Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections
Claims 14 and 18 are objected to because of the following informalities.
In claim 14, applicant recites “the subcontractor review phase comprise,” instead of “comprises.”
In claim 18, applicant recites “he client comprises an entity within an industry, filed, or business that is subject to stringent regulation,” where applicant most likely meant “field.” Appropriate correction is required.

Claim Rejections - 35 USC § 101, First Grounds
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Section 33(a) of the America Invents Act reads as follows:  
Notwithstanding any other provision of law, no patent may issue on a claim directed to or encompassing a human organism.  

Claims 11-18 are rejected under 35 U.S.C. 101 and section 33(a) of the America Invents Act as being directed to or encompassing a human organism.  See also Animals - Patentability, 1077 Off. Gaz. Pat. Office 24 (April 21, 1987) (indicating that human organisms are excluded from the scope of patentable subject matter under 35 U.S.C. 101).  
explicitly stated the “client,” “vendor management entity,” and “third-party vendor” may comprise persons and/or parties {i.e. groups of people; para. [0027], [0028], [0029]}, a rejection under 35 U.S.C. 101 is appropriate. Dependent claims  12-18 are rejected due to their dependency, in addition to explicitly reciting “client,” “vendor management entity,” and “third-party vendor.” 

Claim Rejections - 35 USC § 101, Second Grounds
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is not directed to patent eligible subject matter. The claimed matter is directed to a judicial exception (i.e. an abstract idea not integrated into a practical application) without significantly more.

Step 1 (The Statutory Categories): Is the claim to a process, machine, manufacture or composition of matter?  MPEP 2106.03
Per Step 1, claim 1 is directed to a method; claim 11 is directed to system. Thus, independent claims 1 and 11 are directed to a statutory category of invention.  
However, claims 1 and 11 are rejected under 35 U.S.C. 101 because the claims are directed to an abstract idea, a judicial exception, without reciting additional elements that integrate the judicial exception into a practical application. 
The abstract idea of claim 1 is, essentially a risk management lifecycle, recited in the claim as “conducting a pre-engagement meeting with a client; conducting a risk assessment phase, wherein a vendor management entity determines and reviews the client's applicable regulatory categories and the vendor management entity further analyzes the client's risks associated with current or proposed vendor relationships; conducting a due diligence phase, wherein the vendor management entity performs a due diligence review of a third-party vendor; and conducting a monitoring and reporting phase, wherein the vendor management entity provides monitoring and reporting of the third-party vendor's compliance with applicable regulatory requirements.” 
The abstract idea of claim 11 is, essentially, a risk management lifecycle, recited in the claim as “a vendor management entity; a client; a third-party vendor; wherein the vendor management entity provides a vendor management service; and the vendor management service comprises one or more of the following: a pre-engagement phase, a risk assessment phase, a due diligence phase, a contracting phase, and a monitoring and reporting phase.”

Step 2A Prong 1: Does the claim recite an abstract idea, law of nature, or natural phenomenon? MPEP 2106.04, see also October 2019 Patent Eligibility Guidance Update (issued October 17, 2019) (“2019 PEG Update”). 
The limitations, as drafted, constitute a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind. In this case, an individual (“vendor management entity”) could mentally assess the “client” prior to engagement (pre-engagement phase), assess risk (risk assessment phase), perform due diligence (due diligence phase), assess contractors or “third-party vendors” (contracting phase), and monitor progress (monitoring and reporting phase). Indeed, by applicant’s own admission, such a process entails a “vendor management entity” that comprises “the person, business, organization, institution, or other entity providing the vendor management methods” (para. [0027] of applicant’s published application}. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, then it falls within the Mental Processes – Concepts Performed in the Human Mind (e.g. observation, evaluation, judgement, opinion) grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
Additionally, the limitations, as drafted, constitute a process that, under its broadest reasonable interpretation, covers commercial activity. That is, the drafted process is comparable to an advertising, marketing, sales activities or behaviors, business relationships process, i.e. managing vendors. If a claim limitation, under its broadest reasonable interpretation, covers performance of limitations of agreements in form of contracts, legal obligations, advertising, marketing, sales activities or behaviors, business relationships, then it falls within the Certain Methods of Organizing Human Activity – Commercial or Legal Interactions (e.g. agreements in form of contracts, legal obligations, advertising, marketing, sales activities or behaviors, business relationships) grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
Lastly, the limitations, as drafted, constitute a process that, under its broadest reasonable interpretation, covers fundamental economic principles or practices. That is, the drafted process is comparable to a hedging, insurance, or mitigating risk, i.e. a process aimed at reducing risk associated with third-party vendors. If a claim limitation, under its broadest reasonable interpretation, covers performance of hedging, insurance, or mitigating risk, then it falls within the Certain Methods of Organizing Human Activity – Fundamental Economic Principles or Practices (e.g. hedging, insurance, mitigating risk) grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

