Prosecution Insights
Browse Companies Examiners Firms Draft Your Response
Office ActionsCapital One Services LLC › 18118230
Last updated: April 19, 2026
Application No. 18/118,230

AUTOMATED RISK CONTROL

Final Rejection §101§103§112
Filed
Mar 07, 2023
Examiner
LABOGIN, DORETHEA L
Art Unit
3624
Tech Center
3600 — Transportation & Electronic Commerce
Assignee
Capital One Services LLC
OA Round
4 (Final)
14%
Grant Probability
At Risk
5-6
OA Rounds
3y 11m
To Grant
30%
With Interview

This examiner grants 14% of cases after interview

+16.2% interview lift. A telephonic interview to clarify the technical implementation could significantly improve the outcome.
Based on 172 resolved cases, 2023–2026

Examiner Intelligence

LABOGIN, DORETHEA L View full profile →
Grants only 14% of cases
14%
Career Allow Rate
24 granted / 172 resolved
-38.0% vs TC avg
Strong +16% interview lift
Without
With
+16.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 11m
Avg Prosecution
36 currently pending
Career history
208
Total Applications
across all art units

Statute-Specific Performance

§101
41.2%
+1.2% vs TC avg
§103
39.3%
-0.7% vs TC avg
§102
13.0%
-27.0% vs TC avg
§112
5.7%
-34.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 172 resolved cases

