DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
	Claims 1-4, 6-14, and 16-20 are currently pending and rejected.
	Claims 5 and 15 are canceled.

Claim Rejection – 35 U.S.C. 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1 and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.  The amended claims 1 and 11 recite “applying learning analytics, based on known fraudulent activity and suspected fraudulent activity involving both a payor and a payment beneficiary, including fraud-based information from a plurality of payment instructions from one or more other clients, to the correlated plurality of cyber fraud indicators and legitimate payment instructions to determine that the legitimate payment instruction is likely the client”.  It is unclear whether “one or more other clients” include the payor and the beneficiary, or people who are unrelated to the payor and the beneficiary.  It is also unclear which client the claim language is referring to in “…based on a historical set of behavior for the client”.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 2-4 and 12-14 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claims 2-4 and 12-14 recite the limitation “wherein the one or more cyber fraud indicators comprise” “an originating IP address”, “malware indicators”, and “look alike domain name”.  However, these limitations are already recited in the amended independent claims 1 and 11.  Claims 2-4 and 12-14 do not further limit the independent claims upon which they depend.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejection – 35 U.S.C. 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Binns et al. (Pub. No.: US 2018/0308099), in view of Varghese et al. (Pub. No.: US 2006/0282660), Srivastava et al. (Pub. No.: US 2012/0096553), Zeppenfeld (Pub. No.: US 2012/0254243) and Barnhardt et al. (Pub. No.: US 2018/0181962).
As per claims 1 and 11, Binns teaches a system that combines payment data and cyber fraud indicators to identify potential fraud in payment requests from a client, the system comprising:
a memory that stores and maintains a list of known fraud characteristics and cyber fraud indicators associated with activities prior to a payment instruction (see paragraph 0029 for memory; paragraph 0014 and 0022 teach “fraud marker”, which is indicator of fraud; see paragraph 0037, “Fraud marker engine 202 generally creates and stores fraud markers”, and paragraph 0041, “activity monitoring engine 206 receives and stores some or all of the fraud markers created by fraud marker engine 202 and uses them to determine matches against the monitored activity 207”; also see paragraph 0037-0038, “fraud marker engine 202 assists with analyzing activity 203 between payors and payees (which could be some or all of activity 112, e.g., activity occurring prior to activity 207, on a different network, etc.) to determine fraud markers 108 that can identify fraudulent or likely fraudulent activity”); and
a computer processor, coupled to the memory, programmed to (see paragraph –28):
 	receive, via an electronic input, a legitimate payment instruction from the client (see paragraph 0007 and 0013, “the legitimate (and often willing) payor creates a seemingly legitimate transaction to payee”…”even though the transaction was properly initiated, it may still have been fraudulently induced by the beneficiary of that payment (i.e., the payee)”; see paragraph 0041, activity monitoring and matching engine receive/monitor transaction data between payor and payee);

identify a plurality of cyber fraud indicators, from one or more of a social engineering attack and a business email compromise attack against a client prior to the legitimate payment instruction that cause the client to initiate the legitimate payment instruction on fraudulent grounds, the social engineering attack and the email compromise attack based on leveraging information about the client acquired on a plurality of websites (see paragraph 0013-0014, 0037, 0041-0043, 0050-0059, prior art teaches monitoring payor and payee activities occurring prior to transaction to detect fraudulent pattern, and generate fraud markers/indicators that are associated with detected or potential fraudulent activities; see paragraph 0013 and 0084, “phishing scam via email”, prior art teaches detecting phishing scam, which is a social engineering attack and an email attack against a client),
and the plurality of cyber fraud indicators comprise an IP address associated with prior fraudulent activity (see paragraph 0051-0052 and 0073, fraud markers can be email address, IP address, phone number, etc., associated with prior fraudulent activities; “the one or more” language requires only one of the listed fraud indicators); 
whereby identified characteristics of potentially fraudulent activities are applied to downstream decisioning (see paragraph 0014, 0037, and 0041-0043, activity monitoring engine and activity management engine monitors and compares transaction data to previously identified/generated fraud markers to detect fraud; in other words, identified fraud characteristics are applied to downstream decisioning); 
apply analytics, based on known fraudulent activity and suspected fraudulent activity involving both a payor and payment beneficiary, to the correlated one or more cyber fraud indicators and legitimate payment instruction to determine that the legitimate payment instruction is likely originating from fraudulent activity (see paragraph 0003, 0020-0021, and 0026, “payee data database 120 stores account information about particular payees and information about payees taken from activity (e.g., activity 206, such as transactions) initiated by payors” and “Payee database 120 stores, in some embodiments, data related to all transactions previously identified as fraudulent or potentially fraudulent”; also see paragraph 0041, “Activity monitoring and matching engine (“activity monitoring engine”) 206 generally monitors activity 207 of affecting payor and/or payee accounts and determines when certain activity matches one or more fraud markers”; both payor and payee activities are monitored and analyzed);
generate a risk score to determine whether the legitimate payment instruction will result in an illegitimate payment (see paragraph 0002-0003, 0013-0014, 0023, 0039, 0059, and 0065, prior art teaches generating a fraud score, which is the same as risk score);
determine an action based on the risk score, the actions comprising one of completing a payment, denying a payment, and allowing a payment with continued monitoring of the payment (see paragraph 0003, 0014, 0043, and 0069, prior art teaches determining whether to block, cancel, place on hold, or allow a transaction based on the risk score);
add one or more new cyber fraud indicators identified in the received payment instruction to the list of known fraud characteristics and cyber fraud indicators (see paragraph 0037, 0050-0059, detected fraud markers/indicators are stored by fraud marker engine or activity monitoring engine).
