Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of the Application
Claims 1-20 have been examined in this application.
The filling date of this application number recited above is 21 June 2019. Domestic Benefit / National Stage priority has been claimed for Provisional Applications 62/688528, 62/688529, 62/688546, and 62/688532 in the Application Data Sheet, therefore the examination will be undertaken in 22 June 2018 as the priority date, for applicable claims.
The information disclosure statement (IDS) submitted on 16 August 2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claims 1, 14, and 20 (and claims 2-13 and 15-19 due to dependency) are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
The claims recite “generate, using machine learning, a risk model specific to a particular issuer bank, the risk model generated by comparing …” However, there is no support from the original disclosure that explicitly recites that a risk model is generated by using machine learning. Specification [00153] recites “This analysis is based on a machine learning model where, over time, the authentication platform is capable of improving its ability to determine the risk level associated with transactions” which teaches that the authentication platform utilizes machine learning model to determine risk levels and provide improvement over time, which is different from generating a risk model. Paragraph [00153] further recites “The authentication platform analyzes transactions that are authenticated by the ACS and compares these transactions with historical data to generate a risk model for each issuer bank”, but does not explicitly recite that the risk model is generated by using machine learning, but simply teaches that the two limitations – (1) machine learning model to improve risk level determination and (2) transaction analysis by comparison to generate a risk model – are two separate 

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 14, and 20 (and claims 2-13 and 15-19 due to dependency) are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The claims recite “generate, using machine learning, a risk model specific to a particular issuer bank, the risk model generated by comparing …” and Specification [00153] recites “This analysis is based on a machine learning model where, over time, the authentication platform is capable of improving its ability to determine the risk level associated with transactions”. It is unclear how machine learning is used to generate a risk model, as the Specification discloses that the machine learning model is used, over time, to improve its ability to determine the risk level, which teaches that the machine learning model is the risk model itself that already exists, and the model is not being generated (e.g. create a new model) but are rather being updated (e.g. improve existing model) for improvement over time. Therefore, the claims are indefinite and clarification 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The Claims are directed to an abstract idea, Methods of Organizing Human Activity. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea.
As per Claims 1, 14 and 20, the claim recites “a method, comprising:
generating, a risk model specific to a particular issuer bank, the risk model generated by comparing i) transactions previously authenticated with ii) historical data for all transactions previously processed;
receiving an authentication request message for a current transaction, the authentication request message including authentication data;
extracting the authentication data from the authentication request message;