Office Action

§101 §103 §112
DETAILED ACTION Status of the Application This Final Office Action is in response to Application Serial 18/118,230. In response to the Examiner’s action mail dated June 17, 2025, Applicant submitted arguments and amendments to the claims mailed dated September 17, 2025. Applicant amended claim 1,2, 10, 11, 13, 14, 16, 17 and 20. Claim 12 and 19 is/are cancelled. The claims 1-11, 13-18, 20 are examined below. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Information Disclosure Statement Applicant did not submit an information disclosure statement for consideration by the examiner. Response to Amendments Claims 1-11, 13-18, 20 is/are pending in this application. The claim(s) 1,2, 10, 11, 13, 14, 16, 17 and 20 is/are amended. Claims 1-11, 13-18, 20 are objected under 112(f). Regarding the 35 U.S.C. 101 rejection. The claims 1-11, 13-18, 20 is/are rejected under 35 U.S.C. 101, see below. Applicant is encouraged to request an interview to discuss patent eligibility. Regarding the pending 35 U.S.C. 103 rejection. The Applicant’s amendments to are not persuasive. The claims 1-11, 13-18, 20 is/are rejected under 35 U.S.C. 103, see below. Examiner notes two claims sets dated June 17, 2025 exists. The claims set appear to be the same. Response to Arguments Applicant’s arguments filed on September 17, 2025 have been fully considered but they are not persuasive and/or are moot in view of the revised rejections. Applicant’s arguments will be addressed herein below. 112 (f) Claim Interpretation On page 8 of the Applicant’s arguments, Applicant respectfully submits that §112(f) does not apply to the present claims. None of the claims recite the word "means," creating a presumption against §112(f). Further, the terms used, such as "control process engine,""trained machine learning control mapping model,""natural language processor," and "graphical user interface dashboard". are recognized structural terms in the art, not nonce placeholders. The specification provides detailed structural disclosure for each: e.g., the control process engine is implemented as a BPMN process engine (Spec. [0042]-[0046]); the machine learning control mapping model is trained with overlapping text windows to map compliance text into codified workflows (Spec. [0089]); the natural language processor includes specific modules (interface 504, semantic analyzer 506, interpreter 510, actuator 512) (Spec. [059]-[068]); and the dashboard is implemented with concrete analytics and alerts (Spec. [00104]-[00107]). Accordingly, the claims recite sufficient structure to perform the recited functions, are not drafted in means-plus-function format, and should be construed under their plain and ordinary meaning. Applicant respectfully requests withdrawal of any §112(f) interpretation. Examiner acknowledges disagrees with Applicant’s 112(f) arguments. Examiner submits the claims were not rejected under 112 (b). A claim limitation expressed in means- (or step-) plus-function language "shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof." 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. If a claim limitation invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it must be interpreted to cover the corresponding structure, materials, or acts in the specification and "equivalents thereof." If the specification fails to disclose sufficient corresponding structure, materials, or acts that perform the entire claimed function, then the claim limitation is indefinite because the applicant has in effect failed to particularly point out and distinctly claim the invention as required by 35 U.S.C. 112(b) . See MPEP 2163. The claims were not rejected under 35 U.S.C. 112(b). Furthermore, Examiner did not reject claims under 112(a). A means- (or step-) plus- function claim limitation is adequately described under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, if: (1) The written description adequately links or associates adequately described particular structure, material, or acts to perform the function recited in a means- (or step-) plus- function claim limitation; or (2) it is clear based on the facts of the application that one skilled in the art would have known what structure, material, or acts disclosed in the specification perform the function recited in a means- (or step-) plus- function limitation. Examiner points to Applicant’s specification [024]. Claim Rejection Under 35 U.S.C. 101 On pages 9-13 of the Applicant’s 35 U.S.C 101 arguments, Applicant traverses the rejection. Step 2A, Prong One. Claim 1, 13, and 20 recite a solution for transforming unstructured compliance text into executable workflows and secured audit records. Claim recites analyzing unstructured text with a natural language processor (NLP)... See amended claim 1. Applicant submits compliance monitoring as broad field is not specifically recited in claim 1. Claim 1 recites a particular computing architecture for transforming unstructured text into executable workflows and for cryptographically securing audit records streamed directly from a BPMN process engine. These operations cannot reasonably be performed mentally or by pen and paper as alleged. Further, the claims cannot reasonably be performed mentally. The claimed natural language processor performs automated parsing with semantic modules (Spec. [061]-[068]) and the trained ML control mapping model infers relationships between compliance control components to codify executable BPMN workflows (Spec. [0029]-[0031],[0039]-[0041]). This is far beyond "scanning words with the eyes" or "mapping a process on paper" as suggested by the Examiner. The process requires specialized ML classifiers, multiple triggers, and codification into executable control code in varying scenarios, which is a computer-implemented architecture. Thus, the claims do not recite an abstract idea under Step 2A, Prong One. Examiner respectfully disagrees with Applicant’s Step 2A prong one arguments. The claims are determining within the text one or more measures to provide assurance of compliance with organizational process requirements, see Applicant’s Abstract. Determining compliance is a mental process – evaluation and observation. The arrangement of business rules into a systematic code is a business process. Business rules are certain methods of organizing human activity - commercial activities. The claims are directed to a judicial exception. Step 2A, Prong Two. Even if the claims were to be viewed as reciting a judicial exception, the amended claims integrate any such exception into a practical application by reciting additional elements that amount to a specific improvement in the functioning of computer-based compliance systems. As the specification describes, the invention improves computer functionality by (i) enabling machine learning-driven codification of unstructured regulatory text into executable workflows, (ii) executing workflows in multiple configurations triggered by distinct events via a BPMN process engine, (iii) streaming audit records directly from the execution