Step 2A Prong 2: Does the claim recite additional elements that integrate the judicial exception into a practical application?  MPEP 2106.04, see also 2019 PEG Update.
	Claims 1 and 11 do not recite additional elements beyond the abstract idea. Therefore, per Step 2A, Prong Two, the claim is directed to an abstract idea not integrated into a practical application.
Claims 1 and 11 do not recite any computer or other technology. Accordingly, the abstract idea is not integrated into a practical application because (1) the limitations do not effect improvements to the functioning of a computer, or to any other technology or technical field (see MPEP 2106.05 (a)); (2) the limitations do not apply or use the abstract idea to effect a particular treatment or prophylaxis for a disease or a medical condition (see the Vanda memo); (3) the limitations do not apply the abstract idea with, or by use of, a particular machine (see MPEP 2106.05 (b)); (4) the limitations do not effect a transformation or reduction of a particular article to a different state or thing (see MPEP 2106.05 (c)); (5) the limitations do not apply or use the abstract idea in some other meaningful way beyond generally linking the use of the identified abstract idea to a particular technological environment, such that the claim as a whole is more than a drafting effort designated to monopolize the exception (see MPEP 2106.05 (e) and the Vanda memo). 

Step 2B (The Inventive Concept): Does the claim recite additional elements that amount to significantly more than the judicial exception? MPEP 2106.05.
	Step 2B of the eligibility analysis concludes that the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. Applicant is referred to the Step 2A, Prong 2 analysis above, which demonstrates that the claim is nothing more than the abstract idea. 
When the independent claims are considered as a whole, as a combination, the claim elements noted above do not amount to any more than they amount to individually. The operations appear to merely apply the abstract concept to a technical environment in a very general sense. The most significant elements of the claims, that is the elements that really outline the inventive elements of the claims, are set forth in the elements identified as an abstract idea. Therefore, it is concluded that the elements of the independent claims are directed to one or more abstract ideas and do not amount to significantly more. (MPEP 2106.05)
	Further, Step 2B of the analysis takes into consideration all dependent claims as well, both individually and as a whole, as a combination:
Claims 2-10 and 11-18 are not directed to any additional abstract ideas but are directed to narrowing the abstract idea and therefore would still fall into the same groupings of 1) Mental Processes – Concepts Performed in the Human Mind; 2) Certain Methods of Organizing Human Activity – Commercial or Legal Interactions; 3) Certain Methods of Organizing Human Activity – Fundamental Economic Principles or Practices.
The most significant elements of the claims, that is the elements that really outline the inventive elements of the claims, are set forth in the elements identified in the independent claims as an abstract idea. Therefore, it is concluded that the dependent claims of the instant application do not amount to significantly more either. See MPEP 2106.05.
In sum, claims 1-18 are rejected under 35 USC 101 as being directed to non-statutory subject matter.  