if the ACS is unavailable, the method comprises:
generating, based at least in part on the extracted authentication data, risk- based authentication (RBA) result data including a risk score, the RBA result data generated using the risk model specific to the issuer bank associated with the ACS;
generating an authentication decision based on the RBA result data;
embedding the authentication decision in an authentication response message; and
transmitting the authentication response message with the embedded authentication decision.”
The limitation of the claims recited above, under its broadest reasonable interpretation, is directed to an organized human activity by performing fundamental economic practices and/or commercial interaction. The method recited above is a process to reduce fraudulent transactions through risk-based authentication, which risk mitigation is a fundamental economic practice, and the authentication process may be an interaction between a merchant and a bank to verify a transaction, which is a commercial interaction. Fundamental economic practice and commercial interactions are both certain methods of organized human activity. Therefore, the claims are directed to an abstract idea.
This judicial exception is not integrated into practical application. In particular, the claims recite an additional element of “memory device”, “processor”, “non-transitory computer-readable media”, and “machine learning” to perform the These general computer components are recited at a high-level of generality such that it amounts no more than mere instructions to apply the exception using a generic computer system, which is not indicative of integration into a practical application; see MPEP 2106.05(f). 
Additionally, the usage of “machine learning” to generate a risk model is merely using the machine learning as a tool to perform an abstract idea, as an “apply it” of a black box application. The claim limitation merely instructs the machine learning to take the historical data as an input, and provide the risk model as an output. Merely using the machine learning as a tool to perform the abstract idea is not indicative of integration into a practical application.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, considering the additional elements individually and/or as an ordered combination, the additional element of using Mere instructions to apply an exception using a generic computer system cannot provide an inventive concept. The claims are not patent eligible.
Regarding dependent claims, they are still directed to an abstract idea without significantly more.
Claim 2 recites “wherein the RBA result data further include at least one reason code that indicates at least one factor that influenced the generated risk score.”
Claim 3 recites “wherein to determine if the ACS is available, the at least one processor programmed to transmit the authentication request message to the ACS.”
Claim 4 recites “wherein the at least one processor programmed to: wait a predetermined period of time for a response from the ACS; and determine that the ACS is unavailable if no response is received after the predetermined period of time.”
Claim 5 recites “wherein the at least one processor programmed to receive a response from the ACS, wherein the response indicates that the ACS is unable to perform authentication.”
Claim 6 recites “wherein the response indicates at least one of an online user associated with the current transaction is not enrolled with the ACS, the ACS is currently unavailable, or the ACS was unable to authenticate the online user.”
Claim 7 recites “wherein to determine if the ACS is available, the at least one processor programmed to determine that an online user associated with the 
Claim 8 recites “wherein the at least one processor is programmed to generate an authentication decision based on the RBA result data.”
Claim 9 recites “wherein to generate RBA result data, the at least one processor is programmed to determine a risk level based on the RBA result data.”
Claim 10 recites “wherein to transmit an authentication response message, the at least one processor is programmed to embed an indicator in the authentication response message indicating that the current transaction is fully authenticated if the risk level is low.”
Claim 11 recites “wherein to transmit an authentication response message, the at least one processor is programmed to embed one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted if the risk level is not low.”
Claim 12 recites “wherein to generate RBA result data, the at least one processor is programmed to: determine whether the authentication request message complies with 3DS 2 Protocol or subsequent 3DS Protocol versions; and bypass determining if the ACS is available if the authentication request message does not comply.”
Claim 13 recites “wherein to generate RBA result data, the at least one processor is programmed to compare the authentication data to at least one long term variable and at least one short term variable, wherein the at least one long 
Claim 15 recites “wherein determining if the ACS is available further comprises: transmitting the authentication request message to the ACS; waiting a predetermined period of time for a response from the ACS; and determining that the ACS is unavailable if no response is received after the predetermined period of time.”
Claim 16 recites “further comprising receiving a response from the ACS, wherein the response indicates at least one of the online user is not enrolled with the ACS, the ACS is currently unavailable, or the ACS was unable to authenticate the online user.”
Claim 17 recites “wherein determining if the ACS is available further comprises determining that the online user is not associated with the ACS based on the extracted authentication data.”
Claim 18 recites “wherein generating RBA result data further comprises: determining a risk level based on the RBA result data; if the risk level is low, embedding an indicator in the authentication response message indicating that the current transaction is fully authenticated; and if the risk level is not low, embedding one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted.”
Claim 19 recites “wherein generating RBA result data further comprises: determining whether the authentication request message complies with 3DS 2 
	These additional steps of each claims fail to remedy the deficiencies of their parent claim above because they are merely further limiting the rules used to conduct the previously recited abstract idea, and are therefore rejected for at least the same rationale as applied to their parent claim above; therefore they still recite abstract ideas.
	Claims 2-13 and 15-19, when analyzed as a whole, considering the additional elements individually and/or as an ordered combination, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitations fail to establish that the claims are sufficient to integrate into a practical application and do not amount to significantly more than the judicial exception. Similarly to the independent claims, each claim recites using a generic computer component to perform the abstract idea as mentioned above. Therefore, prong 2 and step 2B analysis are similar to above and these claims are not eligible.
Therefore, Claims 1-20 are not drawn to eligible subject matter as they are directed to an abstract idea without significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3, 7-11, 13-14, 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dominguez (U.S. 2011/0196791), in view of GUKAL et al. (U.S. 2016/0239771), in view of Weller et al. (U.S. 2010/0114776), and in view of Nelsen et al. (U.S. 2016/0034900).

