to receive payment instruction (i.e. “receiving, processing, and storing data”), identify one or more cyber fraud indicators (i.e. comparing data to a list, could be mental processing), merge cyber fraud indicators to payment instruction (i.e. processing and storing data, note: claim limitation does not specify any particular data structure for merging data), generate a risk score (i.e. performing calculation), and apply payment decisioning to the payment instruction (i.e. mental processing, simply approving or rejecting the payment).  According to MPEP 2106.05(d), “performing repetitive calculations“, “receiving, processing, and storing data”, “electronically scanning or extracting data from a physical document”, “electronic recordkeeping”, and “receiving or transmitting data over a network, e.g., using the Internet to gather data” are considered well-understood, routine, and conventional functions of computer.  The recitation of the computer elements amounts to mere instruction to implement an abstract concept on computers.  The combination of these elements is no more than mere instructions to apply the judicial exception using a general purpose computer.  Accordingly, even in combination, these elements do not integrate the abstract idea into a practical application because they do not improve the functioning of the computer itself or produce physical transformation.  Therefore, the claims are directed to an abstract idea.
Examiner points out that analyzing user’s activity prior to payment against a list of known fraud characteristics and generating a payment decision based on the risk score is managing personal behavior and/or interactions between people.  Detecting fraud indicators based on comparing whether an IP address is associated with prior fraudulent activity is nothing more than comparing data against a blacklist.  Specifying cyber-attack as social engineering type attack does not change the nature of the claimed invention, which is basically matching payment data against a list of known fraud characteristics and fraud indicators.  The recitation of learning analytics and using detected cyber fraud indicators as feedback also does not render the claims any less abstract.  Machine learning algorithm was well-known at the time of the invention, and it works by constantly learning from new data set.  The amended claims are merely utilizing existing computer process in a generic fashion, thus the claims do not recite any improvement to computer function.  
Examiner also points out that dependent claims 2-10 and 12-20 do not recite additional element.  Claims 2-5 and 12-15 merely provide definition of terms in the independent claims.  Claims 6 and 16 merely recite a GUI for displaying data, which is generic computer element.  Claims 6-10 and 16-20 recite additional data processing, but “receiving, processing, and storing data” is well-understood and conventional computer function according MPEP 2106.05(d).  Therefore, these dependent claims cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.
Step 2B: The claims do not recite additional elements that amount to significantly more than the abstract idea.  
As discussed with respect to Step 2A Prong two, the additional elements in the claims comprise only a memory and a computer processor.  The recited computer elements merely perform basic computer functions of receiving instruction, identifying fraud indictor by comparing to a list, combining the cyber fraud indicator to payment instruction and generate a risk score.  According to MPEP 2106.05(d), the additional elements perform functions that are well-understood, routine, and conventional.  The additional elements in the claims amount to no more than mere instructions to apply the exception using generic computer components.  The same conclusion is reached in Step 2B, i.e. mere instruction to apply an exception on a general purpose computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.  Therefore, the present claims are ineligible for patent.

Claim Rejection – 35 U.S.C. 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 2, 4, 6-12, 14, and 16-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stubblefield et al. (Pub. No.: US 2015/0106265), in view of Srivastava et al. (Pub. No.: US 2012/0096553) and Binns et al. (Pub. No.: US 2018/0308099).
As per claim 1 and 11, Stubblefield teaches a system that combines payment data and cyber fraud indicators to identify potential fraud in payment requests from a client, the system comprising:
a memory that stores and maintains a list of known fraud characteristics and cyber fraud indicators (see paragraph 0038-0039, “system maintains a set of indicia of fraud”; also see paragraph 0018 for memory; see paragraph 0044, fraud indicators includes IP address, which suggest they are cyber fraud indicators); and
a computer processor, coupled to the memory, programmed to (see paragraph 0018):
receive, via an electronic input, a payment instruction from the client (see paragraph 0024 and 0056-0057);
identify one or more cyber fraud indicators associated with the payment instruction (see paragraph 0014, 0024, 0034, 0036-0039, 0041, 0063, especially paragraph 0038 which teaches “the communication number fraud analysis module…to identify presence of one or more indicia of fraud”; also see TABLE 1 and TABLE 2);
apply payment decisioning to merge the one or more cyber fraud indicators to the payment instruction (see paragraph 0026, 0036-0044, prior art teaches before risk score is calculated, fraud indicators are identified and evaluated by the fraud analysis module; merging the fraud indicators to the payment instruction basically means including the fraud indicators to the payment data to be evaluate together, which the prior art clearly does);
generate a risk score based on the payment decisioning to determine whether the payment instruction should be executed (see paragraph 0015, 0026, 0042-0045, 0062); and
automatically apply the payment decisioning to the payment instruction (see paragraph 0046 and TABLE 4, and 0059, prior art apply payment decisioning based on the risk score).
