CTFR 19/063,282 CTFR 84031 DETAILED ACTION Notice of Pre-AIA or AIA Status 07-03-aia AIA 15-10-aia The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This application is a CON of 17/739,056 05/06/2022 (now abandoned). The present amended claims 2-21 are similar to the abandoned claims of 17/739,056 filed on 12/11/2024. Foreign Priority Acknowledgment is made of applicant's claim for foreign priority based on an application filed in India on 05/08/2021. 12-151 AIA 26-51 12-51 Status of Claims Claim 1 is cancelled. Claims 2-21 are currently pending and rejected. Claim Rejection – 35 U.S.C. 101 07-04-01 AIA 07-04 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 2-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The rationale for this finding is explained below. In the instant case, the claims are directed towards accessing transaction data, analyzing the accessed data, calculating a plurality of network risk scores, determining a most vulnerable risk that is likely to happen, and causing a preventive actions for the most vulnerable risk. The concept is clearly related to managing personal behavior associated with an account, thus the present claims fall within the Certain Method of Organizing Human Activity grouping. Moreover, the claimed steps could be performed mentally, thus the present claims also fall within the Mental Processes grouping. The claims do not include limitations that are “significantly more” than the abstract idea because the claims do not include an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment. Note that the limitations, in the instant claims, are done by the generically recited computer device. The limitations are merely instructions to implement the abstract idea on a computer and require no more than a generic computer to perform generic computer functions that are well-understood, routine and conventional activities previously known to the industry. Therefore, claims 2-21 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter. Step 1: The claims 2-21 are directed to a process, machine, manufacture, or composition matter. In Alice Corp. Pty. Ltd. v. CLS Bank Intern ., 134 S. Ct. 2347 (2014), the Supreme Court applied a two-step test for determining whether a claim recites patentable subject matter. First, we determine whether the claims at issue are directed to one or more patent-ineligible concepts, i.e., laws of nature, natural phenomenon, and abstract ideas. Id. at 2355 (citing Mayo Collaborative Servs. v. Prometheus Labs., Inc. , 132 S. Ct. 1289, 1296–96 (2012)). If so, we then consider whether the elements of each claim, both individually and as an ordered combination, transform the nature of the claim into a patent-eligible application to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. Claims 2-9 are directed to a process (i.e., method claims). Claims 1-16 are directed to a machine (i.e. system claims). Claims 17-21 are directed to a manufacture (i.e., non-transitory computer readable storage medium claims). Step 2A: The claims are directed to an abstract idea. Prong One The present claims are directed towards accessing transaction data, analyzing the accessed data, calculating a plurality of network risk scores, determining a most vulnerable risk that is likely to happen, and causing a preventive actions for the most vulnerable risk. Claim 2, for example, recites accessing payment transaction data associated with a cardholder within a predetermined time period, generating a set of transaction features, determining a plurality of network risk scores based on the set of transaction features, aggregating the plurality of network risk scores to calculate an overall account risk score based on a statistical model, determining a most vulnerable risk that is likely to happen, and causing a preventive actions for the most vulnerable risk. The concept is clearly related to managing personal behavior associated with an account, thus the present claims fall within the Certain Method of Organizing Human Activity grouping. Moreover, the claimed steps could be performed mentally, since the claimed steps are mostly performing calculations with unspecified amount of data or computation difficulty. As such, the present claims also fall within the Mental Processes grouping. The performance of the claim limitations using generic computer components (i.e. a server system comprising a communication interface, a processor, and a memory) does not preclude the claim limitation from being in the certain methods of organizing human activity grouping and mental processes grouping. The use of machine learning models does not render the claims less abstract, because machine learning was well-known and the preset claims do not improve machine learning itself. Accordingly, this claim recites an abstract idea. Prong Two Independent claim 2 recites a server system as additional element. Independent claim 10 recites a server system comprising a communication interface, a memory, and a processor as additional elements. Independent claim 17 recites a non-transitory medium, and a processor of a system as additional elements. The additional elements are claimed to perform basic computer functions, such as accessing data from a database, generating data based on accessed data, performing calculations, and transmitting notification over network. Dependent claims 3-9, 11-16, and 18-21 do not recite any additional element. The recitation of the computer elements amounts to mere instruction to implement an abstract concept on computers. The present claims do not solve a problem specifically arising in the realm of computer networks. Rather, the present claims implement an abstract concept using existing computer technology in a networked computer environment. The present claims do not recite limitation that improve the functioning of computer, effect a physical transformation, or apply the abstract concept in some other meaningful way beyond generally linking the use of the abstract concept to a particular technological environment. As such, the present claims fail to integrate into a practical application. Amended claim 