DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements filed 05/04/2021, 11/10/2021, 02/04/2022, 07/17/2022, and 07/24/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s)  are being considered by the examiner. 

Status of Claims
This Office action is in reply to filing by applicant on 09/17/2020.
Claims 1 - 20 are currently pending and have been examined.
This action is made non-final. 

Claim Objections
Claims 4, 5 (no periods), 9, 16, 20  (mis-spelling of "first") are all objected to for apparent typographical mistakes. 
Appropriate correction is required.
Claims 14 - 16 and 18 - 20 appear to have mis-stated their dependencies.
Appropriate correction is required.

Drawing Objections

 New corrected drawings in compliance with 37 CFR 1.121(d) are required in this application because FIG.'s 27, 29C, 29D, and 29G of the drawings are illegible and do not comply with line uniformity, density definition requirement and the use of shading standards put forth in 37 CFR 1.84 (l) and (m): 
(l) All drawings must be made by a process which will give them satisfactory reproduction characteristics. Every line, number, and letter must be durable, clean, black (except for color drawings), sufficiently dense and dark, and uniformly thick and well-defined. The weight of all lines and letters must be heavy enough to permit adequate reproduction. This requirement applies to all lines however fine, to shading, and to lines representing cut surfaces in sectional views. Lines and strokes of different thicknesses may be used in the same drawing where different thicknesses have a different meaning. 
(m) Shading. The use of shading in views is encouraged if it aids in understanding the invention and if it does not reduce legibility. Shading is used to indicate the surface or shape of spherical, cylindrical, and conical elements of an object. Flat parts may also be lightly shaded. Such shading is preferred in the case of parts shown in perspective, but not for cross sections. See paragraph (h)(3) of this section. Spaced lines for shading are preferred. These lines must be thin, as few in number as practicable, and they must contrast with the rest of the drawings. As a substitute for shading, heavy lines on the shade side of objects can be used except where they superimpose on each other or obscure reference characters. Light should come from the upper left corner at an angle of 45°. Surface delineations should preferably be shown by proper shading. Solid black shading areas are not permitted, except when used to represent bar graphs or color. 
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as "amended." If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either "Replacement Sheet" or "New Sheet" pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Applicant is advised to employ the services of a competent patent draftsperson outside the Office, as the U.S. Patent and Trademark Office no longer prepares new drawings. 
The Examiner further notes that due the grayscale conversion process inherent in the Office's electronic application filing system, elements of FIG. 4 are rendered partially illegible which interferes with providing a clear disclosure of the invention to the public.
Applicant may further refer to MPEP § 608.02 et seq. for further information regarding acceptability of drawings presented in a utility patent application.



	
Obviousness Type Double Patenting Rejection
Claims 1 - 20 herein are rejected on the ground of nonstatutory double patenting as being unpatentable over independent claim 1 of the Hockey (US11120158B2)  patent (same inventor(s) / assignee).

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Although the claims at issue herein are not word for word identical with the above said Hockey patent's claim 1,  those prior claim(s) are not patentably distinct from this application's claims. Both the patent and the pending application are directed to using ID credentials to access another's account. The patent's claims read on the instant claims.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 - 20 are  rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  