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-10 and 12-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
In claim 1, applicant recites “from a single source.” It’s unclear what applicant means by “single source” in the context of the claim, and the specification does not provide additional guidance for establishing the bounds. A “source” could, for example, encompass a human completing the tasks, a machine, or a combination. For these reasons, the claim limitation is indefinite. Appropriate correction is required.
In claim 4, applicant recites “compliance/legal.” It’s unclear if applicant meant “compliance and legal,” “compliance or legal,” or “compliance and/or legal.” Appropriate correction is required.  
In claim 4, applicant recites “the due diligence phase comprises a financial review, a security review, a review of operations, a compliance/legal review, or a combination thereof.” It’s unclear from this language if applicant intends to claim “the due diligence phase comprises a financial review, a security review, a review of operations, and a compliance/legal review, or a combination thereof” or “the due diligence phase comprises a financial review, a security review, a review of operations, or a compliance/legal review, or a combination thereof.” For the purposes of examining, it was assumed applicant meant the latter. Appropriate correction is required.
In claim 5, applicant recites “reviewing the third-party vendor's policies, processes, internal controls, or a combination thereof.” It’s unclear from this language if applicant intends to claim “reviewing the third-party vendor's policies, processes, and internal controls, or a combination thereof” or “reviewing the third-party vendor's policies, processes, or internal controls, or a combination thereof” For the purposes of examining, it was assumed applicant meant the latter. Appropriate correction is required.
In claim 6, applicant recites “the vendor management entity provides status reports at more frequent intervals as compared to third-party vendor relationships that involve a non-critical activity, performs more comprehensive monitoring and reporting as compared to third-party vendor relationships that involve a non-critical activity, or a combination thereof.” It’s unclear from this language if applicant intends to claim “the vendor management entity provides status reports at more frequent intervals as compared to third-party vendor relationships that involve a non-critical activity, and performs more comprehensive monitoring and reporting as compared to third-party vendor relationships that involve a non-critical activity, or a combination thereof” or “the vendor management entity provides status reports at more frequent intervals as compared to third-party vendor relationships that involve a non-critical activity, or performs more comprehensive monitoring and reporting as compared to third-party vendor relationships that involve a non-critical activity, or a combination thereof.” For the purposes of examining, it was assumed applicant meant the latter. Appropriate correction is required.
In claim 7, applicant recites “monitoring for any issue, deficiency, concern, or red flag, and notifying the client if any issue, deficiency, concern, or red flag is discovered, wherein notifying the client comprises issuing a deficiency report to the client, wherein the deficiency report comprises an identification of the particular cause for concern, an explanation of what triggered the red flag, or a combination thereof.” It’s unclear from this language if applicant intends to claim “monitoring for any issue, deficiency, concern, or red flag, and notifying the client if any issue, deficiency, concern, or red flag is discovered, wherein notifying the client comprises issuing a deficiency report to the client, wherein the deficiency report comprises an identification of the particular cause for concern, and an explanation of what triggered the red flag, or a combination thereof” or “monitoring for any issue, deficiency, concern, or red flag, and notifying the client if any issue, deficiency, concern, or red flag is discovered, wherein notifying the client comprises issuing a deficiency report to the client, wherein the deficiency report comprises an identification of the particular cause for concern, or an explanation of what triggered the red flag, or a combination thereof.” For the purposes of examining, it was assumed applicant meant the latter. Appropriate correction is required.
In claim 7, applicant recites “monitoring for any issue, deficiency, concern, or red flag”; however, the proceeding claim language claims “wherein notifying the client comprises issuing a deficiency report to the client, wherein the deficiency report comprises an identification of the particular cause for concern, an explanation of what triggered the red flag, or a combination thereof.” This limitation implies that both the “concern” and “red flag” are required, where applicant had previously claimed “issue, deficiency, concern, or red flag.” Examiner also notes that applicant’s claim language does not provide for the “deficiency report comprises an identification of the deficiency.” Appropriate correction of these discrepancies is required.
In claim 8, applicant recites “the vendor management entity increases the frequency of status reports for the particular third-party vendor, performs more comprehensive monitoring and reporting for the particular third-party vendor, or a combination thereof.” It’s unclear from this language if applicant intends to claim “the vendor management entity increases the frequency of status reports for the particular third-party vendor, and performs more comprehensive monitoring and reporting for the particular third-party vendor, or a combination thereof” or  “the vendor management entity increases the frequency of status reports for the particular third-party vendor, or performs more comprehensive monitoring and reporting for the particular third-party vendor, or a combination thereof.” For the purposes of examining, it was assumed applicant meant the latter. Appropriate correction is required.
In claim 12, applicant recites “the system comprises a life cycle of services that move serially through the pre-engagement phase, the risk assessment phase, the due diligence phase, the contracting phase, and the monitoring and reporting phase.” However, claim 11, the parent claim, only requires “one or more of the following” phases. Appropriate correction of this discrepancy is required. 
In claim 13, applicant recites “the due diligence review phase”; however, claim 11, the parent claim, only requires “one or more of the following phases.” Appropriate correction is required.
In claim 13, applicant recites “the operational review comprises an analysis of the third-party vendor's strategies, goals, employment policies, employment practices, growth plans, business experience, reputation, market share, reference checks, qualifications, resilience, incident reporting, management programs, human resources management, talent retention, or a combination thereof.” It’s unclear from this language if applicant intends to claim “the due diligence review comprises an operational review, wherein the operational review comprises an analysis of the third-party vendor's strategies, goals, employment policies, employment practices, growth plans, business experience, reputation, market share, reference checks, qualifications, resilience, incident reporting, management programs, human resources management, and talent retention, or a combination thereof” or “the operational review comprises an analysis of the third-party vendor's strategies, goals, employment policies, employment practices, growth plans, business experience, reputation, market share, reference checks, qualifications, resilience, incident reporting, management programs, human resources management, or talent retention, or a combination thereof.” For the purposes of examining, it was assumed applicant meant the latter. Appropriate correction is required.
In claim 15, applicant recites “the subcontractor review”; however, claim 11, the parent claim, makes no such admission, this amounting to a lack of antecedent basis. Appropriate correction is required.
In claim 18, applicant recites “stringent,” which is a relative term. Since the specification does not provide additional guidance for ascertaining the bounds, the claim is indefinite. Appropriate correction is required. 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 11, 13-15, and 18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by over OCC 2013-29 (hereinafter “OCC”; NPL attached).

