From platform dominance to weakened ownership: how external regulation changed Finnish e-identification

There is substantial interest among scholars in digital platforms and the ecosystems around them. Digital platforms are open, continuously evolving, sociotechnical structures that can be sensitive to various changes. We take one-step further and investigate the post-dominance phase of platforms. The electronic identification (eID) ecosystem in Finland provides a good example of ecosystem transformation due to external changes from EU and national regulation. We engage in an extensive case study of a nation-wide monopolistic eID platform. We first take a retrospective view to understand the historical context and then examine in detail how an external driver leads to changes in the ecosystem. We explicate the platform evolution process, from a phase of dominance with centralized control structures to a more federated governance approach. We find that the introduction of intermediaries between the platform and its users contributes to a weakening of the dominant platform owners. This finding that platforms can transform into industry infrastructures has an important implication for our understanding of the dynamics underlying digital platforms.


Introduction
Current research on platforms has focused on guiding firms to become platforms (Gawer and Cusumano 2008;Leijon et al. 2017).Amrit Tiwana's seminal book on orchestrating software platforms suggests that businesses must learn to leverage the power of platform business models in order to stay competitive (Tiwana 2014).Firms are increasingly opening up their products and services to create developer ecosystems ar oun d th eir s erv ices (Ja nse n 2 015 ) .S o -c a l l e d "platformization" has become a popular topic leading many firms to tap into this model of value creation de Reuver et al. 2017).However, increasing use of digital platforms among businesses creates dependencies that we know relatively little about and need to understand better.Digital platforms are digital artifacts, thus, they are volatile and sensitive to changes in technology, regulation, and customer preferences.However, few studies have addressed the implications of termination phases of the platform or the periods following the dominance.After integrating with externally developed and managed solutions, little is known concerning the consequences when the platform ecosystem is transformed or disrupted.Due to the rise of platforms across geographies and industries, it is pivotal to understand what happens to "defeated" platforms.Do they simply disappear, disintegrate or diminish?In order to gain answers to these questions, we engage in an extensive case study of a nation-wide platform that focuses primarily on the latest phase of its evolution.The research question we aim to answer is how does the dominant platform respond to external regulation?This study attempts to answer the call for studies of digital platforms "that are contextualized based on understanding of the domain in which they are embedded" (de Reuver et al. 2017).Our empirical case is an extreme example of an almost-monopoly industry platform -Finnish BankID, which was unsuccessful in anticipating the changes and proactively adapting to them.Finnish BankID is a proprietary platform that is depended on by many organizations as the industry-and country-wide dominant infrastructure for organizations in both the public and private sectors.Such industry platforms have been defined as "serving as foundations upon which a larger number of firms can build further complementaries and potentially generate network effects" (Gawer and Cusumano 2014).We demonstrate how external drivers, in the form of regulations stipulated by the European Union (EU) and Finland, lead to changes in the platform and the ecosystem surrounding it, by affecting the roles, relations and power structures of incumbent ecosystem participants.Finnish regulation, which was altered to be compatible with broader EU requirements, changed the principles of electronic identification (eID) by adding a layer of service brokers into the scheme of the eID, thereby driving the transformation of the platform into an industry infrastructure.Such entity-layering, i.e., the introduction of intermediaries between the platform and its users and external orchestrators on top of platform owners, can be seen as a pervasive phenomenon among dominant platforms that fail to anticipate ecosystem needs and adapt, pushing them to act as the backbone and enabler for the ecosystem.
The remainder of the paper is organized as follows.We begin by defining the main concepts in the literature on digital platforms, ecosystems and infrastructures.This is followed by a section describing study design and the research process.Next, we illustrate a retrospective view of the development of the eID ecosystem in Finland.We then analyze the architectural changes that have occurred before and after regulation changes in the Finnish BankID ecosystem.After that, we discuss the findings on the interplay between platforms and infrastructures.The paper ends by discussing conclusions and implications for future research.