Independent claim 1 is directed to  a method (process), independent claim 13 is directed to a non-transitory computer readable medium (composition), and independent claim 17 is directed to a system (machine), all of which all of which are statutory categories of invention pursuant to 35 USC 101. (Step 1: YES, the independent claims all fall within a statutory category).
Independent claims 1, 13, 17 recite:
receiving a request to establish an account link, establishing the account link to a user account of an account service using user credentials, and receiving user identifying information and storing the user identifying information; receiving user identifying information and identifying a candidate account link using the user identifying, verifying eligibility for access to the account link, and permitting access to the account link upon successful verification of eligibility.  
Several dependent claims further refine the abstract idea of claims 1, 13, 17:
collecting authentication credentials; performing an authentication process using the account credentials, and storing the account credentials as part of a secure data store in response to successful authentication. (claims 2,14,18); wherein performing the authentication process comprises virtualized authentication. (claim 3); storing user identifying information with an association to the account link, wherein the user identifying information comprises at least a phone number; wherein verifying eligibility for access to the account link comprises performing one-time passcode verification with the phone number (claims 4,15,19); wherein verifying eligibility for access to the account link comprises verifying a second eligibility condition  (claim 5); wherein verifying the second eligibility condition comprises requesting phone number change information from a phone carrier data application programming interface and indicating success of the second eligibility condition if the phone number is indicated to not have changed in a defined time window (claim 6); wherein receiving user identifying information of the first application context comprises receiving a first profile of a first client; wherein receiving user identifying information in the second context comprises receiving a second profile of a second application client; and wherein verifying the second eligibility condition comprises confirming a match of the first profile and the second profile (claim 7); within the first application context, receiving confirmation of the user; if there is an available way, initiating user verification through confirmation (claim 8); establishing the account link to the user account comprises serving a fist instance of an authentication module and storing a cookie through the authentication module; and within the second application context, serving a second instance of an authentication module; and wherein receiving user identifying information of the second application context comprises reading the cookie from the second instance of the authentication module and using the cookie as verification if phone number is not available.  (claims 9,16,20);  wherein the account service is a financial account service with transaction data of the user account, further comprising, receiving transaction information; and wherein verifying eligibility for access to the account link comprises querying the account service and confirming the transaction information in the transaction data of the user account (claim 10); receiving access that includes a set of requested access permissions, wherein verifying eligibility for access comprises for a first set of access permissions verifying a first set of eligibility conditions and for a second set of access permissions verifying a second set of eligibility conditions (claim 11); in response to failing to verify eligibility, establishing access to user account using user credentials (claim 12); establishing a link to the user account comprises serving a fist instance storing ID information and receiving user identifying information comprises reading ID information from the second instance of the authentication using said ID info if a phone number is not available (claims 16,20).  
The claim(s) thus recite the abstract idea of:
gaining access to another's account using various ID credentials.
The above claim limitations, under their broadest reasonable interpretation, cover performance of the limitation(s) as certain methods of organizing human activity which include a fundamental economic principal or practice and/or a commercial / legal interaction. As such, the limitations fall within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. (Step 2A - Prong 1: YES. The claims recite an abstract idea).
The above referenced independent claim limitations do not integrate the abstract idea into a practical application as those limitations simply apply generic computer components to the recited abstract idea, without more. They otherwise attempt to use a computer as a tool to perform the abstract idea.  The account linking computing service, non-transitory computer-readable medium,  processors, and systems, computer limitations of the independent claims  are simply being applied as tools as against the abstract idea. The above said computer related elements additionally quite generally link the abstract idea above noted to computer technology. The recitation of a generic computer component(s) in a claim does not necessarily preclude that claim from reciting an abstract idea. These computer / computer related elements are simply applied as tools to the abstract idea. The computer related limitations of the above analyzed claim(s) are all recited at a high-level of generality (e.g., a generic computer performing a generic computer function). The claims' additional elements do not integrate the articulated abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea, and those additional elements are also set forth with a high level of generality.
The dependent claims as above also lack any elements, including:
account linking computing service, non-transitory computer-readable medium,  processors, and systems, which are independent claim elements (as noted above) upon which the dependent claims are necessarily based;
additional computer related elements in the dependent claims: cookies of claims 9, 16, 19 (ID information), devices of claims 7, 8, and various, apparently, computer related "modules" throughout the dependent claims); 
non-computer related  elements in the dependent claims  (phones of claims 15, 16, 19).
The sum total of the above claim elements fail to integrate the articulated abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea, whether they are considered either separately or as an ordered combination, and those additional (computer) elements in the dependent claims are also set forth at a high level of generality.
The claims are directed to an abstract idea without a practical application.  (Step 2A-Prong 2: NO. The additionally claimed elements in the claims do not integrate the abstract idea into a practical application).
The claims lack additional elements which are sufficient to amount to significantly more than the abstract idea (judicial exception), either separately or as an ordered combination. This lack of providing significantly more than the judicial exception is also referred to as a claim lacking an  “inventive concept”. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements consisting here of various pieces of computer hardware amount to no more than mere instructions to perform the judicial exception by applying generic computer(s) / computer components to it, and/or generally linking the abstract idea to computer technology. Mere instructions to perform a judicial exception by applying generic computer components to it cannot provide an inventive concept. This Application's lack of providing significantly more than the judicial exception is also referred to as its claims lacking an “inventive concept. See MPEP 2106.05(f) where applying a computer as a tool is not indicative of significantly more. The above noted non-computer related elements do not change the outcome of the analysis, as they all depend from said independents and they simply further limit ways which the abstract idea may be performed.  (Step 2B: NO. The claims do not provide significantly more than the judicial exception).