2 recites “transmitting, by the server system, the notification to an issuer server to perform the recommended preventive action by focusing card-reissuance efforts only on cardholders for which card reissuance is indicated, thereby preventing reissuance of a physical payment card associated with the payment account of the cardholder”. Examiner points out that reissuing only cards deemed to be compromised had been a longstanding practice in the banking industry. Issuers do not reissue all cards when a few cards are found to be compromised. Doing so is cost inhibitive for issuers. For example, Graves (Pub. No.: US 2013/032596) filed on 05/31/2012 teaches “misconduct prevention values calculated for a plurality of user accounts may be used to determine which user accounts are most suspicious so that security resources may be focused on such user accounts” (see paragraph 0009). Reciting a standard practice in the industry cannot improve computer function or other technology. Step 2B: The claims do not recite additional elements that amount to significantly more than the abstract idea. Independent claim 2 recites a server system as additional element. Independent claim 10 recites a server system comprising a communication interface, a memory, and a processor as additional elements. Independent claim 17 recites a non-transitory medium, and a processor of a system as additional elements. Dependent claims 3-9, 11-16, and 18-21 do not recite any additional element. The additional elements are claimed to perform basic computer functions, such as accessing data from a database, generating data based on accessed data, performing calculations, and transmitting notification over network. According to MPEP 2106.05(d) , “performing repetitive calculations”, “receiving, processing, and storing data”, “electronically scanning or extracting data from a physical document”, “electronic recordkeeping”, “storing and retrieving information in memory”, and “receiving or transmitting data over a network, e.g., using the Internet to gather data” are considered well-understood, routine, and conventional functions of computer. The present claims do not improve the functioning of computer technology. Simply implementing the abstract idea on a generic computer or using a computer as a tool to perform an abstract idea cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. Therefore, the present claims are ineligible for patent. Prior Art Cited Not Applied Wu et al. (Pub. No.: US 2022/0108329) is cited, because the prior art teaches the following limitations in independent claim 2, 10, and 17: accessing, by a server system, payment transaction data associated with a cardholder from a transaction database (see paragraph 0006, “a computer-implemented method for fraud prevention may include receiving transaction data associated with a plurality of transactions of at least one payment account”), the payment transaction data comprising a plurality of transaction indicators of payment transactions performed by the cardholder within a predetermined time period (see paragraph 0007, “the transaction data may include all transaction associated with the least one account during a preceding time period”; also see paragraph 0023, 0027, 0079, 0100, 0101, 0107, for example); generating, by the server system, a set of transaction features based, at least in part, on the plurality of transaction indicators (see paragraph 0112, 0117, “For example, transaction service provider system 102 and/or issuer system 104 may determine whether to accept or reject the subsequent transaction based solely on the fraud risk score or may determine whether to accept or reject the subsequent transaction based on the fraud risk score and other criteria(e.g., criteria otherwise used by transaction service provider system 102 and/or issuer system 104 to determine whether to accept and/or reject a transaction, such as a predictive model, a deep learning model, a set of rules, features of transaction data and/or attributes determined based thereon, any combination therefore, and/or the like)”); determining, by the server system, a plurality of network risk scores associated with the cardholder based, at least in part, on the set of transaction features and a set of trained machine learning models (see paragraph 0006, “A fraud score for each subperiod of a plurality of subperiods in a time period following the attempted attack(s) may be generated based on the transaction data using a deep learning model and a survival model”; see paragraph 0010, 0022 for generating risk scores using machine learning models; also see paragraph 0008, 0016, 0024, 0108 for different learning models); and transmitting, by the server system, a notification to an issuer server associated with the cardholder based, at least in part, on the overall account risk score (see paragraph 0115, “the further action may include sending a notification indicating that the payment account is in the high risk category (e.g., to issuer system 104, a fraud detection system (e.g., of transaction service provider system 102 and/or issuer system 104), and/or the like)”). Joa et al. (Pub. No.: US 2010/0070405) is cited, because the prior art teaches the following limitations in independent claim 2, 10, and 17: determining, by the server system, a plurality of network risk scores associated with the cardholder for a prediction window, where the plurality of network risk scores comprising at least one or more of: (a) a payment capacity risk score, (b) a contactless payment risk score, and (c) a set of account-level risk scores (see paragraph 0049, “Evaluation of wireless number risk scores may be employed by the financial institution extending credit or maintaining the deposit account. Sample factors considered in the wireless number risk analysis include wireless phone number, wireless phone model, length of wireless number ownership, amount of wireless bill, wireless service provider, number of distinct phone number called, number of late payments, number of nonsufficient (NSF) items, amount of NSF items, prior POS purchase history, prior credit history”; prior