Platforms, ecosystems and infrastructures
In this section, we first outline the key insights from the literature on digital platforms and infrastructures.We then propose to conceptualize digital platforms as layered modular architectures with underlying platform and infrastructure strategic dimensions.Such a perspective serves as analytical lenses for studying the dynamic phenomenon of platform evolution.
The rich tradition of research on platforms and infrastructures originates from multiple disciplines, including information systems (IS), strategic management, and economics.Prior studies from these communities, while rooted in different research traditions, provide separately developed conceptualizations on platforms.In this study, we embrace a technological view of digital platforms, defined as "the set of components used in common across a product family whose functionality can be extended by third parties" (Boudreau and Hagiu 2009;Parker and Van Alstyne 2012).Likewise, the literature in economics and organizational sciences refers to platforms as two-sided markets, multisided markets, or multi-sided platforms (Rochet and Tirole 2003).As defined by Armstrong (2006), two-sided markets involve two groups of agents interacting via the platform, where the benefit gained by one group from joining a platform depends on the size of the other group joining the platform.A digital platform together with the "larger number" of platform-utilizing businesses constitutes the ecosystem that can be considered as a more captivating object of inquiries than platforms alone in isolation.Platform ecosystems have been defined by Selander et al. (2013) as collectives of organizations that are "interlinked by a reciprocal interest in the prosperity of a digital platform for materializing their own product or service".
In an analysis of a wide range of industry examples, Gawer and Cusumano (2014) further distinguish between internal or company-specific platforms and external or industry-wide platforms.They refer to internal (company or product) platforms as a set of assets organized in a common structure from which a company can efficiently develop and produce a stream of derivative products (Gawer and Cusumano 2014).Internal platforms are best understood in the context of new product development and incremental innovation around reusable components or technologies.External or industry platforms, the main subject of this paper, are sets of assets organized into a common structure that act as a foundation upon which external innovators can develop their own complementary products, technologies, or services.As the authors point out (Gawer and Cusumano 2014), such external platforms are ubiquitous: Microsoft Windows and Linux operating systems (OS); Intel and ARM microprocessors; Apple's iPod, iPhone, and iPad, iOS operating system, iTunes and AppStore; Google's Internet search engine and Android OS; Facebook, LinkedIn, and Twitter; video-game consoles; and the Internet.Industry platforms can also be simply utilized by firms without the purpose of building any complementary products for the platform.For example, an HR department may integrate its systems and processes with the LinkedIn platform, thus making a platform used to extend the firm's capabilities become the firms' infrastructure.Hence, whether the artefact under study should be considered an industry platform or the infrastructure really depends on the context of its use and the perspective of the analysis.
Taking the argument above further, research on platforms often comes with the larger and compound concept of digital infrastructures.Infrastructures here are defined as shared, open, unbounded, and evolving socio-technical systems that consist of a set of IT capabilities and their users, operations and design communities (Hanseth and Lyytinen 2010).The concept of digital infrastructures has proven to be instrumental to the Information Systems field, as it helped to change the perspective and unit of analyses from single organizations to organizational networks and from systems to infrastructures, "allowing for a global and emergent perspective on IS" (Bygstad 2008).In this paper, we do not seek to reargue these definitions.Rather, we adapt the interpretation of digital infrastructures from (Henfridsson and Bygstad 2013) as "the heterogeneous collection of sociotechnical components that are essential or contribute to the functioning of a system, organization or industry".The concept of a digital infrastructure can be also adjusted to different contexts: enterprise, industry, economy, national, regional, and global levels (Tilson et al. 2010).Hanseth and Lyytinen (2010) in their seminal work on the relation between two conceptualizations discuss that the differences between platforms and infrastructures lie in their overall increasing complexity, how they relate to their design and use environments, and how they behave over time in relation to those environments.
Another recent study (Kazan et al. 2018) has theorized that platforms within network economies vary in their modularity and consist of two strategic architectural dimensions: (1) value creation, and (2) value delivery.Presuming that digital platforms are created and cultivated on top of digital infrastructures (Constantinides et al. 2018), the authors theorize that digital platforms compete through architectural configurations.Value creation architectures, as defined by Kazan et al. (2018), are modular components of digital platforms that can be exploited by third parties to develop value-added derivatives.Thus, platforms practice modularity in their value creation architectures (i.e., platform level), where they compete within value networks by offering the best resource configuration, i.e., stable core and flexible derivatives.Similarly, platforms also practice modularity in value delivery architectures (i.e., infrastructure level) to deliver derivatives in a standardized format (Kazan et al. 2018).This second strategic dimension refers to efficient diffusion of derivatives across their value network, where platforms rely on access to technological backbones in the form of digital infrastructures (e.g., the Internet).We adopt these strategic dimensions in our discussion, as they guide us in unfolding the complex relation between digital platforms and infrastructures.Constantides et al. (2018) in the introduction to special issue on "Digital infrastructure and platforms" also acknowledge the need to discuss platforms and infrastructures concomitantly as one of the emerging themes in the IS field.Arguably, the layered architectures perspective is built on the notion that infrastructures fuel the platforms while also acknowledging the existence of a recursive relation among them.Hence, we turn to the analytical lens of disentangling digital platforms and discussing the change in a platform ecosystem with the help of layers of value creation and value delivery.

Change and platform ecosystems
We assume the concept of a platform ecosystem to be a form of organizational structure, with change comprising an inherent part of organizational structures.However, describing and explaining the scope, drivers and dynamics of the change processes is challenging and requires a careful selection of the units of analysis.The change processes include entities that, although they do change somewhat as a result of their interactions, remain largely stable and analytically distinct from each other as well as from the processes in which they are embedded (Langley and Tsoukas 2016).In this article, we consider a platform ecosystem to be a unit of analysis with the aim of explaining the change process of it.We also adopt a transactional perspective of time, in which a temporal occurrence is defined as an event, such as an emergence, an organizational crisis or regulation change, that can be often the major turning point in the entity's development ( Van de Ven and Poole 2005).Such an approach assumes that the world consists of things (ecosystem), whose state is changed by sequences of events (regulation).In relation to studies of change and platforms, digital platforms have been mostly studied as enablers for transformations within organizations, markets or industries (e.g., Resca et al. 2013).Platform evolution has also been explored in the context of a platform's ignition, or how the platform materializes in the first place (Sandberg et al. 2014).In our study, we have had the opportunity to look at the exceptional phenomenon of a transformation within a platform ecosystem that also involved a change in its materiality.