Examiner notes however, Binns does not teach the plurality of cyber fraud indicators comprise an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, an automatic number identification that determines an origination telephone number associated with fraudulent activity, and a look alike domain accessed by the device used by the victim prior to the payment instruction, and one or more voice biometrics.  Examiner argues these fraud indicators were well-known prior to the present invention, and the present claims do not combine them in an unconventional way to produce an unexpected result.
Varghese teaches the plurality of cyber fraud indicators comprise an autonomous system number (ASN) associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction (see paragraph 0090, 0108, and 0181, “ASN in device profile – Whether there was a prior successful login from this ASN for this device”).
Srivastava teaches the plurality of cyber fraud indicators comprise a malware indicator originating from the victim’s device indicating a risk of fraud (see paragraph 0019-0020, 0023, 0030, 0032, 0037-0038, 0051, and 0054-0055, prior art teaches comparing IP address against a database of previously archived malicious domain names, malwares, and IP addresses), and a look alike domain accessed by the device used by the victim prior to the payment instruction (see paragraph 0042-0049, prior art teaches detecting look alike domain “constructed to fraudulently pose as other, legitimate websites”).
Zeppenfeld teaches the plurality of cyber fraud indicators comprise an automatic number identification that determines an origination telephone number associated with fraudulent activity, and one or more voice biometrics (see paragraph 0027, 0035, 0043, 0052, 0054, 0060-0061, 0101, 0119, and 0128).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Varghese, Srivastava, and Zeppenfeld to include the plurality of cyber fraud indicators comprise an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, an automatic number identification that determines an origination telephone number associated with fraudulent activity, and a look alike domain accessed by the device used by the victim prior to the payment instruction, and one or more voice biometrics.  The modification would have been obvious, because it is merely applying a known technique (i.e. use well-known fraud indicators to detect cyber fraud) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. use fraud indicators that are well understood in the industry so that one skilled in the art would be able to implement immediately).
Examiner notes however, Binns does not teach apply payment decisioning, based on learning analytics, to correlate the plurality of cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indicators to further train, refine, and improve the functioning of the learning analytics.
Srivastava teaches apply payment decisioning, based on learning analytics, to correlate the one or more cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indicators to further train, refine, and improve the functioning of the learning analytics (see paragraph 0049 and 0052, prior art teaches using machine learning to analyze data and to generate risk score; false positives are fed back to the machine learning algorithm to optimize scoring process).
Barnhardt teaches apply learning analytics, based on one or more of known fraudulent activity and suspected fraudulent activity involving both a payor and payment beneficiary, including fraud-based information from a plurality of payment instructions from one or more other clients, to the correlated plurality of cyber fraud indicators and legitimate payment instruction to determine that the legitimate payment instruction is likely originating from fraudulent activity, the determination made by the learning analytics is also based on a historical set of behavior for the client (see paragraph 0059, prior art teaches modeling large amounts of transaction and account data coming from a very large, general population of people and their transactions, and the risk analysis also identifies characteristics of transactions from the perspective of a payer, a payee and both the payer and payee together; specific past transactions identified as fraudulent are analyzed to identify those characteristics of transactions).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Srivastava and Barnhardt to include apply payment decisioning, based on learning analytics, to correlate the one or more cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indicators to further train, refine, and improve the functioning of the learning analytics.  The modification would have been obvious, because it is merely applying a known technique (i.e. machine learning and feedback analysis) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. continuously improve the accuracy of the system by training the machine with known fraud data).
Examiner further notes that Binns does not teach wherein the accuracy of the risk score is based on a number of indicators considered in the analysis and the number of indicators considered is determined based on the payment instruction, the client providing the payment instruction, and a geographic location for the payment instruction.  Examiner argues however, it is common sense to one of ordinary skill in the art that the higher the number of indicators being considered in risk analysis, the higher the accuracy of the risk score will be, and a higher number of indicators usually comes with higher cost in terms of processing time and resource usage.  Thus, it would have been obvious to use different levels of scrutiny/security depending on the situation.