As per Claim 1, 14, and 20, Dominguez teaches a computer-implemented method for authenticating an online user, the method implemented on a computing device comprising a memory device coupled to at least one processor, and the method comprises (See Figure 5 and Figure 8 disclosing the hardware components, (i.e. [0071] "configured to execute a method or process to identify fraudulent payment transactions and to prevent future fraudulent transactions, in accordance with some embodiments of the present invention"):
receive an authentication request message for a current transaction, the authentication request message including authentication data (See Figure 7 - Block 510 wherein [0065] "If such authentication data is available, then the Directory Server provides transaction data (and if applicable, other relevant information) to the Risk Management Engine (depicted as element 314 of FIG. 4 and element 702 of FIG. 5) which is requested to perform a fraud assessment for the payment account involved in the payment transaction (stage 510)" wherein [0063] "an evaluation of the likelihood of fraud associated with a proposed payment transaction may be performed by Risk Assessment Engine 707 in response to a Transaction Authentication Inquiry Message 714");
extract the authentication data from the authentication request message (See Figure 7 - Block 512 wherein [0066] "The Risk Management Engine processes the data regarding the transaction and payment account to determine the risk of fraud associated with the transaction (stage 512)"); and
generate, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data including a risk score, the RBA result data generated using the risk model specific to the issuer bank associated with the ACS (See Figure 7 - Blocks 512 to 516, wherein [0052] “For example, the AHS (as well as other sources within a payment processing network) may contain historical data upon which can provide the basis for models that are predictive of future fraud. The inventive Risk Management Engine (RME) can utilize the outputs of those models during the authentication step or in the development of a rule base that will be used to detect fraudulent or potentially fraudulent transactions … In operation, the Risk Management Engine (RME) may provide either one comprehensive risk score for the transaction, or may provide risk scores for multiple transaction characteristics, with a detailed breakdown that depends on specific areas of concern for a given issuer or merchant” wherein the AHS stores data received from the ACS, as disclosed [0030] “As used herein, in some embodiments, an "AHS" can refer to an authentication history server. An AHS is a server which can receive and archive the result of authentication attempts in an authentication system. An AHS may record both successful and unsuccessful authentication attempts ... The data stored by the AHS can later be analyzed for various purposes” and [0175] “Whether or not authentication was successful, the ACS sends a copy of the Payer Authentication Response, plus related data, to the Authentication History Server. The server serves as the database of record”) and [0049] “Issuers typically update the AHS data records each night with data concerning the consumer authentication transactions that took place during the day”.

Dominguez may not explicitly disclose, but GUKAL discloses:
generate, using machine learning, a risk model specific to a particular issuer bank, the risk model generated by comparing i) transactions previously authenticated by an access control server (ACS) associated with that issuer bank with ii) historical data for all transactions previously processed by a payment processing network ([0074] “The analytical model 102 is trained by a training circuit 104 (e.g., computer readable program code executed by a processor) based on eCommerce transaction reports received from the merchant nodes 120 (e.g., as eCommerce authentication requests) and/or based on eCommerce transaction reports received as feedback from finance issuer nodes 140 and/or other nodes of a financial transaction processing system” wherein the eCommerce transaction reports from the merchant nodes 120 are the i) transactions previously authenticated by an ACS associated with that issuer bank, and the eCommerce transactions reports from finance issuer nodes 140 and/or other nodes of a financial transaction processing system are the ii) historical data for all transactions previously processed by a payment processing network. See also [0099] “The analytical model 102 may be a non-linear model such as a neural network model. The training circuitry 104 can train the neural network model 102 with content of the historical eCommerce transaction reports and/or based on eCommerce authentication requests or other eCommerce transaction data received from merchant nodes 120 or other nodes within the system” and [0104] “The training circuitry 104 may furthermore dynamically train (e.g., fine-tune) the analytical model 102 responsive to content of eCommerce transaction reports, e.g., eCommerce authentication requests, that are dynamically received from merchant nodes 120. The information collector 109 may receive eCommerce authentication requests from the merchant nodes 120 and may further receive authentication responses from the authentication node 130 indicating whether authentication of identified ones of the eCommerce authentication requests passed or failed the authentication process ... The training circuitry 104 can use the identified patterns to or dynamically train the analytical model 102 based on recently occurring eCommerce transactions”).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize dynamically training the analytical model utilizing historical transaction data as in GUKAL in the system executing the method of Dominguez, wherein the system of Dominguez teaches generating models based on historical data to be utilized to provide risk scores in [0052], with the motivation of offering to [0013] “enable identification of accounts that are at-risk of fraud or other defined risk before those accounts are compromised” as taught by GUKAL over that of Dominguez.