engine to a tamperproof cryptographic archive to ensure immutability and security, and (iv) rendering a real-time analytics dashboard with alerts and fraud detection entry points. These improvements are not abstract; they are tied to concrete enhancements in how enterprise computing environments handle compliance monitoring and audit security. Applicant list decision holding where the claims were not directed to an abstract idea and the claim were eligible under step 2A. Accordingly, the claim integrates any alleged exception into a practical application and is eligible under Step 2A, Prong Two. The recited streaming of audit records in real-time from the BPMN process engine into a tamperproof cryptographic archive imposes a concrete technological constraint that improves data integrity and compliance monitoring. The UI dashboard renders analytics from immutable streamed records, enabling fraud detection and assurance monitoring that cannot be achieved through human activity or generic computing. Examiner respectfully disagrees with Applicant’s Step 2A prong 2 arguments. As argued the claims that improves data integrity and compliance monitoring. Regarding Applicant’s arguments of not abstract. Applicant listed cases used to determine if the claims were not directed to an abstract idea. This list was prior to the Step 2A prong 2 analysis. Here a Step 2A prong 2 analysis is conducted to determine if the claims are integrated into a practical application. Examiner considered the additional elements that are recited in the claims. Applicant is pointed to specification [017]. Applicant is encouraged to clarify the relationship of the Natural Language Processor (NLP) unstructured text and the unstructured text machine learning classifier. Applicant is pointed to specification [026]. Applicant is encouraged to request an interview to discuss the elements listed in [0026]. As recited the claims are using a computer to present a textual description of the workflow referred to as BPMN process workflow. Thus, the claims are applying a computer to present the workflow. Specifically, Applicant claims recite, mapping the control components to [[a]] the BPMN process model workflow by inferring relationships [[of]] among the control components, … capturing, in real-time, an audit record of the execution and a status of the first execution scenario and the second execution scenario; [[and]] streaming in real-time and directly from the BPMN process engine, the audit record into a tamperproof cryptographic archive secured against modification. An interview about the integration of the wherein clauses, is recommended. As recited, the claims do not integrate the abstract idea into a practical application at Step 2A prong 2. The claims are “apply it”. See MPEP 2106.05(f). Step 2B. Applicant argues the amended claims are patent-eligible under Step 2B in that they recite additional elements that are not "well-understood, routine, conventional" in the field. For example, neither the prior art nor the record demonstrates that: 1. A trained machine learning control mapping model configured to automatically map unstructured compliance text into executable BPMN workflows, 2. A BPMN process engine executing multi-scenario workflows in response to distinct triggers, 3. Real-time streaming of audit records directly from the BPMN process engine into a tamperproof cryptographic archive, or 4. A dashboard integrating streamed audit data with analytics, alerts, and fraud detection entry points were well-understood, routine, or conventional at the time of filing. See Berkheimer v. HP, Inc., 881 F.3d 1360 (Fed. Cir. 2018) (patent eligibility may turn on whether the additional elements are well- understood, routine, or conventional, a factual question requiring evidentiary support). These additional elements provide a meaningful inventive concept sufficient to transform any alleged abstract idea into a patent-eligible application. Examiner respectfully disagrees with Applicant’s step 2B arguments. Examiner acknowledges Applicant includes additional elements in the claims. See Step 2A prong 2 analysis above. Besides the mere recitation of the additional elements, the claims are merely conducting the abstract idea using the elements such as tamperproof execution of archives (e.g., repository) as disclosed in specification [039]. The claims when considered as whole are apply it. See MPEP 2106.05 (f). Applicant arguments of Berkheimer v. HP, Inc., 881 F.3d 1360 (Fed. Cir. 2018) are moot, because Examiner did not raise Berkheimer as an argument. Applicant is pointed to Subject Matter Eligibility Guidance Example 47 for consideration. The claims are not patent eligible under 35 U.S.C. 101. Claim Rejection Under 35 U.S.C. 103 On pages 13-14 of the Applicant’s 35 U.S.C 103 arguments, the Applicant submits: … neither reference teaches the use of a natural language processor (NLP) to automatically analyze unstructured compliance text and extract control components in context. Picos addresses metadata tagging for data lifecycle governance, and Hashmi formalizes obligations into machine-readable rules, but both assume a manual mapping process. The claimed invention instead requires automated NLP-based extraction, which is neither disclosed nor suggested by the cited art. Examiner submits the claims do not necessitate “meta data tagging for data lifecycle governance”. If this feature is necessary, the Applicant is encouraged to claim this feature. None of the cited art discloses or suggest using a trained machine learning control mapping model to automatically infer relationships among control components and generate executable BPMN codified control code. Picos and Hashmi rely on annotated models or formalized literals, but these are manual or static processes, not learned mappings. Barrameda does not address workflow mapping at all. Applicant's claims require codifying rules into executable control code with multiple configurations and scenarios, which is not taught by the references. The cited art generally refers to workflow engines executing declared models. However, neither Picos nor Hashmi discloses execution of codified control code in response to distinct triggers instantiating different configurations of the workflow. Applicant's claims recite execution of a first execution scenario and a second execution scenario based on separate triggers and configurations. This level of multi-scenario trigger-based execution is absent from the art and is not inherent in generic workflow execution. Examiner submits the claims recite the codified control code in response to receipt of a first trigger to automatically instantiate a first execution scenario based on a first configuration of the BPMN process model workflow; executing, by the control BPMN process engine, the codified control code in response to receipt of a second trigger to automatically instantiate a second execution scenario based on a second configuration of the process model workflow. Applicant is encouraged to claim clarify “trigger” as supported in the claimed embodiment in the specification. Examiner respectfully disagrees with the Applicant’s 35 U.S.C. 103 arguments. The Applicant’s amendments to the claims necessitate grounds for a new rejection, see below. Claim Interpretation The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “… based on the respective context of the control components., the control components …”, “by a control process engine”, “by a control process engine a Business Process Model and Notation (BPMN) process engine” in claim(s) 1-11, 13-18, 20. Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof. If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-11 are machine. Claims 13-18 are method. Claims 20 are manufacture. Claims 1—11, 13- 18, and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim 1 (and similarly claim 13 and 20) recite, analyzing, … , unstructured text to determine control components and a respective context of the control components, wherein the text defines one or more measures to provide assurance of compliance with organizational process requirements; mapping, … automatically map the unstructured text into an executable Business Process Model and Notation workflow and based on the respective context of the control components, mapping the control components to [[a]] the BPMN process model workflow by inferring relationships [[of]] among the control components, wherein the process model workflow is executable based on corresponding control code, and wherein the control code is codified by arranging rules of the BPMN process model workflow into a codified control code, and wherein the codified control code comprises one or more tasks, in a plurality of configurations, and executable in a plurality of different execution scenarios; executing, … , the codified control code in response to receipt of a first trigger to automatically instantiate a first execution scenario based on a first configuration of the BPMN process model workflow; executing, … , the codified control code in response to receipt of a second trigger to automatically instantiate a second execution scenario based on a second configuration of the process model workflow; capturing, in real-time, an audit record of the execution and a status of the first execution scenario and the second execution scenario; [[and]] streaming in real-time and directly from …, the audit record into … secured against modification the audit record… ; and rendering, in real-time and based on the streaming audit record… including numerical analytics, alerts, and fraud detection entry points to view a status of the first execution and the second execution to continuously monitor assurance of the compliance with organizational process requirements. The claims 1—11, 13- 18, and 20 are determining within the text one or more measures to provide assurance of compliance with organizational process requirements. Determining compliance is a mental process – evaluation and observation. The claims recite arrangement of business rules into a systematic code is a business process. Business rules are certain methods of organizing human activity - commercial activities. The claims are directed to a judicial exception at Step 2A prong one. This judicial exception are not integrated into a practical application under the second prong of Step 2A. In particular, the claims recite the additional elements beyond the recited abstract idea of, “A system, comprising: a memory; and at least one processor coupled to the memory and configured to perform operations comprising:”, “by a natural language processor (NLP)”, “by a trained machine learning control mapping model configured to”, “by a control process engine a Business Process Model and Notation (BPMN) process engine”, “by the control BPMN process engine”, “a tamperproof cryptographic archive”, “to an uneditable archive”, “, a graphical user interface (UI) dashboard”, at claim 1; “A computer implemented method, the method comprising:”, “by a natural language processor”, “by a machine learning control mapping model”, “by a control process engine a Business Process Model and Notation (BPMN) process engine”, “by the control BPMN process engine”, “a graphical user interface (UI) dashboard” in claim 13; “A non-transitory computer-readable device having instructions stored thereon that, when executed by at least one computing device, causes the at least one computing device to perform operations comprising :”, “by a natural language processor (NLP)”, “by a trained machine learning control mapping model configured to” , “by a control process engine a Business Process Model and Notation (BPMN) process engine”, “by the control BPMN process engine”, “from the BPMN process engine”, “a tamperproof cryptographic archive” , “an uneditable archive”; “ a graphical user interface (UI) dashboard” in claim 20; however, when viewed as an ordered combination, and pursuant to the broadest reasonable interpretation, each of the additional elements are computing elements recite adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05 (f) Claim 2: a second machine learning classifier; a third machine learning classifier; a fourth machine learning classifier; Claim 5: a fifth machine learning classifier; Claim 9: a sixth machine learning classifier; Claim 10: the tamperproof cryptographic archive Accordingly, the additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims also fails to recite any improvements to another technology or technical field, improvements to the functioning of the computer itself, use of a particular machine, effecting transformation or reduction of a particular article to a different state or thing.292766-00003 The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above, the additional elements when considered both individually and as an ordered combination do not amount to significantly more. (See MPEP 2106.05 f – mere instructions to Apply an Exception). At step 2B, it is MPEP 2106.05 (d) – Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information). Dependent claims 2-11 further narrow the abstract idea of independent claim 1. Dependent claims 14-18 further narrow the abstract idea of independent claim 13. Claims 1-11, 13-18, 20 are not patent eligible. Moreover, aside from the aforementioned additional elements, the remaining elements of dependent claims 2-11, & 14-18 do not transform the recited abstract idea into a patent eligible invention because these claims merely recite further limitations that provide no more than simply narrowing the recited abstract idea. Since there are no limitations in these claims that transform the exception into a patent eligible application such that these claims amount to significantly more than the exception itself, claims 1-11, 13-18, 20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 1-11, 13-18, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Picos (Us 12111949 B2) in view of Hashmi (2016, Normative requirements for regulatory compliance: An Abstract formal framework), Barrameda (US 2021/0359852 A1) and Hariyanti (2021, Information security