Case settings
The TUPAS protocol, a household name for the Finnish BankID platform, is one of the Strong Customer Authentication (SCA) methods available in Finland, which accounts for more than 90% of all operations requiring SCA (Rissanen 2010).It is a de facto standard owned and administered by banks in Finland, which is based on a combination of PIN and One Time Passwords (OTP).The Finnish BankID is a multi-sided platform that facilitates transactions between two groups, end users and businesses.Bank-specific identifiers have a high penetration in the Finnish market and can be used across a broad range of services and segments other than just banking, including e-commerce and governmental e-services.The platform exhibits not only positive same-side network effects, i.e., users attract more users, but also cross-side positive network effects, i.e., the greater the number of users using the BankID, the more the BankID option will be offered by businesses in their services.The platform is monetized by subsidizing end-users (demand side) and charging businesses (supply side).We study the BankID case in the light of a compact metamorphic, revolutionary change: EU Regulation 910/20141 on electronic identification and trust services for electronic transactions in the internal market (European Union 2014), hereinafter "eIDAS", and the corresponding change in Finland's Act on electronic identification and electronic signatures.The goal of eIDAS is to allow EU residents to use their own national electronic identification schemes (eIDs) to access public services in other EU countries.Finnish Trust Network (FTN) is the national implementation of eIDAS in Finland; it is uniquely applicable to the Finnish market and was prepared by the Finnish Communications Regulatory Authority (FICORA), the authority that supervises strong electronic identification services in Finland and monitors that the services meet the specified requirements.In a nutshell, FTN lowers the price for using BankID services and legitimizes the service broker role by allowing them to act as "one-stop-shop" resellers of all available eID methods and manage contracts and technical integrations between banks and service providers.FTN was initially scheduled to be legally binding by the end of 2017, marking the long awaited start of the transformation.

Data collection and analysis
Methodologically, this research follows an exploratory case study design (Yin 2003).The case study design is the most appropriate strategy when a single unit of analysis is studied and constructed with multiple organizations (Yin 2003).In the present paper, the unit of analysis is a digital platform ecosystem.The study design and context are presented in the following sections.
We used both primary (i.e., interviews) and secondary (e.g., documents) data sources for this study.As suggested by Van de Ven (2007), this is a promising approach to initiate a "historical study before the ultimate outcomes of a change process become apparent".The case study used real-time observations for a year and a half period and 31 interviews in total (2016)(2017)(2018).The description of antecedent conditions was constructed with secondary data and retrospective interview data.A retrospective approach was taken by examining public documentation related to the case, such as government reports, case studies, and reports from news media and organizational archives found online.The secondary data comprises 24 specification items and reports, 16 news articles, 10 blog posts and 2 extensive case studies.
The interviews were semi-structured (Yin 2003) and lasted at least 1 hour.Each interview began by asking the interviewee's position, background, experience and projects/ products/services managed by the interviewee.Interviews covered the following three topics: the role of the organization in the eID ecosystem; the role, challenges, issues, and experiences of using the Finnish BankID platform in their businesses; and planned or expected changes in integrating with the platform.Interviews followed the funnel model (Runeson and Höst 2009) principle, proceeding from open to more specific questions.Each interview was recorded and transcribed, and the data was investigated using open and axial coding.The gathered data was analyzed with a qualitative data coding and analysis tool, Atlas.ti.Our cases consisted of ten Finnish organizations and firms that have various roles in the Finnish eID ecosystem: identity providers, service brokers (resellers), demand side platform users (service providers) and various governmental organizations that supervise and orchestrate eIDs in Finland (Fig. 1).
Although the study initially involved the participation of three organizations (IDP2, SB1 and the Gov1), these were expanded to include other organizations after discovering the magnitude and degree of dependence on BankID throughout the country.As a result, we further contacted SP1, SP2, SP3 and IDP1 to gain more insights into Finnish BankID utilizations.In the third stage, the interviews were eventually conducted with IDP3, SB2 and Gov2.A list of interviewees and their positions is shown in (Table 1) IDP2 is a telecommunications operator and a major cable operator, a pay TV provider in both cable and terrestrial networks.The company employs around 1600 people and serves around 2.7 million customers.
SB1 is a large payment service provider.The customers of SB1 are banks, businesses, merchants and the public sector.SB1 employs approximately 2400 employees in six countries and, according to recent stats (2016), served a network of more than 300,000 merchants and 240 banks.SB1's services also include payment and authentication bundle services.
Gov1 is part of the Finnish government.Gov1 prepares the government's economic and financial policy as well as the budget, and acts as a tax policy expert.One of the tasks of the Gov1 is general steering of public sector agencies' information management.Their ambition, together with other ministries in Finland, is to boost the e-services market in Finland.
IDP1 is a governmental organization that operates under the authority of the Gov1.IDP1's task is to develop, support and manage the usage of electronic data contained in governmental and public Information Systems.
SP1 is a municipality that represent the local level of administration.The SP1 council is the main decision-making organ in local politics, dealing with issues such as city planning, schools, health care, and public transport.SP1 operates the portal for e-services where citizens can make appointments and manage documents electronically.
SP2 is the small payment service operator that resolves bureaucratic complexities in salary payments as an Internet service.Their cloud-based service provides a suite of open APIs and support services for any company or individual to integrate payroll features and salary payments, including integrations between insurance companies, tax agencies, pension companies, employment foundations and banks.
SP3 is a software-development company founded in 2015.Their main service is a native mobile app for students that integrates study records, campus restaurant menus, indoor positioning guide maps, various news and feedsall essential information needed by students in their daily university life.
IDP3 is a large banking group operating in Finland and the Nordic countries.
Gov2 is a regulatory agency that prepares the technical specifications and supervises their compliance.
SB2 is an e-commerce and electronic signatures company, which is an incumbent service broker in the eID ecosystem.
In our earlier report [Bazarhanova et al. 2018], we analyzed the case with an emphasis on the asymmetric relationships between ecosystem participants.We have also reported that an absence of ecosystem governance strategies employed by platform owners contributed to the ecosystem stagnation.Hence, by putting the data together and building on the findings from these previous articles, we take a bird's eye view of the ecosystem and its change as a process.Our analysis followed a qualitative data coding process.We mainly used secondary data to build the retrospective ecosystem development timeline and refined the timeline using the interviewees' insights on past events.We analyzed the interviews to search for indications of the views and attitudes of the case organizations, towards the ecosystem, as well as its past and present states.Interviews helped us not only to construct the ecosystem architectures but also to identify issues with the platform Fig. 1 Organizations interviewed and their roles in Finnish eID ecosystem and implications of changes in regulations.This paper reports the second phase of the data coding and analysis, as well as extends our earlier report [Bazarhanova et al. 2018].While some coding categories were preserved, i.e., "when it comes to let's say web shop payments identifications, we use TUPAS from other external partners" with the code "service broker bundling", other codes and quotes were refactored.We reevaluated the categories and their corresponding codes with the new research question in mind.For example, the quote "because it makes no sense to build it yourself, it is available, relatively cheap and ready" was coded as "reasons for integration" in the earlier coding phase.Looking at the same quote in comparison with another one "banks are difficult partners, it [making agreements] takes time, and it's tedious", we label them with the codes "about the infrastructure" and "about the platform", respectively.When discussing the Finnish BankID, the interviewees switched back and forth concerning the nature of the subject, that is, whether the Finnish BankID platform is a commodity service infrastructure or a monopolistic platform.Conceptually, the difference between digital infrastructures and platforms is in their control arrangements, i.e., an organization or consortium of firms owns and manages the core in either a decentralized (digital infrastructure) or centralized (platform) manner (de Reuver et al. 2017;Hanseth and Lyytinen 2010).We organized these codes into categories, generic or specific to the role of the case firms' in the ecosystem.We used the data to build the architectural views for the ecosystem in terms of two temporal occurrences, before and after the regulation change.We analyzed the relations of the case firms in the ecosystem, their views on dependencies in the new ecosystem architecture, as well as associated challenges and issues.