Dominguez may not explicitly disclose, but Weller discloses the following:
determine if the ACS is available to process the transaction ([0143] "At step 125, the ACS 1050 is unable to authenticate the cardholder 1010 and creates an authentication request" wherein the ACS determined it is unable to process the transaction received from the PAReq in step 124);
if the ACS is unavailable, the at least one processor programmed to perform the authentication ([0143] "The authentication request is sent to the TRS/Online C-R 1040 and to request that the TRS/Online C-R 1040 authenticate the cardholder 1010 on behalf of the ACS 1050")
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize determining ACS availability as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

Dominguez may not explicitly disclose, but Nelsen discloses the following:
generate an authentication decision based on the RBA result data (See Figure 5 – steps 425 and 430, as disclosed [0117] “At block 430, the flow 500 includes receiving, at the server computing device from the second server computing device, an authentication response message formatted according to the second message format” wherein the authentication response message is generated as a reply to an authentication request, which includes an authentication determination, as disclosed [0027] “An "authentication response message" may be an electronic message reply to an authentication request. In some embodiments, the authentication response message may be generated by an issuing financial institution (i.e. issuer) or a payment processing network … The authentication response message may include an authentication result (which may also be known as an authentication determination)”);
embed the authentication decision in an authentication response message (See Figure 5 – step 435, as disclosed [0118] “At block 435, the flow 500 includes generating, by the server computing device based upon the received authentication response message, a modified authentication response message formatted according to the first message format” wherein [0119] “In some embodiments, the modified authentication response message may include an authentication result to help the merchant determine whether processing of the transaction may proceed” see also [0028] “A "modified authentication response message" may be an electronic message reply to an authentication request and may be altered based on an authentication response message”); and
transmit the authentication response message with the embedded authentication decision (See Figure 5 – step 440, as disclosed [0119] “At block 440, the flow 500 includes transmitting, by the server computing device to the computing device of the user, the modified authentication response message”).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize modifying the authentication response message as in Nelsen in the system executing the method of Dominguez with the motivation of offering to [0003] “reduce the levels of fraud, disputes, retrievals, and chargebacks, which subsequently will reduce the costs associated with each of these events” as taught by Nelsen over that of Dominguez.

As per Claim 3, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 1, wherein to determine if the ACS is available, the at least one processor programmed to transmit the authentication request message to the ACS (Figure 10 - step 124 sends a PAReq message to the ACS as disclosed [0142] "The cardholder 1010 sends the PAReq to the TRS/Online C-R 1040, and the TRS/Online C-R 1040 can then send the PAReq to the ACS 1050" which in step 125 the ACS is determined to be unavailable).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize determining ACS availability as in Weller in the system executing the Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claims 7 and 17, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 1 and the method of Claim 14, wherein to determine if the ACS is available, the at least one processor programmed to determine that an online user associated with the current transaction is not associated with the ACS based on the extracted authentication data ([0051] "... the directory server 1030 could then forward the VEReq to an access control server (ACS) 1050 associated with the card issuer's authentication service. The ACS 1050 could then determine whether the card information provided in the VEReq can be authenticated. Card information may not be able to be authenticated by the ACS 1050 if, for example, the card information does not include a valid electronic commerce card number, or if there is no authentication information, such as a password or other identifying information, associated with the electronic commerce card number" wherein [0053] discloses that this step of authenticating whether the online user's card information is associated to the issuer's ACS is processed by TRS/Online C-R 1040).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize determining ACS availability as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claim 8, Dominguez discloses the authentication platform of Claim 1, wherein the at least one processor is programmed to generate an authentication decision based on the RBA result data (Figure 7 - step 518 the RME generates a result to indicate either the transaction is not fraudulent or fraudulent as disclosed in [0066-0070]).

As per Claim 9, Dominguez discloses the authentication platform of Claim 1, wherein to generate RBA result data, the at least one processor is programmed to determine a risk level based on the RBA result data ([0061] "The rules stored in Rule Base 706 are used by Risk Assessment Engine 707 to evaluate whether a proposed transaction is likely to be fraudulent (i.e., whether there is an acceptable or an unacceptable level of risk that the transaction is fraudulent)").