vulnerability prediction based on business process model using machine learning approach). Regarding Claim 1 [and similarly claim 13 and claim 20] (Currently Amended) A system, comprising: a memory; and at least one processor coupled to the memory and configured to perform operations comprising: . analyzing, … , text to determine control components and a respective context of the control components located within the text, wherein the text defines one or more measures to provide assurance of compliance with organizational process requirements; Picos discloses data lifecycle discovery platform (DLDP) determines compliance of DLDP and DSS with obligations relating to data protection arising out of jurisdictional laws or agreements., DLDP can use machine learning to enhance the various functions of DLDP., Picos [abstract] ; Picos discloses a classification technique and machine learning. Picos [Figure 2], [abstract], [column 6 line 10-14].; The machine learning techniques . Picos discloses a list of laws and regulations (e.g., fair Credit reporting and Digital Milennium Copyright Act (DCMA)) … and the laws, regulations, or agreements can relate to specify, or indicate how data is to be handled or secured by an entity or the DLDP, Picos [column 10 lines 22-50] and Picos discloses the system 100 facilitate identifying data type of each data item, and/or features (e.g., data attributes, data identifiers, and/or other metadata, etc) …. And other meta data which are context of the control components, Picos [column 8 lines 35 -65], [Figure 2], [abstract], [column 6 line 10-14] Picos discloses e DLDP or an associated platform (e.g., governance platform) can determine compliance (e.g., a level of compliance) of the DLDP and the data stores with obligations (e.g., legal and/or contractual requirements, responsibilities, duties, constraints, or provisions) relating to data protection (e.g., data protection, privacy, and security) that can arise out of applicable laws or regulations of jurisdictions (e.g., associated with the entity, data store, or DLDP) or agreements (e.g., service-level agreements (SLAs)) between entities. Based at least in part on the results of analyzing the applicable laws, regulations, and/or agreements, the DLDP or the associated platform can employ a rules engine to determine and generate rules to facilitate complying with and enforcing laws, regulations, and/or agreements, and thus, Picos discloses measures to provide assurance of compliance with organizational process requirements, Picos [column 6 lines 15-55] Picos discloses the data management component of or associated with the DLDP can manage (e.g., control) the discovery (e.g., detection) of the presence of items of data of users stored in the set of data stores associated with an entity, in accordance with the defined data management criteria. A scanner component of or associated with the DLDP can scan the set of data stores and can detect the items of data stored in the set of data stores, based at least in part on the scanning. The scanner component, a machine learning component of or associated with the DLDP, or the data management component can generate the information relating to the items of data based at least in part on the results (e.g., scanning results) of the scanning of the set of data stores., Picos [column 72 lines 15-25] Examiner submits specification [097]-[098] disclose maps control components (meta data) located within the text, to a process model workflow, rules, and procedures and control code (compliance rules), as taught by, Picos [column 8 lines 35 -65], [Figure 2], [abstract], [column 6 line 10-14], [column 6 lines 15-55], [column 72 lines 15-25] mapping, by a machine learning control mapping model and based on the respective context of the control components, the control components to a process model workflow by inferring relationships of the control components, Picos discloses the system 100 facilitate identifying data type of each data item, and/or features (e.g., data attributes, data identifiers, and/or other metadata, etc) …. And other meta data., Picos [column 8 lines 35 -65]; Machine learning: Picos [Figure 2], [abstract], [column 6 line 10-14], [column 72 lines 15-25]. wherein the process model workflow is executable based on corresponding control code, and wherein the control code is codified control code of the process model workflow into a codified control code, and wherein the codified control code comprises one or more tasks, in a plurality of configurations, and executable … ; Picos discloses the data management component (e.g., the governance component of the data management component) can analyze laws, regulations, and/or agreements determined to be applicable to the set of data stores, the one or more entities, and/or the users. For instance, the data management component can determine or identify a first subset of laws, regulations, and/or agreements relating to data protection that can be applicable to the set of data stores. Based at least in part on the results of analyzing the first subset of laws, regulations, and/or agreements, the data management component can determine the set of obligations (e.g., legal and/or contractual requirements, responsibilities, duties, constraints, or provisions). The data management component can determine a set of rules that can correspond to the set of obligations and can be used to facilitate enforcing the set of obligations against the set of data stores, the DLDP, and/or the entity, and determining the extent or level of compliance of the set of data stores, the DLDP, and/or the entity with the set of obligations. The data management component can determine the compliance of the set of data stores, the DLDP, and/or the entity with the set of obligations based at least in part on the results of analyzing the information relating to the items of data, the portion of the items of data, and/or the set of rules, and thus, Picos discloses a workflow analyzing the information relates to data (compliance), Picos [column 72 lines 44-67]. executing, by a control process engine, the codified control code in response to receipt of a first trigger to automatically instantiate a first execution scenario based on a first configuration of the process model workflow, Picos discloses scenarios indicating the number of users who have accessed the data or performed operations over the defined period. Picos discloses the information relating to the data mapping 923, that contain information associated with the payments business and were accessed by the users, roles information, and number of PII instances, and thus, Picos discloses executing different scenarios., Picos [column 32 lines 22-55]. executing, by the control process engine, the codified control code in response to receipt of a second trigger to automatically instantiate a second execution scenario based on a second configuration of the process model workflow; …. … a user interface (UI) dashboard to view a status of … of the compliance with organizational process requirements. See