Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Application
This office action is in response to the most recent filings filed by applicants on 09/29/21. 
Claims 1-6 are elected without traverse, see Remarks dated 09/29/21
Claims 7-12 are withdrawn from consideration
No claims are amended
No claims are cancelled
No claims are added
Claims 1-6 are pending and rejected below

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-6 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., an abstract idea) without significantly more.  
Step One - First, pursuant to step 1 in the January 2019 Guidance on 84 Fed. Reg. 53, the claims 1-6 is/are directed to a method which is a statutory category.
Step 2A under which a claim is not “directed to” a judicial exception unless the claim satisfies a two-prong inquiry. Further, particular groupings of abstract ideas are consistent with judicial precedent and are based on an extraction and synthesis of the key concepts identified by the courts as being abstract.
With respect to the Step 2A, Prong One, the claims as drafted, and given their broadest reasonable interpretation, fall within the Abstract idea grouping of “certain methods of organizing human activity” (business relations; relationships or interactions between people). For instance, independent Claim 1 is directed to an abstract idea, as evidenced by claim limitations “receiving, from a user, a request to establish an electronic relationship with a first third party to evaluate risk presented by the first third party; receiving, possible matches between the first third party and a plurality of other third parties; receiving, from the user, confirmation as to whether the first third party matches one of the other third parties; receiving, a set of shared third party data provided by the first third party; wherein the set of shared third party data provided by the first third party is selected to be delivered to the user only if the user confirms that the first third party matches one of the other third parties.” 
These claim limitations belong to the grouping of “certain methods of organizing human activity” because the claims are related to managing risk for a third party that is providing access to shared data. Managing third party risk for one or more human entities involves organizing human activity based on the description of “certain methods of organizing human activity” provided by the courts. The court have used the phrase “Certain methods of organizing human activity” as —fundamental economic principles or practices (including hedging, insurance, mitigating risk); commercial or legal interactions 
Independent Claims 4 is/are recite substantially similar limitations to independent claim 1 and is/are rejected under 2A for similar reasons to claim 1 above.
With respect to the Step 2A, Prong Two - This judicial exception is not integrated into a practical application. In particular, the claim only recites “A computer-implemented method of managing third party risk, the method comprising: providing data corresponding to the request to a server system; from the server system, from the server system, by the server system, from a computing device, to the computing device”, such that it amounts to no more than: adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, as discussed in MPEP 2106.05(f). 
 As a result, claim 1 does not provide any specifics regarding the integration into a practical application when recited in a claim with a judicial exception. 
Similarly, dependent claims 2-3 and 5-6 are also directed to an abstract idea under 2A, first and second prong. In the present application, all of the dependent claims have been evaluated and it was found that they all inherit the deficiencies set forth with respect to the independent claims. For instance, dependent claim 2 recites “further including receiving, from the user, a search query for the first third party from a list of industry members prior to receiving the request to establish an electronic relationship with the first third party.”. As a result, Examiner asserts that dependent claims, such as dependent claims 2-3 and 5-6 are also directed to the abstract idea identified above. 
With respect to Step 2B, the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. First, the invention lacks improvements to another technology or technical field [see Alice at 2351; 2019 IEG at 55], and lacks meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment [Alice at 2360, 2019 IEG at 55], and fails to effect a transformation or reduction of a particular article to a different state or thing [2019 IEG, 55]. For the reasons articulated above, the claims recite an abstract idea that is limited to a particular field of endeavor (MPEP § 2106.05(h)) and recites insignificant extra-solution activity (MPEP § 2106.05(g)). By the factors and rationale provided above with respect to these MPEP sections, the additional elements of the claims that fail to integrate the abstract idea into a practical application also fail to amount to “significantly more” than the abstract idea.
As discussed above with respect to integration of the abstract idea into a practical application, the additional element(s) of “A computer-implemented method of managing third party risk, the method comprising: providing data corresponding to the request to a server system; from the server system, from the server system, by the server system, from a computing device, to the computing device” are insufficient to amount to significantly more. Applicants originally submitted specification describes the computer components above at least in page/ paragraph [0027] as follows: The risk management system 10 comprises a server 12 which is accessible via a network 14 such as the Internet. Industry members such as construction companies 16 and 18 and technology companies 20 and 22 can communicate with the server 12 over the network 14 via user devices which, in this example, include desktop computers 24 and 26, a laptop 28 and a mobile phone 30. In light of the specification, it should be noted that the components discussed above did not meaningfully limit the abstract idea because they merely linked the use of the abstract idea to a particular technological environment (i.e., "implementation via computers"). In light of the specification, it should be noted that the claim limitations discussed above are merely instructions to implement the abstract idea on a computer. See MPEP 2106.05(f). (See MPEP 2106.05(f) - Mere Instructions to Apply an Exception - “Thus, for example, claims that amount to nothing more than an instruction to apply the abstract idea using a generic computer do not render an abstract idea eligible.” Alice Corp., 134 S. Ct. at 235). Mere instructions to apply an exception using computer component cannot provide an inventive concept.). 
The claim fails to recite any improvements to another technology or technical field, improvements to the functioning of the computer itself, use of a particular machine, effecting a transformation or reduction of a particular article to a different state or thing, adding unconventional steps that confine the claim to a particular useful application, and/or meaningful limitations beyond generally linking the use of an abstract idea to a particular environment. See 84 Fed. Reg. 55. Viewed individually or as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself.
Independent Claims 4 is/are recite substantially similar limitations to independent claim 1 and is/are rejected under 2B for similar reasons to claim 1 above.
Further, it should be noted that additional elements of the claimed invention such as claim limitations when considered individually or as an ordered combination along with the other limitations discussed above in method claim 1 also do not meaningfully limit the abstract idea because they merely linked the use of the abstract idea to a particular technological environment (i.e., "implementation via computers"). In light of the specification, it should be noted that the claim limitations discussed above are merely instructions to implement the abstract idea on a computer. See MPEP 2106. 
Similarly, dependent claims 2-3 and 5-6 also do not include limitations amounting to significantly more than the abstract idea under the second prong or 2B of the Alice framework. In the present application, all of the dependent claims have been evaluated and it was found that they all inherit the deficiencies set forth with respect to the independent claims. Further, it should be noted that the dependent claims do not include limitations that overcome the stated assertions. Here, the dependent claims recite features/limitations that include computer components identified above in part 2B of analysis of independent claims 1 and 4. As a result, Examiner asserts that dependent claims, such as dependent claims 2-3 and 5-6 are also directed to the abstract idea identified above. 
For more information on 101 rejections, see MPEP 2106, January 2019 Guidance at https://www.govinfo.gov/content/pkg/FR-2019-01 -07/pdf/2018-28282.pdf
	