As per Claim 10, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 9, wherein to transmit an authentication response message, the at least one processor is programmed to embed an indicator in the authentication response message indicating that the current transaction is fully authenticated if the risk level is low ([0169] "The risk levels may alternatively be referred to as risk scores. For example, the levels of risk may be defined as the follows: "Low risk transactions" are passively authenticated; in the majority of cases, the cardholder is not cognizant of the authentication process" as disclosed in Table 1 - Passive Authentication means the transaction is fully authenticated since enough information was provided for authentication).
Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claim 11, Dominguez may not explicitly disclose, but Weller discloses the authentication platform of Claim 9, wherein to transmit an authentication response message, the at least one processor is programmed to embed one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted if the risk level is not low ([0169] also discloses of "Medium-high risk transactions" and "very high risk transactions", which the authentication response sent to the merchant indicates "pass, fail, passive authentication, attempt or unavailable" in regards to the risk levels, further discussed in [0170] regarding challenge request for risk scores in medium to high range. As recited in the Specifications [00152] ""merchant only" transactions are more risky transactions" therefore the "merchant only" indication has been interpreted as a "risky" transaction).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a risk level indicator in the authentication response message as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

As per Claim 13, Dominguez discloses the authentication platform of Claim 1, wherein to generate RBA result data, the at least one processor is programmed to compare the authentication data to at least one long term variable and at least one short term variable, wherein the at least one long term variable includes historical authentication data and historical authorization data ([0052] "The inventive Risk Management Engine (RME) can utilize the outputs of those models during the authentication step or in the development of a rule base that will be used to detect fraudulent or potentially fraudulent transactions. For example, such rules or indicia may include, but are not limited to: (1) the number of times a particular PAN has been used in the last 24 hours; (2) how many times an account was used at a merchant outside the country in which it was issued; (3) if the password or other authentication credential recently reset; (4) if the password was created immediately before the current transaction; or (5) if a number of relatively small transactions were executed just prior to a larger transaction" see also Figure 6 and [0056] disclosing a variety of features and techniques used for comparison which includes a long term variable, such as geo-location checking (as disclosed in Specifications [0033]), and a short term variable, such as velocity checking (as disclosed in Specifications [0034])). For long term variable, see also [0063] "The data inputs to RME 702 may include, but are not limited to, Authentication History Server data 710 (obtained from AHS 310 of FIG. 4) and Payment Transaction data 712 (which may include indications of known fraudulent accounts or transactions)" and see also Figure 6).

As per Claim 18, Dominguez discloses the method of Claim 14, wherein generating RBA result data further comprises:
determining a risk level based on the RBA result data ([0061] "The rules stored in Rule Base 706 are used by Risk Assessment Engine 707 to evaluate whether a proposed transaction is likely to be fraudulent (i.e., whether there is an acceptable or an unacceptable level of risk that the transaction is fraudulent)").

Dominguez may not explicitly disclose, but Weller discloses the following:
if the risk level is low, embedding an indicator in the authentication response message indicating that the current transaction is fully authenticated ([0169] "The risk levels may alternatively be referred to as risk scores. For example, the levels of risk may be defined as the follows: "Low risk transactions" are passively authenticated; in the majority of cases, the cardholder is not cognizant of the authentication process" as disclosed in Table 1 - Passive Authentication means the transaction is fully authenticated since enough information was provided for authentication); and
if the risk level is not low, embedding one or more indicators in the authentication response message indicating that the current transaction is a merchant only transaction and that authentication was attempted ([0169] also discloses of "Medium-high risk transactions" and "very high risk transactions", which the authentication response sent to the merchant indicates "pass, fail, passive authentication, attempt or unavailable" in regards to the risk levels, further discussed in [0170] regarding 
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a risk level indicator in the authentication response message as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Dominguez, in view of GUKAL, in view of Weller, in view of Nelsen, and in further view of Diev et al. (U.S. 2017/0228635).

As per Claim 2, Dominguez may not explicitly disclose, but Diev discloses the authentication platform of Claim 1, wherein the RBA result data further include at least one reason code that indicates at least one factor that influenced the generated risk score ([0017] "the predetermined input variable categories of input variables comprise reason codes that identify the input variables that contributed to the computed set of attribution scores").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a reason code as in Diev in the system executing the method of Dominguez with the motivation of offering to [0153] "significantly improve the reliability Diev over that of Dominguez.