above Picos [column 32 lines 22-55] – different scenarios. Picos Figure 5 discloses a user can desire to view or obtain certain data associated with the first entity and stored in the first set of data stores (e.g., 104, 106, and/or 108) associated with the first entity. The user, using communication device 138, can authenticate with the DLDP 102, as more fully described herein. In response to being authenticated by the DLDP 102, the rights management component 402 can determine what access rights the user and/or communication device 138 is permitted to have to access data tracked and/or managed by the DLDP 1., Picos [column 22 lines 20-30] Picos Figure 9 discloses er interface that can comprise information relating to access of data and access controls to control access to data associated with an entity ., For example … the information relating to the data mapping 926 also can comprise information relating to the databases 942 that contain information associated with the payments business unit and were accessed by users., Picos [column 32 lines 34-44], [Figure 9] Although highly suggested, Picos does not explicitly teach: … by a natural language processor (NLP), …., an audit record of the execution … and streaming the audit record to an uneditable archive; … and based on the streaming audit record, …. Hashmi teaches: …. analyzing, by a natural language processor (NLP), text to determine control components and a respective context of the control components … by a machine learning control mapping model and based on the respective context of the control components, the control components to a process model workflow by inferring relationships of the control components, wherein the process model workflow is executable based on corresponding control code, and wherein the control code is codified by arranging rules of the process model workflow into a codified control code, and wherein the codified control code comprises one or more tasks, in a plurality of configurations, and executable in a plurality of different execution scenarios; executing, by a control process engine, the codified control code in response to receipt of a first trigger to automatically instantiate a first execution scenario based on a first configuration of the process model workflow … executing, by the control process engine, the codified control code in response to receipt of a second trigger to automatically instantiate a second execution scenario based on a second configuration of the process model workflow; …. a status of the one or more tasks first execution scenario and the second execution scenario; … Hashmi discloses regulatory rules (in legal context called norms) intend to achieve specific behaviour from business processes, and might be relevant to the whole or part of a business process. They can impose conditions on different aspects of process models, e.g., control-flow, data and resources etc. Based on the rules sets, norms can be classified into various classes and sub-classes according to their effects. … Hashmi teaches an abstract framework consisting of a list of norms and a generic compliance checking approach., Hashmi [abstract] Hashmi p.437 Consider the natural language expression: “I apologise in advance for . . . ” and compliance Traces and compliance checking approach., Hashimi p.437, 439, 441 and Figure 3 illustrates a compliant handling process from LPMA, and thus, Hasmi discloses handing scenarios and configurations for a workflow (e.g., oral complaint or written complaint using BPMN process model). Picos teaches scanning databases to determine compliance of data lifecycle discovery platforms with obligations relating to data protections. Hashmi compares difference compliance management frameworks (CMFs). It would have been obvious to combine before the effective filing date a data lifecycle discovery platform (DLDP) or an associated platform (e.g., governance platform) [that ]can determine compliance (e.g., a level of compliance) of the DLDP and the data stores with obligations (e.g., legal and/or contractual requirement, as taught by Picos, with evaluating mechanisms and algorithms to check the compliance of business processes against relevant regulations, at taught by Hashmi, to place restrictions and provide guidelines for enterprises to streamline their processes, and impose severe financial and criminal penalties., Hashimi (p.429 column 2 paragraph 1). Barrameda teaches: … capturing, in real-time, an audit record of the execution and a status of the one or more tasks first execution scenario and the second execution scenario; and streaming the audit record to an uneditable archive; … and rendering, in real-time and based on the streaming audit record Barrameda [023 ] discloses …. The interface is configured to receive an audit query request and a client key. The processor is configured to determine whether the audit query request is valid; determine whether a chain of events is stored in an audit store, wherein the chain of events is associated with the audit query request; and provide data for the audit query request in response to determining that the chain of events is stored in the audit store. [0024] The disclosed system provides proof that the events of a particular object have not been altered or tampered with in anyway using cryptography. To ensure the data integrity of a large database, data can be stored as a sequential ledger of immutable events (e.g., as in blockchain technology). , Barrameda [023]-[024] and [026] discloses a persistent data structure is a data structure that always preserves the previous version of itself when it is modified. Such data structures are effectively immutable, as their operations do not update the object in-place, but instead always yield a new updated object. [027] discloses … every change in state of an object is stored as an event. Events are stored in sequence and can be “replayed” in order to derive the current state of an application. The capabilities that this persistence model affords are: [0028] Auditability: In some embodiments, events can be stored with other metadata about the change, such as who performed the action and when it was performed. This, effectively, becomes a robust audit log that cannot be circumvented without affecting the active state of the application Barrameda [023]-[024] and [0034] As legacy systems are becoming increasingly difficult to protect from bad actors, internal or external, the disclosed system improves upon the current art by providing both a high level of data granularity and a fully-auditable data model by proving that the events of a particular object have not been altered or tampered with in any way. For example, compliance and regulations (e.g., within the financial services industry) will be easier to comply with by showing a higher level of data integrity., Barrameda [023]-[024], [0034], [Figure 1], [Figure 12] Picos teaches scanning databases to determine compliance of data lifecycle discovery platforms with obligations relating to data protections and the encryption of