Finnish BankID ecosystem evolution
First, we present historical events occurring during the evolution process of the eID ecosystem and its unfolding over time.
We then focus on the latest phase of the ecosystem evolution, before and after eIDAS and FTN regulation changes, by zooming in on BankID ecosystem architectures.We illustrate the intertwined organizational and technology-centric aspects of the changes in the ecosystem and cross-compare these ecosystem views in light of eIDAS and FTN, how the BankID platform operated "before" and how the regulations have changing the ecosystem "after".Such a comparison is crucial in building a narrative that describes the evolution of the BankID ecosystem from dominance to its recent shakeout.As a theoretical framing for the analysis, we reflect on the role of control as being central to what makes a platform a platform, and which distinguishes it from being a standard digital infrastructure.Scholars define the notion of the paradox of control as involving opposing logics, where digital artefacts seem to be governed simultaneously by centralized as well as distributed control (Tilson et al. 2012).The use of the concept of paradox of control will help us to capture the logics around centralized and distributed governance, and the evolutionary dynamics of platforms and infrastructures (Lyytinen et al. 2017).

Ecosystem state -A retrospective view
Overall, Finnish electronic Identity Management (eIDM) is based on three methods: national eID cards (FINEID), as well as financial associations' BankID and MobileID endorsed by telecom operators.The TUPAS protocol was jointly specified by the Federation of Finnish Financial services (FFI), i.e., a consortium of Finnish banks, more than 30 years ago, as illustrated in Fig. 2. A group of large banks decided to standardize the electronic authentication service, whereby service providers identify customers through a bankspecific identification method that the customer uses within the bank's internal services.The method quickly became popular among other e-service providers, allowing the banks to generate additional revenue streams by opening the eID service to other participants.TUPAS is the protocol that is used in establishing citizen authentication and identity, with the protocol being accepted as a standard by Finnish banks.The official name of the service is the "Tupas identification service".In this manuscript, we distinguish between these terms by using "Finnish BankID platform" as the more generic service name for the TUPAS enabled eID exchange.It is important to emphasize that banks have agreed on common standards but not on a shared infrastructure.Each bank has been running their own authentication solution independently since the beginningthere are no cross-bank eIDs and no single eID platform, but instead each bank has their own eID platform enabled by TUPAS.Nevertheless, from the perspective of eID utilizing organizations and users, the service "looks and acts" as an external platform (with multiple owners of various platform components).Therefore, for the sake of simplicity, we illustrate the Finnish BankID platform as a single platform jointly owned by separate banks.
In 1999, although the state introduced non-mandatory FINEID cards to replace the older citizen ID card with a machine-readable smartcard chip, citizens did not take the technology into use.In retrospect, experts attribute the failure of FINEID to high upfront costs of card-reader devices, the learning effort expended in learning to install and use the certificate usage, user experience (UX) issues, and a historically well-disseminated BankID (IDABC 2009).It was even debated whether FINEID card readers should be distributed free of charge to citizens, as had been done in the neighboring country Estonia.However, the government decided not to support or promote FINEID (IDABC 2009).This view was clearly expressed in the Act on the Openness of Government activities, which stated that the governmental policy "does not include any exceptions favoring eID solutions.Any favoritism towards one solution is deemed contradictory to higher principles of openness of public services".To support their stance, the government gave equal legal acknowledgment to the Finnish BankID in 2003 for accessing e-government services, which boosted the overall e-services usage throughout the country, but made the FINEID method quite irrelevant.FFI, as a representative consortium of the financial sector, has been the owner and regulator for BankID services.Back then, smaller banks expressed their concerns that they would prefer "a single government-provided standard which would guarantee similar competitive opportunities for all players" (Kallio et al. 2004).As the last sign of a Finnish BankID "victory", the largest bank in Finland terminated FINEID support in 2009.Although FINEID cards are still in use, they have a very specific niche, mostly for governmental, healthcare, and social welfare workers, and the government has not expressed its will to terminate or expand their use.
MobileID is a PKI-based (Public Key Infrastructure) authentication method developed by Finnish mobile operators in 2011.In contrast to the Finnish BankID, MobileID represent full collaboration between telecom operators in Finland and allow cross-carrier identification.It requires a specialized SIM card with an embedded certificate and a contract with the mobile operator.MobileID can be used to access all public e-services, as well as many private services.The main barrier to MobileID take-up was the classical "chicken-egg" problem between service providers and users (Murphy 2012).Drawbacks slowing down MobileID expansion included a monthly fee and onboarding practices: customers needed to go to a store for first time identification.
