DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
	Claims 1-20 are currently pending and rejected.

Claim Rejection – 35 U.S.C. 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 2, 4, 6-12, 14, and 16-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Binns et al. (Pub. No.: US 2018/0308099), in view of Srivastava et al. (Pub. No.: US 2012/0096553) and Barnhardt et al. (Pub. No.: US 2018/0181962).
As per claim 1 and 11, Binn teaches a system that combines payment data and cyber fraud indicators to identify potential fraud in payment requests from a client, the system comprising:
a memory that stores and maintains a list of known fraud characteristics and cyber fraud indicators associated with activities prior to a payment instruction (see paragraph 0029 for memory; paragraph 0014 and 0022 teach “fraud marker”, which is indicator of fraud; see paragraph 0037, “Fraud marker engine 202 generally creates and stores fraud markers”, and paragraph 0041, “activity monitoring engine 206 receives and stores some or all of the fraud markers created by fraud marker engine 202 and uses them to determine matches against the monitored activity 207”; also see paragraph 0037-0038, “fraud marker engine 202 assists with analyzing activity 203 between payors and payees (which could be some or all of activity 112, e.g., activity occurring prior to activity 207, on a different network, etc.) to determine fraud markers 108 that can identify fraudulent or likely fraudulent activity”); and
a computer processor, coupled to the memory, programmed to (see paragraph –28):
 	receive, via an electronic input, a legitimate payment instruction from the client (see paragraph 0007 and 0013, “the legitimate (and often willing) payor creates a seemingly legitimate transaction to payee”…”even though the transaction was properly initiated, it may still have been fraudulently induced by the beneficiary of that payment (i.e., the payee)”; see paragraph 0041, activity monitoring and matching engine receive/monitor transaction data between payor and payee);

identify one or more cyber fraud indicators, from one or more of a social engineering attack and a business email compromise attack against a client prior to the legitimate payment instruction that cause the client to initiate the legitimate payment instruction on fraudulent grounds, the social engineering attack and the email compromise attack based on leveraging information about the client acquired on a plurality of websites (see paragraph 0013-0014, 0037, 0041-0043. 0050-0059, prior art teaches monitoring payor and payee activities occurring prior to transaction to detect fraudulent pattern, and generate fraud markers/indicators that are associated with detected or potential fraudulent activities; see paragraph 0013 and 0084, “phishing scam via email”, prior art teaches detecting phishing scam, which is a social engineering attack and an email attack against a client),
and the one or more cyber fraud indicators include an IP address associated with prior fraudulent activity, an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, an automatic number identification that determines an origination telephone number associated with fraudulent activity, and a look alike domain accessed by the device used by the victim prior to the payment instruction (see paragraph 0051-0052 and 0073, fraud markers can be email address, IP address, phone number, etc., associated with prior fraudulent activities; “the one or more” language requires only one of the listed fraud indicators); 
whereby identified characteristics of potentially fraudulent activities are applied to downstream decisioning (see paragraph 0014, 0037, and 0041-0043, activity monitoring engine and activity management engine monitors and compares transaction data to previously identified/generated fraud markers to detect fraud; in other words, identified fraud characteristics are applied to downstream decisioning); 
apply analytics, based on one or more of known fraudulent activity and suspected fraudulent activity involving both a payor and payment beneficiary, to the correlated one or more cyber fraud indicators and legitimate payment instruction to determine that the legitimate payment instruction is likely originating from fraudulent activity (see paragraph 0003, 0020-0021, and 0026, “payee data database 120 stores account information about particular payees and information about payees taken from activity (e.g., activity 206, such as transactions) initiated by payors” and “Payee database 120 stores, in some embodiments, data related to all transactions previously identified as fraudulent or potentially fraudulent”; also see paragraph 0041, “Activity monitoring and matching engine (“activity monitoring engine”) 206 generally monitors activity 207 of affecting payor and/or payee accounts and determines when certain activity matches one or more fraud markers”; both payor and payee activities are monitored and analyzed);
generate a risk score to determine whether the payment instruction should be executed (see paragraph 0003, 0014, 0023, 0039, 0059, and 0065, prior art teaches generating a fraud score, which is the same as risk score);
determine an action based on the risk score, the actions comprising one of completing a payment, denying a payment, and allowing a payment with continued monitoring of the payment (see paragraph 0003, 0014 ,0043, and 0069, prior art teaches determining whether to block, cancel, place on hold, or allow a transaction based on the risk score);
add one or more new cyber fraud indicators identified in the received payment instruction to the list of known fraud characteristics and cyber fraud indicators (see paragraph 0037, 0050-0059, detected fraud markers/indicators are stored by fraud marker engine or activity monitoring engine).
Examiner knows however, Binn does not teach apply payment decisioning, based on learning analytics, to correlate the one or more cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indictors to further train, refine, and improve the functioning of the learning analytics.
Srivastava teaches identify one or more cyber fraud indicators, from one or more of a social engineering attack and a business email compromise attack against a client prior to the legitimate payment instruction that cause the client to initiate the legitimate payment instruction on fraudulent grounds, the social engineering attack and the email compromise attack based on leveraging information about the client acquired on a plurality of websites (see paragraph 0020 and 0030, prior art teaches detecting social engineering attacks, such as phishing email attempts), and the one or more cyber fraud indicators includes an IP address associated with prior fraudulent activity, an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating risk of fraud, and a look alike domain accessed by the device used by the victim prior to the payment instruction (see paragraph 0019-0020, 0030, 0032, 0037-0038, 0051, and 0054, prior art teaches comparing IP address against a database of previously archived malicious domain names, malwares, and IP addressed; paragraph 0042-0049 teach look alike domain “constructed to fraudulently pose as other, legitimate websites”);
apply payment decisioning, based on learning analytics, to correlate the one or more cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indictors to further train, refine, and improve the functioning of the learning analytics (see paragraph 0049 and 0052, prior art teaches using machine learning to analyze data and to generate risk score; false positives are fed back to the machine learning algorithm to optimize scoring process).
Barnhardt teaches apply learning analytics, based on one or more of known fraudulent activity and suspected fraudulent activity involving both a payor and payment beneficiary, to the correlated one or more cyber fraud indicators and legitimate payment instruction to determine that the legitimate payment instruction is likely originating from fraudulent activity (see paragraph 0059).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Srivastava and Barnhardt to include apply payment decisioning, based on learning analytics, to correlate the one or more cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indictors to further train, refine, and improve the functioning of the learning analytics.  The modification would have been obvious, because it is merely applying a known technique (i.e. machine learning and feedback analysis) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. continuously improve the accuracy of the system by training the machine with known fraud data).
As per claim 2 and 12, Binn teaches wherein the one or more cyber fraud indicators comprise an originating IP address (see paragraph 0052).
As per claim 4 and 14, Binn does not teach wherein the one or more cyber fraud indicators comprise look alike domain names.
Srivastava teaches cyber fraud indicators comprise look alike domain names (see paragraph 0042-0049, prior art teach look alike domain “constructed to fraudulently pose as other, legitimate websites”).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Srivastava to include cyber fraud indicators comprise look alike domain names.  The modification would have been obvious, because it is merely applying a known technique (i.e. including domain name as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).
As per claim 6 and 16, Binn teaches an interactive user interface that enables the client to view the risk score and determine a payment action in response (see paragraph 0075-0076).
As per claim 7 and 17, Binn does not explicitly teach wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of the client.
Barnhardt teaches apply learning analytics from a first user of the client to a second user of the client (see paragraph 0051, machine learning can be apply to data of any client).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Barnhardt to include apply learning analytics from a first user of the client to a second user of the client.  The modification would have been obvious, because it is merely applying a known technique (i.e. applying machine learning to data of different users) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. provide service to more users).
As per claim 8 and 18, Binn does not explicitly teach wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of a second client different from the client.
Barnhardt teaches apply learning analytics from a first user of the client to a second user of a second client different from the client (see paragraph 0051, machine learning can be apply to data of any client).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Barnhardt to include apply learning analytics from a first user of the client to a second user of a second client different from the client.  The modification would have been obvious, because it is merely applying a known technique (i.e. applying machine learning to data of different users) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. provide service to more users).
As per claim 9 and 19, Binn does not explicitly teach wherein the payment instruction further comprises a request for access to client sensitive information.
Barnhardt teaches a request for access to client sensitive information (see paragraph 0028, 0035, 0045, and 0054 prior art teaches accessing client’s social security number, which is considered sensitive information).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Barnhardt to include a request for access to client sensitive information.  The modification would have been obvious, because it is merely applying a known technique (i.e. accessing sensitive information) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve fraud detection accuracy).
As per claim 10 and 20, Binn teaches wherein the computer processor is further programmed to leverage a separate and distinct risk score generated based on beneficiary account data elements (see paragraph 0060 and 0065).