data. Barrameda discloses a system for auditing event data. It would have been obvious to combine before the effective filing date a data lifecycle discovery platform (DLDP) or an associated platform (e.g., governance platform) [that] can determine compliance (e.g., a level of compliance) of the DLDP and the data stores with obligations (e.g., legal and/or contractual requirement, as taught by Picos, with a system that provides proof that the events of a particular object have not been altered or tampered, at taught by Barrameda, to provide auditability of the system., Barrameda [027]. Pico does not teach: … unstructured text to determine control components and a respective context of the control components, …configured to automatically map the unstructured text into an executable Business Process Model and Notation workflow … the BPMN … BPMN process model workflow … a Business Process Model and Notation (BPMN) process engine, … based on a first configuration of the BPMN process model workflow; executing, by the control BPMN process engine, … in real-time and directly from the BPMN process engine, the audit record into a tamperproof cryptographic archive secured against modification the audit record to an uneditable archive; and rendering, in real-time and based on the streaming audit record, a graphical user interface (UI) dashboard including numerical analytics, alerts, and fraud detection entry points … Hariyanti teaches: analyzing, by a natural language processor (NLP), unstructured text to determine control components and a respective context of the control components, wherein the text defines one or more measures to provide assurance of compliance with organizational process requirements; mapping, by a trained machine learning control mapping model configured to automatically map the unstructured text into an executable Business Process Model and Notation workflow and based on the respective context of the control components, mapping the control components to [[a]] the BPMN process model workflow by inferring relationships [[of]] among the control components, wherein the process model workflow is executable based on corresponding control code, and wherein the control code is codified by arranging rules of the BPMN process model workflow into a codified control code, and wherein the codified control code comprises one or more tasks, in a plurality of configurations, and executable in a plurality of different execution scenarios; executing, by a control process engine a Business Process Model and Notation (BPMN) process engine, the codified control code in response to receipt of a first trigger to automatically instantiate a first execution scenario based on a first configuration of the BPMN process model workflow; executing, by the control BPMN process engine, the codified control code in response to receipt of a second trigger to automatically instantiate a second execution scenario based on a second configuration of the process model workflow; capturing, in real-time, an audit record of the execution and a status of the first execution scenario and the second execution scenario; [[and]] streaming in real-time and directly from the BPMN process engine, the audit record into a tamperproof cryptographic archive secured against modificationthe audit record to an uneditable archive; andrendering, in real-time and based on the streaming audit record, a graphical user interface (UI) dashboard including numerical analytics, alerts, and fraud detection entry points … Hariyanti teaches Identifying information security vulnerabilities of a new business process resulting from a business process redesign (BPR) must occur as early as possible. A new method called Task-based Vulnerability Prediction (TbVP), which uses a machine-learning approach to predict information security vulnerabilities of the business process model. The method consists of two main stages. First, we developed clusters using classification and clustering methods. Second, we built an automatic system to predict vulnerabilities using the clusters obtained from the first stage., Hariyanti [abstract]. Hariyant discloses unstructured text used. The application vulnerabilities list is in the Common Weakness Enumeration (CWE) dictionary, which describes vulnerabilities in text format, the same format as the task labels in the business process model., Hariyanti [p.2 column 1 paragraph 4], [p. 4 column 1 paragraph 2]. Hariyant teaches triggers. Automated tools detect vulnerabilities in applications., Hariyanti [p.3 column 1 paragraph 4]. Hariyant considers the process flow of entry data includes a task that associates checking data types and values format and a task for encrypting data/messages to store and send/receive data., Hariyant [p. 10 column 2 paragraph 1]. Picos teaches scanning databases to determine compliance of data lifecycle discovery platforms with obligations relating to data protections and the encryption of data. Hariyant identifies information security vulnerabilities of a new business resulting from a business process redesign. It would have been obvious to combine before the effective filing date a data lifecycle discovery platform (DLDP) or an associated platform (e.g., governance platform) [that] can determine compliance (e.g., a level of compliance) of the DLDP and the data stores with obligations (e.g., legal and/or contractual requirement, as taught by Picos, with predicting vulnerabilities using machine learning, at taught by Hariyant, to develop a prediction system can produce predictions for each BPR occurrence automatically, without involving experts, reducing their involvement in predicting vulnerability during BPR., Hariyant [p.14 column 1 paragraph 2]. Regarding Claim 2, (Original) [and similarly claim 14] The system of claim 1, the at least one processor further configured with:a first machine learning classifier to extract the tasks from the unstructured text;a second machine learning classifier to extract inputs from the unstructured text;a third machine learning classifier to extract outputs from the unstructured text; or a fourth machine learning classifier to extract actions from the unstructured text. See Claim 1 above, Picos teaches machine learning, classifying metadata, Picos [column 32 lines 22-55], [column 6 line 10-14], [column 72 lines 15-25]. Hashimi further teaches: … unstructured text … Hashmi p.437 Consider the natural language expression: “I apologise in advance for . . . ” and compliance Traces and compliance checking approach., Hashimi p.437, 439, 441 and Figure 3 illustrates a compliant handling process from LPMA, and thus, Hasmi discloses handing scenarios and configurations for a workflow (e.g., oral complaint or written complaint using BPMN process model). Picos teaches scanning databases to determine compliance of data lifecycle discovery platforms with obligations relating to data protections. Hashmi compares difference compliance management frameworks (CMFs). It would have been obvious to combine before the effective filing date a data
Read full office action