art considers a plurality of risk factors, which could be interpreted as category risk scores of an overall risk score; number of late payments, number of NSF items, and amount of NSF items are indications for payment capacity risk; wireless number risk including prior POS purchase history is an indication of a contactless payment risk; and prior credit history is an indication of account-level risk); and aggregating, by the server system, the plurality of network risk scores to calculate an overall account risk score associated with cardholder based, at least in part, on a statistical model (see paragraph 0028, “Wireless number risk scores may be used in conjunction with…other available risk identifiers in determining whether to grant these applications”, prior art teaches wireless number risk score is aggregated with other available risk scores to determine the overall risk of the account). However, neither Wu et al. nor Joa et al. teach “wherein the payment capacity risk score is determined by the following: calculating, by the server system, a credit burst score based, at least in part, on spend behavioral data associated with the cardholder; determining, by the server system, whether the credit burst score being at least equal to a pre-defined threshold value; and in response to determining that the credit burst score is at least equal to the pre-defined threshold value, determining, by the server system, an account attrition score and a non-sufficient funds (NSF) score associated with the cardholder”, as recited in the independent claims. Raptnapu et al. (Pub. No.: US 2020/0043006) teaches the concept of detecting risky account status by determining whether current spending amount is more than three deviations from the mean of all spend transactions (see paragraph 0024). Paragraph 0099 of applicant’s specification discloses that credit burst score may be calculated as mean + 2 sigma. However, Raptnapu et al. does not fulfill the deficiency of Wu et al. and Joa et al., as the prior art fails to teach “wherein the payment capacity risk score is determined by the following: calculating, by the server system, a credit burst score based, at least in part, on spend behavioral data associated with the cardholder; determining, by the server system, whether the credit burst score being at least equal to a pre-defined threshold value; and in response to determining that the credit burst score is at least equal to the pre-defined threshold value, determining, by the server system, an account attrition score and a non-sufficient funds (NSF) score associated with the cardholder”. Examiner points out that these novel features sit entirely in the realm of abstract concept. They are the abstract concept itself, thus they do not integrate the abstract concept into a practical application. Therefore, the present claims are still ineligible for patent under 35 U.S.C. 101. Response to Remarks In the response filed on 05/11/2026, Applicant amended independent claim 2 by adding a new limitation, “transmitting, by the server system, the notification to an issuer server to perform the recommended preventive action by focusing card-reissuance efforts only on cardholders for which card reissuance is indicated, thereby preventing reissuance of a physical payment card associated with the payment account of the cardholder”. Examiner points out that reissuing only cards deemed to be compromised had been a longstanding practice in the banking industry. Issuers do not reissue all cards when a few cards are found to be compromised. Doing so is cost inhibitive for issuers. Similarly, claim 3 now recites a limitation, “the notification causes the issuer server to allocate card-reissuance resources to the most vulnerable risk and not allocate card-reissuance to risk that are not the most vulnerable risk”; claim 10 and 17 now recite “cause, by the server system, a preventive action for only the most vulnerable risk, the preventive action reducing the most vulnerable risk by preventing at least reissuance of a physical payment card associated with the payment account of the cardholder”. These limitations are standard practice in the banking industry, thus they do not improve computer function or any other technology. Applicant's arguments filed 05/11/2026 have been fully considered but they are not persuasive. Step 2A Prong 1 Applicant argued that “claim 2, in part recites at least ‘based, at least in part, on the most vulnerable risk being likely to happen from the payment account of the plurality of cardholders, generating, by the server system, a notification identifying the most vulnerable risk and a recommended preventive action for only the most vulnerable risk; and transmitting, by the server system, the notification to an issuer server to perform the recommended preventive action by focusing card-reissuance efforts only on cardholders for which card reissuance is indicated, thereby preventing reissuance of a physical payment card associated with the payment account of the cardholder”. As discussed earlier, notifying issuers to perform a recommended preventive action, such as reissuing card, to only accounts with the most vulnerable risk had been a standard practice in banking industry. For example, Graves (Pub. No.: US 2013/0325696) filed on 05/31/2012 teaches “misconduct prevention values calculated for a plurality of user accounts may be used to determine which user accounts are most suspicious so that security resources may be focused on such user accounts” (see paragraph 0009). Reciting such practice does not direct the claim away from longstanding economic practice. Therefore, the amended claims still fall under the grouping of Certain Methods of Organizing Human Activities. Step 2A Prong 2 Applicant argued that claim 2 “prevents reissuance of a physical payment card, which produces a real-world, system-level effect including modifying operation of card issuance systems, preventing unnecessary card manufacturing, encoding and distribution, and avoiding downstream transaction processing load associated with newly issued cards”, and as such claim 2 “reflects a technical solution to a technical problem in payment processing systems”. Examiner disagrees for the same rationale mentioned earlier. notifying issuers to perform a recommended preventive action, such as reissuing card, to only accounts with the most vulnerable risk had been a standard practice in banking industry. None of the issuers in the industry would reissue cards to all accounts when just some were found to be compromised. Doing that would be cost inhibitive. For example, Graves (Pub. No.: US 2013/0325696) filed on 05/31/2012 teaches “misconduct prevention values calculated for a plurality of user accounts may be used to determine which user accounts are most suspicious so that security resources may be focused on such user accounts” (see paragraph 0009). Reciting a standard practice in the industry cannot improve computer function or other technology. Applicant attempted to draw analogy to claim 3 of Example 47 in July 2024 Subject Matter Eligibility Examples . Examiner disagrees and points out that the present claims do not recite steps like step (d)-(f) in claim 3 of Example 47. Claim 3 of Example 47 recites “(d) detecting a source address associated with the one or more malicious network packets in real time; (e) dropping the one or more malicious network packets in real time; and (f) blocking future traffic from the source address”. The example states steps (d)-(f) “provide for improved network security using the information from detection to enhance security by taking proactive measures to remediate the danger by detecting the source address associated with the potentially malicious packets”. These steps were unknown in the prior arts and could not be performed in the human mind. The present claim 2, however, recites “transmitting, by the server system, the notification to an issuer server to perform the recommended preventive action by focusing card-reissuance efforts only on cardholders for which card reissuance is indicated, thereby preventing reissuance of a physical payment card associated with the payment account of the cardholder”. Claim 2 merely requires transmitting a message to an issuer server, telling the issuer to focus on comprised cards and do nothing to other cards. In this case, the amended feature of claim 2 does not improve network functionality, since sending message/notification is a basic computer function, according to MPEP 2016.05(d). The reissuance of the physical payment card is not performed by the claimed server system, but by an external issuer server. More, the amended step merely means reissue cards to cardholders for which cards reissuance is indicated, and this is how standard procedure works in banking industry. Furthermore, the amended feature is not blocking malicious transmission from suspicious IP address. Rather, the amended feature merely prevents reissuance of card to account not deemed suspicious (yet, non-suspicious accounts were not receiving reissued cards in the first place). For these reasons, the amended feature does not indicate integration into practical application. Step 2B Applicant argued that inventive concept may be found in the non-conventional and non-generic arrangement of limitation of the claim 2, and again emphasizing on the limitations, “generating, by the server system, a notification identifying the most vulnerable risk and a recommended preventive action for only the most vulnerable risk; and transmitting, by the server system, the notification to an issuer server to perform the recommended preventive action by focusing card-reissuance efforts only on cardholders for which card reissuance is indicated, thereby preventing reissuance of a physical payment card associated with the payment account of the cardholder”. Examiner points out that the present claims do not actually recite non-conventional arrangement of system components similar to the BASCOM case. As discussed earlier, notifying issuers to perform a recommended preventive action, such as reissuing card, to only accounts with the most vulnerable risk had been a standard practice in banking industry. For example, Graves (Pub. No.: US 2013/0325696) filed on 05/31/2012 teaches “misconduct prevention values calculated for a plurality of user accounts may be used to determine which user accounts are most suspicious so that security resources may be focused on such user accounts” (see paragraph 0009). The present claims do not improve the functioning of computer technology. Simply implementing the abstract idea on a generic computer or using a computer as a tool to perform an abstract idea cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. Therefore, the present claims are ineligible for patent. Examiner maintains the ground of rejection under 35 U.S.C. 101. Conclusion 07-39 AIA THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAO FU whose telephone number is (571)270-3441. The examiner can normally be reached 9:00 AM - 6:00 PM PST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine M Behncke can be reached at (571) 272-8103. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /HAO FU/Primary Examiner, Art Unit 3695 MAY-2026 Application/Control Number: 19/063,282 Page 2 Art Unit: 3695 Application/Control Number: 19/063,282 Page 3 Art Unit: 3695 Application/Control Number: 19/063,282 Page 4 Art Unit: 3695 Application/Control Number: 19/063,282 Page 5 Art Unit: 3695 Application/Control Number: 19/063,282 Page 6 Art Unit: 3695 Application/Control Number: 19/063,282 Page 7 Art Unit: 3695 Application/Control Number: 19/063,282 Page 8 Art Unit: 3695 Application/Control Number: 19/063,282 Page 9 Art Unit: 3695 Application/Control Number: 19/063,282 Page 10 Art Unit: 3695 Application/Control Number: 19/063,282 Page 11 Art Unit: 3695 Application/Control Number: 19/063,282 Page 12 Art Unit: 3695 Application/Control Number: 19/063,282 Page 13 Art Unit: 3695 Application/Control Number: 19/063,282 Page 14 Art Unit: 3695 Application/Control Number: 19/063,282 Page 15 Art Unit: 3695 Application/Control Number: 19/063,282 Page 16 Art Unit: 3695 Application/Control Number: 19/063,282 Page 17 Art Unit: 3695