Claims 1 - 20  are not patent-eligible pursuant to 35 USC 101.  
Claim Rejections – 35 USC 102

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraph of 35 U.S.C. 102 that forms the basis for the rejections under this section made in this Office Action:
(a) NOVELTY; PRIOR ART.— A person shall be entitled to a patent unless—

(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention;



Claims 1 - 3, 5, 7, 8, 10 - 14, 17, and 18 are rejected under 35 USC 102 (a)(1) as being anticipated by Hockey  (US20170068954A1).


Regarding claims 1, 13,17: 
Hockey  discloses:
within a first application context at an account-linking computing service: Throughout this document, claim limitations will be given their Broadest Reasonable Interpretation (BRI) in view of the disclosure as filed (Phillips v. AWH Corp., 415 F.3d 1303, 75 USPQ2d 1321 (Fed. Cir. 2005), MPEP § 2111), and this statement may be the only express notice of BRI's application herein, notwithstanding that BRI's application herein may be applied on multiple occasions. The just referenced limitation's meaning therefore under BRI  includes any   computer / computer service / computer server / computer system   of any sort  which is capable in any way of "linking", or otherwise accessing and/or effectively connecting, various computer accounts in any way, and this interpretation is consistent with the light of the specification. [034], that said   .   .   .   ("For example, the systems of the present disclosure include generation of proxy, virtualized, or simulated instances of software applications that are configured to interface with external systems via public or non-public (e.g., proprietary) application programming interfaces (APIs). The virtualized or simulated instances of the software applications may be authenticated with the external systems as if the virtualized/simulated instances are actually first-party software applications executing on a user computing device. Via the public/non-public APIs user account information may be obtained and processed, such that the data may be normalized and provided to other software systems via a normalized API of the system.", [008]); 
receiving a request to establish an account link, ("The initial request may be received through a normalized API (e.g., API 110) as a connection request. The connection request may be accompanied by parameters that specify a selected institution (if there are multiple institution options) and user credentials for the institution. The user credentials may include a username, password, pin code, and/or any suitable credentials. The API request may additionally include authentication credentials such as a client identifier and secret token that is associated with the account in the system.", [0214]) and (" Different institutions may have different processes to register or enroll a new application (which in the method is a proxy instance) such as multi-factor authentication. During the negotiation, various elements may be extracted and stored as part of the proxy instance. Similarly, some properties may be generated based on communication with the institution. For example, a MAC address or a unique device identifier may be used in connecting to the services of the external institution. Such properties may be stored as part of the proxy instance.", [0215]) and ("Additionally, the method may be applied to create an abstraction between a user and the underlying account. A transaction endpoint can be abstracted to a user entity, which may be associated with multiple optional transactional endpoints (e.g., different bank accounts). Accordingly, the method may include selecting an institution, which functions to dynamically select a connected account to participate in a transaction. Various conditions may be set to respond to events when receiving a transaction request, collecting information for the transaction, and/or executing a transaction.", [0249]); 
establishing the account link to a user account of an account service using user credentials, and ("In one variation, the API 110 allows an API request to specify an account, and a response output provides the information related to executing a transaction with the endpoint. In one implementation, the API 110 can include at least one API resource for interacting with the transaction endpoint. As shown in FIG. 7, an endpoint information request can include institution credentials of an account. The credentials can include username and password.", [0252]);
receiving user identifying information of the first application context and ("According to an embodiment, a method is disclosed comprising: at a financial platform system constructed to programmatically access financial data: creating an application proxy instance that simulates an application of an external financial service system; receiving a normalized account request for financial data of the external financial service system for a specified account, the normalized account request being provided by an external financial application system by using a financial data API of the financial platform system; responsive to the normalized account request:", [015]) and ("a method is disclosed comprising a financial platform system receiving a normalized financial API request associated with at least one financial account endpoint, the normalized financial API request being provided by an external financial application system by using a financial platform API of the financial platform system, the normalized financial API request specifying account credentials of each financial account endpoint of the normalized financial API request; responsive to the normalized financial API request: collecting transaction information of each financial account endpoint of the normalized financial API request by using an application proxy instance associated with the financial account endpoint to collect the transaction information from a corresponding financial institution system by using the associated account credentials specified by the normalized financial API request and a proprietary Application Programming Interface (API) of the financial institution system;", [035]);
