DETAILED ACTION

Acknowledgements
This Office Action is in response to Applicant’s response/application filed on 09/24/2018.
The Examiner notes that citations to United States Patent Application Publication paragraphs are formatted as [####], #### representing the paragraph number.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1-20 are currently pending and have been examined.

Priority
Acknowledgment is made of applicant's claim for foreign priority based on an application filed in China on 03/25/2016. It is noted, however, that applicant has not filed a certified copy of the CN 201610176988.6 application as required by 37 CFR 1.55.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

As per claims 1-20, the claimed invention is directed to an abstract idea without significantly more because:
•             Claim 1 recites
              determining, from one or more risk factors of one or more of risk control rules and a risk control model identifying relationships between risk factors and risk control decision results, a risk factor corresponding to a risk control decision result of a service matching service data for a corresponding risk factor; 
              determining a risk information set corresponding to the risk factor, wherein the risk information set includes a plurality of levels of risk information having different refinement degrees and including information explaining a cause of the risk control decision result;
              determining, from the plurality of levels of risk information and based on a risk information requirement level of a service owner of the service, one or more levels of risk information having refinement degrees matching the risk information requirement level of the service owner; and 
              providing, to the service owner, the one or more levels of risk information.
•             Under Step 1 of the Section 101 analysis, the claim(s) is/are directed to a method, a manufacture, and a system, which are statutory categories of invention.
•             Under Step 2A Prong One of the 2019 Revised Patent Subject Matter Eligiblity Guidance, the claimed invention as drafted includes language (see underlined language above) that recites an abstract idea of determining a risk factor, a risk information set, and risk information levels (a mental process such as a concept performed in the human mind, e.g. an observation, evaluation, judgment, opinion), but for the recitation of additional claim elements. That is, other than reciting “computer”, “memory device”, nothing in the claim precludes the language from being practically performed in the mind. For example, a person is capable of determining a risk factor corresponding to a risk control result, determining a risk information set corresponding to the risk factor, and determining one or more levels of risk information.  Furthermore, the claimed invention as drafted includes language (see underlined language above) that recites an abstract idea of providing levels of risk information to a service owner (fundamental economic principles or practices such as mitigating risk, and/or a certain method of organizing human activity such as a commercial or legal interactions, e.g. sales activities or behaviors) but for the recitation of additional claim elements. Claims 
•             A similar analysis can be applied to dependent claims 2-9, 11-18, and 20, which further recite the abstract idea of determining a correspondence between the risk information set and the risk factors, determining risk control requirement information of the service owner, inferring the risk information of the service owner, and providing a description to the service owner (fundamental economic principles or practices such as mitigating risk, and/or a certain method of organizing human activity such as a commercial or legal interactions, e.g. sales activities or behaviors). That is, other than reciting the additional elements, nothing in the claim precludes the language from being considered as performed manually. For example, a person is capable of determining a correspondence between the risk information set and the risk factors, determining risk control requirement information of the service owner, inferring the risk information of the service owner, and providing a description to the service owner.
•             Under Step 2A Prong Two of the 2019 Revised Patent Subject Matter Eligiblity Guidance, the additional claim element(s), considered individually, do not apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception and in a manner that integrates the exception into a practical application of the exception. The additional claim elements(s) merely add 
•             A similar analysis can be applied to dependent claims 2-9, 11-18, and 20, which include additional claim elements that merely add the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea.
•             Under Step 2A Prong Two, the additional claim element(s), considered in combination, do not apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception and in a manner that integrates the exception into a practical application of the exception. The combination of elements is no more than the sum of their parts. Unlike the eligible claims in Diehr and Bascom, in which the elements limiting the exception taken together improve a technical field, the instant claim lacks an improvement to the functioning of a computer or to any other technology or technical field.
•             Under Step 2B, the additional claim element(s), considered individually and in combination, do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the 
Therefore, claims 1-20 are rejected under 35 U.S.C. §101.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4, 6, 8-13, 15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Treacey et al. (US 20120053982), in view of Kruglick (US 20160292687).
Regarding claims 1, 10, and 19, Treacey discloses:
          a non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations;
            one or more computers; 
           one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations comprising:
            determining, from one or more risk factors of one or more of risk control rules and a risk control model identifying relationships between risk factors and risk control decision results, a risk factor corresponding to a risk control decision result of a service matching service data for a corresponding risk factor (By disclosing, “a list of risks ([risk factor]) may be defined over the entire organization” ([0006] of Treacey); “At block 301 a risk is identified” ([0052] of Treacey); “an identified risk may be mapped to a root cause ([risk control decision result]) based on the risk category of the identified risk. Mapping a risk into a risk category (framework) ([risk control model]) and subsequently to a root cause may provide an ability to show, at a low level, the highest areas of risk within an E2E environment and then to analyze if any existing controls ([risk control rules]) are 
           determining a risk information set corresponding to the risk factor, wherein the risk information set includes a plurality of levels of risk information having different refinement degrees and including information explaining a cause of the risk control decision result (By disclosing, “the RPN value of the identified risk is determined by multiplying the severity level, occurrence level, and detection level together. Because each level may vary from 1 to 5, the RPN varies from 1 to 125, where the larger the RPN, the greater the risk level. ([0068]-[0069] and Fig. 4 of Treacey); and “an identified risk may be mapped to a root cause ([risk control decision result]) based on the risk category of the identified risk. Mapping a risk into a risk category (framework) ([risk control model]) and subsequently to a root cause may provide an ability to show, at a low level, the highest areas of risk within an E2E environment and then to analyze if any existing controls are effective or need improvement as well as implementation of additional controls” ([0008] and [0030] of Treacey)); and 
          providing, to the service owner, the one or more levels of risk information (By disclosing, “FIG. 7 shows illustrative screen shot 700 for a summary of a risk in accordance with an aspect of the invention. Screen shot 700 enables a user to … edit an existing risk.” ([0118], [0121], and Fig. 7 of Treacey)).
           Treacey does not expressly disclose:
determining, from the plurality of levels of risk information and based on a risk information requirement level of a service owner of the service, one or more levels of risk information having refinement degrees matching the risk information requirement level of the service owner.
            However, Kruglick teaches:
            determining, from the plurality of levels of risk information and based on a risk information requirement level of a service owner of the service, one or more levels of risk information matching the risk information requirement level of the service owner (By disclosing, “risk assessment component 402 can generate a calculation that indicates the level of risk of the transaction. The level of risk can be compared to a defined threshold that can be pre-programmed at or accessed by PC system 102 and/or changed from time to time to reflect different sensitivity to risk that the provider of the good or services associated with the transaction may have.” ([0060] of Kruglick)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of determining, from the plurality of levels of risk information and based on a risk information requirement level of a service owner of the service, one or more levels of risk information having refinement degrees as disclosed by Treacey in view of Kruglick to include determining, from the plurality of levels of risk information and based on a risk information requirement level of a service owner of the service, one or more levels of risk information having refinement degrees matching the risk information requirement level of the service owner. Doing so would result in an improved invention because this would allow service owners customize their own risk requirement level, which makes the risk assessment system suitable for different types of service owners.