Claim 11
Regarding claim 11, OCC discloses: a centralized system for managing third-party vendor relationships {examiner’s interpretation is that OCC describes a “centralized system,” since it relates to “centralized” decision-making regarding “managing third-party vendor relationships”; see examiner-underlined portion on page 1, under Summary; OCC’s third parties comprise “vendors,” as seen by third-party functions described on page 1, under Background} comprising:
a vendor management entity and a client {examiner’s interpretation, given broadest reasonable interpretation, is that bank business units and/or employees are a “client” of a “vendor management entity” embodied by the bank’s management and/or board of directors, since the management and/or board of directors is making decisions regarding “vendor management” for the bank’s business units and/or employees; see examiner-underlined portion on page 1, under Note for Community Banks};
a third-party vendor {OCC’s third parties comprise “vendors,” as seen by third-party functions described on page 1, under Background}; wherein 
the vendor management entity provides a vendor management service {the “vendor management entity,” i.e. the management and/or board of directors, is making decisions regarding “vendor management” for the bank’s business units and/or employees and thereby providing a “vendor management service”; see examiner-underlined portion on page 1, under Note for Community Banks}; and 
the vendor management service comprises one or more of the following: a pre-engagement phase, a risk assessment phase, a due diligence phase, a contracting phase, and a monitoring and reporting phase {risk assessment phase, due diligence phase, contracting phase, monitoring and reporting phase disclosed by OCC, as articulated by examiner in rejection of claims 1 and 3 below; as explained in rejection of claim 1, examiner interprets “risk assessment phase” as being described under Planning Phase in examiner-underlined portion on bottom of page 2 and top of page 3, first bullet point, both of which explicitly mention developing a plan that considers level of risk, i.e. a “risk assessment,” thereby defining a “risk assessment phase”}.