storing the user identifying information in association with the account link; and ("As shown, the external user account system 1206 may include a record vault 1302, which, as described herein, comprises one or more databases securely storing generated electronic records.", [0300]) and ("Establishing secure communication between the permissions plug-in 1210 and the permissions management system 1204 may include transmission of certain identifying information. For example the permissions plug-in 1210 and/or the external user-facing system/application 1208 may transmit a client ID (e.g., a unique identifier associated with the external user-facing system/application 1208), a user identifier (e.g., a unique identifier associated with the user), a secret key, and/or the like to the permissions management system 1204, which may be processed and verified by the permissions management system 1204.", [0319]), all electronic records, including user identifying information, may be stored;
within a second application context at the account-linking computing service: Per BRI as above, this limitation's meaning includes any  thing, doing, and/or step  of whatsoever kind done and/or performed  by said system post the above referenced initial doing(s) of said system,  .   .   .    ("receiving a request for second factor authentication information from the external computing device of the external institution; requesting, via the API of the computer system, the second factor authentication information from the developer computing device; receiving, via the API of the computer system, the second factor authentication information from the developer computing device; providing the second factor authentication information to the external computing device of the external institution;", [055])
receiving user identifying information of the second application context, Per BRI as above, this limitation's meaning includes any  thing, doing, and/or step  of whatsoever kind done and/or performed by said system relating to its receipt of ID sort of information,  .   .   .    ("Establishing secure communication between the permissions plug-in 1210 and the permissions management system 1204 may include transmission of certain identifying information. For example the permissions plug-in 1210 and/or the external user-facing system/application 1208 may transmit a client ID (e.g., a unique identifier associated with the external user-facing system/application 1208), a user identifier (e.g., a unique identifier associated with the user), a secret key, and/or the like to the permissions management system 1204, which may be processed and verified by the permissions management system 1204.", [0319]);
searching and identifying a candidate account link using the user identifying information of the second application context, ("The initial request may be received through a normalized API (e.g., API 110) as a connection request. The connection request may be accompanied by parameters that specify a selected institution (if there are multiple institution options) and user credentials for the institution. The user credentials may include a username, password, pin code, and/or any suitable credentials. The API request may additionally include authentication credentials such as a client identifier and secret token that is associated with the account in the system.", [0214]);
verifying eligibility for access to the account link, and  ("According to an aspect, the computer-implemented method further comprises: by the one or more hardware processors executing program instructions: verifying authorization to access the user account data based on the token.", [0103]) and ("According to yet another aspect, the unique identifier associated with the token is provided to the computing device associated with the external application by at least: providing a public token or key to the computing device associated with the external application; receiving, from the computing device associated with the external application, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and verifying the validity of the authentication information.", [0120]);
permitting access to the account link upon successful verification of eligibility.  ("The method may additionally include verifying transaction conditions during one or more stages. Transaction conditions may be used to take any suitable action. The available actions can include permitting a transaction or preventing a transaction.", [0244]) and (" For example, an account number and a routing number may be obtained, as well as verification of ownership of the account. In this variation, the system 100 provides the information to execute the transaction. In another embodiment, the method additionally executes the transaction having obtaining the required information and verification.", [0232]).