Regarding claims 2, 11, and 20, 
          determining a correspondence between the risk information set and the one or more risk factors in the risk control rules and the risk control model (By disclosing, “At block 301 a risk is identified and the corresponding risk level (e.g., risk priority number (RPN) and the risk score), as will be further discussed with FIG. 4, are determined from risk information” ([0052], Fig. 3 of Treacey); and “Screen shot 1000 shows the key E2E controls (shown as a "Controls Inventory" or "System of Record") that have been identified and are utilized in the organization's infrastructure to reduce the risk level. For example, entry 1001 corresponds to control id CID-15 that ensures applications are registered for access rights. The controls shown in screen shot 1000 are typically specific for an organization but may be mapped to standard, risk frameworks (ITIL, COBIT and NIST). A control may also be mapped to one or more known risks (either Self Identified or Audit raised) or to a country specific regulatory and/or legal requirement.” ([0128] of Treacey)).  


Regarding claims 3 and 12, Treacey does not expressly disclose:
          before the determination of the one or more levels of risk information, determining, using a predetermined configuration file, risk control requirement information of the service owner; and
          inferring the risk information requirement level of the service owner from the risk control requirement information of the service owner.
          However, Kruglick teaches:
          before the determination of the one or more levels of risk information, determining, using a predetermined configuration file, risk control requirement information of the service owner (By disclosing, “risk assessment component 402 can generate a calculation that indicates the level of risk of the transaction. The level of risk can be compared to a defined threshold that can be pre-programmed at or accessed by PC system 102 and/or changed from time to time to reflect different sensitivity to risk that the provider of the good or services associated with the transaction may have”; and “the risk threshold employed for the evaluation can differ based on the preference of the merchant associated with providing the goods or services that are the subject of the transaction” ([0060] and [0067] of Kruglick)); and 
         inferring the risk information requirement level of the service owner from the risk control requirement information of the service owner ([0060] and [0067] of Kruglick)).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Treacey in view of Kruglick to include techniques of before the determination of the one or more levels of risk information, determining, using a predetermined configuration file, risk control requirement information of the service owner; and inferring the risk information requirement level of the service owner from the risk control requirement information of the service owner. Doing so would result in an improved invention because this would allow different service owners having their own risk requirement levels, which makes the risk assessment system suitable for different types of service owners.