Claim 13
Regarding claim 13, OCC discloses the features of claim 11, including: the due diligence review comprises an operational review {“operational review” seen in section labeled Due Diligence and Third-Party Selection on pages 3 and 4, where various considerations are reviewed, e.g. Strategies and Goals, Legal and Regulatory Compliance, Financial Condition, Business Experience and Reputation, etc.}, wherein the operational review comprises an analysis of the third-party vendor's strategies, goals, employment policies, employment practices, growth plans, business experience, reputation, market share, reference checks, qualifications, resilience, incident reporting, management programs, human resources management, talent retention, or a combination thereof {OCC explicitly mentions reviewing, i.e. “analyzing,” the third party’s strategies and goals; see Strategies and Goals on page 3}.
Claim 14
Regarding claim 14, OCC discloses the features of claim 11, including: comprising a subcontractor review phase {“subcontractor review phase” is being interpreted by examiner as that evaluation period associated with reviewing subcontractors; see examiner-underlined portion on page 4, under Reliance on Subcontractors}, wherein the subcontractor review phase comprise an evaluation of the volume and types of the third-party vendor's subcontracted activities, and an evaluation of the third-party vendor's ability to assess, monitor, and mitigate risks associated with the third-party vendor's use of subcontractors {see examiner-underlined portion on page 4, under Reliance on Subcontractors, which recites this nearly verbatim}.

Claim 15
Regarding claim 15, OCC discloses the features of claim 11, including: the subcontractor review phase further comprises an evaluation of potential legal and financial implications of the third-party vendor's legally binding arrangements with subcontractors {see examiner-underlined portion on page 4, under Conflicting Contractual Arrangements With Other Parties, which recites this nearly verbatim}.

Claim 18
Regarding claim 18, OCC discloses the features of claim 11, including: the client comprises an entity within an industry, filed, or business that is subject to stringent regulation {see examiner-underlined portion on page 5, under Responsibility for Compliance With Applicable Laws and Regulations, which states: Ensure the contract addresses compliance with the specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved, including provisions that outline compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) (including privacy and safeguarding of customer information); BSA/AML; OFAC; and Fair Lending and other consumer protection laws and regulations; thus, OCC demonstrates an “entity within an industry subject to stringent regulation” }.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 1-5 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over OCC in view of Kananghinis et al. (US 20040059611), further in view of Guerin et al. (US 20160132896). 