A recent significant driver for this case was eIDAS, an EU regulation that promotes electronic identifier reuse and interoperability across services in the EU.It came into force in 2014 and required that all Member States comply with its specifications by 2016.One of the main goals of eIDAS is to ensure that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available.Most importantly, eIDAS data security requirements made it impossible to continue to use the TUPAS protocol, thereby increasing the need for bigger changes.Finland's Act on Electronic Identification and Electronic Signatures was amended to correspond to EU legislation and boost market competition in the eID market (Finnish Communications Regulatory Authority 2013).In order to increase competition in the eID market and break down the BankID "monopoly", Finnish legislation was enacted leading to the creation of the Finnish Trust Network (FTN).FTN specifies the role of service brokers that are allowed to resell eID solutions in Finland using a standardized service contract.The most important impact of FTN concerns the contractual agreements, which previously required service providers to sign agreements with each of the banks, 9 banks in total.Since mid-2017, Finnish banks, as owners of the Finnish BankID platform, have needed not only to lower transaction costs from 0.5 to 0.1 EUR on average but also to allow service brokers to manage the contracts and technical integration complexities.Firms interested in becoming service brokers need to meet the requirements for Strong Customer Authentication (SCA) laid down in the legislation.The list of registered providers includes banks, telecom operators, and incumbent service brokers.The change has had a big implication not only on the platform and on its role in the ecosystem but also on other ecosystem participants.
The overall development of the Finnish eID ecosystem exhibits arbitrary evolutionary dynamics.Three competing eID methods were provided by different organizations that retained full control over their own solutions.While the intent of both eIDAS and FTN regulations was to facilitate the use of eIDs, the approach of Finnish regulation at the local level aimed at diminishing the control that TUPAS owners had over the eID ecosystem.

Ecosystem state -before the change
Various service providers need BankID authentication for transactions requiring a certain level of assurance on the identity of the customer, including authorizations, changes of subscription plans or payments.Public organizations use the

MobileID
Fig. 2 Timeline depicting the evolution of the Finnish eID ecosystem governmental interface provided by IDP1 covering all eID methods (FINEID, MobileID, and BankID).In public services, BankID is required only when making payments.
"I think in case of TUPAS [BankID], I think it's just that they are basically the only private operator that can authenticate people.There is no other entity that has to do that same thing.Except of course the government.And then government tried to bring their own authentication method [FINEID] and they failed miserably"-SP2, CTO.
Service description "Any service provider -a firm willing to authenticate its end-users -initiates the identification by sending an identification request to the customer.Customers then transfer the request to their own bank's identification service by clicking on the bank's icon.The request validity is verified by the bank and the customer is then asked to authenticate.At this stage, the customer needs to use the paper-based OTP password or a token-generating mobile-app.The bank's TUPAS service sends a response message to the customer once the identification has taken place.The customer checks the information on the certificate, and after approving it, returns to the service provider's service, at which point the certificate's data is transmitted to the service provider" (Federation of Finnish Financial Services 2011).Thus, in order to query the user identity by accessing the banks customers' database, the method comprises several API calls.From our case companies, we learned that technical integration was less difficult than managing the contracts: "Technical part of the integration like the API calls look mostly the same from bank to bank.So from a technical point of view it was quite easy, but the paper work was huge -SP3, CEO."It is very old and straightforward" -SP2, CTO.
Examining the attitudes of case companies towards the platform in terms of the technology, we observed that firms not only understand the simplicity of the integration process, but also the obsolescence of the standard itself."In the protocol sense, really technical sense there are some problems with the technology, for instance it has been demonstrated that you can find SSN numbers in the cache of the browser"-IDP2, Development manager.
Before changes in the regulation, service providers had to sign separate agreements with each bank, as described in Fig. 3.A small number of third-party firmsincumbent service brokershave been facilitating the technical integrations (i.e., certificate handling and technical integrations) between banks and service providers.For example, IDP1, as part of the government, is responsible for the public sector's authentication services provision.In the private sector, banks retained the right to set the transaction fees at 0.5 EUR on average.Although fees differed from service provider to a service provider (e.g., customers with higher volumes could negotiate better conditions), the state of Finland as the biggest customer had special pricing models for public organizations.Banks could also refuse to provide authentication services to firms when "it is evident that the TUPAS certificate … could potentially cause financial or immaterial losses to the bank" (FFI 2013).
In summary, before the regulation the banks solely retained the control points, such as the control of interfaces, access to the services, the right to develop them, ownership of data etc.Although the banks agreed on technical standards, the BankID providers engaged in a quasi-cooperative relationship, where each bank had full autonomy over their own implementation.