Regarding claims 2,14  (and claim 18, but see above Objection as per claim 18 which appears, to have the wrong dependency stated (this also applies to claims 17 and 19 - 20 as noted herein); Note that claim 18, and the others just mentioned, will be here considered in the spirit of compact prosecution):
Hockey discloses all the limitations of claims 1,13, respectively (see above note re: claim 18):
Hockey further teaches:
serving an authentication module to an application client of the first application context,    Per BRI, examiner equates "serving" to presenting,    ("authenticating, via the second institution interface module, the virtualized instance of the second mobile device application with the external computing device of the second external institution based on at least one of: an identifier code associated with a mobile device, an authentication token associated with a mobile device, or a Media Access Control (MAC) address associated with a mobile device;", [062]) and ("This block (and/or the 1610) may additionally involve presenting information to, and/or obtaining additional information from, the user for purposes to satisfying multi-factor authentication.", [0364])
collecting authentication credentials from the authentication module, ("Users may grant access to their user accounts by providing credentials related to those accounts.", [006]) and ("a method is disclosed comprising a financial platform system receiving a normalized financial API request associated with at least one financial account endpoint, the normalized financial API request being provided by an external financial application system by using a financial platform API of the financial platform system, the normalized financial API request specifying account credentials of each financial account endpoint of the normalized financial API request; responsive to the normalized financial API request: collecting transaction information of each financial account endpoint of the normalized financial API request .   .   .    and providing a normalized financial API response to the external financial application system, the normalized financial API response providing the transaction information of each financial account endpoint of the normalized financial API request, wherein each application proxy instance is constructed to simulate an application of the corresponding external financial institution system.", [035]);
performing an authentication process with the account service using the account credentials, and  ("receiving a request for second factor authentication information from the external computing device of the external institution; requesting, via the API of the computer system, the second factor authentication information from the developer computing device; receiving, via the API of the computer system, the second factor authentication information from the developer computing device; providing the second factor authentication information to the external computing device of the external institution; receiving, from the external computing device of the external institution, a response indicating acceptance of the second factor authentication information; requesting the transaction information from the external computing device of the external institution;", [055]);
storing the account credentials as part of a secure data store of the account link in response to successful authentication with the accounts service.  ("According to another aspect the computer-implemented method further comprises: by the one or more hardware processors executing program instructions: securely storing the electronic token.", [089]). and ("As shown, the external user account system 1206 may include a record vault 1302, which, as described herein, comprises one or more databases securely storing generated electronic records. Accordingly, in action 1 a, the electronic record that is generated by the external user account system 1206 is stored in the record vault 1302.", [0300]).

Regarding claim 3:
Hockey discloses all the limitations of claim 2:
Hockey further teaches:
wherein performing the authentication process with the account service comprises authenticating with the account service with a virtualized instance of an application as a form of virtualized authentication. (" The virtualized or simulated instances of the software applications may be authenticated with the external systems as if the virtualized/simulated instances are actually first-party software applications executing on a user computing device.", [008])