Claim 3 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Binns et al. (Pub. No.: US 2018/0308099), in view of Srivastava et al. (Pub. No.: US 2012/0096553) and Barnhardt et al. (Pub. No.: US 2018/0181962), and further in view of Ivey et al. (Pub. No.: US 2016/0005029).
As per claim 3 and 13, Binn does not teach wherein the one or more cyber fraud indicators comprise malware indicators.
Ivey teaches cyber fraud indicators comprise malware indicators (see paragraph 0062).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Ivey to include cyber fraud indicators comprise malware indicator.  The modification would have been obvious, because it is merely applying a known technique (i.e. including malware indicator as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).

Claim 5 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Binns et al. (Pub. No.: US 2018/0308099), in view of Srivastava et al. (Pub. No.: US 2012/0096553) and Barnhardt et al. (Pub. No.: US 2018/0181962), and further in view of Kowalchyk et al. (Patent No.: US 8,020,763).
As per claim 5 and 15, Binn does not teach wherein the one or more cyber fraud indicators comprise voice biometrics.
Kowalchyk teaches cyber fraud indicators comprise voice biometrics (see column 4, line 29-48; column 13, line 33-54; column 16, line 48-54).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Kowalchyk to include cyber fraud indicators comprise voice biometrics.  The modification would have been obvious, because it is merely applying a known technique (i.e. including voice biometrics as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).

Response to Remarks
Rejection under 35 U.S.C. 101
Applicant’s arguments, see Remarks, filed on 07/28/2021, with respect to rejection under 35 U.S.C. 101 have been fully considered and are persuasive.  The rejection of claims 1-20 under 35 U.S.C. 101 has been withdrawn. 

Rejection under 35 U.S.C. 103
Applicant merely underlined certain claim limitations and argued the cited prior arts do not teach those limitations without providing any rationale.  Applicant’s argument with respect to rejection under 35 U.S.C. 103 is not persuasive.  In this Office Action, Examiner updates the rejection under 35 U.S.C. 103 to better address the amended claims.




Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAO FU whose telephone number is (571)270-3441.  The examiner can normally be reached on 9:00 AM - 6:00 PM PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine Behncke can be reached on (571) 272-8103.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HAO FU/Primary Examiner, Art Unit 3697                                                                                                                                                                                                        
SEPT-2021