Claim 1
Regarding claim 1, OCC discloses: a method of managing third-party vendor relationships from a single source {OCC discloses method for managing risk associated with third parties, as seen under examiner-underlined portion of page 1 under Notes for Community Banks, where it’s clear that the third parties comprise “vendors,” as seen by third-party functions described on page 1, under Background; note that “from a single source” doesn’t provide context for the “source”; accordingly, given broadest reasonable interpretation in the context of OCC, this “single source” is interpreted as a banking entity, comprising the bank’s business units and/or employees and management and/or board of directors, for example} comprising the steps of:
a vendor management entity and a client {examiner’s interpretation, given broadest reasonable interpretation, is that bank’s business units and/or employees are a “client” of a “vendor management entity” embodied by the bank’s management and/or board of directors, since the management and/or board of directors is making decisions regarding vendors and therefore functioning as a “vendor management entity”; see examiner-underlined portion on page 1, under Note for Community Banks};
conducting a risk assessment phase {examiner interprets “risk assessment phase” as being described under Planning Phase in examiner-underlined portion on bottom of page 2 and top of page 3, first bullet point, both of which explicitly mention developing a plan that considers level of risk, i.e. a “risk assessment,” thereby defining a “risk assessment phase”}, the vendor management entity further analyzes the client's risks associated with current or proposed vendor relationships {Planning Phase considers how the third-party relationship could affect other strategic bank initiatives, such as large technology projects, organizational changes, etc., i.e. an “analysis” of “risks associated with current or proposed vendor relationships” that impact the “client,” i.e. the business units and/or employees; see examiner-underlined portion at top of page 3, fifth bullet point};
conducting a due diligence phase, wherein the vendor management entity performs a due diligence review of a third-party vendor {“due diligence phase” described in examiner-underlined portion in middle of page 3, under Due Diligence and Third-Party Selection, where the bank’s management and/or board of directors, i.e. “vendor management entity,” reviews third parties that the bank is to enter into a contractual relationship with for the exchange of good and services, i.e. “vendors”; “vendor” activities described in examiner-underlined portion of page 1, under Background}; and
conducting a monitoring and reporting phase, wherein the vendor management entity provides monitoring and reporting of the third-party vendor's compliance with applicable regulatory requirements {“monitoring and reporting phase” described in examiner-underlined portion on bottom of page 6, under Ongoing Monitoring, where the bank’s management and/or board of directors, i.e. “vendor management entity,” engages in “monitoring and reporting” of third party’s “compliance” with “regulatory requirements”; see examiner-underlined portion on top of page 7, second bullet point}.
OCC does not explicitly disclose: conducting a pre-engagement meeting with a client; the vendor management entity determines and reviews the client's applicable regulatory categories.
However, Kananghinis teaches a similar system for modeling frameworks and architecture in support of a business that includes: conducting a pre-engagement meeting with a client {Conduct Project Initiation 410 task provides an introduction of the engagement to the client, i.e. a “pre-engagement meeting”; para. [0042]}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by OCC, to include the features of conducting a pre-engagement meeting, as taught by Kananghinis, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
The combination of OCC and Kananghinis doesn’t explicitly disclose: the vendor management entity determines and reviews the client's applicable regulatory categories.
However, Guerin teaches a similar tool for regulatory compliance that includes: the vendor management entity determines and reviews the client's applicable regulatory categories {regulatory compliance device 502, i.e. a “vendor management entity,” determines what industry category/categories apply to the enterprise, i.e. “client”; para. [0058]}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by the combination of OCC and Kananghinis, to include the features of determining a client’s regulatory categories, as taught by Guerin, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claim 2
Regarding claim 2, the combination of OCC, Kananghinis, and Guerin discloses the features of claim 1, but does not explicitly disclose: wherein the pre-engagement meeting comprises any one or more of the following: determining the needs of the client, developing a plan to transition vendor management from the client's internal resources to the vendor management system, determining any third-party vendors currently engaged by the client, and reviewing a list of potential third-party vendors to be engaged by the client.
However, in an alternate embodiment, Kananghinis discloses a pre-engagement phase that includes determining the needs of the client {pre-engagement phase involves “determining” from the client “needs,” i.e. current and planned business and information technology initiatives; para. [0043]}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by the combination of OCC, Kananghinis, and Guerin, to include the features of determining the needs of the client, as demonstrated in Kananghinis second embodiment, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Claim 3
Regarding claim 3, the combination of OCC, Kananghinis, and Guerin disclose the features of claim 1. OCC further discloses: conducting a contracting phase, wherein the vendor management entity negotiates and drafts required contractual agreements between the client and the third-party vendor {“contracting phase” described in examiner-underlined portion on page 4 of OCC, under Contract Negotiation, where the bank’s management and/or board of directors, i.e. “vendor management entity,” negotiates and drafts a “contractual agreement” between bank’s business units, i.e. “client,” and a “third-party vendor”}.

Claim 4
Regarding claim 4, the combination of OCC, Kananghinis, and Guerin discloses the features of claim 1. OCC further discloses: the due diligence phase comprises a financial review, a security review, a review of operations, a compliance/legal review, or a combination thereof {“due diligence phase” includes “financial review,” as seen under Financial Condition, underlined by examiner, on page 3 and “compliance/legal review,” as seen under Legal and Regulatory Compliance, underlined by examiner, on page 3}.

Claim 5
Regarding claim 5, the combination of OCC, Kananghinis, and Guerin discloses the features of claim 1. OCC further discloses: reviewing the third-party vendor's policies, processes, internal controls, or a combination thereof {see examiner-underlined portion of page 3, under Risk Management, which recites this nearly verbatim}.
Claim 9
Regarding claim 9, the combination of OCC, Kananghinis, and Guerin discloses the features of claim 1. OCC further discloses: the monitoring and reporting phase is ongoing {see examiner-underlined portion on top of page 7, under Ongoing Monitoring, which describes this nearly verbatim}.

Claim 10
Regarding claim 10, the combination of OCC, Kananghinis, and Guerin discloses the features of claim 1. OCC further discloses: the monitoring and reporting phase {“monitoring and reporting phase” described in examiner-underlined portion on bottom of page 6, under Ongoing Monitoring, where the bank’s management and/or board of directors, i.e. “vendor management entity,” engages in “monitoring and reporting” of third party’s “compliance” with “regulatory requirements”; see examiner-underlined portion on top of page 7, second bullet point}.
Kananghinis further discloses: a one-time delivery of a report {Final Report represents “one-time” delivery of findings; para. [0054]}.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of OCC, Kananghinis, and Guerin, further in view of “Final Rule: Additional Form 8-K Disclosure Requirements and Acceleration of Filing Date,” issued by the U.S. Securities and Exchange Commission (hereinafter “SEC”; NPL attached). 