Regarding claim 5:
Hockey discloses all the limitations of claim 4:
Hockey further teaches:
wherein verifying eligibility for access to the account link comprises verifying a second eligibility condition   ("According to an aspect, the unique identifier associated with the token is provided to the computing device associated with the external application by at least: providing a public token or key to the computing device associated with the external application; receiving, from the computing device associated with the external application, authentication information including the public token or key, a secret key, and an identifier associated with the external application; and verifying the validity of the authentication information.", [0144]). 
Regarding claim 7:
Hockey discloses all the limitations of claim 5:
Hockey further teaches:
wherein receiving user identifying information of the first application context comprises receiving a first device profile of a first application client; wherein receiving user identifying information in the second application context comprises receiving a second device profile of a second application client; and wherein verifying the second eligibility condition comprises confirming a match of the first device profile and the second device profile.  ("comparing the one or more transaction details with the one or more permissions; determining, based on the comparing, whether or not the external application is authorized to initiate the transaction; and communicating, based on determining whether or not the external application is authorized to initiate the transaction, an authorization indication to the third-party processor.", [075]) and ("determining, based on the comparing, that the external application is authorized to initiate the transaction, wherein the authorization indication indicates that the external application is authorized to initiate the transaction; and communicating, to the third-party processor, the one or more items of user account data.", [076]).
Regarding claim 8:
Hockey discloses all the limitations of claim 1:
Hockey further teaches:
within the first application context, receiving confirmation of an account service application client instantiated on a computing device of the user; ("based on an analysis of interactions between an actual instance of a mobile device application associated with the external institution and the external computing device of the external institution; and instantiate a virtualized instance of the mobile device application associated with the external institution, wherein: the virtualized instance of the mobile device application is configured to communicate with the institution interface module of the computer system so as to interface with the external computing device of the external institution via the non-public API of the external computing device of the external institution, the non-public API of the external computing device of the external institution is configured to interact with the mobile device application,", [055]) 
if there is an available account service application client for the user, initiating user verification through the account service application client, and receiving confirmation of user verification from the account service. ("For example, an account number and a routing number may be obtained, as well as verification of ownership of the account. In this variation, the system 100 provides the information to execute the transaction. In another embodiment, the method additionally executes the transaction having obtaining the required information and verification.", [0232]).
Regarding claim 10:
Hockey discloses all the limitations of claim 1:
Hockey further teaches:
wherein the account service is a financial account service with transaction data of the user account, further comprising, within the second application context, receiving transaction information from a second application; and wherein verifying eligibility for access to the account link comprises querying the account service through the account link and confirming the transaction information in the transaction data of the user account. Per BRI as above, this limitation's interpreted to include any successful query to the above said service re account information. ("Information/data relating to a user account may be accessible through querying particular API resources via the API 110. For example, a list of transactions and information about each individual transaction may be accessible through different API calls of the API 110. Information can additionally relate to account summary information, account details such as address and contact information, information about other parties such as the entities involved in a transaction, and/or any suitable information. The API 110 may additionally be used to trigger or facilitate performing some action. For example, an API call may be used in transferring money, updating account information, setting up alerts, or performing any suitable action. Those skilled in the art will appreciate that such example API features that any suitable API feature possibilities and semantic architecture may be used.", [0207]).

Regarding claim 11:
Hockey discloses all the limitations of claim 1:
Hockey further teaches:
within the second application context receiving an account link access request that includes a set of requested access permissions, wherein verifying eligibility for access to the account link comprises for a first set of access permissions verifying a first set of eligibility conditions and for a second set of access permissions verifying a second set of eligibility conditions. Examiner per BRI  interprets this limitation to include that an account as detailed above may have two sets of authentication conditions   ("an mobile device identifier code, an mobile device authentication token, or a mobile device Media Access Control (MAC) address; request, by the virtualized instance of the mobile device application and via the non-public API of the external computing device of the external institution, the transaction data associated with the user from the external computing device of the external institution by: providing the username associated with the user and the password associated with the user to the external computing device of the external institution; receiving a request for second factor authentication information from the external computing device of the external institution; requesting, via the API of the computer system, the second factor authentication information from the developer computing device; receiving, via the API of the computer system, the second factor authentication information from the developer computing device; providing the second factor authentication information to the external computing device of the external institution; receiving, from the external computing device of the external institution, a response indicating acceptance of the second factor authentication information; requesting the transaction information from the external computing device of the external institution;", [055]).
Regarding claim 12:
Hockey discloses all the limitations of claim 1:
Hockey further teaches:
in response to failing to verify eligibility, establishing the account link to the user account of the account service using user credentials.  ("the method may detect an error condition and automatically fails over to the secondary account. In another variation, a set of accounts may be preconfigured to be used depending on properties of the request. In combination with the proxy transfer endpoint, the identifying information for the proxy endpoint can be used, but the underlying service automatically will use an automatically selected account to use for the funds.", [0249]).
Claim Rejections – 35 USC 103