Ecosystem state -After the change
It has been decided by banks and the governmental regulators that the TUPAS standard will not be upgraded to meet the new requirements.TUPAS was reported to have security weaknesses -message content was not encrypted, only the connection tunnel -which is the reason why Gov2 together with the banks have agreed to switch to SAML2 and OpenID Connect (OIDC) protocol suites.This means that TUPAS might still be used internally among banks in scenarios outside of the national eID scheme, such as internet banking.
"What could happen is that if there are banks that don't want to invest or develop [TUPAS], they could of course protect these links here with VPNs, to make them private because it is only P2P [banks -service brokers] connection which is done only onceyou could use path for infinite here, with some crypto tunnel.But you can't use it in the public internet side."-IDP2, Development manager.
With the exception of banks, the majority of our case organizations have enthusiastically acknowledged changes in eIDAS and FTN legislation.As shown in Fig. 4, these changes involved replacing "TUPAS" with "SAML or OpenID Connect" protocols, and enveloping the platform with service broker and orchestrator roles.Gov1, as a member of the regulatory body, commented on these: "Google is using that [SAML, OpenID Connect protocols], Facebook is using, everyone, those big players are using, and also the IDP1 using for long time already, they have these mandatory protocols that at least you have to support [specified in the regulation], and the SAML is mandatory and mobile, OpenID Connect is mandatory as well" -Gov1, Development manager.
Since mid-2017, there has been a price ceiling for each eID transaction, a government-imposed price control that weakens the banks' valorization.The new ecosystem architecture with service broker 1 and orchestrator roles is demonstrated in Fig. 4. Currently, the list of registered brokers includes all Finnish banks and telecom operators (i.e., IDP1, IDP2 and IDP3).The motivation for introducing service brokers can be explained by governmental regulators' hope to regulate the market and increase competition.The idea was to make it easier for service providers to integrate with one service broker technically and contractually.The changes were forced upon the banks by the regulation from the Finnish government.Despite having an opposing stance, the response of the banks was largely relinquishing and the changes had to be accepted.Prior to eIDAS and FTN changes, companies, such as SB1 or SB2, had already been acting as ad-hoc brokers by providing technical integrations.However, service providers had to make individual contracts with all Finnish banks.The introduction and legitimization of a man-in-the-middle distributor role solves the complexities of individual contracts that the service provider needed to make with each bank.
"The biggest relief for us is that we don't have to make contracts individually" -SP1, e-services manager.
Here, the EU and Finnish government also play a role as ecosystem orchestrators.Unlike before eIDAS and FTN, where banks carried out the role of platform providers and ecosystem orchestrators exclusively."There's something good in EU" -SP2, CEO.
The insertion of the layer of service brokers implies the reduced control of banks over their own ecosystem; hence, the regulation imposed by external regulators also refers to the enlargement of the orchestration group, i.e., towards more distributed governance.Obviously, this change also means that incumbent broker firms in the private market are going to face more severe competition.Telecom operators are also going to enter the service broker market; IDP2 has expressed enthusiasm about the change, as "it is going to open up the market."All identity providers need to register as brokers at least for their own eID methods.It is each bank's individual decision whether they see the benefits of acting actively as brokers.Thus, the rules in the ecosystem have now been reformulated and each ecosystem participant can create, join, or conversely quit the alliance or partnership relation.The financial industry is notable due to its abundance of strict regulations and compliance requirements, which can sometimes be seen as unfavorable.Though the financial organizations are genuinely secretive in their plans, one question still remains: Why have the banks not started cross-collaboration as in neighboring Nordic countries.Instead, they continue to develop solutions individually.

Summary of findings
The Finnish Bank ID is a nation-wide electronic identification infrastructure in Finland.The eID solution allows companies, banks, organizations and governmental agencies to authenticate 1 Although service brokers can simultaneously also be service providers, not all service providers can be brokers.There is a complex procedure in place for attaining a brokering license with individuals over the Internet.It went through its early evolution phases in the 1980s, strengthening over time and achieving long-term dominance until its recent weakening due to changes in legislation.Retrospectively, we observe how the government endorsement contributes to the sustained dominance of the BankID platform.Even after FTN regulations came into force, the platform is still owned by banks, though they are forced to open access to service brokers.Thus, while the cumulative power in the ecosystem remains constant, the control is more distributed among the actors due to FTN.The platform owners' position has been weakened, while service brokers get direct access to users and gain more control.Governmental regulators introduced the regulation that changed the principles of identification by adding a layer of service brokers into the scheme of electronic identification.
The new layer of service brokers creates a distance between the platform owners and its users.We see that the platform as being wrapped in the service offering of brokers and how external organizations act as ecosystem orchestrators.In this case, the EU (eIDAS) and Finnish government (FTN) acted as regulatory bodies, i.e., external ecosystem orchestrators.From the ecosystem architectures after FTN, we observe that the governance structure became more federated.The introduction of intermediaries pushed the platform owners further away from customers and an extra layer of orchestrators from the abovethe entity layering phenomenonrestrains them from controlling and weakening their position.This chain of causalities caused by external events is summarized in Fig. 5.The figure shows how the eIDAS and FTN regulations led eventually to a federated approach to develop and govern the platform ecosystem.Such a process could take place when dominant platforms are not proactive to the dynamic needs of their business environments and cannot oppose external orchestrators.For example, if Finnish BankID owners had followed the approach of other Nordic countries by collaborating with other identity providers, such as MobileID or FINEID, the regulation change implications could have been different.