Claim 6
Regarding claim 6, the combination of OCC, Kananghinis, and Guerin discloses the features of claim 1. OCC further discloses: determining whether the third-party vendor relationship involves a critical activity {as seen in examiner-underlined portion on page 5, under Ongoing Monitoring, which explicitly states management should periodically assess to “determine” whether nature of activity is “critical”}. 
The combination of OCC, Kananghinis, and Guerin does not explicitly disclose: if the third-party vendor relationship involves a critical activity, the vendor management entity provides status reports at more frequent intervals as compared to third-party vendor relationships that involve a non-critical activity, performs more comprehensive monitoring and reporting as compared to third-party vendor relationships that involve a non-critical activity, or a combination thereof.
However, SEC teaches a similar system for increasing reporting frequency given a triggering event that includes: if the third-party relationship involves a critical activity, the vendor management entity provides status reports at more frequent intervals as compared to third-party relationships that involve a non-critical activity, performs more comprehensive monitoring and reporting as compared to third-party relationships that involve a non-critical activity, or a combination thereof {the real time issuer disclosure mandate in Section 409 of the Sarbanes-Oxley Act of 2002 require that companies file Form 8-K on a real-time basis, in addition to periodic reporting; an 8-K filing is triggered when, for example, a company enters into a material definitive agreement, i.e. a relationship with a “third party” that’s material to the company; in other words, entering into this “relationship” with a “third party” defines a “critical activity,” which prompts “status reports,” i.e. SEC filings, at “more frequent intervals” compared to standard periodic reporting in the company’s 10-Q, i.e. “non-critical activity”; further, the 8-K filing, in addition to a company’s periodic 10-Q filing, defines “more comprehensive reporting” as compared to standard business operations, i.e. “non-critical activity”; see examiner-underlined portion on page 1, under Summary; see examiner-underlined portion on page 4 continuing to page 5, under Item 1.01 Entry into a Material Definitive Agreement}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by the combination of OCC, Kananghinis, and Guerin, to include the features of modifying reporting intervals and/or reporting comprehensiveness, as taught by SEC, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of OCC, Kananghinis, and Guerin, further in view of Mohanty et al. (US 20080147610).

Claim 7
Regarding claim 7, the combination of OCC, Kananghinis, and Guerin discloses the features of claim 1 but does not disclose: monitoring for any issue, deficiency, concern, or red flag, and notifying the client if any issue, deficiency, concern, or red flag is discovered, wherein notifying the client comprises issuing a deficiency report to the client, wherein the deficiency report comprises an identification of the particular cause for concern, an explanation of what triggered the red flag, or a combination thereof.
However, Mohanty teaches a similar system for detecting procedural issues across business applications that includes: monitoring for any issue, deficiency, concern, or red flag, and notifying the client if any issue, deficiency, concern, or red flag is discovered, wherein notifying the client comprises issuing a deficiency report to the client, wherein the deficiency report comprises an identification of the particular cause for concern, an explanation of what triggered the red flag, or a combination thereof {system “monitors” for “deficiencies” and proceeds to “notify” a designated recipient, i.e. “client,” wherein the “notifying” the designated recipient, i.e. “client,” via a notification of the procedural deficiency, i.e. a “report,” where the notification indicates a relevant procedural violation at step 1312, i.e. a “an identification of the particular cause for concern; para. [0210], [0211]}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by the combination of OCC, Kananghinis, and Guerin, to include the features of notifying clients of deficiencies, as taught by Mohanty, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of OCC, Kananghinis, Guerin, and Mohanty, further in view of SEC.
 