Examiner notes Stubblefield does not teach wherein the known fraud characteristics and cyber fraud indicators are associated with the activities prior to the payment instruction; identify one or more cyber fraud indicators associated with an attack perpetrated against a client prior to the payment instruction, wherein the attack comprises one of social engineering and business email comprises that involves an attacker leveraging information about a victim acquired on a plurality of websites in order to convince the victim to initiate the payment instruction, there the payment instruction appears legitimate but is premised on fraudulent grounds, and the one or more cyber fraud indicators include an IP address associated with prior fraudulent activity, an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, and a look alike domain accessed by the device used by the victim prior to the payment instruction; wherein the payment decisioning is based on learning analytics whereby identified characteristics potentially fraudulent activities are applied to downstream decisioning; wherein the payment decisioning considers a beneficiary of the payment instruction; add one or more new cyber fraud indicators identified in the received payment instruction to the list of known fraud characteristics and cyber fraud indicators; and apply the one or more new cyber fraud indicators as feedback to the learning analytics in order to train and further refine the learning analytics.
Srivastava teaches wherein the known fraud characteristics and cyber fraud indicators are associated with the activities prior to the payment instruction (see paragraph 0019-0020, “the system may possess existing information about the website, domain name, URL, IP address, or other information associated with the webpage that indicates that the webpage or website may be associated with malicious activity…such as previous social engineering attempts”); 
identify one or more cyber fraud indicators associated with an attack perpetrated against a client prior to the payment instruction, wherein the attack comprises one of social engineering and business email comprises that involves an attacker leveraging information about a victim acquired on a plurality of websites in order to convince the victim to initiate the payment instruction, there the payment instruction appears legitimate but is premised on fraudulent grounds, and the one or more cyber fraud indicators include an IP address associated with prior fraudulent activity, an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, and a look alike domain accessed by the device used by the victim prior to the payment instruction (see paragraph 0020, 0037, 0040, and 0051, prior art teaches comparing IP address against a database of previously archived malicious domain names and IP addresses; paragraph 0042-0049 teach look alike domain “constructed to fraudulently pose as other, legitimate websites”); 
wherein the payment decisioning is based on learning analytics whereby identified characteristics potentially fraudulent activities are applied to downstream decisioning (see paragraph 0052, indicators are “fed back into one or more automated processes”… “to further machine learning and optimization of scoring processes”, prior art teaches machine learning and optimization of scoring processes, thus implying that identified characteristics are applied to downstream decisioning); 
add one or more new cyber fraud indicators identified in the received payment instruction to the list of known fraud characteristics and cyber fraud indicators (see paragraph 0051); and 
apply the one or more new cyber fraud indicators as feedback to the learning analytics in order to train and further refine the learning analytics (see paragraph 0052, indicators are “fed back into one or more automated processes”… “to further machine learning and optimization of scoring processes”).
Binn teaches wherein the payment decisioning considers a beneficiary of the payment instruction (see paragraph 0003-0005, 0014, 0020, 0021, 0043, for example).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Stubblefield with teaching from Srivastava and Binn to include wherein the known fraud characteristics and cyber fraud indicators are associated with the activities prior to the payment instruction; identify one or more cyber fraud indicators associated with an attack perpetrated against a client prior to the payment instruction, wherein the attack comprises one of social engineering and business email comprises that involves an attacker leveraging information about a victim acquired on a plurality of websites in order to convince the victim to initiate the payment instruction, there the payment instruction appears legitimate but is premised on fraudulent grounds, and the one or more cyber fraud indicators include an IP address associated with prior fraudulent activity, an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, and a look alike domain accessed by the device used by the victim prior to the payment instruction; wherein the payment decisioning is based on learning analytics whereby identified characteristics potentially fraudulent activities are applied to downstream decisioning; wherein the payment decisioning considers a beneficiary of the payment instruction; add one or more new cyber fraud indicators identified in the received payment instruction to the list of known fraud characteristics and cyber fraud indicators; and apply the one or more new cyber fraud indicators as feedback to the learning analytics in order to train and further refine the learning analytics.  The modification would have been obvious, because it is merely applying a known technique (i.e. use machine learning to detect fraudulent indicators based on comparing data against previous social engineering attempts) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. provide constantly improving fraud detection service).
As per claim 2 and 12, Stubblefield teaches wherein the one or more cyber fraud indicators comprise an originating IP address (see paragraph 0044).
As per claim 4 and 14, Stubblefield does not teach wherein the one or more cyber fraud indicators comprise look alike domain names.
Srivastava teaches cyber fraud indicators comprise look alike domain names (see paragraph 0042-0049, prior art teach look alike domain “constructed to fraudulently pose as other, legitimate websites”).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Stubblefield with teaching from Srivastava to include cyber fraud indicators comprise look alike domain names.  The modification would have been obvious, because it is merely applying a known technique (i.e. including domain name as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).