Discussion
Following Gawer and Cusumano's (2014) distinctions between internal and external platforms, it is obvious that the Finnish BankID serves simultaneously as an internal and external platform.The TUPAS method was established earlier by banks for their own internal use, and consequently opened to other heterogeneous industry actors.The success and sustained dominance of the TUPAS method was contingent on resources possessed by the banks, such as the customer base, which is valuable and hard to imitate (Barney 2010).Their competitive advantage is also based on big volumes of transaction data and inherent trust from customers.Scholars (Gawer and Cusumano 2014) have called for future theorizing on the evolution from internal platforms to external platforms, and that such hypothesis would need to be developed and expanded.Likewise, digital infrastructures do not appear from scratch but evolve incrementally from less complex design classes, such as IT capabilities, applications, platforms, infrastructures (Hanseth and Lyytinen 2010).Infrastructures are also built on the notion that they are never fully complete (Tilson et al. 2010).Thus, we correlate Gawer and Cusumano's conceptualization of an "external platform" with notions of "industry infrastructure".Infrastructure has a supporting or enabling function, which is in contradiction to prescriptions for only one way of working  (Hanseth and Monteiro 1998).Similarly, the Finnish BankID platform (and infrastructure) is used not only for internet banking access but the use case is also horizontally distributed to other contexts, such as banking, payments, e-government services, and e-commerce.Thus, the Finnish BankID platform, simultaneously serving both as an internal and external platform, can also act as the industry infrastructure.
We now bring the conceptualizations of Kazan et al. (2018) introduced earlier in this study, i.e., strategic dimensions of value creation and value delivery architecture, to discuss the architecture of the TUPAS ecosystem before and after undergoing regulatory changes.Once again, Value Creation Architectures (VCAs) are modular components of a digital platform that can be exploited by third parties to develop valueadded derivatives (Kazan et al. 2018).In Finnish BankID, the VCA layer is the "service" layer in the architecture where thirdparty platform users, service providers and end-users together with service brokers integrate with the platform via the boundary resources to create value-added services.Second, Value Delivery Architectures (VDAs) are defined as omnipresent digital infrastructures that operate as technological backbones of value networks to facilitate the efficient delivery of standardized platform derivatives among stakeholders belonging to the same value network (Kazan et al. 2018).In TUPAS, this layer includes the entire process of customer onboarding, i.e., bank account opening, first-time identification as part of Know Your Customer (KYC) requirements, as well as distribution and maintenance of internet banking identifiers.In their original case examining mobile payments (Kazan et al. 2018), VDAs are exemplified as established payment infrastructures, such as MasterCard or VISA, which power the processing of financial transactions.Likewise, the VCA dimension includes interaction between payers and payee to make the payments together with the provision of boundary resources, such as APIs and SDKs.Prior to eIDAS and FTN regulation changes, these two strategic dimensions of VCA and VDA were closely imbricated, as shown in Fig. 6.In other words, banks were in charge for the platform ecosystem orchestration by coordinating the eidentification service creation and delivery, i.e., exclusive control over the entire value chain.Fig. 7 illustrates the Finnish BankID ecosystem after the change, which has disintegrated the VCA &VDA architectures.This happens due to entity layering, i.e., the introductions of external orchestrators and service brokers around the platform.Thus, the Finnish BankID platform seems to exhibit more vividly the strategic dimension of value delivery architecture, i.e., the infrastructure level that functions as a pipeline to deliver value in a standardized format.Its value creation architecture dimension is then the layer where the service brokers are entitled to exploit the modularity and create value-added derivatives by re-configuring the resource.This is possible due to legally enforced access to a critical national infrastructure.
Comparing ecosystem architectures, we observe that the Finnish BankID platform is undergoing a process of "infrastructuring".Constantinides et al. (2018) refer to infrastructuring as making digital platforms more physical, while expanding their reach and scope into supply chain management.They provide an example of Amazon's recent purchase of the Whole Foods supermarket chain as a strategy to move into supply-chain management and distribution with its Amazon Prime service and AmazonFresh unit, while expanding the company's digital platform strategy.Here, the authors suggest "positive infrastructuring" as a strategy for companies to acquire more control and push for more innovation.Asymmetrically, evolution of the Finnish BankID platform into an industry infrastructure could be understood as becoming both the backbone and the back-office.We regard this "negative infrastructuring" phenomenon that comes through entity layering as a platform evolution mechanism.The former perspective on positive infrastructuring is in accordance with Constantinides et al. (2018) who argue that the infrastructuring concept implies a strengthening of a role of the platform, and that dependence on the BankID as an eID method is still strong throughout the industry.In the latter