In the event the determination of the status of the application as subject to AIA  35 USC 102 and 103 (or as subject to pre-AIA  35 USC 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 USC 103 which forms the basis for all obviousness rejections set forth in this Office Action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 USC 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating
     obviousness or nonobviousness.




Claims 4, 15, 19,  are  rejected pursuant to 35 USC 103 as being unpatentable over     Hockey  (US20170068954A1)  in view of Brown   (US20180295514A1).

Regarding claims 4,15,19:
Hockey discloses all limitations of claims 1, 13, respectively (see above note on dependencies):
Hockey further teaches: 
within the first application context, storing user identifying information with an association to the account link,  ("According to another aspect the computer-implemented method further comprises: by the one or more hardware processors executing program instructions: securely storing the electronic token.", [089]);
Hockey does not expressly disclose, but Brown   teaches:
wherein the user identifying information comprises at least a phone number;  ("In some embodiments, the first device identification information and the second device identification information is at least one of a telephone number, a device serial number, a unique serial number (ICCID), an international mobile subscriber identity (IMSI) number, or an International Mobile Equipment Identity (IMEI).", [017]) 
wherein verifying eligibility for access to the account link comprises performing one-time passcode verification with the phone number,  ("In an instance in which neither the carrier verification authentication process nor the stored authentication history authentication process can be performed, authentication may be performed via a process of sending a one-time passcode to a phone number associated with the target mobile device. As such, as shown in block 715 of FIG. 7, an apparatus, for example, apparatus 200 embodied by, for example, authentication service 102, server 114, or the like, may be configured to perform authentication via a process of sending a one-time passcode to a phone number associated with the target mobile device, for example, in an instance in which neither the carrier verification authentication process nor the stored authentication history authentication process can be performed.", [0150])

It would have been obvious to one of ordinary skill in the art before the effective filing date of this application to have modified Hockey to incorporate the teachings of Brown because Hockey would be more efficient and versatile if a phone number could be employed vis a vis a one-time passcode. ("This technique can be carried out by the authentication system or by the secured system, or another entity. The technique sends a One Time Passcode to the Mobile device using the Short Message Service. The user enters the code into a web page or application page to confirm receipt.", [0138] of Brown).

Claims 9, 16, 20   are  rejected pursuant to 35 USC 103 as being unpatentable over    Hockey  (US20170068954A1)  in view of Harris  (US20050268107A1).

