The draft digital personal data protection (DPDP) rules, which require banks to obtain explicit consent from their customers before using their data for purposes beyond the original intent, although being followed in spirit, leave no room for regulatory arbitrage, experts said. They said that the potential business impact is difficult to assess at this stage, but the formalisation of these rules will mean banks now need to establish clear data processing agreements with third-party entities to ensure compliance.