Event Consequence
Fig. 5 The causal path from platform dominance to federated governance approach in Finnish BankID perspective, there is the risk for banks that new competitors will consign them to a limited role as back-office utilities, while non-banks become the new face of their customers' financial lives" (Busch and Moreno 2014).In line with de Reuver et al. (2017), in this article we observe empirically that it is the control arrangement that sets digital platforms apart from digital infrastructures.In another study on digital platform evolution, platforms are considered to go through four lifecycle stages: birth, expansion, leadership and self-renewal (Teece 2017).In general, we commit to the conceptualization that platforms evolve through lifecycle phases.The Finnish BankID case helps to show that the self-renewal stage implies a major transformation.Self-renewal could also indicate a shift in decision-making ownership, as from platform to infrastructure.We expand the platform lifecycle model (Teece 2017) by proposing that a platform that does not develop the ability to pursue new businesses while not undermining their existing advantages and revenue sources (O'Reilly III and Tushman 2008), retire (or self-renew) by becoming the industry infrastructure.

Limitations and future research
This study has limitations.The first is the trade-off between observing a process in real-time instead of relying on retrospective accounts.When conducting real-time observations of a change process as it unfolds, the chances of missing critical events are high (Van de Ven 2007).The second is the tradeoff between temporal duration and granularity of events.Despite providing a retrospective overview on historical events, our study focuses in detail on the change process of a relatively short temporal duration.It is also important to note that we did not have direct access to all banks, and our view on the

Value Delivery & Creation Architetures
Fig. 6 Finnish BankID architecture before the regulation change, labeled with the value network concepts from Kazan et al. (2018) ecosystem evolution is based on the data collected from various ecosystem participants.The empirical evidence we provide may be industry or country specific.Qualitative research findings illustrate the specific phenomena studied in real-life settings and are not generalizable to the population as such.However, case studies not only bring richer semantical meanings for problem understanding, but also can act as an effective benchmarking method to evaluate theory, for which solutions could then be developed and transferred into industrial practice.
In this article, we only scratched the surface of the banking platform evolution into an infrastructure only due to eIDAS and FTN regulations.This is a timely implication considering the upcoming waves of other important changes caused by regulations in Europe.Banks are also the central actors in this next wave of financial services shakeout.For example, the second Payment Service Directive (PSD2), which requires banks to grant third parties access to customer accounts and payment services following customer consent, is a platform-based business approach.The introduction of this regulatory framework poses various challenges for the banking sector, with the threat of them becoming the back office.On the other hand, it also brings opportunities for innovative services creation.Among other challengers are the big tech platforms, such as Google, Amazon, Facebook, and Apple (GAFA), as well as Baidu, Alibaba, and Tencent (BAT), which constantly look for ways to create value in new industries.A famous survey from Accenture2 reports on consumers' increasing readiness to have their banking services provided by non-traditional financial service companies.Thus, questions concerning the consequences of platforms being challenged by their environments have become one of the most relevant inquiries nowadays.Since financial services are heavily interlinked with eIDs, the future development of the eID ecosystem might be dependent on winner or loser methods in financial services.For these reasons, it would be interesting to investigate how the eID ecosystem is affected by the disruption triggered by PSD2 and the changes resulting from the transformation of financial services, and how they reciprocally shape one another.
Moreover, change in the external environment is a very broad area to consider.Other types of change can be, for example, of technological, competitive or organizational nature and adding a layer of service brokers may not be a suitable response for them.In this article, we investigate the entity layering phenomenon as a response to an external regulation a specific type of external changethat calls for more reflections on different response types in correlation with the types of external change.
Inspired by the conceptualization of Kazan et al. (2018) on layered modular architectures, the facilitation of value creation goes hand in hand with value capture.Thus, a potential direction for future research could be, perhaps, extending the layered modular architectures on VDA and VCA by bringing the value capture into the equation.This research direction promises to deliver novel insights and contribute to our understanding of how platform ecosystems differ from other phenomena.Finally, since qualitative study results can be thought of as inputs for quantitative inquiries, future research could shed more light on the evolution of platforms into infrastructure by using variance-based approaches (Van de Ven 2007).

Conclusion
Platform ecosystems are emerging ubiquitously across industries and domains.We engaged in an extensive case study of the BankID platforman eID method exerting a nation-wide near monopoly in Finlandand explained the implications of its transformation triggered by external ecosystem orchestrators.The Finnish Trust Network regulation changed the principles of identification by adding a layer of service brokers into the scheme of electronic identification (eID).Such entity layering, i.e., the introduction of intermediaries between the platform and its users and external orchestrators on top of platform owners, can be seen as a pervasive phenomenon among incumbent platforms that do not succeed in adapting to their changing environments.We analyze the changes in ecosystem architectures from a technological and organizational perspective.As we observe the increasing distance between platform owners, and end-users, as well as reconfigurations in the roles and power structures among incumbent ecosystem participants, we explicate the evolutionary transformation of an industry platform into an industry infrastructure.This is an important implication to be considered by similar industry platforms in rapidly changing business environments.

Fig. 3
Fig. 3 BankID ecosystem architecture before the change Fig. 4 BankID ecosystem architecture after the change

Fig. 7
Fig.7Finnish BankID architecture after the regulation change, labeled with the value network concepts fromKazan et al. (2018)

Table 1
Interviewees from case organizations and their positions