	
	
	
	
		
	Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bowers; Dana (US 2018/0129989), and further in view of Ghent; Gina S. (US 2016/0134654).

As per claims 1 and 4: Bowers shows:
	A computer-implemented method of managing third party risk (Bowers: [0007]-[0008]: methods and systems), the method comprising: 
	receiving, from a user, a request to establish an electronic relationship with a first third party to evaluate risk presented by the first third party (Bowers: [0038]: receiving, by the processor, a subsequent input into the request widget from the first client comprising instructions to activate an automatic email generator, wherein the automatic email generator, upon activation, prepares and sends automatically, via a network, an electronic communication to one or more third parties (e.g. a service providers) requesting, from the one or more third parties, additional and/or detailed due diligence information; and activating the automatic email generator.); 
	providing data corresponding to the request to a server system (Bowers: [0181] The system 100 may include a risk-assessment module 214 to guide an end-user in assigning a risk rating for a given vendor and/or product. The risk-rating may be utilized as part of the reporting of the compliance and/or contract audit examination. In some implementations, the risk rating may be used to determine the types of information and the types of documents to include in the examination report.); 
	receiving, from the server system, possible matches between the first third party and a plurality of other third parties (Bowers: [0055] FIG. 8 is an example workspace for collecting documents by matching collected end-user's document to a list of suggested documents in accordance with an embodiment of the invention. [0186]: The main dashboard 202 may display a vendor list 302, which may be organized and filtered by a vendor's risk level 304 (e.g., low, medium, high, or undefined/unknown). The main dashboard 202 may display a contract list 306, which may also be organized and filtered by risk levels 308. The main dashboard 202 may display a number of contracts on file (324), such as those stored in the document storage 206.); 
	receiving, from the user, confirmation as to whether the first third party matches one of the other third parties (Bowers: [0197]: In some implementations, the vendor dashboard 204 may be accessed by the end-user when the user selects a vendor from the list of vendors 302 in the main dashboard 202); and 
	Regarding the claim limitation below:
	“receiving, from the server system, a set of shared third-party data provided by the first third party” 
	Bowers in [0382] shows: the share report confirmation interface may show the information about the report shared including the report name, report date, the content of the message, the recipients who received the shared report and their email addresses. This reads on “receiving, from the server system, a set of shared third-party data”; however, in Bowers does not explicitly show tracing information back to the particular third party as such Bowers does not explicitly show “provided by the first third party”. 
	However, Ghent shows “provided by the first third party” at least in [0042]: The TPRM data hub 120 may create and manage a centralized third-party database, which can be a “golden” source for licenses, approved, and shared information (among two or more banks or contracting entities 104) related to the third parties 110 (and/or fourth parties 112) including questionnaires and responses and validated information. As shown, the data hub 120 may collect, store, update, maintain, and provide access to vendor information (e.g., company name, financial profile, and stability) and external audit reports. The data hub 120 may also provide significant event notification and tracking (or a “SENT” service).
Reference Bowers and Reference Ghent are analogous prior art to the claimed invention because the references generally relate to field of third-party data management. Both references are filed before the effective filing date of the instant application; hence, said references are analogous prior-art references.  
It would have been obvious to one of ordinary skill in the art before the filing of this application for AIA  to provide the teachings of Reference Ghent, particularly tracking reports back to the third party at least in [0042], in the disclosure of Reference Bowers, particularly in the [0382] shows: the share report confirmation interface may show the information about the report shared in order to provide for a system that allows tracking of shared information as taught by Reference Ghent (see at least in [0042]) so that the process of third-party data management can be made more efficient and effective. 
Further, the claimed invention is merely a combination of old elements in a similar third-party data management field of endeavor, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that, given the existing technical ability to combine the elements as evidenced by Reference Bowers in view of Reference Ghent, the results of the combination were predictable (MPEP 2143 A); 
	wherein the set of shared third-party data provided by the first third party is selected by the server system to be delivered to the user only if the user confirms that the first third party matches one of the other third parties (Bowers: [0197]: In some implementations, the vendor dashboard 204 may be accessed by the end-user when the user selects a vendor from the list of vendors 302 in the main dashboard 202).