As per claim 6 and 16, Stubblefield teaches an interactive user interface that enables the client to view the risk score and determine a payment action in response (see paragraph 0046 and TABLE 4, and 0058-0059, risk score is calculated and outputted along with recommended payment action; one skilled in the art would know outputting risk score and recommended action typically means displaying them on a graphical user interface).
As per claim 7 and 17, Stubblefield teaches wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of the client (see paragraph 0051, prior art teaches applying learning analytics to study pattern of sample users and applying the analytics to other users).
As per claim 8 and 18, Stubblefield teaches wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of a second client different from the client (see paragraph 0051, prior art teaches applying learning analytics to study pattern of sample users and applying the analytics to other users).
As per claim 9 and 19, Stubblefield teaches wherein the payment instruction further comprises a request for access to client sensitive information (see paragraph 0014 and 0059).
As per claim 10 and 20, Stubblefield teaches wherein the computer processor is further programmed to leverage a separate and distinct risk score generated based on beneficiary account data elements (see paragraph 0015, 0059, 0062).

Claim 3 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stubblefield et al. (Pub. No.: US 2015/0106265), in view of Srivastava et al. (Pub. No.: US 2012/0096553) and Binns et al. (Pub. No.: US 2018/0308099), and further in view of Ivey et al. (Pub. No.: US 2016/0005029).
As per claim 3 and 13, Stubblefield does not teach wherein the one or more cyber fraud indicators comprise malware indicators.
Ivey teaches cyber fraud indicators comprise malware indicators (see paragraph 0062).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Stubblefield with teaching from Ivey to include cyber fraud indicators comprise malware indicator.  The modification would have been obvious, because it is merely applying a known technique (i.e. including malware indicator as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).

Claim 5 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Stubblefield et al. (Pub. No.: US 2015/0106265), in view of Srivastava et al. (Pub. No.: US 2012/0096553) and Binns et al. (Pub. No.: US 2018/0308099), and further in view of Kowalchyk et al. (Patent No.: US 8,020,763).
As per claim 5 and 15, Stubblefield does not teach wherein the one or more cyber fraud indicators comprise voice biometrics.
Kowalchyk teaches cyber fraud indicators comprise voice biometrics (see column 4, line 29-48; column 13, line 33-54; column 16, line 48-54).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Stubblefield with teaching from Kowalchyk to include cyber fraud indicators comprise voice biometrics.  The modification would have been obvious, because it is merely applying a known technique (i.e. including voice biometrics as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).

Response to Remarks
In the response filed on 02/18/2015, Applicant amended independent claims 1 and 11.  The amended claims now define the cyber fraud indictors are associated with social engineering attempts and recite the new cyber fraud indicators are used as feedback in machine learning.  Examiner points out that social engineering type cyber frauds are well-known and feeding new data into machine learning algorithm to improve accuracy is a conventional process (i.e. this is literally what machine learning is performed).  Applicant's arguments with respect to 35 U.S.C. 101 have been fully considered but they are not persuasive. 
The present claims recite a system and a method for combining payment data and cyber fraud indicators to identify potential fraud.  The claimed concept comprises maintaining a list of known fraud characteristics and fraud indicators, receiving a payment instruction from a client, and comparing the payment instruction to the list of known known fraud characteristics and fraud indicators to identify one or more cyber fraud indictors associate with the payment instruction, attaching the one or more cyber fraud indictors to the payment instruction to generate a risk score, and applying payment decision to the payment instruction.  Examiner points out that analyzing user’s activity prior to payment against a list of known fraud characteristics and generating a payment decision based on the risk score is managing personal behavior and/or interactions between people.  Detecting fraud indicators based on comparing whether an IP address is associated with prior fraudulent activity is nothing more than comparing data against a blacklist.  Specifying cyber-attack as social engineering type attack does not change the nature of the claimed invention, which is basically matching payment data against a list of known fraud characteristics and fraud indicators.  The recitation of learning analytics and using detected cyber fraud indicators as feedback also does not render the claims any less abstract.  Machine learning algorithm was well-known at the time of the invention, and it works by constantly learning from new data set.  The amended claims are merely utilizing existing computer process in a generic fashion, thus the claims do not recite any improvement to computer function.  Mere instruction to apply an exception on a general purpose computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.  Therefore, Examiner maintains the ground of rejection under 35 U.S.C. 101.
Examiner also cites two new references, Srivastava et al. (Pub. No.: US 2012/0096553) and Binns et al. (Pub. No.: US 2018/0308099), to address the amended limitations for rejection under 35 U.S.C. 103.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAO FU whose telephone number is (571)270-3441.  The examiner can normally be reached on 9:00 AM - 6:00 PM PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine Behncke can be reached on (571) 272-8103.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HAO FU/Primary Examiner, Art Unit 3697                                                                                                                                                                                                        
MAY-2021