Claims 4-6 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Dominguez, in view of GUKAL, in view of Weller, in view of Nelsen, and in further view of Davis (U.S. 2006/0179007).

As per Claim 4, Dominguez may not explicitly disclose, but Davis discloses the authentication platform of Claim 3, wherein the at least one processor programmed to:
wait a predetermined period of time for a response from the ACS ([0032] "3) the central transaction server 280 timed out waiting on a response from the ACS 225"); and
determine that the ACS is unavailable if no response is received after the predetermined period of time ([0040] "the ACS 225 ... does not reply to the central transaction server 280 within a predetermined period of time … the ACS 225 cannot authenticate the electronic commerce card information").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a time limit as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

As per Claim 5, Dominguez may not explicitly disclose, but Davis discloses the authentication platform of Claim 3, wherein the at least one processor programmed to receive a response from the ACS, wherein the response indicates that the ACS is unable to perform authentication ([0039] "The ACS 225 returns an authentication response 266 to the central transaction server 280, which in turn forwards an authentication response 278 to the cardholder system 205 … Alternatively, the authentication response can include a message indicating that the authentication failed. In a further embodiment, the authentication response also includes an error code identifying the reason for authentication failure" wherein the reason for failure can indicate that the ACS is unable to perform authentication as given by examples in [0040] "If, for example, the ACS 225 does not support authentication functions, the ACS 225 is not operating ...").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize ACS unavailable response message as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

As per Claims 6 and 16, Dominguez may not explicitly disclose, but Davis discloses the authentication platform of Claim 5 and the method of Claim 15, wherein the response indicates at least one of an online user associated with the current transaction is not enrolled with the ACS, the ACS is currently unavailable, or the ACS was unable to authenticate the online user (the reason for authentication failure can [0040] "If, for example, the ACS 225 does not support authentication functions, the ACS 225 is not operating …").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize ACS unavailable response message as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

As per Claim 15, Dominguez may not explicitly disclose, but Weller discloses the method of Claim 14, wherein determining if the ACS is available further comprises:
transmitting the authentication request message to the ACS (Figure 10 - step 124 sends a PAReq message to the ACS as disclosed [0142] "The cardholder 1010 sends the PAReq to the TRS/Online C-R 1040, and the TRS/Online C-R 1040 can then send the PAReq to the ACS 1050" which in step 125 the ACS is determined to be unavailable).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a message to the ACS as in Weller in the system executing the method of Dominguez with the motivation of offering to provide [0006] "better ways to authenticate consumers" as taught by Weller over that of Dominguez.

Dominguez may not explicitly disclose, but Davis discloses the following:
([0032] "3) the central transaction server 280 timed out waiting on a response from the ACS 225"); and
determining that the ACS is unavailable if no response is received after the predetermined period of time ([0040] "the ACS 225 ... does not reply to the central transaction server 280 within a predetermined period of time … the ACS 225 cannot authenticate the electronic commerce card information").
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize a time limit as in Davis in the system executing the method of Dominguez with the motivation of offering to [0004] "facilitate monitoring and management, increase overall reliability and fault tolerance, and simplify system upgrades and migrations" as taught by Davis over that of Dominguez.

Claims 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dominguez, in view of GUKAL, in view of Weller, in view of Nelsen, and in further view of Hey et al. (U.S. 2019/0188715).