As per claim 2: Bowers shows:
	further including receiving, from the user, a search query for the first third party from a list of industry members prior to receiving the request to establish an electronic relationship with the first third party (Bowers: [0055] FIG. 8 is an example workspace for collecting documents by matching collected end-user's document to a list of suggested documents in accordance with an embodiment of the invention. [0186]: The main dashboard 202 may display a vendor list 302, which may be organized and filtered by a vendor's risk level 304 (e.g., low, medium, high, or undefined/unknown). The main dashboard 202 may display a contract list 306, which may also be organized and filtered by risk levels 308. The main dashboard 202 may display a number of contracts on file (324), such as those stored in the document storage 206.).

As per claim 3: Bowers shows:
	“wherein the set of shared third party data includes completed questionnaires and due diligence reports” 
	Bowers shows [0013]: displaying one or more questionnaire template selection tabs (e.g., a Blank Questionnaire, a Level 1 Questionnaire, a Level 2 Questionnaire, or a Level 3 Questionnaire), and a subsequent input comprises a questionnaire selection, wherein the selected questionnaire is created from a questionnaire template. [0256]-[0258]. 
	Bowers shows [0036]: due diligence information, [0306]: due diligence tasks. 
	
As per claim 5: Bowers shows:
	wherein a new third party is created if no possible matches are identified (Bowers: [0300]: Depending on their status, the text of the notification sent to them will direct them to either log in using existing credentials or to follow a link to create new credentials that they will use going forward).

As per claim 6: Bowers shows:
	further including sending requests to the third parties to consent to sharing their information and making the third parties searchable after receiving consent (Bowers: [0267]: confirmation received, [0314]: approval confirmation, disapproval confirmation, [0369], [0394]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
NPL Reference:
Putrus, Robert. A Risk Based Management Approach to Third Party Data Security, Risk and Compliance. ISACA Journal. Issue: 2017. Volume: 6. Date: 09/12/2017. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/a-riskbased-management-approach-to-thirdparty-data-security-risk-and-compliance
This reference discloses Process guidelines and a framework for boards of directors and senior management must be considered when providing oversight, examination and risk management of third-party business relationships in the areas of information technology, systems and cyber security. It is hard to find any enterprise that does not rely on third parties to support its operations. Senior management and the board of directors are ultimately responsible for the risk that third-party vendors, contractors and systems impose on the enterprise.
Foreign Reference:
(CN 107704755 A) MA, Hua-ying. This reference discloses a method for managing application program, application program management device and an intelligent terminal, wherein the application managing method comprising: a risk score of an application program obtaining has been installed by the intelligent terminal; determining the risk application program set according to the risk score. the risk set of applications already installed in the application program of the intelligent terminal, the risk index is not less than the preset index set of application program, the risk in the set of applications, the names and risk index of each application to third party terminal associated with the intelligent terminal; if receiving the risk application management instruction sent by said third party terminal of, the risk application management instruction of indicating, in the risk set of applications determines the target application program, performing remote management of the target application program according to the risk application management instruction. remote management of children of the invention so that the parents can better avoid children watch the downloaded application program, the risk application program.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NANCY PRASAD whose telephone number is (571)270-3265. The examiner can normally be reached M-F: 8:00 AM - 4:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Patricia Munson can be reached on (571)270-5396. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/N.P/Examiner, Art Unit 3624                                                                                                                                                                                                        /PATRICIA H MUNSON/Supervisory Patent Examiner, Art Unit 3624