Regarding claims 9,16,20:
Hockey discloses all limitations of claims 1, 14, respectively (see above note on dependencies per claim 20):
Hockey further teaches: 
within the first application context, storing user identifying information with an association to the account link,  ("According to another aspect the computer-implemented method further comprises: by the one or more hardware processors executing program instructions: securely storing the electronic token.", [089]);
Hockey does not expressly disclose, but Harris teaches:
establishing the account link to the user account comprises serving a fist instance of an authentication module and storing a cookie through the authentication module; ("Cookies are generally used to recognize users in order to pre-populate data fields and/or to maintain sessions. But cookies can also be used as a device ID. A site may place a unique secure cookie on a user's machine to create a software-protected device ID which unauthorized sites cannot access, and therefore cannot copy and use to impersonate the device. When the user signs on, the site can access the cookie, compare it to the copy of the user's cookie stored in the site's database and, if it matches, have a high level of assurance that the computer being used is the user's computer.", [035]);
and within the second application context, serving a second instance of an authentication module; and wherein receiving user identifying information of the second application context comprises reading the cookie from the second instance of the authentication module and using the cookie as verification if phone number is not available. ("At step 406 one or more device identifiers, such as encrypted cookies, and/or other identifiers are stored on the user computer system or one or more device identifiers, such as MAC addresses are retrieved from it, as described above, or other device identifiers, such as a mobile device identifier (e.g. a mobile telephone number), are received.", [0149]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of this application to have modified Hockey to incorporate the teachings of Harris because Hockey would be more efficient and versatile if a cookie could be employed in lieu of a phone number ("Cookies are generally used to recognize users in order to pre-populate data fields and/or to maintain sessions. But cookies can also be used as a device ID.", [035]) of Harris).

Claim 6   is rejected pursuant to 35 USC 103 as being unpatentable over    Hockey  (US20170068954A1)  in view of Woodward (US20190200227A1).


Regarding claim 6:
Hockey discloses all limitations of claim 5:
Hockey does not expressly  disclose, but Woodward teaches:
wherein verifying the second eligibility condition comprises requesting phone number change information from a phone carrier data application programming interface and indicating success of the second eligibility condition if the phone number is indicated to not have changed in a defined time window.  ("Number Change Event date—this date reflects when a mobile number has changed in a mobile phone account. The bank operating the customer data management system 134 may decide that a number change made after the date of enrollment should cause the phone number to appear on a “do not call” or “ineligible number” list, because of risk that the mobile device may be used by a person/subscriber who is not consented to calls.", [021]) 

It would have been obvious to one of ordinary skill in the art before the effective filing date of this application to have modified Hockey to incorporate the teachings of Woodward because Hockey would be more efficient and versatile if it could account for phone number changes ("Thus, a recent Mobile ID Created Date may reflect that the subscriber of the phone has changed and the number should not be used, if such date is after a customer has enrolled at system 130.", [020] of Woodward.

Conclusion


The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please see attached form 892.
Raposa  (US10250612B1) - Approaches presented herein can provide for end-to-end auditing of cross-account roles. A user associated with a first account might request some degree of access to resources associated with a second account. A role can be assumed by that user that delegates access to those resources, and the user can be issued temporary credentials to obtain the access. In order to provide for full auditing of these cross-account roles, calls that assume a role in one account can be linked to resource-related calls under a different account, which can include a third party account. Information can be obtained from both accounts that can be linked using an identifier provided to each environment as part of the role assumption. The linking can provide a full audit chain from end user to resource access across the separate accounts.
Page (US10142307B1) -   A system and method allows a matching system to mediate requests for information among different computer systems without storing information that can be used to log into those computer systems.
Clark (US20150317613A1) - A computer-implemented method for authorizing access to transaction data to a third-party computer system is implemented by a payment processor computer system coupled to a memory. The method includes receiving a request for access to transaction data associated with a cardholder account, requesting a set of authentication information associated with the cardholder account, authenticating the set of authentication information upon receiving the set of authentication information, and authorizing the third-party computer system to receive transaction data associated with the cardholder account. Upon validation, the payment processor computer system generates an authorization token and provides the authorization token to the third-party computer system. The third-party computer system uses the authorization token and a secure identifier to retrieve transaction data associated with the cardholder account.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW COBB whose telephone number is (571) 272-3850. The examiner can normally be reached 9 - 5, M - F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael W. Anderson can be reached at (571) 270-0508. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.





/MATTHEW COBB/Examiner, Art Unit 3698                                                                                                                                                                                                        /BRUCE I EBERSMAN/Primary Examiner, Art Unit 3698