As per Claims 12 and 19, Dominguez may not explicitly disclose, but Hey discloses the authentication platform of Claim 1 and the method of Claim 14, wherein to generate RBA result data, the at least one processor is programmed to:
determine whether the authentication request message complies with 3DS 2 Protocol or subsequent 3DS Protocol versions (See Figure 2 - steps 114 and 116, Figure 3, wherein the AREQ message is sent from the "3DS Server" to "Validate Operator ID" to verify the compliance); and
bypass determining if the ACS is available if the authentication request message does not comply ([0031] "The interchange network system 22 may determine whether the merchant ID contained in the AREQ is valid, as shown in 120, and if it is not, then the interchange network system 22 may send to the merchant device 18 a denial message rejecting the authentication request message, as shown in 118" which bypasses any steps to be taken with the ACS but just ends the process as shown in Figures 2 and 3).
It would have been obvious to one of ordinary skill in the art at the time of the invention to utilize 3DS Protocol compliance as in Hey in the system executing the method of Dominguez with the motivation of offering to [0007] "protect against fraud by requiring and validating merchant and card issuer operator IDs prior to authorizing the transactions" as taught by Hey over that of Dominguez.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over the claims of copending Applications No. 16/448,884, 16/448,572, and 16/448,596. Although the claims at issue are not identical, they are not patentably distinct from each other because they are all directed toward methods and systems, for risk-based authentication (RBA) on behalf of an Access Control Server (ACS). 
The instant application determines if the ACS can process the transaction, and if unavailable, performs the RBA and transmits the results to the ACS. 
The ‘884 application performs the RBA and compares the risk score to a threshold and limit value, then transmits the results.
The ‘572 application performs the RBA and transmits the results to the ACS.
The ‘596 application performs the RBA and routes the results.
It would have been obvious to one skilled in the art at the time of filing that a system performing RBA on behalf of the ACS would be processed whether the ACS is available or not, therefore the method is performed if the ACS is unavailable. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Response to Arguments
Applicant's arguments, see pages 9 to 12, filed 16 August 2021, with respect to 35 U.S.C. 101 rejection have been fully considered but they are not persuasive.
Applicant contends, see pages 9 to 11, that “the claims are not directed to an abstract idea”. Examiner respectfully disagrees. As discussed above under 35 U.S.C. 
Applicant contends, see pages 11 to 12, that “the claims include additional elements that provide an improvement to the technical field of systems for authenticating users of payment networks, particularly as they enable generating, using machine learning, a risk model specific to a particular issuer bank associated with an ACS, and using that risk model to generate RBA result data when the ACS is unavailable”. Examiner respectfully disagrees. As discussed above under 35 U.S.C. 101 rejection, the additional elements are generic computer components, by which are merely instructed to implement the abstract idea (e.g. “apply it”). Using machine learning to generate a risk model does not provide any improvement to the functioning of a computer, or to any other technology or technical field, but is merely using the “machine learning” as a tool to perform the abstract idea – the machine learning is simply used as a black box application with an input of “historical data” and an output of “risk model”. 
BASCOM”. Examiner respectfully disagrees. As discussed above, mere instructions to apply machine learning model to perform the generic function of comparing data (i.e. current transaction to prior transactions) is not indicative of an inventive concept (aka “significantly more”). See MPEP 2106.05(d) “For example, in BASCOM, even though the court found that all of the additional elements in the claim recited generic computer network or Internet components, the elements in combination amounted to significantly more because of the non-conventional and non-generic arrangement that provided a technical improvement in the art. BASCOM Global Internet Servs. v. AT&T Mobility LLC, 827 F.3d 1341, 1350-51, 119 USPQ2d 1236, 1243-44 (2016)”, wherein the additional elements recited in the claims of the current application, the elements in combination does not amount to significantly more because it recites conventional and generic arrangement (e.g. generic computer components) being merely applied to the judicial exception (i.e. use machine learning as a black box). Therefore, the 35 U.S.C. 101 rejection is maintained.
Applicant’s arguments, see pages 12 to 17, with respect to the 35 U.S.C. 103 rejection have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. The limitation regarding the determination of the availability of the ACS is taught by the prior art reference Weller in [0143] which sets the condition of performing the authentication process on behalf of the 
Applicant's arguments, see page 17, with respect to Non-statutory Double Patenting rejection have been fully considered but they are not persuasive. Although the claims at issue are not identical, they are not patentably distinct from each other because they are all directed toward methods and systems, for risk-based authentication (RBA) on behalf of an Access Control Server (ACS). Therefore, the Double Patenting rejection is maintained.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Han et al. (U.S. 10,366,378) discloses methods and systems for processing one or more payment transactions between a merchant and a buyer by detecting buyer's communication device as an instrument to approve or reject a payment transaction in offline mode.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY H JUNG whose telephone number is (571)270-5018.  The examiner can normally be reached on Mon - Fri 8:30 - 4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/H.H.J./           Examiner, Art Unit 3697                                                                                                                                                                                            
	
	/CHRISTINE M BEHNCKE/           Supervisory Patent Examiner, Art Unit 3697