Claim 8
Regarding claim 8, the combination of OCC, Kananghinis, Guerin, and Mohanty discloses the features of claim 7, but doesn’t explicitly disclose: if a deficiency report is issued to the client regarding a particular third-party vendor, the vendor management entity increases the frequency of status reports for the particular third-party vendor, performs more comprehensive monitoring and reporting for the particular third-party vendor, or a combination thereof.
However, SEC teaches a similar system for increasing reporting frequency given a triggering event that includes: if a deficiency is found, the vendor management entity increases the frequency of status reports, performs more comprehensive monitoring and reporting, or a combination thereof {the real time issuer disclosure mandate in Section 409 of the Sarbanes-Oxley Act of 2002 require that companies file Form 8-K on a real-time basis, in addition to periodic reporting; an 8-K filing is triggered when, for example, a company concludes that a material charge for impairment is required, i.e. a “deficiency”; in other words, material impairment prompts “status reports,” i.e. SEC filings, at “more frequent intervals” compared to standard periodic reporting in the company’s 10-Q; further, the 8-K filing, in addition to a company’s periodic 10-Q filing, defines “more comprehensive reporting” as compared to standard business operations; see examiner-underlined portion on page 1, under Summary; see examiner-underlined portion on page 10 continuing to page 11, under Item 2.06 Material Impairments}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by the combination of OCC, Kananghinis, Guerin, and Moharty, to include the features of modifying reporting intervals and/or reporting comprehensiveness, as taught by SEC, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over OCC in view of Kananghinis.

Claim 12
Regarding claim 12, OCC discloses the features of claim 11, including: the system comprises a life cycle of services that move serially through the risk assessment phase, the due diligence phase, the contracting phase, and the monitoring and reporting phase {risk management lifecycle, which explicitly depicts respective phases moving “serially,” depicted in Fig. on page 2; note that, as explained by examiner above, examiner interprets “risk assessment phase” as being described under Planning Phase in examiner-underlined portion on bottom of page 2 and top of page 3, first bullet point, both of which explicitly mention developing a plan that considers level of risk, i.e. a “risk assessment,” thereby defining a “risk assessment phase”}.
OCC doesn’t explicitly disclose: the pre-engagement phase. 
However, Kananghinis teaches a similar system for modeling frameworks and architecture in support of a business that includes: a pre-engagement meeting with a client, thereby defining a pre-engagement phase {Conduct Project Initiation 410 task provides an introduction of the engagement to the client, i.e. a “pre-engagement meeting”; para. [0042]}. 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by OCC, to include the features of conducting a pre-engagement meeting, as taught by Kananghinis, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. Examiner further notes that since this is explicitly a “pre-engagement,” it would necessarily occur at the beginning of any sequence. 

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over OCC in view of Fry et al. (US 20070143355).

Claim 16
Regarding claim 16, OCC discloses the features of claim 11, but doesn’t explicitly disclose: the vendor management service is provided to the client remotely.
However, Fry teaches a similar system for regulatory compliance advisory that includes: the service is provided to the client remotely {user interface 202 may be a web browser on a remote client, i.e. “service provided to the client remotely”; para. [0038]}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by OCC, to include the features of providing the services to a client remotely, as taught by Fry, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. 

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over OCC in view of “The Hilltop Companies Regulatory Compliance Audits & Pre-exam Readiness Services,” by Hilltop Companies (hereinafter “Hilltop”; NPL attached).

Claim 17
Regarding claim 17, OCC discloses the features of claim 11, but doesn’t explicitly disclose: vendor management service comprises regulatory exam assistance.
However, Hilltop teaches a similar system for regulatory exam assistance that includes: vendor management service comprises regulatory exam assistance {Hilltop provides a “service” to customers including “regulatory exam assistance”; see examiner-underlined portion on page 1}.
It would have been obvious to one of ordinary skill in the art before the effective filling date of the invention to modify the method of managing third-party vendors, as taught by OCC, to include the features of conducting regulatory exam assistance, as taught by Hilltop, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
“Vendor Risk Management,” which describes bank’s managing third-party risk;
 US 20030023477, which describes supervision of business activities and generating reports. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN SAMUEL WASAFF whose telephone number is (571)270-5091.  The examiner can normally be reached on Monday through Friday 8:00 am to 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sarah Monfeldt can be reached on (571)270-1833.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/J.S.W./Patent Examiner, Art Unit 3689                                                                                                                                                                                                        3/21/21

/CARRIE S GILKEY/Primary Examiner, Art Unit 3689