Regarding claims 4 and 13, 
          providing the one or more levels of risk information includes outputting the one or more levels of risk information to the service owner when providing the one or more levels of risk information to the service owner (By disclosing, “FIG. 7 shows illustrative screen shot 700 for a summary of a risk in accordance with an aspect of the invention. Screen shot 700 enables a user to … edit an existing risk.” ([0118], [0121], and Fig. 7 of Treacey)).  

Regarding claims 6 and 15, 
          wherein the plurality of levels of risk information are constructed based on the risk control rules, the risk control model, and historical risk control experience data. (By disclosing, “FIG. 10 shows illustrative screen shot 1000 for a control inventory summary in accordance with an aspect of the invention. Screen shot 1000 shows the key E2E controls (shown as a "Controls Inventory" or "System of Record") that have been identified and are utilized in the organization's infrastructure to reduce the risk level” (See at least paragraph [0128] and Fig. 10 of Treacey)). 

Regarding claims 8 and 17, Treacey does not expressly disclose:
          wherein the risk control decision result of the service owner includes rejecting the service, accepting the service, or a need to manually review the service.
          However, Kruglick teaches:
          wherein the risk control decision result of the service owner includes rejecting the service, accepting the service, or a need to manually review the service (By disclosing, “After risk assessment component 402 receives information after physical verification of the entity, risk assessment component 402 can perform another assessment to determine whether the transaction should be approved. In some embodiments, the physical verification is successful and PC system 102 outputs a message to payment processing device to approve and/or process the transaction” ([0061] of Kruglick)).  
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of 

Regarding claims 9 and 18, 
          wherein the service is a payment service, and wherein the service owner is a merchant of the payment service ([0031]-[0031] of Kruglick).
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Treacey in view of Kruglick to include a payment service as the service and a merchant as the service owner.  Doing so would result in an improved invention because this would allow the risk assessment system be used in the business transactions, thus expending the scope of the claimed invention.   

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Treacey et al. (US 20120053982), in view of Kruglick (US 20160292687), and further in view of Dennis et al. (US 20140324519).
Regarding claims 5 and 14, Treacey does not expressly disclose:
          wherein the risk information requirement level of the service owner is one of multiple predetermined risk information requirement levels, 30wherein each of the multiple predetermined risk information requirement levels indicates a risk information requirement degree of the service owner or a risk information requirement depth of the service owner.
          However, Dennis teaches:
          wherein the risk information requirement level of the service owner is one of multiple predetermined risk information requirement levels, 30wherein each of the multiple predetermined risk information requirement levels indicates a risk information requirement degree of the service owner or a risk information requirement depth of the service owner (By disclosing, “FIG. 7 illustrates a risk decision making matrix 700 to assist the system 101 in determining which user/users to alert when individual or aggregate/portfolio risk levels are above predetermined threshold values” which infers that levels below the threshold values are required (See at least paragraph [0043] of Dennis)).  
          Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Treacey in view of Dennis to include techniques of the risk information requirement level of the service owner is one of multiple predetermined risk information requirement levels, 30wherein each of the multiple predetermined risk information requirement levels indicates a risk information requirement degree of the service owner or a risk information requirement depth of the service owner.  Doing so would result in an improved invention because this would allow the risk be assessed based on a clearer detailed standard, and make it easier for the risk assessment system to make a risk control decision result based on the detailed standard.

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Treacey et al. (US 20120053982), in view of Kruglick (US 20160292687), and further in view of Yu et al. (US 9292808).
Regarding claims 7 and 16, 
         providing, to the service owner, a description describing how the plurality of levels of risk information are determined (By disclosing, “[t]he calculated risk level 906 may be calculated and displayed to a user” (See at least Col 7 line 64 -Col 8 line 42 of Yu)).  
           Therefore, it would have been obvious to one of ordinary skill in the art at the effective filing date of the present application to modify the method of Treacey to include techniques of providing, to the service owner, a description describing how the plurality of levels of risk information are determined. Doing so would result in an improved invention because this would allow a user understand the reason for getting the risk level, which makes the processing method of the risk assessment system more transparent.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20150026027 to Priess for disclosing a platform for fraud detection and analysis.
US 20150073981 to Adjaoute for disclosing processing daily payment transaction data with a risk and compliance platform to obtain a fraud score for each constituent transaction.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUAN ZHANG whose telephone number is (571)272-4642.  The examiner can normally be reached on Mon - Fri 10 AM-5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached on 5712701492.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/DUAN ZHANG/Examiner, Art Unit 3685                                                                                                                                                                                                        
/JAY HUANG/Primary Examiner, Art Unit 3685