Varghese teaches the concept of using higher security for transaction in location where fraud rate is high and where user device has suspicious pattern (see paragraph 0069, 0078, 0120, 0138, 0142, “a rule may specify that where there is receipt of a request from a user device of an amount of money over a certain threshold and where the device is resides in a location, determined by the geolocation information, known for an larger than normal volume of fraudulent activity, the action to be take is to present a predetermined higher security”; also see paragraph 0149, “The selection criteria may include a plurality of usability and security factors…This can be reflected in rules specific to the service provider, or to a particular user, or to a particular transaction type”; also see paragraph 0181 for exemplary rules, which are similar to fraud factors in the present claims).  
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Varghese to include wherein the accuracy of the risk score is based on a number of indicators considered in the analysis and the number of indicators considered is determined based on the payment instruction, the client providing the payment instruction, and a geographic location for the payment instruction.  The modification would have been obvious, because it is merely applying a known technique (i.e. consider higher number of indicators when transaction takes place in higher risk geolocation) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. balance between risk detection accuracy and detection cost/processing time).
As per claims 2 and 12, Binns teaches wherein the one or more cyber fraud indicators comprise an originating IP address (see paragraph 0052).
As per claims 3 and 13, Binns does not teach wherein the one or more cyber fraud indicators comprise malware indicators.
Srivastava teaches cyber fraud indicators comprise malware indicators (see paragraph 0019-0020, 0023, 0030, 0032, 0037-0038, 0051, and 0054-0055, prior art teaches comparing IP address against a database of previously archived malicious domain names, malwares, and IP addresses).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Srivastava to include cyber fraud indicators comprise malware indicator.  The modification would have been obvious, because it is merely applying a known technique (i.e. including malware indicator as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).
As per claims 4 and 14, Binns does not teach wherein the one or more cyber fraud indicators comprise look alike domain names.
Srivastava teaches cyber fraud indicators comprise look alike domain names (see paragraph 0042-0049, prior art teaches look alike domain “constructed to fraudulently pose as other, legitimate websites”).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Srivastava to include cyber fraud indicators comprise look alike domain names.  The modification would have been obvious, because it is merely applying a known technique (i.e. including domain name as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).
As per claims 6 and 16, Binns teaches an interactive user interface that enables the client to view the risk score and determine a payment action in response (see paragraph 0075-0076).
As per claims 7 and 17, Binns does not explicitly teach wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of the client.
Barnhardt teaches apply learning analytics from a first user of the client to a second user of the client (see paragraph 0051, machine learning can be applied to data of any client).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Barnhardt to include apply learning analytics from a first user of the client to a second user of the client.  The modification would have been obvious, because it is merely applying a known technique (i.e. applying machine learning to data of different users) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. provide service to more users).
As per claims 8 and 18, Binns does not explicitly teach wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of a second client different from the client.
Barnhardt teaches apply learning analytics from a first user of the client to a second user of a second client different from the client (see paragraph 0051, machine learning can be applied to data of any client).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Barnhardt to include apply learning analytics from a first user of the client to a second user of a second client different from the client.  The modification would have been obvious, because it is merely applying a known technique (i.e. applying machine learning to data of different users) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. provide service to more users).
As per claims 9 and 19, Binns does not explicitly teach wherein the payment instruction further comprises a request for access to client sensitive information.
Barnhardt teaches a request for access to client sensitive information (see paragraph 0028, 0035, 0045, and 0054 prior art teaches accessing client’s social security number, which is considered sensitive information).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binns with teaching from Barnhardt to include a request for access to client sensitive information.  The modification would have been obvious, because it is merely applying a known technique (i.e. accessing sensitive information) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve fraud detection accuracy).
As per claims 10 and 20, Binns teaches wherein the computer processor is further programmed to leverage a separate and distinct risk score generated based on beneficiary account data elements (see paragraph 0060 and 0065).

Response to Remarks
In the response filed on 01/10/2022, Applicant amended independent claims 1 and 11 by combining some limitations from the dependent claims.  By doing so, Applicant has created some conflicts between the independent claims and the dependent claims, since some dependent claims are no longer further limiting the independent claims on which they depend.  Examiner also cites new prior art to address some of the new features.  An updated rejection is provided in this Office Action.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAO FU whose telephone number is (571)270-3441.  The examiner can normally be reached on 9:00 AM - 6:00 PM PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine Behncke can be reached on (571) 272-8103.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HAO FU/Primary Examiner, Art Unit 3697
FEB-2022