Prosecution Timeline

Mar 07, 2023
Application Filed
Sep 27, 2024
Non-Final Rejection — §101, §103, §112
Dec 05, 2024
Response Filed
Dec 13, 2024
Final Rejection — §101, §103, §112
Feb 28, 2025
Response after Non-Final Action
Mar 21, 2025
Request for Continued Examination
Mar 24, 2025
Response after Non-Final Action
Jun 13, 2025
Non-Final Rejection — §101, §103, §112
Sep 17, 2025
Response Filed
Sep 27, 2025
Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

17/155,191
Patent 12586018
SYSTEM AND METHOD FOR CREATING A SERVICE INSTANCE
2y 5m to grant Granted Mar 24, 2026
18/121,357
Patent 12406218
DASHBOARD FOR MULTI SITE MANAGEMENT SYSTEM
2y 5m to grant Granted Sep 02, 2025
17/972,167
Patent 12321841
Unsupervised Cross-Domain Data Augmentation for Long-Document Based Prediction and Explanation
2y 5m to grant Granted Jun 03, 2025
16/992,827
Patent 12299609
DYNAMICALLY TRANSMITTING ONLINE MODE INVITATIONS TO PROVIDER DEVICES IN RESPONSE TO DETECTED CHANGES IN PROVIDER DEVICE EFFICIENCY
2y 5m to grant Granted May 13, 2025
17/436,107
Patent 11928619
VEHICLE DISPATCH SERVICE BOARDING LOCATION DETERMINATION METHOD, AND VEHICLE DISPATCH SERVICE BOARDING LOCATION DETERMINATION DEVICE
2y 5m to grant Granted Mar 12, 2024
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

5-6
Expected OA Rounds
14%
Grant Probability
30%
With Interview (+16.2%)
3y 11m
Median Time to Grant
High
PTA Risk
Based on 172 resolved cases by this examiner. Grant probability derived from career allow rate.

Ready to respond to this office action?

IP Author drafts your complete OA response — amendments, arguments, and claim strategy — in minutes, not days.

Start Drafting Your Response →

Data sourced from USPTO Patent File Wrapper (daily) and Office Action Archive (weekly). Analysis generated by IP Author.

Data: USPTO Patent File Wrapper (daily) • Office Action Archive (weekly) • 89M+ prosecution events

© 2026 IP Author — Browse Office ActionsExaminersCompaniesFirms

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month